Monday, November 23, 2015
The issue was discovered during a malware clean-up of a WordPress installation on a private VPS. The server also hosted around 20 more WordPress installations. The automatic cure procedure came back reporting infection left-overs, so we switched to a manual investigation. This short post shows how simple and ingenious some hacks can be.
Initial checks showed that the VPS had been infected through an outdated RevSlider installation (3.0.95), which allowed the attackers to upload arbitrary files to the host. Searching further, we found a strange directory (wp-content/plugins/revslider/temp/update_extract/sym). On inspection it turned out to contain a softlink to "/" (the VPS root directory). As simple as that. Needless to say, this gave the attackers access to the entire file system on this VPS: they could reach any file or directory on the host and used that access to infect all the other WordPress installations.
Removing this directory and updating the vulnerable plugin solved the issue.
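A symlink that escapes the web root is easy to miss by eye but easy to detect mechanically: resolve every symlink under the web root and flag any whose target lies outside it. The script below is an added example written for this post, not Quttera's tooling; it assumes a Linux host with GNU `readlink -f` and builds its own throwaway fixture that mirrors the directory described above (a constructed sample, not the infected server), so it can be run offline.

```shell
#!/bin/sh
# find_escaping_symlinks WEBROOT
# Prints every symlink under WEBROOT whose resolved target is outside WEBROOT
# (for example a link to "/"). Benign links that stay inside the web root are
# not reported. find(1) without -L does not descend into symlinks, so a link
# to "/" is listed but never traversed.
find_escaping_symlinks() {
  root=$(cd "$1" && pwd -P) || return 1
  find "$root" -type l 2>/dev/null | while IFS= read -r link; do
    # GNU readlink -f resolves the full chain; empty target means a broken chain
    target=$(readlink -f "$link" 2>/dev/null) || target=""
    case "$target" in
      "$root"|"$root"/*) ;;                                  # stays inside web root
      *) printf '%s -> %s\n' "$link" "${target:-<unresolvable>}" ;;
    esac
  done
}

# make_demo_fixture: constructed sample web root (hypothetical layout modelled
# on the post) with one escaping link and one benign link. Prints its path.
make_demo_fixture() {
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-content/plugins/revslider/temp/update_extract"
  mkdir -p "$demo/wp-content/uploads"
  # the dangerous one: a symlink named "sym" pointing at the filesystem root
  ln -s / "$demo/wp-content/plugins/revslider/temp/update_extract/sym"
  # a harmless link that resolves inside the web root and must not be flagged
  ln -s "$demo/wp-content/uploads" "$demo/wp-content/plugins/revslider/uploads-alias"
  printf '%s\n' "$demo"
}

# Usage on a real host: find_escaping_symlinks /var/www/html
# (path is an assumption; substitute your own web root)
```

Run it against each site's web root after a clean-up, and consider scheduling it: a link that reappears after removal is a sign the upload vector (here the outdated plugin) has not actually been closed.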
If you suspect your website was compromised or would like us to remove the malware, please select one of the ThreatSign website monitoring and malware clean-up plans. To run a free remote scan of your websites: http://quttera.com/website-malware-scanner
For other questions, do not hesitate to contact Quttera's help-desk.