The last two WordPress websites that we dehacked, infected with the Ninoplas Base64 malware, were both hosted at *Godaddy with many similarities.
How do you remove the Ninoplas Base64 virus? One option is Godaddy's Linux hosting restore feature. On average, a restore takes around 14 to 20 hours, depending on the size of your website.
If you have SSH access on your Godaddy Linux shared hosting account, then you can try the clean-ninoplas.sh script written by krkhan. Since these webmasters didn't have SSH enabled, I had to resort to the restore method or wait up to 72 hours to try the script. If you've tried this script, please let me know your results by leaving a comment below.
The last website was quite cumbersome to restore. The webmaster had many large files (.mp3, .mov, etc.) in the wp-content directory; many of them had to be restored one at a time, which took us many extra hours.
Tip: Store your uploads in a separate directory outside of WP's core installation files. I keep mine in a folder called images or media in the root. This makes site restoration much easier and avoids bogging down the server: I can restore the WordPress installation first and add the uploads afterwards. Also, limit the number of plugins you use; each one makes your wp-content folder larger.
Here's what they had in common...
- The WordPress sites redirected to http://www[DOT]bing[DOT]com/search?q=freevirusscan&go=&form=QBRE&filt=all
- Located near the bottom of the source code was
- Inability to log into the wp-admin area
- Malicious code was injected at the top of EVERY .php file, starting with this... <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGF.
- Linux shared hosting at *Godaddy running PHP Version 4.x.
- Each site used weak passwords for the hosting account, FTP, database and admin username, and the same password for all of them. (Please don't do this!)
- No Authentication Unique Keys had been added to the wp-config.php files.
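A detection and cleanup routine for the injected stub listed above, written for the SSH case mentioned earlier. This is an added example, not the original post's code and not krkhan's clean-ninoplas.sh; it assumes the injected eval(base64_decode(...)) call occupies exactly the first line of each file, and WP_ROOT is a placeholder path.

```shell
# Added example (not from the original post or from clean-ninoplas.sh):
# list .php files whose first line is the injected eval(base64_decode(...))
# stub quoted above, and strip that line after taking a backup. Assumes the
# stub occupies exactly the first line of each infected file.
MARKER='<?php /**/ eval(base64_decode("'

# Print every .php file under $1 whose first line starts with the marker.
find_infected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        first=$(head -n 1 "$f")
        case "$first" in
            "$MARKER"*) printf '%s\n' "$f" ;;
        esac
    done
}

# Drop the injected first line of $1, keeping the original as $1.bak.
# Returns 1 (and changes nothing) when the file is not infected, so the
# legitimate "<?php" opening tag of a clean file is never touched.
clean_file() {
    f=$1
    first=$(head -n 1 "$f")
    case "$first" in
        "$MARKER"*)
            cp -p "$f" "$f.bak"
            tail -n +2 "$f.bak" > "$f"
            return 0 ;;
    esac
    return 1
}

# Number of infected files still under $1 (0 means the tree is clean).
count_infected() {
    find_infected "$1" | wc -l | tr -d ' '
}

# Usage (WP_ROOT is a placeholder for the site's document root):
#   find_infected "$WP_ROOT"
#   find_infected "$WP_ROOT" | while IFS= read -r f; do clean_file "$f"; done
```

Review the listed files before cleaning them: the backup copies (.bak) let you compare the stripped line against the original if a file was flagged by mistake.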
Then we ran our WordPress Security Audit. I was surprised to find so many vulnerabilities. I looked at their website snapshot from two weeks prior to the attack and found that EVERY file had permissions set to 755, including .php, .html, .jpg, .gif, .txt and so on. This is a major no-no!
You need to set the correct permissions (Chmod)...
When you self-host WordPress on your own domain, you need to set permissions that control who and what can read, write, modify and access your files. This is necessary for WordPress to run properly and to enable certain functions. Do not overlook this step!
Depending on your WP plugins or theme requirements, permissions may vary. You can find out more about setting file permissions for WordPress here.
Caution: Never use 777 permissions (world-writable). This is dangerous and you're asking for trouble: anyone who hijacks any process on your server can then write to your files. If a plugin says to use 777, ask the developer why it's necessary and avoid it at all costs.
Unless you are told otherwise, here's what your file permissions should be...
All Files (.html, .php, .txt, .jpg, .js, etc.): Set all files to 644. This means the file is readable and writable by the Owner, and only readable by the Group and Public.
Note: To make your files more secure, try 604 first; this removes Group readability. If it doesn't work, go with 644.
All Directories (wp-admin, wp-content, wp-includes, wp-content/plugins, etc.): Set all directories to 755. This is 644 plus the execute bit for everyone; on a directory, execute means it can be entered (traversed), which is needed for the files inside to be accessed.
Note: To make your directories more secure, try 744, which removes the Execute bit from Group and Public. If it doesn't work, go with 755.
For more security, always start with the least permissive settings possible.
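The 644/755 baseline just described, as a shell routine that both enforces it and audits a WordPress tree for anything looser. This is an added example, not from the original post; WP_ROOT is a placeholder, and the mode numbers are the ones given above (swap in 604/744 if your host's PHP handler allows them).

```shell
# Added example, not from the original post: apply the 644/755 baseline to a
# WordPress tree and audit it for deviations. WP_ROOT is a placeholder path.

# Set every directory under $1 to 755 and every regular file to 644.
apply_baseline() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Print one line per deviation from the baseline. Symlinks are skipped
# because their own mode bits are meaningless. Categories:
#   WORLD-WRITABLE  the 777-style case the post warns about (any type)
#   FILE-NOT-644    a regular file whose mode is not exactly rw-r--r--
#   DIR-NOT-755     a directory whose mode is not exactly rwxr-xr-x
audit_perms() {
    root=$1
    find "$root" ! -type l -perm -002 | sed 's/^/WORLD-WRITABLE /'
    find "$root" -type f ! -perm 644 | sed 's/^/FILE-NOT-644 /'
    find "$root" -type d ! -perm 755 | sed 's/^/DIR-NOT-755 /'
}

# Number of findings; 0 means the whole tree matches the baseline.
audit_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Usage:
#   audit_perms "$WP_ROOT"      # review the findings first
#   apply_baseline "$WP_ROOT"   # then enforce the baseline
```

Run the audit before and after enforcing so you can see exactly which files a plugin or theme had loosened.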
Godaddy Hosting Configuration
Always keep your hosting account up-to-date. If you're using Godaddy, make sure you're using the latest Hosting Configuration. At the time of this post, Godaddy's latest version is 2.2. You can learn more about Godaddy's Hosting Configuration here, and instructions on how to upgrade are here.
Your current Hosting Configuration Version is located inside your Hosting Control Panel, see Image below (#1).
Make sure you're using PHP Version 5.x (#2 above) because...
- The development of PHP 4 ceased at the end of 2007.
- Critical security updates for PHP 4 stopped in August, 2008.
- PHP 5 has a number of improvements over PHP 4: it is more robust, runs faster, is easier to work with and has more security features.
Instructions on how to upgrade your PHP Version at Godaddy can be found here.
Check to make sure your database is running MySQL 5.x...
For better performance, scalability and security, your database should be MySQL Version 5.x (5.x = 5.0 or higher).
Here's how to check what MySQL version you have...
- Log in to your Godaddy Hosting Account.
- Click on "Hosting" in the left menu.
- Click on "Manage Account."
- Mouse over "Databases" in the top nav bar.
- Click on "MySQL" in the dropdown.
- You can see the version for your WordPress database in the first column or you can click on the "Pencil" icon next to your database and view it there (see image below).
More information can be found on our article, "WordPress Site Hacked - Ninoplas Base64 Virus."
If you've experienced any of these signs of the Ninoplas Base64 virus or have any questions, please share them by leaving a comment below. Help us spread awareness so that webmasters can stop this malicious hacker attack.
UPDATE 4/24/2010: We just restored another site on Thursday (4/22) with this same exact malware hack. This morning that same site was hit again with similarities, but had a different script above the this time, which looks like...
<script src="http://cechirecom.com/js.php"></script>
At this moment, we have yet to determine how they're getting in the sites at Godaddy. Unfortunately these 2 websites did not have our security packages installed, so we hopefully will be doing that for them soon.
UPDATE 4/25/2010: We have just posted an article about WordPress blogs being hacked on Godaddy with
. We believe this SQL injection is more dangerous than the ninoplas base64. Be sure to read...
MONITOR YOUR SITES: While this epidemic seems to be spreading rapidly, we suggest that you put your sites on auto-monitor with Sucuri Web Integrity Monitoring. Get notified first if your site's been compromised, before your clients tell you! Use our *special affiliate link and save. It's only $7.99/month or $79/year (normally $9.99/month & $89.99/year).
If you know any information about this particular virus, please leave a comment below.
*Denotes our affiliate link, see our Disclosure.