Godaddy site hacked : ninoplas Base64

I was suddenly called: some of the developers were complaining that their sites were redirecting somewhere else (opening a search link on Bing) and that the landing pages were taking a very long time to load.

I soon found that the index page was infected with a script and that the header page had been modified as well. The injected code is an encoded/Unicode string that begins with "base64_decode" and continues for many long lines; after deleting it I found that the same code had been added to every PHP file on the same hosting account. If a programmer removes only the first line of the injected code, a script still appears injected into the output HTML page, redirecting to something like "klkskdskjdks.com", a domain registered on March 15th 2015.
Actions:
1. I moved the hosting to another server and restored it from a backup copy.
2. I reset the passwords of all FTP users immediately.
3. I restored the file permissions to 644 or 754.
4. I ran the following command to remove the line containing the encoded payload from all the .php files:

find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;

Note that this deletes every line containing base64_decode, not only the injected one, so confirm first that no legitimate code in the tree calls that function (and keep a backup before running it).

The same approach works for removing malicious code inserted into all the HTML and JS files. ssh in, change to the document root directory, and run:

$ find . -type f -name "*.html" -exec sed -i '/BDJSDJDS/d' {} \;

$ find . -type f -name "*.js" -exec sed -i '/BDJSDJDS/d' {} \;

You can also use this command to identify the infected files, i.e. those containing the malicious script:

# grep -H -r "var sSecureQ='';var aV=function(){};var checkL;var" html/ | cut -d: -f1

Where:
"var sSecureQ='';var aV=function(){};var checkL;var" is the first line of the injected code.
html/ is the path in which the search will occur.

After this the script no longer appeared on the index page, and we had escaped, at least temporarily.
5. I reviewed the web server access logs but found nothing in them. I also noticed that some of the HTML pages had been modified at the same time.
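The cleanup steps above, as an added example that is not part of the original post: a small POSIX shell script that finds every file under a directory carrying a known injection signature, keeps a backup copy of each one, and deletes only the lines that carry the signature. The signature strings, the .infected.bak naming and the constructed sample files in demo are my assumptions; the script assumes GNU sed for the -i flag. Matching the full "eval(base64_decode(" prefix instead of the bare word base64_decode is what keeps legitimate callers of that function intact.

```shell
#!/bin/sh
# Added example, not the original post's commands: locate files carrying a
# known injection signature, back each one up, then delete only the lines
# that carry the signature. Signatures and sample files are my assumptions.
# Assumes GNU sed (the -i flag); on BSD/macOS use `sed -i ''` instead.

# escape_bre STRING -> STRING with BRE metacharacters and '/' backslash-escaped,
# so a fixed string can be used safely inside a sed /.../ address.
escape_bre() {
    printf '%s' "$1" | sed 's|[][\\.*^$/]|\\&|g'
}

# infected_files DIR GLOB SIGNATURE -> one path per line for every file under
# DIR matching GLOB whose contents contain SIGNATURE (fixed string, not regex).
infected_files() {
    find "$1" -type f -name "$2" -exec grep -lF -- "$3" {} +
}

# clean_tree DIR GLOB SIGNATURE -> for each infected file, keep a copy as
# FILE.infected.bak and strip the lines containing SIGNATURE; prints the
# cleaned paths. Deleting only signature lines (rather than every line that
# mentions base64_decode) leaves legitimate callers of that function intact.
clean_tree() {
    esc=$(escape_bre "$3")
    infected_files "$1" "$2" "$3" | while IFS= read -r f; do
        cp -p "$f" "$f.infected.bak"
        sed -i "/$esc/d" "$f"
        printf '%s\n' "$f"
    done
}

# demo -> builds constructed sample files in a temp dir (the injected lines
# mimic the shapes described in the post: a base64_decode eval on line 1 of a
# PHP file and a JS stub in an HTML page), cleans them and prints the results.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));?>' \
        '<?php' '// legitimate code: this line must survive cleaning' \
        '$raw = base64_decode($cookie);' > "$tmp/index.php"
    printf '%s\n' '<html><head>' \
        "<script>var sSecureQ='';var aV=function(){};var checkL;var x=1;</script>" \
        '</head><body>hello</body></html>' > "$tmp/page.html"
    echo "PHP files cleaned:"
    clean_tree "$tmp" '*.php' 'eval(base64_decode('
    echo "HTML files cleaned:"
    clean_tree "$tmp" '*.html' "var sSecureQ='';var aV=function(){};var checkL;var"
    echo "base64_decode references left in index.php (legitimate one only):"
    grep -n 'base64_decode' "$tmp/index.php"
    rm -rf "$tmp"
}
```

Run `demo` to see it against the constructed files, or `clean_tree /path/to/documentroot '*.php' 'eval(base64_decode('` against a real tree once you have confirmed the signature with infected_files first; the .infected.bak copies are what you hand to whoever investigates how the files were modified.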

I found that the site was hacked because one of the add-on domain / FTP user accounts had been compromised. GoDaddy uses virtual FTP user aliases, which means an alias name is mapped to a web location, and every read/write operation performed by the alias user is executed on behalf of the actual primary FTP user.

So if an attacker knows where the web files are placed on the same hosting account, he can easily access the files and execute code with the privileges of the primary FTP user.
