The team at security group Sucuri has identified the blacklisting issue as a result of the latest malware campaign from SoakSoak.ru.
“Our analysis is showing impacts in the order of 100s of thousands of WordPress specific websites,” Tom Perez, Sucuri’s CEO,
writes in a security blog on the issue.
This new malware campaign by SoakSoak gets into your site’s WordPress core and changes the file wp-includes/template-loader.php to include new content.
“This causes the wp-includes/js/swfobject.js to be loaded on every page you view on the site which includes the malware,” Perez writes. “This malware, when decoded, loads a javascript malware from the SoakSoak.ru domain, specifically this file: hxxp//soaksoak.ru/xteas/code.”
Sites that have been affected by this SoakSoak attack are showing up as blacklisted by Google. In some cases this can be a small warning that pops up with your site; in extreme cases Google may simply not list a blacklisted site in a search result at all.
What do I do if I’ve been blacklisted?
If you are a developer and you are comfortable in editing the WordPress core for your site, you can replace the affected files with clean versions. You can download a clean WordPress installation to replace the two files:
/wp-includes/template-loader.php
/wp-includes/js/swfobject.js
If you think you’ve been infected by the SoakSoak vulnerability, but you are uncomfortable with making changes to the WordPress core, don’t hesitate to call our team. Our engineers are always available for our customers, and our team will be happy to apply this fix for you.
Replacing these two files does seem to remove the Google blacklisting quite quickly. Typically waiting a few minutes after replacing the files is all it takes.
This vulnerability has just been made public within the past 24 hours. It’s important to note that even if you have been infected, and you fix the modified files in question with clean versions of the files, there is a possibility that your site could become infected again.
We fully anticipate WordPress to have a permanent solution to this vulnerability quickly.
As always, our team will keep an eye on this rapidly developing issue.
------
Update, 12/23/2014
There are reports that just cleaning these two files may not be enough to completely resolve the issue.
Sucuri is reporting that some websites may remain infected: "Expect to find yourself riddled with backdoors and infections. You have to not only clean, but also stop all malicious attacks," their report states. It is recommended that a strengthened firewall be used to help close these backdoors.
The attack vector has been confirmed to be an outdated version of the RevSlider plugin. RevSlider immediately implemented a fix to the issue; however, there may be older, vulnerable versions of the plugin still packaged as part of plugin bundles. If you have this plugin installed, update it immediately to further mitigate this vulnerability. In the comments on that same post, the RevSlider team has issued a statement apologizing for the issue and emphasizing their dedication both to their customers and to fixing it immediately.
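The two-file check described in the fix steps above, together with the RevSlider advice in this update, can be turned into a quick read-only audit. The script below is an added example written for this post; it is not Sucuri's tooling and not code from the original article. It assumes a standard WordPress layout under the given root, optionally an unmodified extract of the same WordPress release for byte-for-byte comparison, and the usual plugin path and header format for RevSlider (wp-content/plugins/revslider/revslider.php), which is an assumption.

```shell
#!/bin/sh
# soaksoak_check: read-only check for the indicators described in the post.
# Constructed example; not Sucuri's tooling and not code from the post.
# Assumptions: standard WordPress layout under WP_ROOT, an optional
# CLEAN_ROOT holding an unmodified extract of the same WordPress release,
# and the usual plugin path/header format for RevSlider.
#
# Usage: soaksoak_check WP_ROOT [CLEAN_ROOT]
# Prints one line per finding and returns 0 only if nothing was found.
soaksoak_check() {
    wp_root="$1"
    clean_root="${2:-}"
    loader="$wp_root/wp-includes/template-loader.php"
    findings=0

    if [ ! -f "$loader" ]; then
        echo "ERROR: $loader not found; is $wp_root a WordPress root?" >&2
        return 2
    fi

    # Indicator 1: a clean template-loader.php never mentions swfobject or
    # soaksoak. The campaign adds code here so that swfobject.js is loaded
    # on every page.
    if grep -qiE 'swfobject|soaksoak' "$loader"; then
        echo "SUSPICIOUS: $loader references swfobject/soaksoak"
        findings=$((findings + 1))
    fi

    # Indicator 2: byte-for-byte comparison of both files with a clean copy
    # of the same WordPress version, when one is available. This is the
    # reliable check: the injected swfobject.js is encoded, so grepping it
    # for the domain name is not.
    if [ -n "$clean_root" ]; then
        for rel in wp-includes/template-loader.php wp-includes/js/swfobject.js; do
            if [ -f "$clean_root/$rel" ] && ! cmp -s "$wp_root/$rel" "$clean_root/$rel"; then
                echo "MODIFIED: $rel differs from the clean copy in $clean_root"
                findings=$((findings + 1))
            fi
        done
    fi

    # Entry vector: report the installed RevSlider version so it can be
    # checked against the vendor's current release (plugin path assumed).
    rev="$wp_root/wp-content/plugins/revslider/revslider.php"
    if [ -f "$rev" ]; then
        ver=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' "$rev" | head -n 1)
        echo "INFO: RevSlider installed (version ${ver:-unknown}); update if not current"
    fi

    [ "$findings" -eq 0 ]
}

# Run directly: sh soaksoak_check.sh /var/www/html [/tmp/wordpress-clean]
if [ $# -gt 0 ]; then
    soaksoak_check "$@"
fi
```

Run it against the site root, and if possible against a fresh download of the same WordPress version extracted somewhere outside the web root; a non-zero exit means at least one of the two files needs to be replaced from the clean copy, and, as the update above notes, a positive hit is a reason to look for further backdoors rather than to stop at these two files.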
------
Works Cited / For Further Reading:
SoakSoak malware compromises 100,000+ WordPress websites (Sucuri)
WordPress under attack by SoakSoak malware (TechWorm)