How to remove malware from your website on your own


If you have any questions, do not hesitate to contact our tech support. We are always glad to help you.

This article applies to most site management systems (Joomla, Bitrix, DLE, Drupal, vBulletin, IPB, phpBB and so on). Before you start cleaning your website, make sure to check and remove all viruses from your computer, as well as from all computers you use to access website management. After the website cleanup you'll need to change all website access passwords (FTP, MySQL database, administrator password and the password for the administrator mailbox set in the site settings, if any). Before you start working with the site, always make a backup.

Warning! Never save passwords in your browsers or FTP client settings!

If you are a novice webmaster, we recommend starting with the new, slightly simplified version of this article: free website malware removal.

1. Diagnostics.

Diagnostics follows this sequence, from simple to complex:

1.1 Search the files and the HTML source of the pages for occurrences of "iframe" and "javascript". Analyse the code sequences and external JavaScripts you find for foreign code. Pay special attention to iframes of zero or very small dimensions, and to obfuscated one-line JavaScripts that use the functions "unescape", "eval" and "String.fromCharCode". Harmful scripts also often contain a "document.write" construction that inserts another iframe or JavaScript, or a meta tag (or JavaScript) with a redirect. If a JavaScript or redirect points to an unknown domain (not yours and not placed there by you), that is a red flag, even if the domain is empty or hosts some ordinary-looking site. Malware is usually spread in a "cascade", where the harmful code only appears at the third to fifth frame or redirect.

1.2 Perform a similar analysis of the external JavaScripts the page loads. Look for foreign code in external CSS as well.

1.3 If your website has images loaded from other sites, check what happens when you open these images in your browser. Use the same Referer and User-Agent headers that are sent when a page of your website containing the image is opened. If instead of a picture you get a redirect, a password prompt or some other foreign content, you have most likely found the virus.

1.4 The actions in points 1.1-1.3 with page and script requests must be performed several times, ideally from several different IPs, with different cookies and different user agents (browsers), because the virus code may target specific vulnerable browsers, a specific search engine, some other criterion, or act randomly.

1.5 Add your site to Yandex Webmaster or Google Webmaster. In some cases these services point to the specific harmful code or the domains it is loaded from.

1.6 If you have opened the infected website with JavaScript enabled in your browser (you really shouldn't do that), your antivirus software may give you a full list of threats discovered on that website. In that data you may find a list of virus domains.

1.7 Check the server's HTTP response codes for redirects using different user agents from different IPs, as redirects are quite often shown randomly or use cloaking. Sometimes the virus keeps its own log and shows a redirect or popup only once per user.
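As an added example (not part of the original article), the following Python script applies the checks from points 1.1-1.3 to a page source: it flags tiny or foreign iframes, external scripts and meta redirects to domains outside a list of your own, and the obfuscation functions named above. The sample page and every domain name in it are constructed for this example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample of an infected page; all domains here are made up for the example.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1><img src="/img/logo.png">
<iframe src="http://unknown-example.test/x.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fevil-example.test%22%3E'))</script>
<script>eval(String.fromCharCode(100,111,99))</script>
<meta http-equiv="refresh" content="0;url=http://evil-example.test/go">
<script src="/js/app.js"></script>
</body></html>"""

OBFUSCATION = re.compile(r"\b(unescape|eval|String\.fromCharCode|document\.write)\s*\(", re.I)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
META_REFRESH = re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.I)
SCRIPT_SRC = re.compile(r"""<script[^>]+src=["']?([^"'\s>]+)""", re.I)

def is_foreign(url, own_domains):
    """True when the URL has a host that is not one of the site's own domains."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() not in own_domains

def scan_page(source, own_domains):
    """Return (category, detail) findings for one page source.

    Entity-encoded markup (e.g. &lt;iframe&gt;, as it appears in a database
    dump) is unescaped first so it is inspected like live HTML.
    """
    text = html.unescape(source)
    findings = []
    for m in IFRAME.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        src = attrs.get("src", "")
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        if tiny or is_foreign(src, own_domains):
            findings.append(("iframe", src or m.group(0)))
    for m in SCRIPT_SRC.finditer(text):
        if is_foreign(m.group(1), own_domains):
            findings.append(("external-script", m.group(1)))
    for m in META_REFRESH.finditer(text):
        if is_foreign(m.group(1), own_domains):
            findings.append(("meta-redirect", m.group(1)))
    for m in OBFUSCATION.finditer(text):
        findings.append(("obfuscation", m.group(1)))
    return findings
```

Call `scan_page(page_text, {"yourdomain.example"})` on each saved page source; every finding should be read as a lead to inspect by hand, since a legitimate page can also load a script from a CDN or use `eval`.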


2. Malware removal.

Knowing what code the virus shows to website visitors may help you locate the source of the problem. If, however, you weren't able to pin down the harmful code, do not despair: malware removal can still be done without it, but it will be much more complicated.

2.1 Download all website files to your local PC and make a backup before starting the cleanup.

2.2 Run a full-text search (over the files' contents, not just their names) for occurrences of what you found in points 1.1-1.3 and the virus domains you found in points 1.5 and 1.6. Alternatively, you can do the search on the server using a special server script.

2.3 Using SSH commands or a server script, find all files that were modified on the date of your site's infection and scrutinize them for unwanted additions. Those may be:

  • "include" of files from virus domains (regardless of whether remote include is allowed according to phpinfo);
  • "eval" of data received from other websites;
  • "eval" of data decoded by the "base64_decode" function;
  • obfuscated PHP code;
  • redefined functions;
  • "include" or "eval" of external data passed to the script by the global arrays GET, POST, COOKIE, SERVER ('HTTP_REFERER', 'HTTP_USER_AGENT' and others), which is usually a backdoor;
  • foreign link exchange code (often the purpose of hacking a website is to sell links from it);
  • HTTP headers with redirects to virus domains, sent by the "header" function;
  • "exec", "system", "popen", "passthru" and other functions that execute programs, unless the CMS is expected to use them. If your CMS uses neither these functions nor "eval", you will be better off disabling them in php.ini;
  • MySQL trigger backdoors;
  • "auto_prepend_file" or "auto_append_file" in the PHP settings, pointing to backdoor or viral code;
  • in rare cases, a command that executes a virus located in the tmp folder is launched from the user's crontab.
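An added example, not from the original article: a Python scanner that lists files modified on or after a given date and flags the constructs from the list above. The regular expressions are assumptions written for this example and will need tuning for your CMS; a match is a lead for manual review, because a CMS may legitimately call `system()` or send a `Location` header.

```python
import os
import re
import time

# Regexes for the constructs listed in 2.3. They are assumptions written for
# this example, not a complete signature set; a match marks a file for review.
SUSPICIOUS = {
    "eval-of-base64": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I),
    "eval-of-request-data": re.compile(
        r"\b(?:eval|assert|include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|COOKIE|REQUEST|SERVER)\b", re.I),
    "remote-include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
    "preg-replace-e-modifier": re.compile(
        r"\bpreg_replace\s*\(\s*['\"]([^'\"])[^'\"]*\1[a-z]*e[a-z]*['\"]", re.I),
    "exec-function": re.compile(r"\b(?:exec|system|popen|proc_open|passthru|shell_exec)\s*\(", re.I),
    "redirect-header": re.compile(r"\bheader\s*\(\s*['\"]Location:\s*https?://", re.I),
}
PHP_EXTENSIONS = (".php", ".phtml", ".inc", ".php5")

def scan_php_source(text):
    """Return the sorted names of suspicious constructs found in one file's contents."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))

def to_epoch(date_str):
    # 'YYYY-MM-DD' in local time -> Unix timestamp (start of that day)
    return time.mktime(time.strptime(date_str, "%Y-%m-%d"))

def recently_modified(root, since_epoch):
    """Yield every file under root whose mtime is at or after since_epoch."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getmtime(path) >= since_epoch:
                    yield path
            except OSError:  # file vanished or metadata unreadable
                continue

def scan_tree(root, since_date):
    """Map each recently modified PHP file to the suspicious constructs it contains."""
    report = {}
    for path in recently_modified(root, to_epoch(since_date)):
        if not path.lower().endswith(PHP_EXTENSIONS):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_php_source(fh.read())
        if hits:
            report[path] = hits
    return report
```

Run it on the downloaded copy of the site, e.g. `scan_tree("/path/to/site-copy", "2024-05-01")`, with the date of infection you determined from point 1; the mtime filter is only a first cut, since an attacker can reset timestamps, so the list from 2.2 still has to be checked too.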


While analysing files for unwanted modifications, the code you located in section 1 is a useful reference.

Apart from showing harmful content to users, any of the external modifications listed above may be a web shell or a backdoor that miscreants use to control your website.

2.4 Make a database dump and analyse it in the same way as in 1.1. Note that in a database dump the code may be stored as HTML entities, so instead of "<iframe>" you'll find "&lt;iframe&gt;".

2.5 Remove all occurrences of foreign code you located during the steps above.

2.6 Check your website's functionality. Sometimes the virus erases important files or corrupts their syntax, so you'll have to restore them after the cleanup. In very rare cases the virus erases everything in such a way that nothing can be restored at all. It's very helpful if your hoster keeps a copy or you use a backup service.

2.7 Make a backup copy of the clean site. In case of a subsequent infection you will have the option to restore your site from this copy.

If you stop right here, then the next day or on Friday night your site will get infected again and you'll have to start from scratch. So keep reading.


3. Locate and eliminate the cause of infection.

3.1 First of all, analyse the web server and FTP logs from the period before the infection occurred. If you have a PHP error log or a command interpreter log, check them as well. Sometimes the logs contain enough data to determine the cause of the infection. However, only a comprehensive approach gives consistent results.

The most common ways of infecting are:

  • FTP password theft;
  • CMS engine vulnerabilities;
  • infection from neighbouring websites located on the same server;
  • vulnerabilities in website or server utilities.


3.2 FTP password theft. The reasons are many:

  • you've used FTP on a free Wi-Fi network infected with a password-stealing virus, or on a machine plugged into an infected local network. To avoid such password leaks, you can use a paid encrypted VPN over the free Wi-Fi or suspicious local network.
  • theft of passwords from the FTP client (for example, stealing wcx_ftp.ini from Total Commander) by a virus site, a virus in pirated software or a virus on a flash drive.
  • FTP password phishing: when you visit an SEO utility site or some similar service, you are prompted to enter your FTP login and password, or someone posing as a hoster representative asks you, for various reasons, to visit some page to supposedly change your FTP password.


3.3 CMS engine vulnerabilities.

Many CMS still have vulnerabilities like SQL injection, source include, XSS and others. Usually notices of such vulnerabilities are posted on CMS support websites, for example http://dle-news.ru/bags/. During website cleanup you must fix all vulnerabilities described on the CMS developer's website and check your engine for vulnerabilities added by plugin installation or other modifications. As an example of an engine free of such explicit problems, we can recommend UMI CMS.

Apart from inherent holes in engine security, some vulnerabilities may result from certain engine and/or server settings. For example, if your website allows its users to post pictures from other sites, the risk of encountering the problems from point 1.3 automatically increases. Some CMS have no explicit vulnerabilities, yet become easily exploitable when server settings do not match the CMS security requirements. During website cleanup, make sure to verify that your server meets the security requirements of the CMS you use.

3.4 Infection from neighbouring sites on the same server.

If you access your site via FTP and can't see any sites except your own, it doesn't necessarily mean that you have no access to your neighbours or that they have no access to you. Connect to the server using SSH (if your host provides that option) and check whether you can see other users' files. Also try to move to the parent of your home folder using a PHP file manager, or Perl, or a program in any other language the server supports. If you can do that and can move into other users' folders, you need to change your hosting provider, as cleaning a single website under such conditions is impossible.


3.5 The website engine might be really good, but your hoster may turn out to have database management tools or statistics scripts that are vulnerable or susceptible to brute force. This can be phpMyAdmin with a single shared login for all clients, which in combination with short passwords can lead to a successful break-in to database management and, as a consequence, the addition of viral code to articles and templates stored in the database. These vulnerabilities should be eliminated as well if possible. Sadly, most often it means changing your hoster.


4. Change all passwords: FTP, SSH, MySQL and website management (CMS) passwords.


Why so complicated? I've just removed the line with the virus code from a template, and now it's all OK.

You got lucky. But you shouldn't take the hacker for a naive fool. Usually, if the virus is not removed completely, it will return in a significantly more intricate and encrypted version, and its removal will become a significantly more complicated task.


If you weren't able to successfully remove the malware on your own, the infection is quite grave. Our website malware removal service is at your disposal.


© WebGuard.Pro
Your website securely protected, 2012-2025
Tech support:
+7 800 77-55-771