How to scan a site for malware: tips from a professional admin

Viruses can get onto a website via vulnerable code or extension, in consequence of faulty host settings, as a result of a password mining attack, or infection of the host or computer.

A virus on a website threatens the owner’s reputation, search traffic, and online earnings. When there is a website to be cured, you start by making sure the site is indeed infected by a virus. Then you track down and remove malicious code, and finally you secure the site against similar attacks in the future. Let’s look at each of these steps in succession.

If you think the site may be infected but you aren’t sure, there are a couple of things you can do to make sure. I scan the site with online scanners, and I also engage multiple browsers and search engines.

Online scanners can track down malicious code pretty fast, but I never put all my eggs in the same basket: some viruses will evade automatic scanning. Here are a couple of online scanner services:

Unauthorized redirect action may indicate the presence of a virus. That’s when users on their way to your website end up on some other resource. An infected website may open normally from a PC. Meanwhile, users trying to access it from a phone may find themselves tossed over to a phishing page or mobile subscriptions page. Or vice versa.

So you need to see how the site behaves with different browsers, operating systems, and mobile gadgets.

Search engines scan websites for viruses by default. They will mark infected resources in gray and append an alert.

To have your own site scanned, enter its address in the Google search bar. When you see an alert, you will know your site is infected. Check out the verdicts and likely infection threads.

СThis is not the rule of thumb method though. A search engine may not be able to detect malicious code at first attempt. Moreover, a virus can be trained to verify the query source and hide from search engines. When a trained virus sees a query coming from a search engine, its scripts will stop in their tracks and the search engine will not smell a rat.

There’s this other type of malware called Doorways. They build their own content into websites. Again, you can use the search engine to have your site scanned for Doorways. Type in site:mysite.com and peruse all search results. Any pages you find that are not thematically relevant to your site are doorways.

When the fact of infection has been ascertained beyond doubt, you set out to find and eliminate malicious code. Tracking down the malware can be a challenge. I peruse all website files manually, and I also use a console.

Malicious scripts are often added to the website’s source code (press Сtrl+U in your browser). Check for the presence of extraneous JS scripts, iframe insertions, and spam links. If you find any, delete them.

Check all JS scripts that act up when a page loads to see if there are any extraneous insertions there. Those are typically programmed in at the beginning and the end of a JS script. Delete any extraneous insertions you find.

Sometimes code can be hard to unravel or it may be obfuscated. In this case, compare the script content on your site with the original script file from the control system, plugin or template archive.

If you know when the site was hacked, malicious code can be found in any and all files modified since.

Let’s say your site was hacked a few days ago. To pull up all PHP scripts modified in the past 7 days, use this command:

find . –name '*.ph*' –mtime -7

When the command yields results, check all the PHP scripts it returned for malicious insertions.

The

upload/backup/log/image/tmp

You can use this command to check the upload directory:

find /upload/ -type f -name '*.ph*'

It will show all PHP files in the upload directory.

Following the scan, any infected files can be deleted manually or by using this command:

find /upload/ -name '*.php*' -exec rm '{}' \;

Open the site directory. Find any files and folders with unconventional names and/or suspicious content and delete them.

All host folders are to be checked for multiple PHP and HTML files per directory. This can be done with the following command:

find ./ -mindepth 2 -type f -name '*.php' | cut -d/ -f2 | sort | uniq -c | sort –nr

When the command has finished running, the screen will show the list of directories and the number of PHP files in each one. If you see too many files in a directory, check them all.

You can use this command to quickly scan the website for malware scripts:

find ./ -type f -name "*.php" -exec grep -i -H "wso shell\|Backdoor\|Shell\|base64_decode\|str_rot13\|gzuncompress\|gzinflate\|strrev\|killall\|navigator.userAgent.match\|mysql_safe\|UdpFlood\|40,101,115,110,98,114,105,110\|msg=@gzinflate\|sql2_safe\|NlOThmMjgyODM0NjkyODdiYT\|6POkiojiO7iY3ns1rn8\|var vst = String.fromCharCode\|c999sh\|request12.php\|auth_pass\|shell_exec\|FilesMan\|passthru\|system\|passwd\|mkdir\|chmod\|mkdir\|md5=\|e2aa4e\|file_get_contents\|eval\|stripslashes\|fsockopen\|pfsockopen\|base64_files" {} \;

Alternatively, you can use the ’grep’ without the ’find’.

grep -R -i -H -E "wso shell|Backdoor|Shell|base64_decode|str_rot13|gzuncompress|gzinflate|strrev|killall|navigator.userAgent.match|mysql_safe|UdpFlood|40,101,115,110,98,114,105,110|msg=@gzinflate|sql2_safe|NlOThmMjgyODM0NjkyODdiYT|6POkiojiO7iY3ns1rn8|var vst = String.fromCharCode|c999sh|request12.php|auth_pass|shell_exec|FilesMan|passthru|system|passwd|mkdir|chmod|md5=|e2aa4e|file_get_contents|eval|stripslashes|fsockopen|pfsockopen|base64_files" ./

These commands will track down malicious code in the files of your current directory. They scan files recursively from the directory wherein they are initiated.

There will be many matches, but most of the files retrieved will not be malware: CMS plugins also use the same functions.

Just in case, analyze all PHP scripts you have found for malicious insertions. Make sure you view the file content before deleting the file.

It often happens that malicious code gets added to the database when a website is hacked or infected. To do a fast-track virus scan on your database, log in to phpmyadmin, and enter the following queries in the search bar, in succession:

<script , <? , <?php , <iframe

Delete every malware fragment you find.

You can use the following online scanners to auto-scan your website files for viruses, shell scripts, redirects and doorways:

Auto-scanners will typically nail up to 90% of malware scripts on an infected website, but the rest have to be chased manually, using the internal scan commands suggested above. Alternatively, have your website scanned using some antivirus software that performs heuristic analysis. This type of software will even identify unknown threats yet to be added to the malware database.

Once all shell scripts and malware insertions have been cleared away, the website has to be secured against hack attacks. This means making the website invulnerable to extraneous attacks.

It is common for malicious actors to break into websites by hacking the admin panel. Set up a panel access restriction via IP to deter them. To put it differently, allow access to the admin panel from a specific device only.

Add to the admin panel directory (administrator, bitrix/admin, wp-admin…) an .htaccess file with the following content:

Order Deny, Allow Deny from all Allow from 1.1.1.1

Where 1.1.1.1 is the IP address allowed access to the admin panel.

If it isn’t a static IP address, you can add an IP by area. Let’s say the provider has allotted an IP address that looks like this: 192.168.100.34. Accordingly, you can write ’allow from 192.168’ in the .htaccess.

Set up a supplementary login name and password for the site’s admin panel. To that end, add the files .htaccess and .htpasswd to the admin panel directory (administrator, bitrix/admin, wp-admin…).

You need to write the following code in the .htaccess file:

Where

home/site.com/admin/.htpasswd

In the

.htpasswd

You can have those credentials generated on Htpasswd Generator. Enter login and password and click

Create .htpasswd file

All of the website’s files and directories are open to writing by default. The danger here is that if the malicious actor found a vulnerability, they would be able to upload and run a shell script or rewrite a file in any website directory.

You need to harden the site to secure it - pour concrete on it, so to speak. Here is how you do it. You set up 444 rights for all CMS, plugin and template system files that need no write permissions to run smoothly, and you set up 555 rights for the directories.

The point is to prohibit writing to all site directories and prohibit the modification of all CMS files that require no modification during the site’s operation. The files will be available for reading and running with these rights. Here is what you do to make sure your site runs correctly:

While these rights are ideal for websites where the CMS, plugins and templates have been strongly modified and cannot be upgraded to the latest editions, they will also work for more basic websites where the CMS, plugins and templates are rarely updated.

In any event, when you absolutely have to update some plugins and templates, the rights can be recursively changed to 644 and 755. Then you go and update everything and change the rights back to 444 and 555.

For the comfort of regular users, two PHP scripts are created:

mysite.com/protect.php changes all file and folder rights to 444 and 555,

mysite.com/protect.php sets up the 644 and 755 rights.

In order to make it impossible to modify the file and directory rights with the aid of programming tools, add the following directive to the php.ini file:

disable_functions =chmod

For any directories (backup/log/image…)) that cannot take the 555 rights and have no scripts, you need to add an .htaccess file with the following content:

RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml

This code will block any potentially threatening scripts from running. It will forbid PHP code to run out of a directory where no runnable files are supposed to exist.