Virus on the site?

Started by Ravina123, Aug 20, 2022, 12:15 AM


Ravina123 (Topic starter)

Basically, Google put my website into its database of unsafe sites, although there was no apparent reason: it opened as usual and the antivirus did not complain.
Since this happens infrequently, the infected .htaccess was not found immediately, but that's not the point.
Please tell me how to find such rubbish and where I can have it scanned, so as not to wait to be thrown out of the search results.


Quite often they add spam scripts. If you have ssh access, you can log in as root and start the search from the account's root directory:
grep -rl 'v3c6e0b8a' ./*
grep -rl 'FilesMan' ./*
grep -rl 'eval(base64_decode' ./*

This helps to detect spam scripts. It is also common to add .html pages with links to "fun" websites. They can only be looked for by hand, but usually nobody bothers, so they drop them in the site root.
So the general advice: keep the CMS at the latest version and the chance of hacking tends to zero.
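Added example, not code from this thread or any of its posters: the three grep patterns from the reply above, run as one small script over a constructed site tree (the temp directory, file names and contents are hypothetical), so you can see which files each pattern flags and that a legitimate base64_decode call is not reported by the stricter eval(base64_decode pattern.

```shell
#!/bin/sh
# Added example, not code from this thread: build a small constructed site
# tree and run the three grep patterns from the post over it, collecting the
# hits in one tab-separated report.
set -eu

# make_sample_site: constructed sample tree in a temp dir (paths hypothetical)
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/include" "$site/uploads"
    printf '<?php echo "hello"; ?>\n' > "$site/index.php"
    # "FilesMan" is the marker the post greps for (seen in dropped file managers)
    printf '<?php $auth_pass = "x"; /* FilesMan */ ?>\n' > "$site/include/helper.php"
    # encoded payload loader: the eval(base64_decode pattern (decodes to "echo 1;")
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$site/uploads/cache.php"
    # legitimate base64_decode call: the strict pattern must NOT report it
    printf '<?php $d = base64_decode($in); ?>\n' > "$site/include/legit.php"
    echo "$site"
}

# scan_site DIR: prints "pattern<TAB>relative-file" for every match
scan_site() {
    dir=$1
    for pat in 'v3c6e0b8a' 'FilesMan' 'eval(base64_decode'; do
        # -r recurse, -l file names only, -F fixed string so "(" is literal
        grep -rlF -- "$pat" "$dir" 2>/dev/null | while IFS= read -r f; do
            printf '%s\t%s\n' "$pat" "${f#"$dir"/}"
        done
    done
}

# count_hits DIR: number of distinct flagged files
count_hits() {
    scan_site "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed tree, then clean up.
site=$(make_sample_site)
scan_site "$site"
echo "flagged files: $(count_hits "$site")"
rm -rf "$site"
```

On the constructed tree this flags include/helper.php (FilesMan) and uploads/cache.php (eval(base64_decode) and nothing for the v3c6e0b8a string; as the later posts in this thread also say, a hit is a file to inspect, not yet proof that it is malicious.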


Preventive measures:
In order to protect yourself from hacking as much as possible, it is advisable to adhere to the following rules:
1. Update the software on the server in a timely manner;
2. Update the CMS in a timely manner;
3. Make backup copies in a timely manner;
4. Use strong passwords. It is desirable that the passwords you use contain at least 8 characters, including numbers and special characters ($%#/*);
5. If possible, do not store passwords in clear text;
6. Use the minimum possible access rights to folders and files.

Virus Scan

So, you suspect that you have a virus on your website. To begin with, it is worth finding out whether this is so. It will be useful to study the website using, for example, Firebug. If, when loading the site or a page, we see suspicious activity on the Network or Console tabs (a redirect, an iframe loading, extraneous pages or files loading), there is reason for concern. Next, try "feeding" your site's URL to online services such as antivirus-alarm or They will help determine whether your sites contain malicious code. Once the services have run, you only have to look at the files indicated in their output. Most often, malicious code is written at the beginning or at the end of a file. So, the online service found something or did not, but you still suspect that the scripts are infected. It's time to start the manual inspection.

Surface inspection.
find /home/user/data/www/ -type f -mtime -20
This command will help you find website files that were modified less than 20 days ago. If you know the approximate date of infection, you can quickly find the files you need by changing the -mtime option's value.
Examining the ftp log file (/var/log/xferlog, for example) will also help in the search for viruses if the infection was carried out via ftp.

Such a record tells us that on June 19 a 16 kB virus.php file was uploaded via ftp to the include folder by the user user from ip address <IP>. Pay attention to the i flag in the entry, which tells us that the file was uploaded to the server.
It is also likely to be useful to look at the directories available to the general public. These are directories such as uploads, image, etc., i.e. those that site users can write to.
file /home/user/data/www/* | grep -i php
will show php files in the uploads folder, regardless of their extension. It is unlikely that you allow your visitors to upload php files to the server. And if it's a php file pretending to be a picture... For example
file in.jpg
in.jpg: PHP script text
Detailed inspection.
Let's say you didn't find anything on a superficial examination. Let's move on to a detailed study.

Post Merge: Aug 20, 2022, 01:16 AM

It happens that redirects are written in htaccess files.

find /home/user/data/www/ -type f -iname '*htaccess'
This command will help you find all htaccess files for the website. Examine these files carefully for extraneous redirects.
php/js code
Malicious code can be searched for manually by patterns. Most often, this is either code encoded in base64 or code obfuscated according to a certain algorithm. It makes sense to look for the following most common patterns:
FilesMan, try{document.body, String["fromCharCode"], auth_pass, fromCharCode, shell_exec, passthru, system, base64_decode, chmod, passwd, mkdir, eval(str_replace, eval(gzinflate, ="";function, "ev" +"al",md5=,ss+st.fromCharCode, e2aa4e
You can search for malicious code using the grep command, for example
grep -ril base64_decode /home/user/
will show all files in the folder that contain base64_decode. Generally speaking, some of these functions and variables can be used in code for quite legal reasons, so before deleting or cleaning a file, make sure that it is malicious code. Also, before deleting, I recommend making a backup copy of the site.

If you find malicious code on the website, do not rush to edit the file. Look at it first with the stat command.
In the output, you will see the date of the last access, modification, and file attribute changes. This can help set the time and date of the breach. By these dates, you can search for files and events in the logs, as shown at the beginning of the article.
In order to remove malicious code from a file, the following construction can be used

Remember that the listed actions do not guarantee complete cleanup of your scripts!!! If there are still doubts, it is better to restore the nearest backup.
Actions after cleaning

After cleaning up your scripts, it is advisable to do the following:
- change passwords for access to your server;
- update the CMS you use and all related software (plugins, modules);
- make a clean backup of the website.
These actions will reduce the likelihood of subsequent hacking and protect against data loss.
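Added example, not code from this thread or any of its posters: the surface-inspection steps of the post above (find -mtime for recently changed files, spotting PHP stored under an image name, htaccess files that redirect elsewhere, then stat on what was flagged) as shell functions over a constructed site tree. The temp directory, file names and contents are hypothetical; the post uses file(1) to recognise "PHP script text", while this example greps the first line for the PHP open tag so it runs on any box.

```shell
#!/bin/sh
# Added example, not code from this thread: the surface-inspection steps from
# the post (recently modified files, PHP hiding behind another extension,
# htaccess files with redirects, then stat on whatever was flagged) as shell
# functions over a constructed site tree.
set -eu

# make_sample_site: constructed sample tree in a temp dir (paths hypothetical)
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/uploads"
    printf '<?php echo "ok"; ?>\n' > "$site/index.php"
    printf 'RewriteEngine On\n' > "$site/.htaccess"
    printf 'JFIF-not-really-an-image\n' > "$site/uploads/photo.jpg"
    # a PHP script stored under an image name, as in the post's "file in.jpg"
    printf '<?php echo "not a picture"; ?>\n' > "$site/uploads/in.jpg"
    # a dropped htaccess that sends some visitors to an outside host
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} bot\nRewriteRule .* http://example.invalid/ [R,L]\n' \
        > "$site/uploads/.htaccess"
    # age the original files so that -mtime -20 only reports the recent ones
    touch -t 202201010000 "$site/index.php" "$site/.htaccess" "$site/uploads/photo.jpg"
    echo "$site"
}

# recent_files DIR DAYS: files modified less than DAYS days ago (find -mtime)
recent_files() {
    find "$1" -type f -mtime "-$2"
}

# disguised_php DIR: files without a .php extension whose first line carries
# a PHP open tag (the post does this with file(1); grep is used for portability)
disguised_php() {
    find "$1" -type f ! -name '*.php' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -q '<?php'; then echo "$f"; fi
    done
}

# redirecting_htaccess DIR: htaccess files with a Redirect/RewriteRule to an absolute URL
redirecting_htaccess() {
    find "$1" -type f -iname '*htaccess' | while IFS= read -r f; do
        if grep -Eiq '^[[:space:]]*(Redirect|RewriteRule)[^#]*https?://' "$f"; then echo "$f"; fi
    done
}

# Stand-alone run: list findings, then stat each flagged file (its modify and
# change times give the window to search in the logs, as the post says).
site=$(make_sample_site)
echo "modified in the last 20 days:"; recent_files "$site" 20
echo "PHP behind another extension:"; disguised_php "$site"
echo "htaccess with redirects:"; redirecting_htaccess "$site"
for f in $(disguised_php "$site") $(redirecting_htaccess "$site"); do
    stat "$f" 2>/dev/null || ls -l "$f"
done
rm -rf "$site"
```

On the constructed tree only uploads/in.jpg and uploads/.htaccess show up as recent, in.jpg is the one file carrying PHP behind another extension, and uploads/.htaccess is the only htaccess with an outbound redirect; on a real site, treat each finding as something to verify against a clean backup before editing, as the post recommends.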


To prevent the "disease" of websites and computers, follow the following rules:

Refuse to use the password saving function in your FTP client. The virus steals passwords using this functionality of popular FTP clients.
Use secure FTPS or SFTP. A secure connection will help prevent third parties from accessing your data. Read more on this page.
Allow FTP access to your account only from known IP addresses. How to do this is described on this page. But we recommend disabling FTP access and enabling it only temporarily if necessary. How to do this, read our instructions for sites on virtual hosting and cloud for CMS.
Do not use unlicensed CMS and their plugins. Updates may be disabled in them, or even spyware and backdoors may be embedded for unauthorized site management. Use CMS versions and extensions downloaded only from official websites or from popular directory web sites.

Follow the updates of the CMS used and always install them on time. If there is no automatic notification of updates in the CMS, you can subscribe to the news on the official web site.
Update CMS plugins in a timely manner. If the author does not support the plugin, it is better to find an alternative. Delete extensions that you don't use. Pay special attention to plugins that are responsible for receiving information from site users: for example, for feedback or downloading files.
Keep an eye on the release of security patches for the CMS and its extensions.
Over time, various vulnerabilities may appear in the code, but updates will help fix them.

Do not use older versions of browsers. Update browser versions regularly.
Use an antivirus and a firewall. Try to download security updates from Microsoft on time, update antivirus databases and check your computer.
Do not use the same and simple passwords.
Do not use the ability to remember passwords in the browser. Do not make life easier for intruders — try to remember your passwords or use special password manager programs.
These measures will help you protect your computer and website from hacking and thereby save valuable information.

Hacking of a website cannot always be prevented. The program monitors running scripts and checks them for characteristic signs of malicious code. If matches are found, the system will block such a script.

What to do if your site is infected
Follow the steps below in the specified sequence:

Close FTP access to your account. How to do this is described on this page. Delete all saved connection accounts from your FTP client and recreate them without using the password saving feature.
Update your antivirus databases. If you don't have an antivirus, install it. Check your computer and remove any viruses found. If no viruses are found, make sure that the antivirus databases are updated or try another antivirus.

Delete the code that was inserted into the pages of your site without your knowledge, or restore the files from the backup. But first make sure it is not infected. If you are not sure that you have cleaned everything up, contact technical support specialists.
Update the CMS version and its plugins, remove outdated extensions and those that you do not use.
If the site was accessed via FTP from several computers, then steps 2 to 6 must be repeated on each of them.

The main reasons for the appearance of viruses on the site are the theft of the FTP password and vulnerabilities in CMS and plugins.
Google Search Console will help you immediately find out about the site infection.
It is better not to save passwords in FTP clients, and enable FTP access only when it is needed.
You should update the CMS and plugins in time, remove unnecessary extensions and periodically check the website with an antivirus.