[resolved] Admin blown up & possible Virus?? (32 posts)

  1. kiddsock
    Member
    Posted 4 years ago #

    I wonder if my WP was hit by a virus. Not my computer though. Whenever I go to my website OR my admin, my Virus protection blocks a URL coming from both. http://kiddsock.com

    The object blocked is ninoplas.com/in.php Anyone know anything about this??

    Plus my Admin is not loading right at all. Some of the Widgets say they need JavaScript. I have it and it seems to be running fine everywhere else. (I will have to get a screenshot and post it.)

    I have used multiple computers and multiple browsers to check. Chrome, Firefox & IE. Even the WordPress Login page is having the same issue.

    Thank you in Advance.

  2. alism
    Member
    Posted 4 years ago #

    Sounds very much like you've been hacked. :-(

    Couple of links to get you started:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    You might want to scan your PC for malware now too by the way - just in case.

  3. Walker
    Member
    Posted 4 years ago #

    Seems like your admin pages (and probably your entire blog) is stuffed with trojan horses. Clean it up as fast as possible, so it won't affect your visitors.

  4. kiddsock
    Member
    Posted 4 years ago #

    Thanks, gonna try those things to clean it. Ugggg FUN! Even the Login Page is doing the same thing. How is this even possible? Computer is clean. Maybe it is in the code of the appearance and I can take out the offending code. Kinda new at this.

    Luckily I don't have many visitors yet. LOL

  5. dvwp
    Member
    Posted 4 years ago #

    your site has definitely been hacked, i had the same problem. if you view your page's source in a browser you will see the hacked code script at the bottom of the page. this is a pretty weak encoding as you can see, it inserts three characters between the actual code.

    ie, ....d*%@o*%@c*%@u*%@m*%@e*%@n*%@t... = "document"

    this is where the ninoplas.com crap is located.

    does anyone know what this code does? and who benefits? and who is ninoplas.com?

  6. tamilsweet
    Member
    Posted 4 years ago #

    Hi,
    Just replace all WordPress/Plugin files with newly downloaded files.
    Then edit all the PHP files in your theme and remove the first line.

    The issue is because an encrypted code (1st line) was added in all the PHP files on your server.

    Regards,
    Tamil

  7. tamilsweet
    Member
    Posted 4 years ago #

    The injection could be because of poor password selection. Please do change all your passwords and make them stronger.
    It's possible that one of the active plugins could be responsible for the security leak.
    Can you provide the list of plugins you have active in your site??

    I just fixed same issue for a client. So, I want to compare the active plugins in both sites.

  8. krkhan
    Member
    Posted 4 years ago #

    The ninoplas crap is present on all pages on my website too. I believe a plugin has triggered it. Will post the list once I clean my installation.

  9. krkhan
    Member
    Posted 4 years ago #

    Even the theme files have the garbled PHP code. Will have to write a script to clean all PHP files :( .

  10. krkhan
    Member
    Posted 4 years ago #

    I have fixed my blog using a tiny BASH script which deleted the first line from all PHP files containing the dirty code.

    Active plugins:

    • Akismet
    • All in One SEO Pack
    • Configurable Tag Cloud
    • Content-negotiation
    • FeedBurner FeedSmith
    • Google XML Sitemaps
    • Limited Category Lists Widget
    • MoveComments
    • No Revisions
    • Ozh' Better Feed
    • Subscribe To Comments
    • TweetMeme Retweet Button
    • Twitter for WordPress
    • WP-Stats
    • WP-Syntax
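
The cleanup described in post 10 (delete the first line of every PHP file that carries the injected code), written out as an added example; it is not krkhan's script or any code from this thread. `NEEDLE` is a constructed placeholder to be replaced with a string copied from your own infected files, and `scan_php` is a hypothetical name.

```shell
#!/bin/sh
# Added example: report, and optionally clean, PHP files whose FIRST line
# contains an injected marker. Only line 1 is checked, because the thread
# reports the injected code as the first line of each infected file.

# Constructed placeholder, not a real indicator: paste a distinctive piece
# of the injected first line from one of your own infected files.
NEEDLE='eval(base64_decode("CONSTRUCTED_PLACEHOLDER'

# scan_php DIR [list|clean]
#   list  (default) print the path of every infected *.php file, change nothing
#   clean copy FILE to FILE.infected-bak, then rewrite FILE without line 1
scan_php() {
    find "$1" -type f -name '*.php' -exec sh -c '
        needle=$1; mode=$2; shift 2
        for f do
            # fixed-string match on the first line only
            head -n 1 "$f" | grep -qF -e "$needle" || continue
            if [ "$mode" = clean ]; then
                # keep a backup so anything legitimate that shared
                # line 1 with the injected code can be restored by hand
                cp -p "$f" "$f.infected-bak" &&
                    tail -n +2 "$f.infected-bak" > "$f" || continue
            fi
            printf "%s\n" "$f"
        done
    ' sh "$NEEDLE" "${2:-list}" {} +
}
```

Run `scan_php /path/to/site list` first and review the hits; it covers every directory under the path, not only the WordPress one. After `clean`, move the `.infected-bak` copies off the server, since they still contain the injected code.
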

  11. kiddsock
    Member
    Posted 4 years ago #

    Fixed... found it in the WP config file as a HUGE Hexcode.

    @tamilsweet Oh it is a good password.

    Anyone know how to get the Classic WP Theme back? it is not listed in the Themes.

    I used/modified that to create my website and have all the code to restore it back to what I want. I deleted plugins and themes to fix.

  12. Minda40
    Member
    Posted 4 years ago #

    SAME THING as kiddsock,

    thanks.

    "wonder if WP was hit by a virus. Not my computer though. Whenever I go to my website OR my admin, my Virus protection blocks a URL coming from both. http://kiddsock.com

    The object blocked is ninoplas.com/in.php Anyone know anything about this??

    Plus my Admin is not loading right at all. Some of the Widgets say they need JavaScript. I have it and it seems to be running fine everywhere else. (I will have to get a screenshot and post it.)

    I have used multiple computers and multiple browsers to check. Chrome, Firefox & IE. Even the WordPress Login page is having the same issue."

  13. kiddsock
    Member
    Posted 4 years ago #

    @Minda40 What's your website? Does my site cause the virus issue anymore? Just hope it does not come back.

    Mine is Hosted on GoDaddy. I was able to logon on to the hosting and Edit the files w/out downloading them.

  14. krkhan
    Member
    Posted 4 years ago #

    Interestingly, my site is hosted on GoDaddy as well. @Minda40, what about you?

  15. Minda40
    Member
    Posted 4 years ago #

    Yes, on GoDaddy. Reported issues of blank admin / admin without styling-layout hours earlier. Soon as virus likelihood, reported that to them as well. I've taken off all WP files for now.

    Also had installed a patch recommended within the GoDaddy environment for all my WP installs.

    Had very few Plug-Ins:
    Akismet
    All in One SEO Pack
    Hello Dolly (never activated)
    Fast and Secure Contact Form
    Maintenance Mode
    Calendar (don't think ever activated)

  16. Samuel B
    moderator
    Posted 4 years ago #

    a look at "hack" threads and godaddy and their shared servers come up quite a bit
    maybe time to do some serious complaining because it's not just wordpress being hacked at godaddy

  17. krkhan
    Member
    Posted 4 years ago #

    because it's not just wordpress being hacked at godaddy

    Indeed, as I also found infected PHP files in a directory entirely different than WordPress'.

  18. kiddsock
    Member
    Posted 4 years ago #

    Hmm hopefully I got it all. It seems to be ok. I contacted GoDaddy support and I got pretty much a big long automated reply back stating the hazards of viruses and hacks AND that there was nothing they could do. Plus a recommendation to have a good password. Yeah, DUH!!

    Now I just have to get the WordPress Classic_Theme back since I deleted it, but it is not in the Themes listed to Install.

    I did find an AntiVirus Plugin so hope that helps as well.

  19. jjm0109
    Member
    Posted 4 years ago #

    Hi Krkhan, I visited your blog about the bash script you made.
    I’ve changed the needle value to the base64 code found on all of my infected php files.
    Can you please tell me how do I execute this script?
    I’m a newbie in bash.
    Where do I input these commands: cd; wget; sh ?

    My blog too is hosted on godaddy. Not only wordpress, my SMF & vB Forums too are infected with same base64 code in 1st line. It decodes to some javascript. Bloody hell, someone please help. My company's reputation is at risk. Most of my clients' websites are hosted on the same server.

  20. Samuel B
    moderator
    Posted 4 years ago #

    Now I just have to get the WordPress Classic_Theme back since I deleted it, but it is not in the Themes listed to Install.

    just grab the new wordpress zip and get it from there

  21. dvwp
    Member
    Posted 4 years ago #

    our site is at godaddy as well, but a quick check showed other files and directories were untouched. a look at the logs during the days around the time the site got hacked show posts from china and korea. google analytics also shows a visit from germany. this is unusual as our site is just starting, so the logs are pretty easy to go through since we're not publicly known yet, especially internationally.

    it seems that this particular hack adds the base64 crap at the top of all your php pages. this (i'm guessing) is a coded script to add an encoded script at the end of your page. (this can be viewed by looking at your page source in a browser.)

    another way to check things is to make all plug-ins inactive. when this is done you will probably see the hacked script removed from your pages when checked with your browser.

    sorry not to be more helpful, but this is my first time hunting for hackers! :)

  22. dvwp
    Member
    Posted 4 years ago #

    ps. it is my theory that all wp blogs with weak passwords hosted at godaddy are probably victims of this hack.

    fyi all in one seo is the only plugin which i share with both of the above lists, if that is informative in anyway.

  23. kiddsock
    Member
    Posted 4 years ago #

    @samboll that is exactly what I did, and then uploaded it.

    Thanks!!

  24. krkhan
    Member
    Posted 4 years ago #

    @jjm0109: I replied to the comment too but anyways you need SSH access for using the script.

    And I don't believe this had anything to do with passwords being weak. My password was a random string of digits, mixed case characters and symbols (something like: 34faewSWASA_B).

    On my site, _every_ PHP file in existence regardless of its location (inside or outside WP directory) was infected. It seems pretty certain now that GoDaddy's servers were breached. Too bad they won't ever accept that.

  25. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    I'll second the godaddy issue...

    My problem that I documented here:
    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    Came back after cleaning. I know quite well that my files were all spotless, my DBs were all spotless, I had accounted for every file on my server, and my passwords were all good. I'd been hacked twice before and learned good and well how to take care of my personal security issues.

    I had removed all non-WP software, as other packages I wasn't as familiar with, and I didn't feel they were addressing security well enough.

    So I had everything clean and taken care of.....but then again all my php files were altered. Of course godaddy was no help with the issues.

  26. allenews
    Member
    Posted 4 years ago #

    The virus is on my site as well, allenews.com since yesterday, I cleaned all php files from the code but the virus code keeps appearing in the bottom of the site? Does anyone have a suggestion of how i can clean the virus? Maybe i missed one of the php files and this is why the code is still there? Please Helpppp...

  27. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    have you read all the links on here?
    if you were thorough, you would be clean!

  28. dvwp
    Member
    Posted 4 years ago #

    allenews:

    do what i suggest and deactivate all your plugins. still get the virus code? then you missed a php file.

    virus code gone when plug ins deactivated?
    upload new versions of the plug-ins.

  29. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    as part of that reading suggested, if you've been hacked...

    ALL plugins need to be deleted and reinstalled
    ALL theme files also
    ALL WP core files also (a reinstall will take care of this except for wp-config.php which can be cleaned by hand)
    .....see a pattern? It's all very clear in the linked reading....if you skip any of it, it will come back.

    Have you looked for php files that don't belong? That's often a culprit.... if you clean the code from every single php file, but leave the php file injecting the code, it'll happen over and over!

  30. allenews
    Member
    Posted 4 years ago #

    dvwordpress - did what you said, now it's all clean, hope it won't come back again. In case it does i guess I'll have to do whatever RVoodoo says, that won't be fun:) Thank You!!

Topic Closed

This topic has been closed to new replies.
