Inspirated


March 2, 2010

GoDaddy/WordPress ninoplas Base64 virus and the fix

Filed under: Blog — krkhan @ 7:40 pm

Update: The virus seems to have affected only GoDaddy websites, hence the change in title.

A few hours ago I opened my website and noticed some rather strange JavaScript hanging around the bottom. After some inspection, it became evident that every page on my blog was trying to load an IFrame from some place called ninoplas.com. Turns out, I wasn’t alone and there are other users as well who are affected by this. Judging by the fact that different blogs were attacked at the same time, this was in all probability the result of a security hole in some plugin or the core itself.

The virus acted by adding a piece of base64-encoded code on the first line of all PHP files on the server. It’s rather unsettling to consider the extent of damage that could have been caused with write access to those files. Still, the damage could be rectified by simply deleting those lines. I wrote a tiny script for doing this job which cleans the ninoplas virus from all the PHP files in the current directory:

clean-ninoplas.sh

Warning: While this script has worked for me, I am in no way providing any guarantee for how it behaves on other blogs. Back up your blog as well as your database before executing this script.
You have been warned.

Using the fix is a simple matter of:

-bash-$ cd wordpress
-bash-$ wget http://inspirated.com/uploads/clean-ninoplas.sh
-bash-$ sh clean-ninoplas.sh

And don’t forget to back up everything again after cleaning up. The security hole — if there is one — has still not been tracked down, and if it’s in the core or some plugin which you’re still using, the virus might not be so benevolent next time.
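As an added example (not the clean-ninoplas.sh from this post, whose source is not reproduced here), a small POSIX sh script that finds PHP files whose first line carries the injected eval(base64_decode(...)) stub, backs each one up and strips only that line, recursively from the directory you point it at; it also lists world-writable directories, since one commenter traced a re-infection to one. The MARKER string, the .ninoplas.bak suffix and the sample tree built by make_sample are assumptions and constructed test data, not values taken from a real infection.

```shell
#!/bin/sh
# Added example, not the original clean-ninoplas.sh. Looks for PHP files whose
# FIRST line carries the injected eval(base64_decode(...)) stub the post
# describes, backs each one up and strips only that line. MARKER is an
# assumption about the stub's shape; paths and payloads below are constructed.
MARKER='eval(base64_decode('

# Print every *.php under $1 (recursively, so an infected file left in a
# subdirectory cannot re-infect the rest) whose first line contains the marker.
find_infected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -qF "$MARKER"; then
            printf '%s\n' "$f"
        fi
    done
}

# Strip line 1 from each infected file, keeping a .ninoplas.bak copy beside it
# (mode and owner of the original are preserved because it is rewritten in
# place), and print the cleaned paths. Only files that still carry the marker
# are touched, so a re-run is a no-op instead of chopping the first line of
# every file a second time.
clean_tree() {
    find_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.ninoplas.bak" && tail -n +2 "$f.ninoplas.bak" > "$f" \
            && printf '%s\n' "$f"
    done
}

# List world-writable directories under $1, the foothold one commenter found.
find_world_writable() {
    find "$1" -type d -perm -0002
}

# Build a small constructed WordPress-like tree: two infected files (one deep
# in a plugin directory) and one clean file. 'Zm9v' is base64 of "foo".
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/demo"
    stub="<?php eval(base64_decode('Zm9v')); ?>"
    printf '%s\n' "$stub" '<?php' 'echo "index";' > "$d/index.php"
    printf '%s\n' "$stub" '<?php' 'echo "plugin";' > "$d/wp-content/plugins/demo/demo.php"
    printf '%s\n' '<?php' 'echo "clean";' > "$d/wp-content/plugins/demo/clean.php"
    printf '%s\n' "$d"
}
```

Run it from the account's top-level directory (not a subdirectory), review the printed paths, and delete the .ninoplas.bak copies only once the site has been verified clean.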


70 Comments

  1. ISSUE RESOLVED TEMPORARILY

    1. Restored files using the GoDaddy file manager.

    After restoration, site worked but the Login/Admin page was redirected to the virus site.

    2. Replaced wp-admin & wp-includes.

    Issue resolved.

    WAITING FOR THE THIRD ATTACK

    Comment by Hema Latha — May 2, 2010 @ 4:46 am

  2. I fixed the virus on my site using the script provided in the post, which deleted the code from every PHP line automatically. Then I chose a strong password and since then I haven’t been hit by the thing again.

    I guess the difference is, I used the script in my root directory and hence all PHP files were cleaned. Cleaning them by hand or cleaning them in a subdirectory is bound to leave some infected ones and they can in turn re-infect all the other files.

    I have many of those plugins as well, but it will be difficult figuring out which one is the culprit.

    And please make regular backups :) .

    Comment by krkhan — May 2, 2010 @ 12:22 pm

  3. […] a topic in the WordPress support forums that supported that approximate time. However, I also found another post elsewhere with a Unix/Linux shell script that would fix what appears to be the same issue which was […]

    Pingback by Arcane Palette Creative Design » Blog Archive » GoDaddy-hosted sites at risk — WordPress, Joomla!, Pligg, ZenCart, others… :: creative web design — May 4, 2010 @ 1:26 am

  4. […] a topic in the WordPress support forums that supported that approximate time. However, I also found another post elsewhere with a Unix/Linux shell script that would fix what appears to be the same issue which was […]

    Pingback by jazzsequence :: arcane palette :: GoDaddy-hosted sites at risk — WordPress, Joomla!, Pligg, ZenCart, others… — May 4, 2010 @ 8:57 pm

  5. I have 100 domains on GoDaddy and I can say that this company is very reputable.

    Comment by Nevaeh Green — May 5, 2010 @ 1:03 pm

  6. Yes, GoDaddy is pretty OK by me, and I do host lots of sites there.

    However, they were hit by this virus, big time. I think they should have been a bit more on top of it. Just saying.

    Comment by ed — May 5, 2010 @ 2:17 pm

  7. Go Daddy is making strong efforts to reach out to the community. Today, they are going to be speaking at our free WordPress Security teleseminar at 2pm EST. We welcome you to join us: http://www.wpsecuritylock.com/wpsecurity0505

    Comment by WPSecurityLock — May 5, 2010 @ 7:52 pm

  8. […] after the virus was first identified, someone helpful at Inspirated.com released a script to fix the problem. Fixing the process manually is very difficult because when the site is compromised, every PHP file […]

    Pingback by Manually Correcting the GoDaddy Wordpress Virus Ninoplas | Finding Great Web Hosting — May 10, 2010 @ 2:05 am

  9. Is it possible for a JavaScript command to get to the PHP code in order to modify it (adding the eval(base64 lines to each .php file) that way?

    I suspect a click tracker (which generates a “heat map” of your site) from some time ago.

    My partner recommended it to me, because “all SEO use it”, but when I traced the code, it was hosted in a public place, not on a proud programmer’s site as an honest company would do…
    http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0010/5758.js

    The script was full of encrypted functions.

    Is that possible?

    I have a Linux Deluxe account too.
    Too many coincidences?

    Last, I’d suspect some plugins I installed with 0 feedback which (surprisingly) didn’t work at all. That last one I call “stupidity” on my part.

    Comment by sergio — May 11, 2010 @ 11:07 am

  10. Here’s my PHP code that can be run from the browser. You MUST edit this to suit your situation.

    You must have safe mode off in PHP for it to work. Please read the comments inline.

    <?php
    // Needle: the start of the injected base64 string. You will have to change
    // this to your specific base64_encode (left exactly as the commenter posted it).
    $needle = 'aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcp . . . .  edit this for your specific base64_encode';
    // Web root to scan; edit this to match your account.
    $path = '/home/content/your/path/to/html';
    // Initialised so the echo below does not raise an undefined-variable notice
    // while every action is still commented out.
    $output = '';

    // Uncomment if you need to find your path
    //$output = shell_exec('pwd');

    // Uncomment to check for infected files. -F treats the needle as a fixed
    // string (base64 may contain '+', a regex metacharacter) and escapeshellarg()
    // quotes both arguments for the shell.
    //$output = shell_exec('grep -rlF ' . escapeshellarg($needle) . ' ' . escapeshellarg($path));

    // Uncomment to clean up infected files: deletes line 1 of every file that
    // contains the needle. -Z / -0 pass file names NUL-separated so paths with
    // spaces survive the xargs step. Comment it out again after use.
    //$output = shell_exec('grep -rlZF ' . escapeshellarg($needle) . ' ' . escapeshellarg($path) . " | xargs -0 sed -i '1d'");

    // Output, HTML-escaped because this page is viewed in a browser
    echo '<pre>' . htmlspecialchars($output) . '</pre>';
    ?>

    Comment by carcus — May 12, 2010 @ 1:10 pm

  11. @sergio: AFAIK, this JS script does nothing like that. It just redirects. We still don’t know how it got there in the first place.

    @carcus: Thanks for the script. Hope it helps the others.

    Comment by krkhan — May 12, 2010 @ 2:48 pm

  12. @carcus – Thanks a ton for the php script. Just used it to clean up a whole slew of infected WP sites. You’re a life-saver!

    Comment by Justin — May 14, 2010 @ 1:21 am

  13. Glad I could help. Here’s a tip: make it non-writable after you use it and make sure to comment out what you don’t want to be run again. Our clean-up script got hit and run again, removing the first line of every file recursively from root. Client did not keep good backups. Use at your own risk!

    Comment by carcus — May 14, 2010 @ 5:24 am

  14. Hi.
    I have had my GoDaddy website hacked with this virus 5 times in the last 3 weeks. I am now savvy enough to back up a clean copy (at least I think it’s clean) every night, and as I make constant daily changes I have virtually been able to pick the exact time the virus infects again and quickly grab my backup and upload it straight away, which seems to delete the virus from ALL my websites infected, but then it comes back within a few days.

    As these websites are not WP sites, as most people seem to have had problems with, can I do the SSH thing above to get rid of it, or any suggestions? I can’t do the restore with GoDaddy due to the amount of changes done during the day, and any restore could have part of the malicious code on it anyway.

    I manually go through and clean every .php page but wonder if I am missing something on other types of pages.

    I need some layman’s terms on what I need to do to clean it off forever. I have deleted any databases I had, all forum stuff, everything, to try not to let it come back, including changing all passwords on hosting, FTP and my account with GoDaddy.

    Appreciate any advice thanks
    Serena

    Comment by serena — May 17, 2010 @ 5:51 pm

  15. I have also been a victim of the ninoplas virus, but am happy to say I was able to remove it by doing a little searching.

    I was looking for an alternative to reinstalling all the original WordPress files, plugins, themes, etc., so I looked through a number of different files and didn’t find anything until I got to the files in my themes folder.

    THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!!

    Comment by Adam — May 19, 2010 @ 9:43 am

  16. I uninstalled every copy of WordPress that I had on my site and deleted my WordPress database after backing it up and moving the backup off of my server, and guess what? I STILL got hacked again. And then I found out that I had a folder in the top level directory that was publicly writable. I deleted that and I haven’t had any problems so far.

    Comment by spo — May 19, 2010 @ 7:46 pm

  17. I have also been a victim of the ninoplas virus, but am happy to say I was able to remove it by doing a little searching.

    I was looking for an alternative to reinstalling all the original WordPress files, plugins, themes, etc., so I looked through a number of different files and didn’t find anything until I got to the files in my themes folder.

    THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!!

    Comment by Bruce — May 19, 2010 @ 9:24 pm

  18. Long time viewer / first time poster. Really enjoy reading the blog, keep up the good work. Will definitely start posting more in the near future.

    Comment by Robena Eng — October 23, 2010 @ 2:17 pm

  19. GoDaddy is not always the best registrar; the private registration of GoDaddy is too expensive.

    Comment by Concrete Molds · — November 8, 2010 @ 3:30 pm

  20. Hi. Our server was hacked, with all our WordPress sites infected with this redirect:
    indoforexraiding.com
    index.htm / index.html and index.php files, .htaccess on all domains, cPanel redirects; everything on WordPress pages, headers were cleaned and their URL replaced. All except deeper Joomla and Moodle.

    Comment by Mignon — June 19, 2015 @ 4:13 pm
