Comments on: GoDaddy/WordPress ninoplas Base64 virus and the fix http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix krkhan's blog Mon, 06 Feb 2012 18:55:18 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Concrete Molds · http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-37416 Concrete Molds · Mon, 08 Nov 2010 10:30:51 +0000 http://inspirated.com/?p=268#comment-37416 godaddy is not always the best registrar, the private registration of godaddy is too expensive - godaddy is not always the best registrar, the private registration of godaddy is too expensive -

]]> By: Robena Eng http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-36937 Robena Eng Sat, 23 Oct 2010 09:17:37 +0000 http://inspirated.com/?p=268#comment-36937 Long time viewer / first time poster. Really enjoy reading the blog, keep up the good work. Will definitely start posting more in the near future. Long time viewer / first time poster. Really enjoy reading the blog, keep up the good work. Will definitely start posting more in the near future.

]]> By: Bruce http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33791 Bruce Wed, 19 May 2010 16:24:14 +0000 http://inspirated.com/?p=268#comment-33791 i have also been victim of the ninoplas virus, but am haPpy to say i was able to remove it by doing a little searching. I was looking for an alternative to reinstalling all the original wordpress files, plugins, themes, etc., so i looked through a number of different files and didnt find anything until i got to the files in my themes folder. THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!! i have also been victim of the ninoplas virus, but am haPpy to say i was able to remove it by doing a little searching.

I was looking for an alternative to reinstalling all the original wordpress files, plugins, themes, etc., so i looked through a number of different files and didnt find anything until i got to the files in my themes folder.

THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!!

]]> By: spo http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33788 spo Wed, 19 May 2010 14:46:54 +0000 http://inspirated.com/?p=268#comment-33788 I uninstalled every copy of Wordpress that I had on my site and deleted my Wordpress database after backing it up and moving the backup off of my server, and guess what? I STILL got hacked again. And then I found out that I had a folder in the top level directory that was publicly writable. I deleted that and I haven't had any problems so far. I uninstalled every copy of WordPress that I had on my site and deleted my WordPress database after backing it up and moving the backup off of my server, and guess what? I STILL got hacked again. And then I found out that I had a folder in the top level directory that was publicly writable. I deleted that and I haven’t had any problems so far.

]]> By: Adam http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33779 Adam Wed, 19 May 2010 04:43:14 +0000 http://inspirated.com/?p=268#comment-33779 i have also been victim of the ninoplas virus, but am haPpy to say i was able to remove it by doing a little searching. I was looking for an alternative to reinstalling all the original wordpress files, plugins, themes, etc., so i looked through a number of different files and didnt find anything until i got to the files in my themes folder. THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!! i have also been victim of the ninoplas virus, but am haPpy to say i was able to remove it by doing a little searching.

I was looking for an alternative to reinstalling all the original wordpress files, plugins, themes, etc., so i looked through a number of different files and didnt find anything until i got to the files in my themes folder.

THE ONLY FILE THAT WAS INFECTED WAS THE HEADER.PHP FILE IN THE NAKED_HTML5 THEME. THERE WAS A LONG STRING OF CODE ADDED TO THE TOP ABOVE THE OPENING TAG. ONCE I REMOVED THE STRING OF CODE THE PROBLEM WAS FIXED!!!

]]> By: serena http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33754 serena Mon, 17 May 2010 12:51:21 +0000 http://inspirated.com/?p=268#comment-33754 Hi. I have had my godaddy website hacked with this virus 5 times in the last 3 weeks. I am now savvy enough to backup a clean copy (at least I think its clean) every night, and as I make constant daily changes have virtually been able to pick the exact time the virus infects again and quickly grab my backup and upload straight away which seems to delete the virus from ALL my websites infected but then it comes back within a few days. As these websites are not WP sites as most people seem to have had problems with, can I do the SSH thing above to get rid of it or any suggestions as I can't do the restore with godaddy due to the amount of changes done during the day and any restore could have part of the malicious code on it anyway. I manually go through and clean every .php page but wonder if I am missing something on other types of pages. I need some layman terms in what I need to do to clean it off forever. I have deleted any databases I had, all forum stuff everything to try not to let it come back including changing all passwords on hosting, ftp and account with godaddy Appreciate any advice thanks Serena Hi.
I have had my godaddy website hacked with this virus 5 times in the last 3 weeks. I am now savvy enough to backup a clean copy (at least I think its clean) every night, and as I make constant daily changes have virtually been able to pick the exact time the virus infects again and quickly grab my backup and upload straight away which seems to delete the virus from ALL my websites infected but then it comes back within a few days.

As these websites are not WP sites as most people seem to have had problems with, can I do the SSH thing above to get rid of it or any suggestions as I can’t do the restore with godaddy due to the amount of changes done during the day and any restore could have part of the malicious code on it anyway.

I manually go through and clean every .php page but wonder if I am missing something on other types of pages.

I need some layman terms in what I need to do to clean it off forever. I have deleted any databases I had, all forum stuff everything to try not to let it come back including changing all passwords on hosting, ftp and account with godaddy

Appreciate any advice thanks
Serena

]]> By: carcus http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33675 carcus Fri, 14 May 2010 00:24:06 +0000 http://inspirated.com/?p=268#comment-33675 Glad I could help. Here's a tip: make it non writeable after you use it and make sure to comment out what you don't want to be run again. Our clean up script got hit and run again removing the first like of every file recursively from root. Client did not keep good backups. Use at your own risk! Glad I could help. Here’s a tip: make it non writeable after you use it and make sure to comment out what you don’t want to be run again. Our clean up script got hit and run again removing the first like of every file recursively from root. Client did not keep good backups. Use at your own risk!

]]> By: Justin http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33668 Justin Thu, 13 May 2010 20:21:47 +0000 http://inspirated.com/?p=268#comment-33668 @carcus - Thanks a ton for the php script. Just used it to clean up a whole slew of infected WP sites. You're a life-saver! @carcus – Thanks a ton for the php script. Just used it to clean up a whole slew of infected WP sites. You’re a life-saver!

]]> By: krkhan http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33636 krkhan Wed, 12 May 2010 09:48:00 +0000 http://inspirated.com/?p=268#comment-33636 @sergio: AFAIK, this JS script does nothing like that. It just redirects. We still don't know how it got there in the first place. @carcus: Thanks for the script. Hope it helps the others. @sergio: AFAIK, this JS script does nothing like that. It just redirects. We still don’t know how it got there in the first place.

@carcus: Thanks for the script. Hope it helps the others.

]]> By: carcus http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix/comment-page-2#comment-33633 carcus Wed, 12 May 2010 08:10:30 +0000 http://inspirated.com/?p=268#comment-33633 Here's my php code that can be run from the browser. You MUST edit this to suit your situation. You must have safe mode off in php for it to work. Please read the comments inline. <pre lang="php"> <?php //You will have to change this to your specific base64_encode $needle='aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJ . . . . edit this for your specific base64_encode'; //Uncomment if you need to find your path //$output = shell_exec("pwd"); //Uncomment to check for infected files edit the path here //$output = shell_exec("grep -rl $needle /home/content/your/path/to/html"); //Uncomment to cleanup infected files edit hte path here //$output = shell_exec("grep -rl $needle /home/content/your/path/to//html | xargs sed -i '1d'"); //Output echo "$output"; ?></pre> Here’s my php code that can be run from the browser. You MUST edit this to suit your situation.

You must have safe mode off in php for it to work. Please read the comments inline.

<?php
//You will have to change this to your specific base64_encode
$needle='aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJ . . . .  edit this for your specific base64_encode';
 
//Uncomment if you need to find your path
//$output = shell_exec("pwd");
 
//Uncomment to check for infected files edit the path here
//$output = shell_exec("grep -rl $needle /home/content/your/path/to/html");
 
//Uncomment to cleanup infected files edit hte path here
//$output = shell_exec("grep -rl $needle /home/content/your/path/to//html | xargs sed -i '1d'");
 
//Output
echo "$output";
?>
]]>