SoakSoak bug, round two, still widespread infections

I've been really busy so it's been a while since my last post, but this is really important so thought I should update everyone.

This recent SoakSoak bug infected a lot of WordPress sites through a vulnerability in the Revolution Slider plugin. Apparently the developers know about this security hole back in September but did nothing about it until the exploit was widespread. There is now a new version of Revolution Slider that has been patched but there are also many themes that use this slider that cannot be automatically upgraded. The newest version of my Anti-Malware plugin will automatically block the attempts to exploit this vulnerability on your site, even if you have a vulnerable version of Revolution Slider installed.

The bigger problem is that once you have been hit by this bug then there may be other backdoors planted on your site and your DB password may also have been stolen. Your site can also then be used to spread this infection to other sites. I have seen a new round of this threat that no longer uses the popular IP address in the script source. Now its using a variety of infected domains spread the infection.

This threat is changing all the time so please make sure to download the Definition Updates whenever I release a new one. You can follow my Twitter feed @GOTMLS to get notified of new updates.


Tags: , , ,

2 Comments on "SoakSoak bug, round two, still widespread infections"

  • On December 19, 2015 at 11:51 am, Scott said:

    We are still getting redirect after running paid version of your plugin by rev slider. Do you have any further update that we can use to remove?

    • On December 21, 2015 at 2:58 pm, Anti-Malware Admin said:

      If you have downloaded the latest definition updates and run a Complete Scan of the whole site and it does not any Core File Changes or Known Threat or Back-door Scripts (or anything else in red), then please share you infected URL with me so that I can see what threat you are dealing with and add it to my definition updates.


Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>