• I’m running 4.0.1 and all my sites (6) on hostgator are not accessible anymore since this morning using chrome. It says they are all infected with [ malware site deleted, why give them air time? ]

    I have two other sites, also 4.0.1, on another server and they are accessible.

Viewing 15 replies - 61 through 75 (of 92 total)
  • @webdevv, how did you manually find/re-install the rev slider? It is built into my theme as well.

    This happened to several of my sites that had the Revolution Slider in it. Only 5 of my 10 websites had the slider and those 5 are the ones that had this problem.

    I have a similar issue.

    There are 25 websites in one HG hosting account (I know it's too many).

    20 show the warning: attackers on soaksoak.ru... I updated the WP version, and it was solved.

    The remaining 5 websites show the warning: attackers on (domainname.com)... and the issue is still not solved. I have also replaced the swfobject file and submitted a review request in Webmaster Tools.

    Need help.

    Thanks.

    I’ve been seeing repeated upload attempts such as these from varying IPs for the last two weeks on my Ninja Firewall logs:

    07/Dec/14 21:35:22  critical     -  68.64.169.107    POST /wp-admin/admin-ajax.php - Attempt to upload a script - [revslider.zip, 28,907 bytes]
    07/Dec/14 21:35:24  critical     -  68.64.169.107    POST /wp-admin/admin-ajax.php - Attempt to upload a script - [showbiz.zip, 28,887 bytes]

    Details here indicate that the slider is often bundled into premium themes so you may not see it in your list of installed plugins. The advice is to contact/visit your theme vendor and update your premium theme.

    Further info from http://seclists.org/fulldisclosure/2014/Nov/78:

    Slider Revolution/Showbiz Pro shell upload exploit

    # Mitigation:
    # Besides the LFI vulnerability that was published a couple of months ago, this is another vulnerability that the revslider developers have decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the latest version (=> 3.0.96) vulnerable to this nasty flaw. revslider's developers will argue that their slider comes with an auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes' users may not get plugin updates or will have to pay to get the update. In other words, the revslider developers believe that every user should have the auto-update feature on, otherwise ... you are screwed.
    Obviously this is way more critical than the LFI vulnerability because it allows shell access, giving attackers access to the target system as well as the ability to dump the entire WordPress database locally. That being said, upgrade immediately to the latest version or disable/switch to another plugin.
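    The NinjaFirewall lines quoted above can be turned into a quick triage check. The following is an added example (not code from the thread, NinjaFirewall or Slider Revolution): it reads log lines in that format, keeps only POSTs to admin-ajax.php that tried to upload a .zip archive, and groups the hits by source IP and archive name so repeat offenders stand out. The first two log lines are the ones quoted in the post; the remaining three are constructed for the demo (using documentation-range IPs), and the field positions assume NinjaFirewall's whitespace-separated layout exactly as shown above.

```shell
#!/bin/sh
# Added example: summarise plugin-zip upload attempts in NinjaFirewall-style
# log lines, grouped by source IP and uploaded archive name.
# The log below is constructed for the demo: the first two lines are the ones
# quoted in the thread, the other three are made up to show grouping.
SAMPLE_LOG=$(cat <<'EOF'
07/Dec/14 21:35:22  critical     -  68.64.169.107    POST /wp-admin/admin-ajax.php - Attempt to upload a script - [revslider.zip, 28,907 bytes]
07/Dec/14 21:35:24  critical     -  68.64.169.107    POST /wp-admin/admin-ajax.php - Attempt to upload a script - [showbiz.zip, 28,887 bytes]
08/Dec/14 03:12:09  critical     -  198.51.100.23    POST /wp-admin/admin-ajax.php - Attempt to upload a script - [revslider.zip, 28,907 bytes]
08/Dec/14 03:12:11  critical     -  198.51.100.23    POST /wp-admin/admin-ajax.php - Attempt to upload a script - [revslider.zip, 28,907 bytes]
08/Dec/14 09:00:00  info         -  203.0.113.5      GET  /wp-login.php - Login page
EOF
)

# Read log lines on stdin; print "IP archive count" for every attempt to push
# a .zip through admin-ajax.php. Fields (whitespace-separated, as in the log
# above): $5 = client IP, $6 = method, $7 = request URI; the archive name is
# taken from the "[name.zip, ..." bracket at the end of the line.
upload_attempts_by_ip() {
    awk '
        $6 == "POST" && $7 == "/wp-admin/admin-ajax.php" &&
        /Attempt to upload a script/ && match($0, /\[[^],]*\.zip,/) {
            archive = substr($0, RSTART + 1, RLENGTH - 2)
            hits[$5 " " archive]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Read the output of upload_attempts_by_ip on stdin; print each IP whose
# total number of attempts is at least $1, as a starting point for a deny list.
repeat_offenders() {
    awk -v min="$1" '
        { total[$1] += $3 }
        END { for (ip in total) if (total[ip] >= min) print ip }
    ' | sort
}

# Stand-alone usage: summarise the sample, then list IPs with 2+ attempts.
printf '%s\n' "$SAMPLE_LOG" | upload_attempts_by_ip
printf '%s\n' "$SAMPLE_LOG" | upload_attempts_by_ip | repeat_offenders 2
```

Run against a real NinjaFirewall log with `upload_attempts_by_ip < firewall.log`; any IP that keeps retrying the same archive is a candidate for a firewall block, and the archive names themselves tell you which plugin the attacker expects to find.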

    I am facing the same in my WordPress install, which is hosted on Bluehost.
    I do remember that I was not able to update my WordPress installation a few weeks ago and I contacted Bluehost about that.
    The customer care agent changed the permissions on all the directories to "Writable", and I just realized how stupid they are.
    If you have been through this situation, first try to remove the infection and then do not forget to change the directory access permissions back.

    @klsbo I purchased the latest version at Code Canyon, and replaced all the files in the WordPress Revolution Slider plugins folder with the latest version of the files. I then had to go and tweak the settings on my sliders as they didn’t quite work as before.

    Hi everybody,
    I'm pretty sure there is another plugin with the problem,
    because on one website I don't have revslider installed
    and the website is hacked.

    I didn't install any new plugin or theme in WordPress 4.0.1. I just update some plugins every day when a new update comes out. But my website got a malware alert from Google Webmaster Tools. I still don't know what malware was injected into my code on the server yesterday (14 December 2014). I've replaced the files following "@iLabz Dev"'s instructions above; those 2 files had been modified yesterday by someone or ....

    But it's been 6 hours until now, and my website still has a malware alert :'(

    Thread Starter jenkisan

    (@jenkisan)

    Has any progress been made as to HOW the injection or hack was done so we can cure rather than fix?

    Thanks

    It's pointless cleaning up your JavaScript files until you find the PHP backdoor that is making this happen. Believe me, I laboured over this for weeks!

    You need to do a grep search on your entire server for the above two files. Otherwise it will not go away and will stay there as a nightmare each time someone opens your site.

    For the websites with the alert "attack on soaksoak.ru":
    I tried removing unused themes and plugins, then updated to 4.0.1; it's solved for now.

    For the other websites that show the alert "attack on domainname.com":
    I replaced the 2 above-mentioned files with the files from wordpress.org,

    then submitted a review request in Webmaster Tools.

    Hope it works for good.

    All your swfobject.js files will have this type of code at the end: eval(decodeURIComponent('%28%0D%0A%66%75%6E%63%74%69%

    It is better to replace these files with the original files, but keep in mind that this code is injected on load each time by the template-loader.php file in your wp-includes folder, so first replace that file with the original one...

    That file has a function at the start that injects this code into the .js file each time.

    @estilobiru: yes, hopefully it will not come back, but make sure you have cleaned all the websites under that hosting account...
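    The two posts above describe the cleanup procedure: grep the whole server for the appended `eval(decodeURIComponent(` loader in .js files, and treat the modified `wp-includes/template-loader.php` (the re-injector) as the thing to replace first. The script below is an added example, not code from the thread or from WordPress: it implements both checks as shell functions, the second one by comparing every file under `wp-includes` byte-for-byte against a clean copy of the same WordPress release (download it from wordpress.org and unpack it next to the site). The directory layout and file contents it creates are constructed for the demo, the injected function name `hypothetical_injector` is made up, and the payload fragment is the truncated one quoted above, not a decodable sample.

```shell
#!/bin/sh
# Added example: locate the two SoakSoak indicators the thread describes.
#   1. .js files (typically wp-includes/js/swfobject.js) with an appended
#      eval(decodeURIComponent('%28%0D%0A...')) loader
#   2. files under wp-includes (notably template-loader.php) that differ from
#      a clean copy of the same WordPress release
# The sample tree built by make_sample_tree is constructed for the demo.

INJECT_MARK='eval(decodeURIComponent('

# Print every .js file under $1 that contains the injected eval() loader.
# (grep exits 1 when nothing matches; that is "clean", not an error.)
find_injected_js() {
    find "$1" -type f -name '*.js' -exec grep -lF "$INJECT_MARK" {} + || true
}

# $1 = site root, $2 = clean WordPress root of the same version.
# Print each wp-includes file whose copy in the site is missing or differs.
find_modified_core() {
    site="$1"; clean="$2"
    ( cd "$clean/wp-includes" && find . -type f ) | while read -r f; do
        if ! cmp -s "$clean/wp-includes/$f" "$site/wp-includes/$f"; then
            printf '%s\n' "wp-includes/${f#./}"
        fi
    done
}

# Build a constructed sample: a clean reference tree and an "infected" site
# under a fresh temp directory, and print that directory's path.
make_sample_tree() {
    root=$(mktemp -d)
    for t in clean site; do
        mkdir -p "$root/$t/wp-includes/js"
        printf '/* swfobject stub */\nvar swfobject={};\n' > "$root/$t/wp-includes/js/swfobject.js"
        printf '<?php\n// template-loader stub\n' > "$root/$t/wp-includes/template-loader.php"
        printf '<?php\n// untouched file\n' > "$root/$t/wp-includes/version.php"
    done
    # Infect the site copy the way the thread describes: loader appended to
    # swfobject.js (truncated fragment from the thread), injector function
    # prepended to template-loader.php (hypothetical name, stand-in body).
    printf "eval(decodeURIComponent('%%28%%0D%%0A%%66%%75%%6E%%63%%74%%69%%'))\n" \
        >> "$root/site/wp-includes/js/swfobject.js"
    {
        printf '<?php\nfunction hypothetical_injector() { /* re-appends the loader */ }\n'
        tail -n +2 "$root/clean/wp-includes/template-loader.php"
    } > "$root/site/wp-includes/template-loader.php"
    printf '%s\n' "$root"
}

# Stand-alone usage: build the sample, run both checks, clean up.
ROOT=$(make_sample_tree)
echo "injected js:";   find_injected_js "$ROOT/site"
echo "modified core:"; find_modified_core "$ROOT/site" "$ROOT/clean"
rm -rf "$ROOT"
```

On a real host, run `find_injected_js /home` (or whatever holds every site on the account, since one untouched install will re-infect the rest) and `find_modified_core /path/to/site /path/to/clean-wordpress`; replace everything the second check lists before touching the .js files, otherwise the loader comes straight back.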

    If you can't update your Rev Slider, disable it and switch to another plugin.

    Sucuri has a good write-up on the SoakSoak stuff and, although there is no concrete evidence of the vector, it looks like it correlates with the RevSlider stuff reported a few months ago.

    http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html

  • The topic ‘All my sites (6) hacked’ is closed to new replies.