How to scan a site for malware: tips from a professional admin
I am a website administrator and have been working since 2012. Security is my focus: I exterminate malicious scripts and fix vulnerabilities. I have cured small blogs, huge online stores, and everything in between. Today I am going to share the tools I use to scan a website for viruses and eliminate them.
This piece is not for beginners: you have to be conversant with the basics of HTML, PHP and JS, and know how to use a console.
What are viruses and how they get on a website
A virus is malicious code that can do things like change the site’s look, place ads, redirect visitors to another site, give fraudsters access to the site, or draw on the host’s resources to mine crypto or perform other computations.
You know there is a virus on your website when:
- There is some content on the website you know the owner never added.
- The website has become slower.
- Visitors clicking through to your website land on some other resource.
- Search traffic is down.
- New folders have appeared on the hosting account.
Viruses get onto a website through vulnerable code or extensions, misconfigured hosting, a password-guessing (brute-force) attack, or an infection of the hosting server or the administrator's computer.
A virus on a website threatens the owner’s reputation, search traffic, and online earnings. When there is a website to be cured, you start by making sure the site is indeed infected by a virus. Then you track down and remove malicious code, and finally you secure the site against similar attacks in the future. Let’s look at each of these steps in succession.
Making sure the site is infected
If you think the site may be infected but you aren’t sure, there are a couple of things you can do to make sure. I scan the site with online scanners, and I also engage multiple browsers and search engines.
Scanning for viruses using online scanners
Online scanners can track down malicious code pretty fast, but I never put all my eggs in the same basket: some viruses will evade automatic scanning. Here are a couple of online scanner services:
Behavioral signs across browsers and devices
Unauthorized redirect action may indicate the presence of a virus. That’s when users on their way to your website end up on some other resource. An infected website may open normally from a PC. Meanwhile, users trying to access it from a phone may find themselves tossed over to a phishing page or mobile subscriptions page. Or vice versa.
So you need to see how the site behaves with different browsers, operating systems, and mobile gadgets.
Search look
Search engines scan websites for viruses by default. They will mark infected resources in gray and append an alert.
To have your own site scanned, enter its address in the Google search bar. If an alert is shown, your site is infected. Read the verdicts and the likely sources of infection.
This method is not foolproof, though. A search engine may not detect malicious code on the first attempt. Moreover, a virus can be programmed to check where a request comes from and hide from search engines: when such a virus sees a request coming from a search engine, its scripts stay dormant and the search engine does not smell a rat.
Number of pages in search results
There’s this other type of malware called Doorways. They build their own content into websites. Again, you can use the search engine to have your site scanned for Doorways. Type in site:mysite.com and peruse all search results. Any pages you find that are not thematically relevant to your site are doorways.
Find and destroy the cybervermin
When the fact of infection has been ascertained beyond doubt, you set out to find and eliminate malicious code. Tracking down the malware can be a challenge. I peruse all website files manually, and I also use a console.
Analyze the HTML and the JS scripts.
Malicious scripts are often added to the page's source code (press Ctrl+U in your browser to view it). Check for extraneous JS scripts, iframe insertions, and spam links. If you find any, delete them.
Check all JS scripts that run when a page loads for extraneous insertions. Those are typically appended at the beginning or the end of a JS script. Delete any extraneous insertions you find.
Sometimes code is hard to unravel, or it may be obfuscated. In that case, compare the script on your site with the original script file from the content management system (CMS), plugin or template archive.
Check the modification dates of files and folders.
If you know when the site was hacked, look for malicious code in every file modified since then.
Let's say your site was hacked a few days ago. To list all PHP scripts modified in the past 7 days, run this command from the site root:
find . -type f -name '*.ph*' -mtime -7
When the command yields results, check all the PHP scripts it returned for malicious insertions.
Check these directories: upload/backup/log/image/tmp
The upload/backup/log/image/tmp directories are potential threats, because they are usually writable. More often than not, it is these directories that become receptacles for shell scripts through which the site files and database are infected later. These directories must by all means be checked for malicious PHP scripts. You can use this command (run from the site root) to check the upload directory:
find ./upload/ -type f -name '*.ph*'
It will show all PHP files in the upload directory.
Following the scan, delete any infected files manually. If no PHP files belong in the upload directory at all, you can remove every one of them with this command (it deletes all matching files, so inspect the list from the previous command first):
find ./upload/ -type f -name '*.php*' -exec rm '{}' \;
Find files and folders with non-standard names
Open the site directory. Find any files and folders with unconventional names and/or suspicious content and delete them.
Find directories with too many PHP files
Check every directory on the host for an unusual number of PHP files. The following command counts the PHP files under each top-level directory:
find ./ -mindepth 2 -type f -name '*.php' | cut -d/ -f2 | sort | uniq -c | sort -nr
When the command has finished running, the screen will show the list of directories and the number of PHP files in each one. If you see too many files in a directory, check them all.
Detecting malware scripts by content
You can use this command to quickly scan the website for malware scripts:
find ./ -type f -name "*.php" -exec grep -i -H "wso shell\|Backdoor\|Shell\|base64_decode\|str_rot13\|gzuncompress\|gzinflate\|strrev\|killall\|navigator.userAgent.match\|mysql_safe\|UdpFlood\|40,101,115,110,98,114,105,110\|msg=@gzinflate\|sql2_safe\|NlOThmMjgyODM0NjkyODdiYT\|6POkiojiO7iY3ns1rn8\|var vst = String.fromCharCode\|c999sh\|request12.php\|auth_pass\|shell_exec\|FilesMan\|passthru\|system\|passwd\|mkdir\|chmod\|mkdir\|md5=\|e2aa4e\|file_get_contents\|eval\|stripslashes\|fsockopen\|pfsockopen\|base64_files" {} \;
Alternatively, you can use grep on its own, without find:
grep -R -i -H -E "wso shell|Backdoor|Shell|base64_decode|str_rot13|gzuncompress|gzinflate|strrev|killall|navigator.userAgent.match|mysql_safe|UdpFlood|40,101,115,110,98,114,105,110|msg=@gzinflate|sql2_safe|NlOThmMjgyODM0NjkyODdiYT|6POkiojiO7iY3ns1rn8|var vst = String.fromCharCode|c999sh|request12.php|auth_pass|shell_exec|FilesMan|passthru|system|passwd|mkdir|chmod|md5=|e2aa4e|file_get_contents|eval|stripslashes|fsockopen|pfsockopen|base64_files" ./
Both commands search recursively from the directory they are run in and report the files containing suspicious code.
There will be many matches, but most of the files retrieved will not be malware: CMS plugins also use the same functions.
Just in case, analyze all PHP scripts you have found for malicious insertions. Make sure you view the file content before deleting the file.
Check the database
It often happens that malicious code is added to the database when a website is hacked or infected. To do a fast-track virus scan of your database, log in to phpMyAdmin and run the following search strings, one after another:
<script
<?
<?php
<iframe
Delete every malware fragment you find.
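The file-system and database checks above (PHP files modified recently, PHP files in the upload directory, PHP files per directory, suspicious function names, injected markup in a database dump) can be run together as one script. The following is an added example, not code from the original article: a POSIX shell toolkit that applies those checks to a site tree. Everything under $SITE is a constructed fixture built by the script itself, so it runs offline; the file names, the plugin, the dropper and the dump contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): the article's scan commands wrapped in
# shell functions and run against a constructed site tree.
set -u

SITE=$(mktemp -d)          # constructed site root, removed on exit
trap 'rm -rf "$SITE"' EXIT

make_fixture() {
  mkdir -p "$SITE/wp-admin" "$SITE/upload" "$SITE/wp-content/plugins/seo"
  printf '<?php echo "hello";\n' > "$SITE/index.php"
  printf '<?php echo "admin";\n' > "$SITE/wp-admin/index.php"
  # a legitimate plugin that happens to call base64_decode (expected false positive)
  printf '<?php $cfg = base64_decode($raw);\n' > "$SITE/wp-content/plugins/seo/seo.php"
  # a constructed webshell-style dropper hiding in the upload directory
  printf '<?php eval(gzinflate(base64_decode($_POST["c"])));\n' > "$SITE/upload/img.php"
  printf 'GIF89a' > "$SITE/upload/real.gif"
  # constructed database dump with one injected <script> tag
  printf 'INSERT INTO wp_posts VALUES (1,"Hello world");\nINSERT INTO wp_options VALUES (2,"<script src=//example.invalid/x.js></script>");\n' > "$SITE/dump.sql"
  # backdate the legitimate files so only the dropper counts as "recent"
  touch -t 202001010000 "$SITE/index.php" "$SITE/wp-admin/index.php" \
    "$SITE/wp-content/plugins/seo/seo.php"
}

# PHP-like files under $1 modified in the last $2 days (the article's -mtime check)
recent_php() {
  find "$1" -type f -name '*.ph*' -mtime "-$2"
}

# Any PHP-like file in a directory that should only ever hold uploads
php_in_upload() {
  find "$1" -type f -name '*.ph*'
}

# Number of PHP files per top-level directory, most populated first
php_per_dir() {
  ( cd "$1" && find . -mindepth 2 -type f -name '*.php' | cut -d/ -f2 | sort | uniq -c | sort -nr )
}

# Files containing names from the article's suspicious-function list (abridged).
# Expect false positives: legitimate plugins use these functions too.
suspicious_php() {
  grep -R -i -l -E 'eval|gzinflate|base64_decode|shell_exec|passthru|FilesMan|str_rot13|fsockopen' \
    --include='*.php' "$1"
}

# Rows of a database dump that carry injected markup (the article's phpMyAdmin strings)
dump_hits() {
  grep -n -i -E '<script|<\?php|<\?|<iframe' "$1"
}

make_fixture
echo "== PHP files modified in the last 7 days"; recent_php "$SITE" 7
echo "== PHP files in upload/";                  php_in_upload "$SITE/upload"
echo "== PHP files per directory";               php_per_dir "$SITE"
echo "== files using suspicious functions";      suspicious_php "$SITE"
echo "== database rows with injected markup";    dump_hits "$SITE/dump.sql"
```

On the fixture, the recent-files check and the upload check both single out upload/img.php, while the content grep also flags the harmless seo.php, which is exactly the false-positive behaviour the article warns about: every hit still has to be read before anything is deleted.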
Use online services
You can use the following online scanners to auto-scan your website files for viruses, shell scripts, redirects and doorways:
Auto-scanners will typically nail up to 90% of malware scripts on an infected website, but the rest have to be chased manually, using the internal scan commands suggested above. Alternatively, have your website scanned using some antivirus software that performs heuristic analysis. This type of software will even identify unknown threats yet to be added to the malware database.
Hack-proofing your website
Once all shell scripts and malware insertions have been cleared away, the website has to be secured against further hack attacks, that is, the paths an attacker could use to get back in have to be closed.
Securing website admin panel via IP
It is common for malicious actors to break into websites by hacking the admin panel. Set up a panel access restriction via IP to deter them. To put it differently, allow access to the admin panel from a specific device only.
Add to the admin panel directory (administrator, bitrix/admin, wp-admin…) an .htaccess file with the following content:
Order Deny,Allow
Deny from all
Allow from 1.1.1.1
Where 1.1.1.1 is the IP address allowed to access the admin panel. These are Apache 2.2 directives; Apache 2.4 only honours them when mod_access_compat is loaded, otherwise the equivalent is Require ip.
If it isn't a static IP address, you can allow a whole range instead. Let's say the provider has allotted an IP address that looks like this: 192.168.100.34. Accordingly, you can write "Allow from 192.168" in the .htaccess.
Securing admin panel by means of HTTP authorization
Set up a supplementary login name and password for the site’s admin panel. To that end, add the files .htaccess and .htpasswd to the admin panel directory (administrator, bitrix/admin, wp-admin…).
Write the following in the .htaccess file:
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/site.com/admin/.htpasswd
Require valid-user
<Files ~ "\.(css|js|png|gif|jpg)$">
Allow from all
Satisfy Any
</Files>
Here /home/site.com/admin/.htpasswd is the full path to the .htpasswd file on your server. In the .htpasswd file, add the extra login name and password that will be required for panel access. You can have those credentials generated on Htpasswd Generator: enter the login and password, click "Create .htpasswd file", and copy the result into the .htpasswd file (the htpasswd utility shipped with Apache does the same locally, without sending the password to a third party). The <Files> block lets stylesheets, scripts and images through without authentication; like Order/Allow/Deny above, Allow and Satisfy are Apache 2.2 directives that Apache 2.4 only accepts with mod_access_compat.
Securing website directories
All of the website’s files and directories are open to writing by default. The danger here is that if the malicious actor found a vulnerability, they would be able to upload and run a shell script or rewrite a file in any website directory.
You need to harden the site to secure it - pour concrete on it, so to speak. Here is how you do it. You set up 444 rights for all CMS, plugin and template system files that need no write permissions to run smoothly, and you set up 555 rights for the directories.
The point is to prohibit writing to all site directories and prohibit the modification of all CMS files that require no modification during the site’s operation. The files will be available for reading and running with these rights. Here is what you do to make sure your site runs correctly:
- 444 rights for all files.
- 555 rights for all folders.
- 644 rights for the files that have to stay open to writing.
- 755 for the directories that have to stay open to writing.
While these rights are ideal for websites where the CMS, plugins and templates have been strongly modified and cannot be upgraded to the latest editions, they will also work for more basic websites where the CMS, plugins and templates are rarely updated.
In any event, when you absolutely have to update some plugins and templates, the rights can be recursively changed to 644 and 755. Then you go and update everything and change the rights back to 444 and 555.
For the comfort of regular users, two PHP scripts are created:
- mysite.com/protect.php changes all file and folder rights to 444 and 555;
- a second script reverses this and sets the 644 and 755 rights.
In order to make it impossible to modify the file and directory rights with the aid of programming tools, add the following directive to the php.ini file:
disable_functions = chmod
For any directories (backup/log/image…) that cannot take the 555 rights and contain no scripts, add an .htaccess file with the following content:
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
This blocks potentially dangerous scripts from running: PHP code cannot execute out of a directory where no executable files are supposed to exist.
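The permission scheme and the no-execute .htaccess described above, as an added example that is not code from the original article: shell versions of the "protect" (444/555) and "unprotect" (644/755) scripts, which the article implements as PHP pages, plus a helper that drops the article's RemoveHandler/AddType .htaccess into every directory that must stay writable. The site tree under $SITE is a constructed fixture, and the WRITABLE list of directories is an assumption for the demonstration. Because these run from the console rather than through PHP, they keep working after chmod has been listed in disable_functions.

```shell
#!/bin/sh
# Added example (not from the article): lock/unlock a site tree the way the
# article's protect script does, and write its no-execute .htaccess into the
# directories that stay writable.
set -u

SITE=$(mktemp -d)              # constructed site root
WRITABLE="upload cache log"    # assumed: directories the CMS must still write to

make_fixture() {
  mkdir -p "$SITE/wp-admin" "$SITE/upload" "$SITE/cache" "$SITE/log"
  printf '<?php echo "core";\n'  > "$SITE/index.php"
  printf '<?php echo "admin";\n' > "$SITE/wp-admin/index.php"
  printf 'GIF89a' > "$SITE/upload/photo.gif"
}

# Lock the site: 444 on files and 555 on directories, except the writable
# directories, which get the article's 644/755 instead
protect() {
  find "$SITE" -type f -exec chmod 444 {} +
  find "$SITE" -type d -exec chmod 555 {} +
  for d in $WRITABLE; do
    [ -d "$SITE/$d" ] || continue
    find "$SITE/$d" -type d -exec chmod 755 {} +
    find "$SITE/$d" -type f -exec chmod 644 {} +
  done
}

# Reopen the whole tree (644/755) for a CMS or plugin update; run protect again afterwards
unprotect() {
  find "$SITE" -type d -exec chmod 755 {} +
  find "$SITE" -type f -exec chmod 644 {} +
}

# Write the article's .htaccess into each writable directory so that no script
# handler is attached to files stored there
no_exec_htaccess() {
  for d in $WRITABLE; do
    [ -d "$SITE/$d" ] || continue
    cat > "$SITE/$d/.htaccess" <<'EOF'
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
EOF
  done
}

# True when $1 has exactly the octal mode $2 (works with GNU and BSD find)
has_mode() {
  [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]
}

# the fixture must be reopened before it can be deleted
trap 'unprotect; rm -rf "$SITE"' EXIT

make_fixture
no_exec_htaccess    # write .htaccess files before the tree becomes read-only
protect
ls -lR "$SITE"
```

Note the ordering: the .htaccess files are written before protect runs, and the writable directories are relaxed only after the blanket 444/555 pass, so a directory listed in WRITABLE never ends up read-only by accident.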