
Revolution Slider and Site Hack Vulnerability

  • #19534
    stphilips-webadmin
    Participant

    I am the website administrator for my church’s website at http://www.stphilips-church.com. I have been running the Attitude Premium theme since I took over the job in September 2013 and redesigned it. A day or two ago I attempted to visit the site and was advised by Google Safe Browsing that the site was, in effect, hacked. Yesterday, I raised the concern with the host provider (Hostpapa.ca), who this morning informed me that several files were compromised with malicious code and that the site had been deleted in its entirety to remove this compromising code. The exact files that were compromised, as per Hostpapa.ca, are:

    /public_html/wp/wp-wnuyoab.php
    /public_html/wp/wp-content/plugins/revslider/temp/update_extract/revslider.zip
    /public_html/wp/wp-content/plugins/revslider/temp/update_extract/revslider/update.php
    /public_html/wp/wp-content/uploads/2014/12/cm0lXRxkLSne.php
    /public_html/wp/wp-vfycaeb.php
    /public_html/wp/wp-mzhkpue.php

    From what I can tell, the Revolution Slider is a plugin required by the theme, even though I do not use it on the site. I did a quick Google search and came across this page from September 2014 that read, “Slider Revolution Plugin Critical Vulnerability Being Exploited” (see http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html).

    Has any other theme user experienced a similar hack on their website using the Attitude Premium theme? I’m really skeptical on returning to it in case this happens again.

    #19547

    Hi stphilips-webadmin,
    We have already updated the Revolution Slider plugin. Yes, there was an issue in the Revolution Slider plugin, so we have already updated it to prevent it from being hacked.
    Log in to our site with the same username and password you used when you purchased the theme and download the latest version of the theme.
    If you still have a one-year subscription, you will have access to download the update file.

    Thank you!

    #19549
    m2aini
    Participant

    Hi stphillips,

    I have experienced the same type of malicious hacking on my site (http://lumiere-instant.net). My host provider (ovh.com) has a robot monitoring activities on servers and, when it detects a suspicious script, kills the script and changes the site permissions to 700, making it in effect inaccessible through a browser, but accessible via FTP. This has allowed me to actually clean up my site. This was a long process, and several times I reverted the permissions to allow public access to my pages, only to see my site back to 700 due to another suspicious execution.

    I used several tools to clean up my site. One was the Sucuri plugin, another an antivirus. But in the end, the most effective tool was my local Avast antivirus. You should install it if you don’t have it yet (free), and then download your whole site via FTP. Avast quarantines each suspicious file and gives you a message. You can then delete those files from your site.

    Be very careful, though. If you were attacked in the same way I was, there are two types of infections. 1. Files that are added, with names such as “wp-conf.php” (the config file for WP is wp-config.php), or wpextract.php, and others. These files start with an if(isset=x) where x is a complex variable like x334p, for instance, and then have a reg-replace command with a very long hexadecimal chain. These files should be deleted completely.

    2. Some legitimate files have lines added to them at the very beginning, that is, before the comment section that gives the version of the script and its function. It is relatively short, and contains the eval command again with hexadecimal code. These snippets must be deleted from the file, but the file itself mustn’t be deleted. Easy, because the snippet is in between its own <?php ?>.

    I also upgraded all of my plugins to their latest version. I activated the firewall offered by my Host provider. If yours doesn’t offer that, you may want to consider Sucuri’s firewall.

    Also I activated all of the “hardening” options from the Sucuri plugin.

    Also, one important thing. I had other old, demoted, static sites on my servers (non-WordPress sites). The hackers had also populated these folders with virus files. You must clean EVERY file from your root directory. Personally, I removed the old folders entirely. I also removed the themes I didn’t use. Making your web space as simple as possible will help maintenance and security.

    Hope that helps. For now, this is the first morning in a week that my site is not blocked after an attack attempt during the night. So I am thinking that maybe I have succeeded at getting rid of all the malware. But only time will tell if I am not overoptimistic.

    Finally, I would strongly suggest that you change your admin and ftp passwords, and make the new one very complex.

    Best regards
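    The two infection patterns m2aini describes (a dropped standalone file gated on a request parameter and built around eval/preg_replace over a long hex-escaped string, versus a legitimate file with a short eval snippet prepended in its own <?php ?> block before the header comment) lend themselves to a simple triage script. The following is an added example, not code from the thread or from Theme Horse; the sample files, the parameter name and the hex strings are constructed and inert, and the regexes are heuristics that should be reviewed by hand before anything is deleted.

```python
"""Triage WordPress PHP files for the two infection shapes described above.

Added example. Sample inputs are constructed and contain no real payload;
the escaped string is just "A" repeated, so nothing here is executable malware.
"""
import re

# Constructed sample: a dropped standalone file, request-parameter gate plus
# preg_replace over a long "\xNN" escaped string. Parameter name is made up.
DROPPED_FILE = (
    "<?php if(isset($_REQUEST['x334p'])){ $c = \"" + "\\x41" * 40 + "\";"
    " preg_replace(\"/a/\", $c, \"aaa\"); } ?>"
)

# Constructed sample: a legitimate plugin file whose real content starts at its
# header comment, with a short eval snippet prepended in its own <?php ... ?>.
LEGIT_BODY = (
    "<?php\n/*\nPlugin Name: Example Widget\nVersion: 1.0\n*/\n"
    "function example_widget() { return 'hello'; }\n"
)
INJECTED_FILE = "<?php eval(\"" + "\\x41" * 24 + "\"); ?>" + LEGIT_BODY

# Constructed file tree standing in for a downloaded copy of the site.
SAMPLE_FILES = {
    "wp/wp-conf.php": DROPPED_FILE,
    "wp/wp-content/plugins/example/example.php": INJECTED_FILE,
    "wp/wp-content/plugins/example/clean.php": LEGIT_BODY,
}

# 16 or more consecutive \xNN escapes: the "very long hexadecimal chain".
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){16,}')
# The if(isset($_...)) gate on a request parameter.
PARAM_GATE = re.compile(r'if\s*\(\s*isset\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b')
# Functions that turn a string into executed code.
CODE_EXEC = re.compile(r'\b(?:eval|preg_replace|assert|create_function)\s*\(')
# A complete <?php ... ?> block sitting at the very start of the file.
LEADING_BLOCK = re.compile(r'\A\s*<\?php\b(.*?)\?>\s*', re.DOTALL)


def triage(content):
    """Return (verdict, cleaned_content).

    verdict is 'delete_file' for a dropped file, 'strip_prepended_block' for a
    legitimate file with an injected leading block (cleaned_content is the file
    with that block removed), or 'clean'.
    """
    m = LEADING_BLOCK.match(content)
    if m:
        block, rest = m.group(1), content[m.end():]
        looks_injected = bool(CODE_EXEC.search(block) and HEX_RUN.search(block))
        if looks_injected and rest.lstrip().startswith("<?php"):
            # Snippet in its own block, real file follows: strip, keep the file.
            return "strip_prepended_block", rest
        if looks_injected and not rest.strip():
            # The snippet is the whole file: nothing legitimate to keep.
            return "delete_file", ""
    if PARAM_GATE.search(content) and CODE_EXEC.search(content) and HEX_RUN.search(content):
        return "delete_file", ""
    return "clean", content


def scan(files):
    """Map each path to its verdict so an operator can review before acting."""
    return {path: triage(content)[0] for path, content in files.items()}


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_FILES).items():
        print(f"{verdict:22} {path}")
```

Run it over a local FTP copy of the site (as the post recommends) by replacing SAMPLE_FILES with the real paths and contents; the verdicts are a review queue, not an automatic delete list, since a file that legitimately starts with a short <?php ?> block containing preg_replace would also be flagged.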

    #19624

    Hi m2aini,
    We have already updated the Revolution Slider, so it is already zipped inside the Attitude Pro theme. Log in to our site with the same username and password you used when you purchased the theme and download the latest version of the theme.
    If you still have a one-year subscription, you will have access to download the update file.

    Delete the previous Revolution Slider and update to the latest version, as we have packed it in our theme.

    Thank you!

    #20648
    gassho
    Participant

    The handling of this well-known vulnerability by Theme Horse has been horrible, especially for a premium theme. Today’s email announcing an update to the theme is the first and only one I’ve ever received! There have been posts here about why we don’t see theme update notifications in our WordPress dashboard as well.

    Theme Horse has been very irresponsible in NOT letting all of its paid users know what exactly was going on, dating back to Sept 2014 at the very least. I just went through several weeks of stress, waste of time and expense in cleaning up my blog from a malicious hack exploiting what the whole tech world knows as Revolution Slider’s gaping vulnerability.

    A very long time ago I tried to delete this plugin, but it doesn’t (or didn’t back then) delete like a normal plugin. When I contacted the plugin’s author I was told that if baked into the theme, it can’t be deleted.

    Theme Horse REALLY should have let us know MORE THAN ONCE, made a concerted effort to have us update our theme. Moving forward, why bundle anything in the theme at all?! Especially a shady plugin like this? WHY?

    #20686

    Hi Gassho,

    We were a new theme shop at that time and had not integrated any email subscription service, and we also thought that we could not send an email to premium users because they had not subscribed to our newsletter. But when it comes to a security issue in the theme, we think it is our responsibility to make our premium users aware of the Revolution Slider critical vulnerability, and we decided to send an email to all our premium users to update the plugin.

    Who knows the future? If we had known it, we would never have packed it inside the theme. We packed it inside the theme only to have more flexibility on the theme slider, and it was the most popular plugin as well.

    Also, we have already updated the theme, fixing the deactivation issue in the Revolution Slider plugin.

    Thank you!
