Ninoplas or Cechriecom Base64 virus on Wordpress and all php files. How to remove via ssh (godaddy)!
Categories: Antivirus, Browser, Removal Tool, Wordpress Malware Removal. April 25th, 2010
My story with the Cechirecom base64 hack/virus
Yesterday I saw that when I accessed my website I was redirected to another page telling me that I was infected and that I needed to install the antivirus program offered there. That program was in reality a rogue antivirus (FakeAV). I had BitDefender installed on my PC so I wasn't affected, but I am not sure about the hundreds of visitors I had yesterday on all my blogs and web pages.
First I checked all the php files in my main WordPress installation and saw that they contained <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZ which decodes to code that loads a JavaScript file. I started cleaning them up manually and succeeded with most of the files in my wp-content folder, where all the plugins and themes are, but hundreds of other files in the WordPress core were affected as well. So I removed all those files and installed WordPress again. Click here to see how to upgrade manually.
That did not clean up my other WordPress installations or the other CMS installations on the same hosting account, so I searched the internet and found a script that would clean up the mess here: http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix (I am not sure why, but my comments are not published there). The injected code I had was a little different from what that script expected, so it didn't work, and GoDaddy also said "access denied" when I tried it. I tried to customize the script to match what I had, but still nothing. The command below works for any infection of this kind, because it does not match one specific payload: it deletes every line that contains base64_decode.
Ninoplas and Cechirecom Base64 Removal (Godaddy)
If you have a GoDaddy account and a WordPress installation, or this issue in any other CMS (php files), you can do the following. I found the SSH command in a comment on wordpress.org and it cleaned all infected files in a few seconds:
1. Enable SSH on your GoDaddy account; it can take up to 24 hours. Read here how: http://help.godaddy.com/topic/58/article/4942
2. Download PuTTY and install it.
3. After SSH is enabled, start PuTTY and use the following:
Host Name or IP Address
Type your host name (domain name) or IP address.
Port
If prompted for the port, type 22.
4. A black screen will appear and you will have to log in with the following:
User Name or Login as
The primary FTP user name for the account.
Password
This is the same as the primary FTP user password on the account.
5. Now type the following to get to the folder that holds your html/php files and all the installations (don't forget to hit Enter afterwards):
cd html
6. You have almost cleaned up your website. Copy and paste the following command into the PuTTY window:
find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;
To paste into the PuTTY window, just right-click where the command should go. If you copied the command from a web page, paste it into Notepad first and make sure the quotes are straight ASCII quotes (" and '); curly "smart" quotes are not recognised by the shell and the command will not match anything. The command searches every .php file under the folder you are in (here "html", the root of your files) for the string base64_decode and deletes each line that contains it, which takes the whole injected malware line with it. Be aware that it also deletes any legitimate line that calls base64_decode, so review your plugins afterwards.
7. Now check the php files to see whether the malware code is gone (the command prints nothing; the prompt simply returns after a few seconds), and tell me the result in a comment, along with any other tips and tricks for removing such malware from our sites.
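As an added example (not the post's own command), the following POSIX shell script wraps the idea from step 6 in a safer procedure: list the infected files first, back up the web root, delete only lines of the injected "eval(base64_decode(" form rather than every line that mentions base64_decode, and count what remains so the result can be verified. The directory layout, file names and sample PHP contents are constructed for the demo; on a real account you would point the functions at ~/html after logging in.

```shell
#!/bin/sh
# Added example, not from the original post: a safer version of the one-line
# cleanup in step 6. It previews which files are infected, backs up the web
# root, removes only lines of the injected form <?php /**/ eval(base64_decode(...
# and then re-counts infected files so the result can be verified.
# The directory layout and the two sample PHP files below are constructed for
# the demo; on a real account you would run the functions against ~/html.

# Fixed string that identifies the injected line (as shown in the post).
PATTERN='eval(base64_decode('

# List every .php file under $1 that contains the injected line.
list_infected() {
    find "$1" -type f -name '*.php' -exec grep -l -F "$PATTERN" {} \;
}

# Number of infected .php files under $1 (0 when clean).
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# Archive $1 into the tar file $2 before changing anything.
backup_tree() {
    tar -cf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Delete only lines containing eval(base64_decode( from infected files under $1.
# A line that merely calls base64_decode() (legitimate plugin code) is kept,
# unlike the post's '/base64_decode/d', which deletes any such line.
# Each file is rewritten through a temp copy, so no sed -i option is needed.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        sed '/eval(base64_decode(/d' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
}

# Build a throwaway web root with one infected plugin file and one clean file
# that legitimately uses base64_decode(). Prints the root path.
demo_setup() {
    root="$(mktemp -d)/html"
    mkdir -p "$root/wp-content/plugins/demo"
    # Constructed infected file: the injected line, then the plugin's real code.
    printf '%s\n' \
        '<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZ")); ?>' \
        '<?php' \
        'function demo_hello() { return "hello"; }' \
        > "$root/wp-content/plugins/demo/demo.php"
    # Constructed clean file: must survive untouched.
    printf '%s\n' \
        '<?php' \
        'function demo_decode($s) { return base64_decode($s); }' \
        > "$root/wp-content/plugins/demo/util.php"
    echo "$root"
}

# Run the whole procedure on the demo tree and report
# "<infected before> <infected after> <legit call kept> <real code kept>".
run_demo() {
    root="$(demo_setup)"
    before="$(count_infected "$root")"
    backup_tree "$root" "$root.bak.tar"
    clean_tree "$root"
    after="$(count_infected "$root")"
    kept=no; grep -q 'return base64_decode' "$root/wp-content/plugins/demo/util.php" && kept=yes
    code=no; grep -q 'function demo_hello' "$root/wp-content/plugins/demo/demo.php" && code=yes
    echo "$before $after $kept $code"
}

run_demo
```

On the real account you would run list_infected ~/html first to see the damage, backup_tree ~/html ~/html.bak.tar, then clean_tree ~/html and count_infected ~/html; a count of 0 means no file still carries the injected eval line. If the malware was prepended to the same line as real code rather than on its own line, deleting the line loses that code too, which is why the backup comes first.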
Tips and tricks after the fix
If everything went well, upgrade WordPress to the latest version, which can be found here: http://wordpress.org/latest.zip . See here how to upgrade: http://codex.wordpress.org/Upgrading_WordPress . Also upgrade all the plugins you have installed, and remove all inactive plugins that you don't use.
Other tips regarding Cechirecom can be found here: http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/ (BTW, the restore feature didn't work for me; it simply said "Cannot access folder" for backups from before 23 April.)
For Users (also for infected website owners):
- Read how to remove Rogue AV on MalwareCity.com : http://www.malwarecity.com/blog/how-to-remove-rogue-security-software-274.html
- Use the BitDefender Online Scanner to remove viruses (access it with Internet Explorer): 
Please leave me a comment if it worked for you, and also leave a comment if you have other tips for removing the malware or for securing WordPress.
Hi Rudi,
Thanks for this great post on how you fixed your hacked WordPress using SSH. Very valuable information!
You're the first webmaster on GoDaddy that has said the restore feature is not working. Hmmm.
In regards to the hack, I’m very happy you were able to fix your site. I hope your visitors, and web surfers, have an up-to-date antivirus program running to protect them.
As far as your comments not being shown on inspirated.com, it could be because they showed up in their spam folder. When I received your comment, yours was in there, so I moved it. Not sure why.
Securely yours,
Regina Smola
[...] UPDATE 4/25/10 AT 2:00pm: If you're unable to restore your site with the steps listed above and you have SSH access, be sure to read Rudi's post, "Ninoplas or Cechriecom Base64 virus on Wordpress and all php files. How to remove via ssh (godaddy)!" [...]
@Regina: Could be because I also have an automated blog on one subdomain and akismet marked it as spam. I sent an e-mail to akismet regarding this.
Regarding the restore function, it worked just for 24 April; at that time the website was already hacked.
Regards,
Rudi
If you just copy / paste the code shown here, IT WILL NOT WORK. The published text uses “smart” quotes, which will not be seen as quotes by your shell.
To make it work, replace the quotes with straight double or single quotes (ASCII character 34 or 39).
I’m also surprised by the “cd home”, but not having a GoDaddy account, I don’t know. Do you really have a “./home” sub-directory under your account’s $HOME directory? Or was that supposed to be “cd $HOME” instead (without quotes).
Last: the suggested command will remove any line containing the string “base64_decode” in any .php file. But that is probably indeed what you want. So just change these quotes to make it work.
Hi rduke15,
I don't have a code box; it seems the quotes changed when I pasted it into WordPress. Thanks for the comment.
For the cd home, it was "cd html" instead; it seems I hurried to write the article and forgot. I changed it.
Thanks!
I added SSH to my GoDaddy account and used this string. It did nothing. I also fixed the quote issue mentioned above. You enter the command, the system thinks, and 2 seconds later you are back at the prompt. The first line of the inserted code reads: <?php /**/ eval(base64_decode
Any ideas?
Have you changed all the quotes? WordPress seems to change them all, even the single ones like this ‘.
Try to copy and paste the code now; this time it is exactly as I used it. Copy and paste it into Notepad first.
Tell me if it works. (It won't tell you it worked; after 2 seconds the prompt will appear and you have to check the files via FTP.)
Nothing so far. I tried it twice. No file dates changed and the virus remains in the theme files and plugin php files. I had already reinstalled WordPress. I have to go, but I'll be back later to try again. It did seem like it ran longer this time.
It DID work! Here's the deal: when GoDaddy activated SSH, the site was actually at a new IP address, and the new IP address needed time to propagate. I was still using the old IP address to examine the old files. Later in the day the site and the FTP address had finally changed, and I was just able to verify that the site was cleaned.
You rock dude!
Great, happy it worked for you too.
Thank you, your one-line solution worked very well for me.
Just today I got infected on my GoDaddy Linux hosting account.
Hey, while going for SSH on GoDaddy I read this note:
NOTE: If you have databases on your account, you cannot setup SSH. We recommend backing up your database structure and data before deleting it and enabling SSH. After SSH is enabled, your databases must be recreated.
I certainly have a database on GoDaddy. Backing up the DB is no issue. Does backing up data mean wp-content, or more specifically wp-uploads, since the rest of the data like posts etc. is in the DB itself? What do you advise for this step?
Hmm, I had no problems when I updated my account to SSH; I just clicked the button and waited for it to be activated. As far as I know they just change the hosting servers for the files you have there. So back up your SQL before updating to SSH.
Great job!
Before I saw this post, I had deleted the "<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZ" again and again in all my php files. I'm so tired, but on the bright side I finally got them cleaned up.
And I have some questions:
Is there a way to make sure that the virus has really gone away?
Could this happen again on my blog?
Thanks very, very much!
[...] My story with the Cechirecom base64 hack/virus Cechirecom.com.js.php – WordPress Hacked | Case Study [...]