Get in Touch »

How to Remove RevSlider Vulnerability SoakSoak Virus / Malware

How to Remove RevSlider Vulnerability SoakSoak Virus / Malware

If you’re reading this post then you probably recently had your WordPress site infected via the revslider vulnerability. If, so, read on.

Spoiler Alert: I don’t think that WordPress is inherently insecure nor is this article about why you shouldn’t use WordPress. If anything, this issue should support my case for ongoing WordPress maintenance practices.

Disclaimer: These are steps that I have personally taken to remove the SoakSoak malware from WordPress sites that I help my clients manage. I have over six years of experience working with WordPress regularly and some of the outlined tasks are routine to me. So in other words, be careful! Any steps you take are at your own risk

If you would like professional help cleaning up  your WordPress, please contact me.

 

Step 1: If your WordPress site is infected, make a backup immediately

You’re going to be doing some major chopping, copying, cutting, pasting, deleting, moving, searching, hacking, gluing and all other sorts of things. Even though your site may be a bit wounded right now, you need to make a backup in case you break something further. You might also find the backup useful for examination later.

For backups, I recommend using two methods (together, not apart):

  1. Hosting account level backup: for instance, a cPanel whole-site backup .
    A hosting-level backup has the benefit of not only backing-up your WordPress but all the other good stuff like email boxes, forwarders, many server settings and more.
  2. Complete WordPress Backup: and I recommend using the Duplicator plugin. I use it all the time. It’s fast, reliable and really pretty easy to use.

 

Step 2: Confess you’re lost, because you are. Alert your hosting provider, webmaster or developer.

lostIn aviation, we have a five-step acronym for what to do when we get lost, like in the clouds or a box canyon or just flat out confused.

For good reason, the first “C” in the pilots’ lost procedures is “Confess“.
That means telling your key ally (in that case, the air traffic controller) that you’re lost and you need help. Somebody with a better view of the situation needs to be alerted and to get in touch with you to help you out of your situation.

Don’t slip into denial. It’s not necessarily your fault that you got infected – it happens all the time. Even Sony got hacked recently. Yahoo gets hacked all the time. So you’re in good company.

You need help and calling in the cavalry while you’re getting back on your feet is a good idea. Send them an email, call them, submit a support ticket, whatever you need to do. While you’re at it, ask them to do a full server scan with their nifty tools to identify malicious files.

 

Step 3: Take your site offline or lock out the public

screenshot-2You may not have a high volume of traffic and so maybe this doesn’t matter to you. But it can at the least embarrassing if your site doesn’t look right and at the worst a risk to your viewers.

There are several ways to do this. If WordPress is still functioning, you could use a plugin to do it, such as JF3 Maintenance Redirect or WP Maintenance Mode. Either of these plugins will allow you to put up a custom message and to let logged-in administrators bypass the redirect, so you can work on the site and browse it live while you do.

 

Step 4: Scan your server for the infection

wordpress-securityHere’s where the incisions begin. It’s time to find out what exactly got into your server and is currently wreaking havoc on your website. An anti-virus, firewall plugin such as Wordfence or iThemes can help you locate issues, detect infections and do some proactive things to help you protect your website.

Knowing where the infection lies is the first step to cutting it out.

Step 5: Isolate or remove the infectious files

trojan-horseIf your infection has injected files that shouldn’t be there (in classic Trojan horse fashion), it can be trick to find them all and remove them. As long as any of these files remains within the public directories on your server, you’re likely to get reinfected repeatedly.

Optional: Remove the threat but preserve the evidence.

Typically, moving infected files to a location not accessible from outside your server will render them harmless. For instance, you could create a folder called “quarantine” at the root of your web hosting account (i.e., one level UP from the ‘public_html’ or ‘www’ directory). If you do this, rather than just delete, you’ll be able to put some things back in case they weren’t poison after all. You’ll also have evidence to show your hosting provider or web developer to help them help you to prevent this from happening again.

Removing Files: You’ll need to use FTP or a web-based file manager through your hosting account.

Of course you could use SSH (or some other command line method), but if you’re that proficient, you probably don’t need this article!

cPanel File Manager

cPanel File Manager (Click)

If you’re hosting on cPanel through a provider, such as Hostgator.com, you can easily access your files, delete files and create/move files and directories visually using the integrated File Manager.

Alternatively, you could use any one of a myriad of free FTP applications for Mac, Linux or WinDOH!s. They’re easy to configure but you’ll need FTP credentials from your hosting account. In the case of cPanel, the cPanel login itself is usually has top-level FTP credentials.

Personally, I like and use Forklift but it’s not free.

Look for odd-looking files and folders and date stamps.

This is where you go from victim to detective. You’re going to start looking around the directory where your WordPress site is installed for files and folders that shouldn’t be there. These are typically the very files that are letting the attackers get in and/or execute malicious processes from your server.

Common clues to look for:

  • Creation/Modification dates on files that don’t make sense to you.
    If you just got infected today, look for a date/time stamp that is recent and doesn’t correspond to recent updates or other actions by you or another person managing the site. It’s likely that files are spread all around like metastasized cancer but they probably share the same date stamp because they’ll have been generated at the same time.
  • Folders and files that weren’t there before (but be careful)
    I have seen malicious folders called ‘images‘ or ‘css‘ or ‘updates‘,  legitimate names that would masquerade as a vital folder. Thumbing through all folders to find these, paired with strange date stamps, could reveal some stuff that shouldn’t be there. They’ll often have Javascript (.js) or PHP (.php) files in them that are executable and can do all sorts of nasty things like send mass emails or continue creating infections in your website.
  • Non-Image, Non-Document, Non-Video Files in /wp-content/uploads folder. There should be no php or js files in this folder, if there is, it’s almost certainly suspect.

Once you move or delete these files, you’re not out of the woods yet. But march forward!

Step 6: Update (or Reinstall) WordPress

This in itself is a whole set of steps. If I went into detail, this would go from a long post to a really long post. But I’m going to boil it down into these ridiculously broad steps:

  1. Backup WordPress using a method mentioned above
  2. Update via Dashboard > Updates > Update Now It’s quick & easy.
  3. If WordPress is already up to date: reinstall it via the button instead. This may replace infected files with clean ones.
  4. Check that All is OK! Click all around your site to verify nothing is broken.
  5. Back-up WordPress Again. Yep, again. Just do it.

Step 7: Update Your Theme

Using a free theme from WordPress.org?

Updating a theme is rarely quick and easy unless you’re using an official WordPress theme or any other theme without any modifications.  In that case, you may see that there is an update available via Dashboard > Updates. Go ahead and follow the buttons to update. It’s easy, too.

Using a premium WordPress theme?

If you’re using a premium theme from a marketplace like Themeforest, this can be a bit more tricky. First, check the site to see if there has been an update issued later than when you installed your theme. If there is one available, the ridiculously broad version of the steps includes:

  1. Download the new theme version to your computer (.zip file)
  2. Rename your existing theme’s folder with FTP or File Manager.
    It should be located somewhere like (yoursite.com/wp-content/themes/themename). Rename that folder something like themename_copy. The theme will now be, in effect, disabled.
  3. Move ‘themename_copy’ folder to a location outside of public_html (like the hosting root) so that if it contains any malicious code it cannot be accessed by the attackers or run by the server.
  4. Delete the outdated theme folder (/themename)
  5. Unzip the new themename.zip onto your computer somewhere
  6. Upload the new themename folder into /wp-content/themes
  7. Browse your site, refresh and verify that everything is working properly.
  8. ***If Broken: Delete new themename folder, then rename themename_old back to themename so you can resume with your old theme

Step 8: Delete & Replace select WordPress core folders

hazmatYeah, it sounds crazy but it’s both totally easy and necessary. The reason: there’s probably some files that shouldn’t be there but they’re hiding amongst the good files like a kid hiding in a coat rack.

The best way to make sure they’re gone is to delete the entire folder and replace it with clean, freshly-downloaded files from WordPress.

NOTE: You will not do this with folders that change frequently, only core files that stay unchanged between updates.

Here’s the somewhat broad step-by-step to do this:

  1. Download WordPress from their official GitHub. You don’t need a GitHub account, just make sure you download the same version that you just updated to (for example, WordPress 4.1). Choose the zip file, it’s easiest to work with.
  2. Unzip WordPress on your computer. You’ll unpack a hierarchy of folders of files right where you say to.
  3. Locate and Delete the following from the WordPress root folder (on the server):
    1. wp-admin folder
    2. wp-includes folder
    3. index.php
    4. license.txt
    5. readme.html
    6. wp-activate.php
    7. wp-blog-header.php
    8. wp-comments-post.php
    9. wp-config-sample.php (this should be deleted ALWAYS, do not replace it in the next step)
    10. wp-cron.php
    11. wp-links-opml.php
    12. wp-load.php
    13. wp-login.php
    14. wp-mail.php
    15. wp-settings.php
    16. wp-signup.php
    17. wp-trackback.php
    18. xmlrpc.php
  4. Locate and Upload the above list of files/folders to the same WordPress root folder you just deleted them from.
  5. Browse and Refresh your website to verify it’s working properly.

IMPORTANT: Do not delete anything I didn’t just tell you to delete. For instance, do not delete /wp-content or anything inside it. NEVER delete wp-config.php because it contains critical information about your unique WordPress configuration.

Step 9: The Painstaking Plugins Reinstall

Screenshot 2015-01-02 15.58.18If you’re like me, you make serious usage of the huge array of plugins available for WordPress. After all, one could argue that plugins are what makes WordPress what it is. Now you’re going to have to delete and replace them all – manually –  including and especially RevSlider.

Simply updating the plugins just won’t do because there can be hiding files (remember the kid above?).

But if you deactivate them and delete them, you’ll lose all your options from your database. That’s a bit of a conundrum.

I recommend deleting the plugins and replacing them without deactivating or uninstalling them.

This method will preserve the settings for each plugin stored in the database. It’s sort of a “sleight of hand” that you’re going to pull on WordPress. You’re going to delete them and replace them before it “knows” they’re even gone.

So… Time for another ‘Ridiculously Broad Steps List’, kids!

  1. Backup
  2. Update Your Plugins ( Dashboard > Plugins > Update Available )
  3. Verify the Site Works Properly
  4. Make a list of all your active plugins’ names
  5. Take a screenshot or phone pic of your whole plugins folder
  6. Find and download every (yes, every) plugin from their authorized, reliable source.
  7. Unzip all plugins into a folder on your computer, let’s call it “plugins“.
  8. Delete Each Plugin Folder from your live server (yoursite.com/wp-content/plugins/pluginname)
  9. Upload Fresh Plugins to the /wp-content/plugins/ folder in an unzipped state, effectively replacing what you just deleted
  10. Verify the Site Works Properly
  11. ***If Broken, Restore Backup

Step 10: Change WordPress Admin Passwords

password keys

Anybody who has admin access to your WordPress has the power to corrupt it. Even if they’re trustworthy, somebody or something could be using their username to do nasty stuff.

Go to Dashboard > Users and change the passwords of all admin users to something strong, for example:

Im@Secur3Pwd!

Notice the above sample password has capitals, lowercase, numbers and special characters ( @, ! ).

Tricky Step 11: Change WP Database Password

If you want the virus gone, you gotta do it. There’s a good chance your database password got out into the wild and with that an attacker could let themselves back in, just as if they found your hide-a-key under the dead potted cactus by your front door that mom got you before you moved out the first time. (TMI?)

There’s an easy way to do this and there’s a DIY way to do this.

The Easy Way:

Notify your web hosting provider that  you need to change your WordPress database password. Many of them will be happy to do this for you because they want to remove infections like this. They cause servers to run slow and many other customers to get upset and even leave.

The DIY Way (for cPanel Users):

indexI knew you’d ask! Kudos to you, brave soul! If you’re savvy with FTP/SFTP, writing code and your web hosting control panel, proceed. Otherwise, see The Easy Way above.

  1. indexBackup WordPress using methods above. Notice a trend here?
  2. Open wp-config.php in a text editor (like TextEdit, Sublime Text, Notepad, etc.)
  3. Locate and Note Database Username It looks like this: define(‘DB_USER’, ‘some_username‘);
  4. Login to cPanel
  5. Click on ‘MySQL Databases’
  6. Find the Username Found in Step 2
  7. Click ‘Set Password’
  8. Click ‘Password Generator’ a FEW TIMES so that it generates something good and random 😉
  9. Copy/Paste the Password into a notepad somewhere else so you have it for later
  10. Click Change Password
  11. Paste New Password into wp-config.php It looks like this: define(‘DB_PASSWORD’, ‘paste_here‘);
  12. Save/Re-Upload wp-config.php and overwrite the existing one. DO NOT make any other changes!
  13. Test Your Website to make sure it still works!
  14. ***If Broken, restore from backup

Step 12: Re-Scan Your Site (Fingers Crossed)

Fingers-CrossedNow’s the moment of truth… did it work?

Use your security scan plugin you installed earlier on (Wordfence, iThemes Security, etc.) to run a scan again. If it comes up clean, rejoice!

Now do another backup! This time, download a copy to somewhere offsite. If you really have succeeded, you’ll have this backup to keep as a time capsule of your clean site.

I highly recommend also asking your hosting provider to do another scan at this point.

They will likely have tools that you don’t to find anything you might have missed.

Step 13: Notify Google, Get Off the Blacklist

webmaster-toolsIf you found out about this infection through your website being marked with a security warning, you’ll need to let the powers that be know that you’ve done due diligence to remove the issues.

  1. Register Your Site with Google Webmaster Tools If you haven’t already done so. You’ll need to prove you own the site in order to get information about it from Google.
  2. Examine the Security Issues that Webmaster tools may have listed about your site
  3. Ask for Forgiveness. Let Google know that you’ve fixed your website woes and request a site review.
  4. Wait. Google doesn’t do anything in a hurry – at least stuff that isn’t as important to them as it is to you. But your site, if now clean, should be de-blacklisted probably within 24 hours or less.

 

Step 14: Congrats, You’re Done! Keep Vigilant and Carry On

From now on, I recommend doing the following:

  1. Make Regular Backups! Weekly, bi-weekly, monthly even, but just do them! You’ll thank yourself later if you do.
  2. Update WordPress and Plugins Regularly On the same intervals… but backup first!
  3. Remain Vigilant and keep an eye on activity. A website doesn’t run itself (for long). If you’ll take the time to clean things up once in a while, you’ll find peculiar things that just mind indicate a security breach.

 

 

 

 

 

 

Tags