Removing malware from your website by yourself


This article is intended for more or less experienced webmasters or advanced users. It contains a general algorithm and personal experience of cleaning malware from websites.

If you have any additional questions, feel free to contact our tech support. We are always glad to help.

  • You must always start the cleanup with the website administrator's computer. Half of all infections happen because of password theft (FTP or hosting control panel passwords). It is better to use not only the antivirus installed on your computer but a second one as well, as the first antivirus might have missed the virus.
  • As the second step, download all website files to your PC, make sure to create a backup copy, then check the working copy with an antivirus. If you are using WebGuard hosting, it is better to use the virus scanner integrated into our hosting control panel file manager. It detects web viruses significantly better than traditional antivirus software and in most cases finds 100% of the malicious code on websites.
  • If your website is hosted elsewhere, you will be checking your downloaded copy. It is recommended to use Avast or Nod32 antivirus, as DrWeb and Kaspersky often miss simple injections of foreign scripts. Note that checking your site with desktop antivirus software will help you only in light infection cases. If your site gets infected again after your cleanup, consider using the WebGuard antivirus next time you clean your website.
  • After the scan is complete and you have a list of infected files in a report, proceed to cleaning:
  1. First of all, check whether the report contains viruses of the following types: phpshell, webshell, hacktool, trojan and similar. These are usually PHP files that hackers use to get full access to website data. Most often you can simply delete them.
  2. The next step is to remove malware attached to website data and core files, i.e. all remaining viruses in the report. For this you will need a text editor that can search and replace across files using regular expressions. We use PhpED; a full 30-day trial version can be downloaded from the official website. Generally, the remaining viruses will be attached either at the end or at the beginning of files. Quite often only index.php in the website root folder is infected. In that case remove the malware code from index.php and skip step 3. If there are many infected files, move on to the next step.
  3. Analyze the infected files. The virus code will be either identical everywhere or similar across files. If the code is identical everywhere, replace it with an empty string, using the text editor of your choice, in all website files potentially prone to infection (*.php;*.php4;*.php5;*.inc;*.class;*.js;*.html;*.htm;*.css;*.htc). If the virus code changes slightly from file to file but has the same basic structure, you will need a regular expression search. The simplest case is when the beginning and the end of the virus line are the same. The regular expression then looks like:

     virus_start.*virus_end

     Before you start replacing, run a search with this regular expression and check whether any "healthy" files appear in the list. If there are none, do the replacement.

  4. It is possible that an ordinary antivirus will not find all infected files. To search for unknown viruses, we use our own WebGuard malware scanner (integrated into our hosting panel file manager) and a variety of signatures based on regular expressions or heuristic analysis; their results require additional analysis. A couple of safer examples are given in points 5 and 6.
  5. Searching for a hidden iframe:

     <\s*iframe[^<>]*src\s*=\s*('|"|)\s*http://[^<>]*(width|height)[^<>]*=('|"|)(1|0|2|3|4|5)('|"|)[^\d<>]*(width|height)[^<>]*=('|"|)(1|0|2|3|4|5)('|"|)[^\d<>]*>\s*<\s*/\s*iframe\s*>

     Analyze what you have found and remove everything that was not added by you. It is also worth searching the SQL database dump for this regular expression.

  6. Using multi-line search with regular expressions, check the .htaccess files:

     .*(HTTP_USER_AGENT|REFERER).*
     .*(Rewrite|Redirect).*http(|s)://

     This finds unconventional redirects to third-party websites that occur only when a specific condition is met, for example redirecting only users who arrive at the website from a search engine. It may take the site owner quite a while to notice such a redirect, as he would usually type the website address into the address bar.

  7. After you have completed all these operations, it is recommended to delete the infected website folder on your hosting completely and upload the clean copy from your computer.
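As an added example, not code from the article or from WebGuard's scanner, here is a Python script that runs the article's three searches over a constructed sample site: the hidden-iframe signature from point 5, the two-line .htaccess check from point 6, and the step-3 "search first, then replace" workflow with a hypothetical evil_start/evil_end marker standing in for virus_start/virus_end. Case-insensitive matching for the iframe regex and the example.invalid hostname are my assumptions.

```python
import re
from pathlib import PurePosixPath

# File types the article lists as prone to infection.
SCAN_EXTENSIONS = {".php", ".php4", ".php5", ".inc", ".class", ".js",
                   ".html", ".htm", ".css", ".htc"}
# Hidden-iframe signature from the article; IGNORECASE is my assumption.
HIDDEN_IFRAME_RE = re.compile(
    r"""<\s*iframe[^<>]*src\s*=\s*('|"|)\s*http://[^<>]*(width|height)[^<>]*"""
    r"""=('|"|)(1|0|2|3|4|5)('|"|)[^\d<>]*(width|height)[^<>]*=('|"|)"""
    r"""(1|0|2|3|4|5)('|"|)[^\d<>]*>\s*<\s*/\s*iframe\s*>""", re.IGNORECASE)

# The article's two-line .htaccess search: condition line, then redirect line.
HTACCESS_REDIRECT_RE = re.compile(
    r".*(HTTP_USER_AGENT|REFERER).*\n.*(Rewrite|Redirect).*http(|s)://")

def scan(files):
    """Return {filename: [signature names]} for every file that matches."""
    hits = {}
    for name, text in files.items():
        path = PurePosixPath(name)
        found = []
        if path.suffix.lower() in SCAN_EXTENSIONS and HIDDEN_IFRAME_RE.search(text):
            found.append("hidden_iframe")
        if path.name == ".htaccess" and HTACCESS_REDIRECT_RE.search(text):
            found.append("conditional_redirect")
        if found:
            hits[name] = found
    return hits

def preview_removal(files, pattern):
    """Step 3 dry run: list scannable files the injection pattern hits, so
    healthy files can be spotted before remove_injection is run."""
    rx = re.compile(pattern)
    return sorted(n for n, t in files.items() if rx.search(t)
                  and PurePosixPath(n).suffix.lower() in SCAN_EXTENSIONS)

def remove_injection(files, pattern):
    """Replace every match of pattern with '' in the files preview listed."""
    rx, targets = re.compile(pattern), set(preview_removal(files, pattern))
    return {n: rx.sub("", t) if n in targets else t for n, t in files.items()}

# Constructed sample site; the evil_* markers are placeholders, not real malware.
SAMPLE_SITE = {
    "index.php": "<?php include 'lib.inc'; ?>\n<script>evil_start;x();evil_end</script>\n",
    "contact.php": "<script>evil_start;y();evil_end</script><?php mail(); ?>\n",
    "about.html": '<p>About us</p>\n<iframe src="http://example.invalid/x.php" width="1" height="1"></iframe>\n',
    "notes.txt": "<script>evil_start;x();evil_end</script> in a file type the article does not scan\n",
    ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} (google|yahoo) [NC]\nRewriteRule .* http://example.invalid/ [R,L]\n",
}
```

Run preview_removal first and read its list; only when no legitimate file appears in it should remove_injection be applied, exactly as the article advises for step 3.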

After completing the cleanup, it is recommended to analyze the web-server logs to find out the cause of the infection. However, this is not always possible: often the logs from the day of infection have already been deleted, or the website was infected using stolen FTP passwords (hence no information in the logs). Also make sure to follow several simple points that will significantly reduce the risk of subsequent infections. Continue to the article Website protection after malware removal.

If you were not able to remove the malware on your own, or you do not want to deal with this problem yourself, you can employ the malware removal service of WebGuard.pro specialists.

An old version of this article is also available. We consider it more complicated, though it does examine some aspects in more detail.


© WebGuard.Pro
Your website securely protected, 2012-2024
Tech support:
+7 800 77-55-771