This week has been challenging for many self-hosted WordPress site owners. I've seen numerous posts all over the Internet of people plagued with the dreaded Ninoplas Base64 Virus.
This virus isn't pretty. It attacks EVERY .php file on your server! If not removed properly, it will replicate itself and you'll spend endless hours trying to remove all the malicious code.
If you suspect that your site's been hacked with the Ninoplas Base64 virus, you need to take action now before your site infects your visitors' computers, gets blacklisted by search engines, or you lose your website altogether.
Here are some of the symptoms:
1. Your WordPress site and your wp-admin/dashboard are redirected to:
http://www[DOT]bing[DOT]com/search?q=freevirusscan&go=&form=QBRE&filt=all
or
http://scaner24[DOT]org/?affid=318&subid=landing
2. Your site is trying to load http://kdjkfjskdfjlskdjf[DOT]com
3. You can't log in to your wp-admin area.
Yesterday, I got to see this virus firsthand, along with my Deputy in Training, Allen Dresser. We helped someone repair the damage left by this malicious attack.
What I found…
At the top of EVERY .php file on the server, 3,077 characters of ugly code had been injected. And close to the bottom of every page, this script had been injected…
<script type="text/javascript" src="http://kdjkfjskdfjlskdjf[DOT]com/js.php"></script>
Plus, I found a mysterious file in the root named…
opposite_watched.php
I did a search on the database for malicious code and, luckily, it was not affected.
It has yet to be determined how malicious hackers are getting onto people's servers and injecting this mess.
Who's to blame…
I've heard many people say that WordPress has security vulnerabilities causing this. Others are blaming their hosting companies. You can read an article over at wordpress.org about it – Secure File Permission Matter.
Rather than playing the blame game, it's time for you to take action to protect yourself. As a website owner, it's your responsibility to take all the necessary security measures. This includes using a reliable hosting company, setting permissions, strong passwords, securing vulnerabilities, updating software, etc.
Some thoughts…
When installing WordPress, did you use an instant installer like Fantastico?
Do you have your permissions set correctly on your server? Is your wp-config.php file set to 644 or can the whole world see it because it's set to 777?
If you're one of the unlucky website owners that has had your website hacked, spending the time to remove the ugly code from your .php files is a waste of time unless you remove ALL of the virus. Are there any mystery files on your server? This Ninoplas Base64 virus is hard to locate, seems to replicate itself and is well hidden.
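The indicators listed above (the eval/base64 blob at the top of every .php file, the injected script tag, a stray .php file in the document root, and world-writable 777 permissions) can be checked in one pass before any cleanup starts. The script below is an added example and is not part of the original post; it is a read-only triage scan that only reports findings. The malicious domain is the one named (defanged) in the post, the list of WordPress core root files is the stock set shipped with WordPress, and the sample site it builds is constructed here for illustration. It also lists every .htaccess file, since hidden .htaccess files come up in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage scan for the
# indicators the post describes. Usage: sh scan.sh /path/to/site
# It reports and never modifies or deletes anything.

# Host of the injected script tag, as named (defanged) in the post.
IOC_DOMAIN='kdjkfjskdfjlskdjf.com'

# .php files whose first 4 KB contain eval(base64_decode(...)): the injected
# blob sits at the very top of an infected file, so only the head is read.
find_base64_injections() {
  find "$1" -type f -name '*.php' | while read -r f; do
    if head -c 4096 "$f" | grep -qE 'eval *\( *(gzinflate *\( *)?base64_decode *\('; then
      echo "$f"
    fi
  done
}

# Any file referencing the malicious script host (the tag was injected near
# the bottom of every page, so every file type is searched). No match is
# not an error.
find_injected_script() {
  find "$1" -type f -exec grep -l -F "$IOC_DOMAIN" {} + || true
}

# .php files directly in the document root that are not WordPress core files
# (the post found a stray opposite_watched.php there).
WP_ROOT_FILES='index.php wp-activate.php wp-blog-header.php wp-comments-post.php wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php'
find_unexpected_root_php() {
  for f in "$1"/*.php; do
    [ -e "$f" ] || continue
    b=$(basename "$f")
    case " $WP_ROOT_FILES " in
      *" $b "*) ;;          # known core file, skip
      *) echo "$f" ;;
    esac
  done
}

# World-writable files and directories (the 777 permissions the post warns about).
find_world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \)
}

# Every .htaccess file, including ones a GUI file manager may hide.
find_htaccess() {
  find "$1" -type f -name '.htaccess'
}

scan_site() {
  site=$1
  echo "== eval(base64_decode) at top of .php files";  find_base64_injections "$site"
  echo "== files referencing $IOC_DOMAIN";             find_injected_script "$site"
  echo "== non-core .php files in the document root"; find_unexpected_root_php "$site"
  echo "== world-writable files/directories";         find_world_writable "$site"
  echo "== .htaccess files";                          find_htaccess "$site"
}

# Constructed sample tree so the scan can be tried offline. The "infected"
# content is an illustrative stand-in, not the real 3,077-character blob.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/demo" "$d/wp-admin"
  printf '<?php echo "clean"; ?>\n' > "$d/index.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n<?php echo "footer"; ?>\n<script type="text/javascript" src="http://%s/js.php"></script>\n' "$IOC_DOMAIN" > "$d/wp-content/themes/demo/footer.php"
  printf '<?php eval(base64_decode("ZWNobyAyOw==")); ?>\n' > "$d/opposite_watched.php"
  printf 'RewriteEngine On\n' > "$d/wp-admin/.htaccess"
  chmod 777 "$d/opposite_watched.php"
  echo "$d"
}

if [ -n "${1:-}" ]; then
  scan_site "$1"
fi
```

Run it against a copy of the site (or the live document root, since it only reads), and treat every hit as something to explain before restoring a backup: a file that is still listed after a restore means the backup itself carries the infection.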
How to remove the Ninoplas Base64 virus…
I've found an article on how to remove it using SSH access, you can check it out here. (Note: I have not tried this script, so I can't say whether it works or not.)
Many webmasters don't have SSH access enabled, or they're unsure how to use it. So maybe you can try restoring your website, if you're lucky enough to have a snapshot taken before the hack happened. Restoring your website to the day before it happened will eliminate the virus, but…
Change your passwords immediately! And I can't stress this enough…use STRONG passwords for your hosting account, ftp account, wp-admin, database, and ANY place else you login. And change them every 30 days. And DON'T use the same password for more than one account.
My suggestion…your password should be at least 14 characters in length (I prefer 18) with a combination of upper and lower case letters, numbers and symbols. I've got some of the ugliest passwords on the planet!
Here's where I generate mine – http://www.strongpasswordgenerator.com.
Make sure your computer is clean by running a virus scan. Keep your Windows and programs up-to-date.
Download my free "7 Plugins for WordPress Security" eBook. This will help you start the security process and harden your website up a bit.
UPDATE: As David commented below, change your site's Authentication Unique Keys. These can be found around line 35 of your wp-config.php file. Instructions can be found here. Many thanks to Sucuri for their work in web-based integrity monitoring.
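Changing the keys matters because WordPress signs its login cookies with them: anyone who is still logged in with a stolen cookie stays logged in until the keys change, whatever you do to the passwords. The script below is an added example, not code from this post or from Sucuri. It regenerates the eight key/salt constants in wp-config.php, assuming the single-quoted define() lines WordPress's wp-config-sample.php produces, and keeps a .bak copy of the original. The sample config it writes is constructed here for trying it offline.

```shell
#!/bin/sh
# Added example (not from the post or from Sucuri): regenerate the
# authentication keys and salts in wp-config.php so every existing login
# cookie becomes invalid. Usage: sh rotate-keys.sh /path/to/wp-config.php

WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 64 hex characters from the kernel's random source. Hex is used so the value
# never contains a quote, slash or ampersand that would confuse sed.
random_key() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Rewrite each define('NAME', '...'); line in place; a line that is absent is
# left absent, so check count_default_keys afterwards.
rotate_wp_keys() {
  cfg=$1
  cp "$cfg" "$cfg.bak"
  for name in $WP_KEY_NAMES; do
    new=$(random_key)
    sed -i.tmp "s/^define( *'$name', *'[^']*' *);/define('$name', '$new');/" "$cfg"
    rm -f "$cfg.tmp"
  done
}

# Number of keys still holding WordPress's placeholder text (0 means all set).
count_default_keys() {
  grep -c 'put your unique phrase here' "$1" || true
}

# Constructed sample wp-config.php fragment with the stock placeholder values.
write_sample_config() {
  out=$1
  {
    echo "<?php"
    echo "define('DB_NAME', 'wordpress');"
    for name in $WP_KEY_NAMES; do
      echo "define('$name', 'put your unique phrase here');"
    done
  } > "$out"
}

if [ -n "${1:-}" ]; then
  rotate_wp_keys "$1"
  echo "keys still at default: $(count_default_keys "$1")"
fi
```

Run it once after the cleanup and the password changes; every user, including you, will have to log in again, which is exactly the point. If count_default_keys still reports a non-zero number, the missing define() lines need to be added to wp-config.php by hand.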
UPDATE 2: In an effort to spread awareness about this virus and protect others, we are asking for your help. If you learn any new information, like where it came from, if it affects the database, new symptoms, cookie setting, etc., please leave a comment below.
Still need help?
If your site has been hacked and you need help, contact me. I'll do my best to get your website up and running ASAP.
And better yet, we can help you make your WordPress site more secure now. Check out our Services available.
I'd love your feedback…
If this post has helped you or you've found another way to get rid of this virus, please leave me a comment below.
Securely yours,
Regina Smola
John says
Ninoplas also sets a cookie so infected blogs only redirects once every 20 days. A couple of my friends have been caught out this week so I’ll point them here 🙂
Regina says
I hadn’t heard about the cookies being set. Thanks so much for sharing that with me. Any ideas what part of the code does that? I certainly want to look into that.
If your friends have Godaddy using Linux, it’s easy to restore their websites inside of the Control Panel > File Manager. Using the “History” tab has all their backed up files. Here’s a link on how to do that:
http://community.godaddy.com/help/2009/02/02/restoring-a-linux-hosting-account/
Please keep me posted if you hear anything else.
Maurintius says
I think the virus sneaked into my blog, but it was settled in my footer.php.
I think I deleted it correctly.
That cookie, how does it look, or better, what's the common file name? I don't know much about cookies; I've been using WordPress for half a year now, but I'm learning 🙂
Regards
David says
One thing to remember is that even if you changed your passwords and cleaned your site, the attackers can still be logged in to your blog. So change your secret keys! This post explains how to do so:
http://sucuri.net/?page=docs&title=changing-wordpress-key
thanks,
Regina says
Good point, David. Thanks for bringing that up. I have updated this post with your suggestion. It’s amazing to me how many webmasters don’t even add their secret keys, let alone change them.
Maurintius says
How do they obtain access to my secret codes and database?
If you use WordPress the .htaccess file should it be under the root file or under wp-admin?
Cause if I want to put it under wp-admin, I'm having trouble getting access myself, so I'm guessing the code within .htaccess needs to be changed???
Thanks for the help.
Mathdelane says
I’ve had a fair share of hacking experience but the good thing is that my site survived and was never compromised since. A fresh install is always the best since SQL injection allows vulnerabilities to stay acquainted with the site if databases are just recycled. Secret keys do help, strong passwords and brute force prevention from the backend.
Regina says
I’m glad to hear your site’s been safe since it was compromised.
Over the years, I’ve had my share of sleepless nights cleaning up my hacked websites. That’s why I decided enough was enough! I asked myself, How can I stop this from happening to me? I spent countless hours doing research and learning. Now it’s my goal to spread awareness and help others do the same.
We are unsure, at this time, if this particular virus infects the database at all. Or how they are getting in. My experience so far helping others is weak passwords, but that may not be the only culprit.
I agree, a fresh install is the best bet. What’s your suggestion for those that have numerous posts, comments, etc. so they don’t lose them?
Loren says
My (up to date) WordPress site on GoDaddy was compromised. I used the file manager Restore feature to take everything back to April 29, and it has cleared things up for now. Have also changed passwords, secret keys, etc. The whole process took less than an hour.
Thanks for posting the resources and keeping track of this problem!
Chris Lang says
I had a real issue with a .htaccess file that was so hidden I could not see it; when I could, I could not delete it, rename it, or edit it. This occurred in my HTML editor, my FTP program, and the GoDaddy file browser.
I even over wrote the file from FTP and I could still not take control of it. So if you delete everything and you are having file folders remain because FTP says that they are not empty then you have this same problem.
This is one way I theorize they can come back.
Also, most of your files will be set to 755 or 777 permissions if you have been hacked. WordPress runs fine with everything locked down to 644. However, the directory a blog is installed in will not run WP without a 755, so far in my testing.
Got any better advice on these potholes along the security path that I found?
Also there is a WP security update available in the GoDaddy MyInstalls app. Anybody got any feedback on that.
Lastly GoDaddy just called me as they are every WP blog owner to point out that we need to secure our WordPress installs. Cool, but ain’t it a little late GoDaddy? My rep already took a big hit and my entire email list is now unresponsive.
This may have cost me a few bucks, but if you get blocked by major anti virus makers you can kiss your butt and your business goodbye. If you can’t secure it take the blog down until you can pay someone that can. That’s what I did, testing my new installs now.
Vince says
It isn’t just WordPress sites that are vulnerable, just as a note. I have a site running SMF on GoDaddy servers.
One thing I want to mention that hasn't been so far is that in the root HTML directory there was an unknown and seemingly randomly named file that contained two base(64) pieces of code. I've echoed it out, but it's still compressed instructions that don't really tell me anything.
Everyone infected will want to take a look at their root directory and see if there is an odd file and get rid of it, or at least rename it until you know for sure.