
Avoid Catching the Ninoplas Base65 Virus!
This morning one of our associates called in a panic, saying that several of the WordPress websites that they host on GoDaddy had been hacked into and infected with the Ninoplas Base65 malware.
The client related that he had found out about the malware injection when he logged into one of his sites using Google Chrome and it alerted him that the site he was about to visit had a security vulnerability.
The client had been in contact with GoDaddy’s customer support, and they related that they were aware of the WordPress vulnerability and had been working with WordPress to find out how the intrusion was made and to work on a patch.
How We Removed the Malware
The client and I then went to work to track down and remove the mischievous code that was planted somewhere on his website(s).
We started by looking at all the .htaccess files in his sites and did not find anything unusual there.
Then we moved on to the actual pages of his website(s).
What we found on most of his pages was the inclusion of the following code on his PHP pages.
On line one, above the head section of his HTML code, we discovered one large line of code that started off with <?php /**/ eval(base64_decode(
At the bottom of the page we found a JavaScript that called a js.php file that was in a folder called cechirecom
We first removed this code and then confirmed by using Google’s Chrome browser that we were not getting the same warning message that the website was unsafe.
Change Your Passwords and Check Your Permissions!
The next step was changing all the passwords on the WordPress site along with all FTP passwords for that account.
After this we then performed a security audit using chmod on the files on the site and found several that were set to 755 and one that was set to 777; this is a huge no-no!
From our experience consulting with other clients who have undergone similar attacks, we found that one thing they each had in common was that they had permissions set to either 755 or 777.
To avoid attacks on your own websites, I would recommend that you set your file and directory permissions to 644. This allows the files to be readable to the group and public, but only writable by the owner.
Another tip is to keep all your WordPress plug-ins and files up-to-date.
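The manual checks described above (the eval(base64_decode( line at the top of PHP pages, the script tag calling js.php, and the file set to 777) can be automated across a whole site. The following is an added example, not code from the original post; the function names, sample files and placeholder base64 string are constructed for illustration.

```python
import os, re, stat, tempfile

# Patterns follow the description above: eval(base64_decode( right after the
# opening PHP tag, and a script tag that loads a js.php file.
INJECTED_PHP = re.compile(rb"<\?php\s*(/\*.*?\*/\s*)?eval\s*\(\s*base64_decode\s*\(", re.I | re.S)
INJECTED_JS = re.compile(rb"<script[^>]+src\s*=\s*[\"'][^\"']*js\.php", re.I)

def scan_tree(root):
    """Return {relative_path: [findings]} for every flagged file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = []
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:  # anyone on the host can modify the file
                findings.append("world-writable (%o)" % mode)
            if name.lower().endswith((".php", ".html", ".htm")):
                with open(path, "rb") as fh:
                    data = fh.read()
                if INJECTED_PHP.search(data[:4096]):  # injection sat on line one
                    findings.append("eval(base64_decode( near top of file")
                if INJECTED_JS.search(data):
                    findings.append("script tag loading js.php")
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample_site(root):
    """Write constructed sample files; the base64 string is a harmless placeholder."""
    samples = {
        "index.php": b"<?php /**/ eval(base64_decode('UExBQ0VIT0xERVI=')); ?>\n<html><body>\n"
                     b"<script src=\"/cechirecom/js.php\"></script></body></html>\n",
        "about.php": b"<?php get_header(); ?>\n<p>About us</p>\n",
        "upload.php": b"<?php // clean content, loose permissions\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), 0o777 if name == "upload.php" else 0o644)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", "; ".join(findings))
```

Point scan_tree at a downloaded copy of the site rather than the live web root, and treat each hit as a file to review by hand, since legitimate plug-ins sometimes use base64_decode as well.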