When one of our websites was infected recently with the SoakSoak.ru virus, it was a real-world test of our systems and policies and of how we would respond. We learned a lot and thought it would be helpful to share the experience.

The SoakSoak.ru virus enters your website through early versions (pre-4.2) of RevSlider, a popular WordPress plugin used to create sliding images with animation. What surprised us is that we don’t use RevSlider, we use strong passwords, we disable admin accounts, we keep systems up to date, and yet still we got infected.

A little background: When you design a WordPress website you can purchase a theme that gives you a look and feel. Most themes bundle several plugins that add useful functionality. But, when the themes update, the underlying plugins don’t always update. So, even though we don’t use RevSlider, it was enabled, and it was not being updated.
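The bundled-plugin problem above is easy to catch with an inventory check: read each plugin's header out of wp-content/plugins and flag any whose version is below a known-safe floor, whether or not the site actually uses it. The script below is an added example and not code from the original post. It assumes the standard WordPress layout (each plugin in its own directory with a PHP file carrying "Plugin Name:" and "Version:" header lines) and assumes the Slider Revolution plugin lives under the directory name "revslider"; the only version floor it knows is the one the post gives (RevSlider before 4.2). The plugin tree it scans is constructed sample data.

```python
"""Audit a WordPress plugins directory for plugins below a known-safe version.

Added example, not the post's own tooling. Assumes the usual WordPress layout
(wp-content/plugins/<slug>/<file>.php with a comment header that contains
"Plugin Name:" and "Version:" lines) and that Slider Revolution is installed
under the slug "revslider" (assumption). MIN_SAFE_VERSION holds only the
figure from the post (RevSlider pre-4.2 is affected); extend it for other
plugins you track.
"""
import os
import re
import tempfile

# Matches "Plugin Name: X" / "Version: Y" header lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

# Minimum version considered safe, keyed by plugin directory slug.
MIN_SAFE_VERSION = {"revslider": "4.2"}


def parse_version(text):
    """Turn '4.1.4' into (4, 1, 4) for tuple comparison; non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def read_plugin_header(plugin_dir):
    """Return {'name', 'version'} from the first PHP file in plugin_dir that has a plugin header."""
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only reads the first 8 KB for headers
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}
    return None


def audit_plugins(plugins_root):
    """Return (slug, name, version, status) for every plugin directory found.

    status is 'outdated' when the slug has a floor and the version is below it,
    'no-minimum' when no floor is known for that slug, otherwise 'ok'.
    """
    results = []
    for slug in sorted(os.listdir(plugins_root)):
        pdir = os.path.join(plugins_root, slug)
        if not os.path.isdir(pdir):
            continue
        hdr = read_plugin_header(pdir)
        if hdr is None:
            continue
        floor = MIN_SAFE_VERSION.get(slug)
        if floor is None:
            status = "no-minimum"
        elif parse_version(hdr["version"]) < parse_version(floor):
            status = "outdated"
        else:
            status = "ok"
        results.append((slug, hdr["name"], hdr["version"], status))
    return results


def build_sample_tree():
    """Constructed sample: a theme-bundled, never-updated revslider next to an unrelated plugin."""
    root = tempfile.mkdtemp()
    sample = {
        "example-forms": ("example-forms.php", "Example Forms", "2.3.1"),
        "revslider": ("revslider.php", "Slider Revolution", "4.1.4"),
    }
    for slug, (fname, name, version) in sample.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, fname), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: %s\nVersion: %s\n*/\n" % (name, version))
    return root


def main():
    # Point audit_plugins at a real wp-content/plugins directory to audit a live site.
    for slug, name, version, status in audit_plugins(build_sample_tree()):
        print("%-11s %-15s %s %s" % (status, slug, name, version))


if __name__ == "__main__":
    main()
```

Running it against the sample tree reports revslider 4.1.4 as outdated and example-forms as having no known floor; the "no-minimum" rows are the ones to research, since a plugin you never asked for is exactly the kind that sits unpatched.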

Fortunately we use a quality service provider that actively monitors traffic on our network and regularly runs diagnostics across our files looking for malware. When our provider's system-generated email notified us that our website had been taken offline, explained why, and included a list of suspicious files, it was a great real-world test to see whether we could respond effectively.

Removing the virus was straightforward, and took under 45 minutes. We backed up the website and the database for further analysis (antivirus on our local PC complained a lot), deleted a half-dozen files that comprised the virus, and got our website back online with the help of our provider. Once we were clean and back online we went to work, deleting all old child plugins and manually upgrading to the latest version of the theme, which also included auto-updates and separate licenses for all child plugins to protect and isolate against any future infection. So we were back to being safe.

What’s valuable are the things we learned:

  1. Run backups, and back up offsite.
    Backups are great, and they can help you get back online. If you use WordPress, check out Backup Buddy. We have adjusted our policies to do full backups and keep them longer in case a virus goes unnoticed for weeks or months.
     
  2. Use best-of-class service providers.
    Imagine if our service provider did not notify us and take this website offline. It’s reported that over 100,000 sites have been compromised by the SoakSoak virus, and Google has blacklisted over 11,000 of these sites.
     
  3. Take your time isolating the problem.
    You’re infected and hopefully you’re offline. On the bright side, visitors to your website will just see a “down for maintenance” message. While you’re down, it’s important to take the time to understand how you got infected, update any technologies, and be ready for another attack when you come back online.
     
  4. Know how to research.
    The power of Google’s indexing algorithm is amazing. By looking at the list of infected files we were able to search by file name and within minutes determine we’d been hit by SoakSoak. There was no online recipe on how to remove the virus, but once we understood what we were dealing with, and where the problem resided, we knew what to look for and what to delete.
     
  5. Courage over fear.
    There are numerous updates coming out, almost every week. Major updates to WordPress or key plugins like shopping carts can be intimidating, and every now and then you will have a compatibility problem, and at worst a site-wide issue that affects every page. Be cautious, run backups before updates so you can fall back if something goes wrong, and don't get far behind.
     
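Lesson 1 (full backups, kept longer because an infection can go unnoticed for weeks or months) comes down to a retention policy. The script below is an added example, not the post's tooling and not Backup Buddy: it bundles a site directory and a database dump file into one date-stamped archive, then prunes old archives while keeping the newest few plus one archive per month for a longer window, so a clean copy from before the infection still exists when the alert finally arrives. The site files, dump file and dates it uses are constructed sample data; how the dump file is produced is left to your database tooling.

```python
"""Date-stamped full backups with two-tier retention (recent + monthly).

Added example, not the post's own tooling. make_backup() writes
site-YYYY-MM-DD.tar.gz containing the web root and a database dump file you
supply; prune_backups() keeps the newest KEEP_RECENT archives and, beyond that,
the newest archive in each of the last KEEP_MONTHS months. Everything in
run_demo() is constructed sample data.
"""
import os
import tarfile
import tempfile
from datetime import date

ARCHIVE_PREFIX = "site-"
ARCHIVE_SUFFIX = ".tar.gz"


def make_backup(site_dir, db_dump, dest_dir, when):
    """Write dest_dir/site-<date>.tar.gz holding site_dir (as htdocs/) and db_dump (as db.sql)."""
    name = os.path.join(dest_dir, ARCHIVE_PREFIX + when.isoformat() + ARCHIVE_SUFFIX)
    with tarfile.open(name, "w:gz") as tar:
        tar.add(site_dir, arcname="htdocs")
        tar.add(db_dump, arcname="db.sql")
    return name


def archive_date(path):
    """Recover the date from an archive file name produced by make_backup()."""
    base = os.path.basename(path)
    return date.fromisoformat(base[len(ARCHIVE_PREFIX):-len(ARCHIVE_SUFFIX)])


def select_to_keep(paths, keep_recent, keep_months):
    """Pure retention policy: return the set of archive paths that survive pruning."""
    newest_first = sorted(paths, key=archive_date, reverse=True)
    keep = set(newest_first[:keep_recent])
    months_seen = []
    for p in newest_first:
        d = archive_date(p)
        ym = (d.year, d.month)
        if ym not in months_seen:
            if len(months_seen) < keep_months:
                keep.add(p)  # newest archive of this month is the monthly keeper
            months_seen.append(ym)
    return keep


def prune_backups(dest_dir, keep_recent=14, keep_months=6):
    """Delete archives in dest_dir not selected by the policy; return the removed paths."""
    paths = [os.path.join(dest_dir, f) for f in os.listdir(dest_dir)
             if f.startswith(ARCHIVE_PREFIX) and f.endswith(ARCHIVE_SUFFIX)]
    keep = select_to_keep(paths, keep_recent, keep_months)
    removed = []
    for p in paths:
        if p not in keep:
            os.remove(p)
            removed.append(p)
    return sorted(removed)


def run_demo():
    """Constructed scenario: daily archives for 2014-12-10..14 plus older monthly ones,
    pruned with keep_recent=3, keep_months=2. Returns the archive names that remain."""
    work = tempfile.mkdtemp()
    site = os.path.join(work, "htdocs")
    os.makedirs(site)
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write("<?php echo 'constructed sample site';\n")
    dump = os.path.join(work, "dump.sql")
    with open(dump, "w") as fh:
        fh.write("-- constructed sample dump\n")
    dest = os.path.join(work, "backups")
    os.makedirs(dest)
    for d in [date(2014, 10, 3), date(2014, 11, 15), date(2014, 12, 10), date(2014, 12, 11),
              date(2014, 12, 12), date(2014, 12, 13), date(2014, 12, 14)]:
        make_backup(site, dump, dest, d)
    prune_backups(dest, keep_recent=3, keep_months=2)
    return sorted(os.listdir(dest))


if __name__ == "__main__":
    for name in run_demo():
        print("kept", name)
```

With keep_recent=3 and keep_months=2 the demo keeps the three newest December archives plus the November monthly keeper and drops the October one; raising keep_months is what buys the longer look-back the post recommends. Copy the archive directory offsite after each run rather than leaving it on the same host as the site.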

Sucuri.net, a great company that specializes in website protection, has been tracking SoakSoak.ru on their blog.