Avoid Catching the Ninoplas Base65 Virus!

This morning one of our associates called in a panic, saying that several of the WordPress websites they host on GoDaddy had been hacked and infected with the Ninoplas Base65 malware.

The client related that he had found out about the malware injection when he logged into one of his sites using Google Chrome and it alerted him that the site he was about to visit had a security vulnerability.

The client had been in contact with GoDaddy’s customer support, who said that they were aware of the WordPress vulnerability and had been working with WordPress to find out how the intrusion was made and to work on a patch.

How We Removed the Malware

The client and I then went to work to track down and remove the mischievous code that was planted somewhere on his website(s).

We started by looking at all the .htaccess files in his sites and did not find anything unusual there.

Then we moved on to the actual pages of his website(s).

On most of his PHP pages we found the following code.

On line one, above the head section of his HTML code, we discovered one large line of code that started off with <?php /**/ eval(base64_decode(

At the bottom of the page we found a JavaScript include that called a js.php file in a folder called cechirecom.

We first removed this code and then confirmed by using Google’s Chrome browser that we were not getting the same warning message that the website was unsafe.

Change Your Passwords and Check Your Permissions!

The next step was changing all the passwords on the WordPress site along with all FTP passwords for that account.

After this we performed a security audit of the file permissions on the site using chmod and found several files that were set to 755 and one that was set to 777. This is a huge no-no!

From our experience consulting with other clients that have undergone similar attacks, one thing they each had in common was that they had permissions set to either 755 or 777.

To avoid attacks on your own websites, I would recommend that you set your file and directory permissions to 644. This allows the files to be readable by the group and the public, but only writable by the owner.

Another tip is to keep all your WordPress plug-ins and files up-to-date.
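
The checks described above (the eval(base64_decode( line, the cechirecom reference, and files not set to 644) can be scripted. The following is an added example, not code from the original post; the function names and the sample site it builds are constructed for illustration, and it only reads the files it scans.

```shell
#!/bin/sh
# Added example: read-only scan for the indicators described in this post.
# Function names and the sample tree are constructed for illustration.

# PHP files containing the injected eval(base64_decode( loader.
find_eval_loader() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + || true
}

# Files that reference the cechirecom folder, plus the folder itself.
find_cechirecom() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm*' -o -name '*.js' \) \
        -exec grep -l 'cechirecom' {} + || true
    find "$1" -type d -name 'cechirecom'
}

# Regular files whose mode differs from the 644 recommended in the post.
find_not_644() {
    find "$1" -type f ! -perm 644
}

# Build a small constructed tree so the script can be tried offline.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/cechirecom"
    printf '%s\n' '<?php /**/ eval (base64_decode("Y29uc3RydWN0ZWQ="));' \
        '<html><body>sample</body></html>' \
        '<script src="/cechirecom/js.php"></script>' > "$d/index.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/clean.php"
    printf '%s\n' '<?php /* placeholder */ ?>' > "$d/cechirecom/js.php"
    chmod 644 "$d/index.php" "$d/clean.php"
    chmod 777 "$d/cechirecom/js.php"
    echo "$d"
}

# Usage: sh scan.sh /path/to/site   (no argument: scan the sample tree)
report() {
    site=${1:-$(make_sample_site)}
    echo "== eval(base64_decode( loader ==";  find_eval_loader "$site"
    echo "== cechirecom references ==";       find_cechirecom "$site"
    echo "== files not set to 644 ==";        find_not_644 "$site"
}
report "$@"
```

Review every file the scan lists by hand before removing anything, since legitimate plug-ins can also call base64_decode.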


Certified Master SEO Instructor by the Search Engine Academy and CEO and founder of SEO Training SW.
Roy Reyer

28th April 2010
