Support » Fixing WordPress » Admin blown up & possible Virus??

  • Resolved kiddsock

    (@kiddsock)


    I wonder if my WP was hit by a virus. Not my computer though. Whenever I go to my website OR my admin, my Virus protection blocks a URL coming from both. http://kiddsock.com

    The object blocked is ninoplas.com/in.php Anyone know anything about this??

    Plus my Admin is not loading right at all. Some of the Widgets say they need JavaScript. I have it and it seems to be running fine everywhere else. (I will have to get a screenshot and post it.)

    I have used multiple computers and multiple browsers to check. Chrome, Firefox & IE. Even the WordPress Login page is having the same issue.

    Thank you in Advance.

Viewing 15 replies - 1 through 15 (of 31 total)
  • alism

    (@alism)

    Sounds very much like you’ve been hacked. 🙁

    Couple of links to get you started:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    You might want to scan your PC for malware now too by the way – just in case.

    Seems like your admin pages (and probably your entire blog) is stuffed with trojan horses. Clean it up as fast as possible, so it won’t affect your visitors.

    Thread Starter kiddsock

    (@kiddsock)

    Thanks gonna try those things to clean it. Ugggg FUN! Even the Login Page is doing the same thing. How is this even possible? computer is clean. Maybe it is in the code of the appearance and I can take out the offending code. Kinda new at this.

    Luckily I don’t have many visitors yet. LOL

    dvwp

    (@dvwordpress)

    your site has definitely been hacked, i had the same problem. if you view your page’s source in a browser you will see the hacked code script at the bottom of the page. this is a pretty weak encoding as you can see, it inserts three characters between the actual code.

    ie, ….d*%@o*%@c*%@u*%@m*%@e*%@n*%@t… = “document”

    this is where the ninoplas.com crap is located.

    does anyone know what this code does? and who benefits? and who is ninoplas.com?

    tamilsweet

    (@tamilsweet)

    Hi,
    Just replace all WordPress/Plugin files with newly downloaded files.
    Then edit all the PHP files in your theme and remove the first line.

    The issue is because an encrypted code(1st line) was added in all the PHP files in your server.

    Regards,
    Tamil

    tamilsweet

    (@tamilsweet)

    The injection could be because of poor password selection. Please do change all your passwords and make them stronger.
    Its possible that one of the active plugin could be responsible for security leak.
    Can you provide the list of plugins you have active in your site??

    I just fixed same issue for a client. So, I want to compare the active plugins in both sites.

    krkhan

    (@krkhan)

    The ninoplas crap is present on all pages on my website too. I believe a plugin has triggered it. Will post the list once I clean my installation.

    krkhan

    (@krkhan)

    Even the theme files have the garbled PHP code. Will have to write a script to clean all PHP files 🙁 .

    krkhan

    (@krkhan)

    I have fixed my blog using a tiny BASH script which deleted the first line from all PHP files containing the dirty code.

    Active plugins:

    • Akismet
    • All in One SEO Pack
    • Configurable Tag Cloud
    • Content-negotiation
    • FeedBurner FeedSmith
    • Google XML Sitemaps
    • Limited Category Lists Widget
    • MoveComments
    • No Revisions
    • Ozh’ Better Feed
    • Subscribe To Comments
    • TweetMeme Retweet Button
    • Twitter for WordPress
    • WP-Stats
    • WP-Syntax
    Thread Starter kiddsock

    (@kiddsock)

    Fixed… found it in the WP config file as a HUGE Hexcode.

    @tamilsweet Oh it is a good password.

    Anyone know how to get the Classic WP Theme back? it is not listed in the Themes.

    I used/modified that to create my website and have all the code to restore it back to what I want. I deleted plugins and themes to fix.

    Minda40

    (@minda40)

    SAME THING as kiddsock,

    thanks.

    “wonder if WP was hit by a virus. Not my computer though. Whenever I go to my website OR my admin, my Virus protection blocks a URL coming from both. http://kiddsock.com

    The object blocked is ninoplas.com/in.php Anyone know anything about this??

    Plus my Admin is not loading right at all. Some of the Widgets say they need JavaScript. I have it and it seems to be running fine everywhere else. (I will have to get a screenshot and post it.)

    I have used multiple computers and multiple browsers to check. Chrome, Firefox & IE. Even the WordPress Login page is having the same issue.”

    Thread Starter kiddsock

    (@kiddsock)

    @minda40 What’s your website? does my site cause the virus issue anymore. Just hope it does not come back.

    Mine is Hosted on GoDaddy. I was able to logon on to the hosting and Edit the files w/out downloading them.

    krkhan

    (@krkhan)

    Interestingly, my site is hosted on GoDaddy as well. @minda40, what about you?

    Minda40

    (@minda40)

    Yes, on GoDaddy. Reported issues of blank admin / admin without styling-layout hours earlier. Soon as virus liklihood, reported that to them as well. I’ve taken off all WP files for now.

    Also had installed a patch recommended within the GoDaddy environment for all my WP installs.

    Had very few Plug-Ins:
    Akismet
    All in One SEO Pack
    Hello Dolly (never activated)
    Fast and Secure Contact Form
    Maintenance Mode
    Calendar (don’t think ever activated)

    Samuel B

    (@samboll)

    a look at “hack” threads and godaddy and their shared servers come up quite a bit
    maybe time to do some serious complaining because it’s not just wordpress being hacked at godaddy

Viewing 15 replies - 1 through 15 (of 31 total)
  • The topic ‘Admin blown up & possible Virus??’ is closed to new replies.