We all face daily cybersecurity challenges. No matter how hard you try, you’ll never reduce the chances of being hacked to zero. But server security solutions are here to help prevent and detect unauthorized access. Do you need help learning how to remove website malware?
There are always comfortable automated ways to manage these threats, like one of our most appreciated extensions for this purpose, ImunifyAV.
Alternatively, let us help you get one step ahead of the hackers with our guide to manually removing website malware.
Main malware strains
Hackers can get into your systems in various ways. One popular way is via injections attacks. Injections happen when an attacker inserts a file, in-memory cache or database entry into a system component.
Code injection
- You can insert code into existing PHP or Perl programs to create backdoors or automated uploaders.
- You can modify the contents of the .htaccess file to redirect visitors to other sites for the purpose of phishing or SEO hijacking.
- You can alter JavaScript (.js) and HTML files to insert unwanted advertising scripts or content (so-called malvertising).
- An attacker can modify and use Exif information (meta-data to add info to image files eg. JPG) to carry malicious payloads to other parts of the file system or other sites.
Hackers will often take full advantage of their position, and plant malicious code in multiple places.
Cache injection
A cache is a small, high-performance store of memory. If you don’t secure the server that maintains the caches, then memory can be overwritten in situ. If the affected portion of memory is a cached version of a web page, then a hacker can inject code or malicious content without changing website functionality.
Hacker scripts
Hacker scripts can take many forms, and serve many purposes. Scripts for back doors, uploaders, spammers, and phishing links can create web doorways, or site entry points to manipulate search engine indexes. Hackers can also create defacement scripts simply to cause damage, or prop up their own ego.
Replacing system components
Every hacker wants root access to your server, so they can replace any web server component with their own malicious version. Attackers can control entire sites, and add or modify their behavior as they need. They can also remotely control the script to issue redirects or new portions of malicious code. If an attacker hides this component carefully, then it’s difficult to detect. Because the website appears to be working normally.
How to manually remove malware and repair your website
Now let’s assume you’re scanning your site with your favorite cybersecurity software, like Imunify360 or ImunifyAV. Use the following manual inspection techniques to make sure it’s doing a good job and start to manually remove malware.
IMPORTANT: Before continuing, ensure you have a full and working backup of your entire system.
File scanning
Traditionally, Linux-type systems have limited facilities for detailed file scanning and inspection. So let’s use what we have, in the form of find and grep. First, by searching the file system for all modified files within the past 7 days, where the file name extension begins with ph (to cover .php
and .phtml
):
find . -name '*.ph*' -mtime -7
However, what if a hacker considers this first? And resets file modification dates. Then check to see if file attributes have changed. Here’s how to do that for .phtml and .php files.
find . -name '*.ph*' -ctime -7
We can narrow down the period we’re looking at, by using the newermt option of find. Eg. To look for a file changed between the 25th and 30th of January 2019:
find . -name '*.ph*' -newermt 2019-01-25 ! -newermt 2019-01-30 -ls
Now we can introduce the grep command. This can recursively scan for and report patterns in files. Eg. To look for a portion of a URL in any file in the current directory, or any within it:
grep -ril 'example.com/google-analytics/jquery-1.6.5.min.js' *
Permissions checks
If you suspect a breach in your web server or file system, check file permissions. You can do this with the following command:
sudo find / -perm -4000 -o -perm -2000
Check for active processes
If a file system scan shows nothing unusual, take a look at what’s running on the system. See what PHP scripts are running using:
lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","}} END{print str}'` | grep vhosts | grep php
Analyzing malicious code: what to look for
You now know some of the basic techniques to search for files and file content. To go deeper when you manually remove site malware, you need to know what to look for. Here’s a helpful checklist.
Check rarely visited directories
System administrators rarely look in directories like upload, cache, tmp, backup, log, and images, making them ideal locations for hackers to hide malicious files.
Note: On PHP-based CMSes such as Joomla, check directories for .php files in the wrong places. If you’re on a WordPress site, check the wp-content/uploads, and the backup and theme cache directories.
Here’s an example of a command that checks for PHP files in an images folder:
find ./images -name '*.ph*'
Treat any similar files in such places suspiciously.
Files with strange names
Even though file names come in a wide variety, certain names should raise a red flag. Here are some examples:
- php (no extension)
- fyi.php
- n2fd2.php
Note any unusual patterns or combinations in file names, letters, symbols and numbers. File names that are naturally unreadable are:
- srrfwz.php
- ath.php
- kirill.php
- b374k.php.php (double extension)
- tryag.php
Hackers also exploit the habit of some programs that append numbers to copies of existing files. So lookout for files like:
- index9.php
- wp3-login.php
Look for unusual file name extensions
You don’t normally associate certain file name extensions with CMSes like WordPress. So if you see any of these, take note:
- .py (Python code extension)
- .rb (Ruby code extension)
- .pl (Perl code extension)
- .cgi (CGI code extension)
- .so (Shared object extension)
- .c (C source code extension)
Moreover, you also wouldn’t expect to find files with extensions like .phtml or .php3. If you discover any of the above on a PHP-based CMS website, then you should inspect it closely.
Look for non-standard attributes and creation dates on files
Another sign of suspicious files involves the file owner attribute. So you need to watch out for the following:
If you see a number of .php files sent to a server via ftp or sftp were transferred with the owner attribute set to myuser. But in the same directory you see files where the owner attribute is www-data.
You must also check script creation dates. If the date is earlier than website creation, then you need to be suspicious.
Look for large numbers of files
Directories containing hundreds or thousands of files are good places for a hacker to hide malicious scripts and payloads. Such large numbers of files indicate a doorway, or a form of blackhat SEO.
You can detect such directories with the find command. We recommend you start in a specific directory to limit your search and avoid loading a system. The following example helps you find the top 25 directories with the largest number of files.
find ./ -xdev -type d -print0 | while IFS= read -d '' dir; do echo "$(find "$dir" -maxdepth 1 -print0 | grep -zc .) $dir"; done | sort -rn | head -25
(You can read more about file (inode) searching at StackExchange.)
Checking your server logs
You can also check any system through an inspection of the server log files. Here you can learn many things. For example:
- You can tell how the spam email was sent (when and where it was sent from, the access_log file, and what script invoked the mail command).
- You can check FTP logging. Tools such as xferlog tell you what was uploaded or changed, and who did it.
- You can discover the location of any mail-sending PHP scripts with the correct configuration of your mail and PHP servers.
- You can check to see whether your CMS has additional logs to help you track down the source of an attack. This might help you determine whether an attack was external or came in via a CMS plugin.
Both access_log and error_log files are good sources of information. If you know which scripts are the attack vectors, you may be able to find the source IP address, or the HTTP user agent value. You may also be able to see if a POST request was made at the same time of the attack.
Checking the integrity of files
You deal with attacks more easily if you have adequate preparations in place, like recording the state of files in their pristine state. You can then compare them to the same files after an attack. You can do this in various ways:
Use source code control systems such as git, SVN or CVS. In the case of git, you can simply utilize these commands:
git status
git diff
Using source code control ensures you have a backup copy of server files. You can restore these easily in the event of a cyber attack.
Tools that can alert you when anything on a file system changes include:
In some cases, version control isn’t possible. For example, when using shared hosting. One workaround is to use CMS extensions or plugins to monitor file changes. Some CMSes even have their own built-in file integrity.
You can keep track of what files you have at any one time with the command to catalog all the files on a system:
ls -lahR > original_file.txt
You can compare this file later with a fresher copy using comparison tools like WinDiff, AraxisMerge Tool, BeyondCompare, the Linux diff command, or even compare snapshots online. This lets you see what files have been added or removed.
This whole process certainly looks pretty complex. You can always choose to fully automatize it – using for this purpose ImunifyAV.
Comfortable Alternative to a Day’s Work – ImunifyAV
For added confidence, it’s good to know how to manually check your system for problems. And it’s a good way to learn some system administration techniques, like how to manually remove malware. Having a comprehensive server security solution such as ImunifyAV, a free antivirus and anti-malware scanner, is the first step towards a safe and secure website. You can easily upgrade to ImunifyAV+ and get a built-in, one-click, fully automated cleanup feature.
Content Write by Plesk Team