Recently, vulnerabilities in outdated versions of the Slider Revolution plugin have led to thousands of sites being hacked. This post walks through one investigation of how the hack was performed and how the Centrora Security malware scanner can be used to find the infected files.
The Hack
The main issue with Slider Revolution is its file upload handling in the WordPress Ajax function. This issue is reported as fixed in the latest versions of the plugin (versions above 4.1.4), but some themes bundle this plugin into their framework and do not update it. This exposes your website to attackers exploiting this vulnerability.
To replicate, the Exploit DB provides three articles detailing how the hack can be performed and how to upload files to the website:
The attacker's files are usually uploaded to the folder /revslider/temp/update_extract/; this is the first place the hacking file lands, and the uploaded file is usually named ‘update_extract.php’.
The findings in the real hack
In one of the websites affected by this vulnerability, we found that the file contained the following code:
When we decode this code, it returns the following PHP code: a password-protected script that allows the user to post commands to the server and do anything on it:
Scanning the website
We further scanned the website to check whether any malware had been uploaded to the server, and the answer was yes: there were web shells uploaded that had to be removed.
For security reasons, we hide the file details detected by Centrora Virus Scanner in the screenshot below:
We helped the client clean all of these files.
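As an added illustration of the scanning step (example code written for this post, not Centrora's scanner and not code from the original article), the script below walks a site tree and flags PHP files dropped into the revslider/temp/update_extract/ staging folder named above, as well as files containing the encoded-eval and request-driven command-execution patterns typical of the password-protected shells described earlier. The indicator patterns and the sample WordPress tree it builds are constructed assumptions, not Centrora signatures.

```python
import re
import tempfile
from pathlib import Path

# Constructed indicators (assumptions, not Centrora's signatures): the staging
# directory the post names, plus obfuscation/exec patterns common in dropped shells.
STAGING_DIR = "revslider/temp/update_extract"
ENCODED_EVAL = re.compile(
    rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
EXEC_FROM_REQUEST = re.compile(
    rb"\b(system|shell_exec|passthru|exec|proc_open)\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I)

def scan_content(relpath, content):
    """Return finding labels for one file; relpath is relative to the site root."""
    findings = []
    norm = relpath.replace("\\", "/").lower()
    if STAGING_DIR in norm and norm.endswith(".php"):
        findings.append("php-in-revslider-staging-dir")
    if ENCODED_EVAL.search(content):
        findings.append("encoded-eval")
    if EXEC_FROM_REQUEST.search(content):
        findings.append("command-exec-from-request")
    return findings

def scan_tree(root):
    """Walk a site root; map each flagged file (relative POSIX path) to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        rel = path.relative_to(root).as_posix()
        found = scan_content(rel, data)
        if found:
            results[rel] = found
    return results

def demo():
    """Build a constructed WordPress tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        drop = Path(root, "wp-content/plugins/revslider/temp/update_extract")
        drop.mkdir(parents=True)
        # constructed sample; the base64 decodes to the harmless word "constructed"
        (drop / "update_extract.php").write_bytes(b'<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>')
        Path(root, "wp-content/themes/example").mkdir(parents=True)
        Path(root, "wp-content/themes/example/functions.php").write_bytes(b"<?php add_action('init', 'example_init');")
        return scan_tree(root)
```

Run scan_tree() against the document root of a real site and review every flagged path by hand; a hit in the staging folder is a strong signal, while the regex hits are heuristics that can also match legitimate plugin code.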
Activate the protection
Once the malware is cleaned, we need to activate the Centrora Firewall protection by adding the following activation codes to the php.ini of the website:
[Anti-Hacker]
;File: php.ini in your protected directory
;Parameters added by Centrora Security™
auto_prepend_file= "/home/accountname/public_html/centrora/administrator/scan.php"
register_globals=off
safe_mode=off
allow_url_fopen=on
display_errors=off
disable_functions="exec,passthru,shell_exec,system,proc_open,curl_multi_exec,show_source"
The post Slider Revolution (RevSlider) vulnerabilities appeared first on Centrora Security - Your All-in-one Central Security Management System.