How to find a malicious link on a large site?

Started by maxikk, Jul 10, 2022, 07:46 AM

Previous topic - Next topic

maxikkTopic starter

It all started with the fact that our site was blocked in the social network Facebook. The essence of the blocking is that when you go from the social network following the link of our site, a window pops up with the message "You are trying to go to a site that steals Facebook logins and passwords ...". We got very tense about this and started looking, but neither we, nor any automated virus / code search services found anything. (However, the search was not so diligent, since not specialists in computer security).

In short, we didn't find anything. Therefore, we decided that we were blocked by mistake and began to download rights in support of FB. They answered us there again that "We checked you manually and there is no error, your blocking is eternal." After a few more days of finding out why the blocking was and how exactly we steal passwords, they explained to us "You still haven't fixed: ....... Please check the site more carefully."

Clearly, this site is a phishing site. The specifics appeared, but even knowing the address to which our site refers, we could not find which page links :( And we do not know what form this link can be.

Colleagues, please help me find a malicious link or tell me a service that can do this. Facebook support responds very briefly and reluctantly. Perhaps the link is in the form of html code, perhaps in the form of JS, or it may even be generated by a seemingly harmless script for a menu or a banner.


Here is a simple procedure:

grep search  on files in the site directory, execute the command:

grep -rl "bad_site_name" .

Then look for the same thing in the database, for example, through phpMyAdmin

If there is nothing, then the link can be encoded, for example, in base64 - here ai-bolit will come to the rescue in paranoid mode.
Carefully remove all base64 inclusions that should not be.


Hi! Malicious links are a terrible thing that is simply unbearable and prevents you from living in peace. I have faced such a problem myself. I most often check online in the service .


If it's hard to look for them yourself, there are plenty of sites that looking for malicious links automatically, but the easiest way is just find them in database (as an admin of course)


Most cPanel hosting providers contain a ClamAV virus scanner, which allows you to protect your web site from possible threats on the server.
Advantages: open source antivirus code, fighting Trojans, malicious scripts and programs.
Disadvantages: the scanner does not detect exploits well.

ISPmanager is a paid web hosting software with which you can manage web servers, database servers and other similar programs. Detection and treatment of Trojans, shells, phishing pages is carried out using ImunifyAV.

Maldet. Linux Malware Detect, abbreviated as LMD — a special site/exploit scanner. That group also contains CXS and ConfigServer eXploit Scanner.

Advantages: these are tools that run at the server level and are not limited to the PHP interpreter. Therefore, they can work more reliably and faster, and also find malicious code better. In addition, commercial CXS has a heuristic scan that detects suspicious objects.

Disadvantages: viruses are poorly detected. CXS relies on the free ClamAV for this, which has small databases of virus signatures. In addition, both scanners are console utilities. Therefore, in order to apply them, preparation is needed.

These tools are very rarely suitable for use on hosting. The ideal way to use both is on a VPS or a dedicated server.

Virusdie is a cloud-based antivirus and firewall for a site. The firewall is designed to protect resources from viruses, hаcker attacks and malware downloads. Antivirus allows you to quickly find and remove redirects, shels, Trojans on sites and servers.
Advantages: thanks to the software, you can find out that the web site is on a blacklist and remove these sanctions.
Disadvantages: the service is available on a paid basis, for correct operation it is better not to use the automatic resource treatment mode.

CloudScan.Pro is a hybrid or cloud scanner.
With such a scan, the web site files are moved to the cloud of the company providing the service, and the analysis is carried out in it. Unfortunately, we could not find cloud scanners that would allow free testing.

ClamAV, as well as Comodo, Kaspersky, Avast, belong to specialized virus scanners. Software in the likeness of Avast is commonly called and considered an antivirus. These programs are usually installed on most Windows PCs.

Advantages: common, well detect viruses.
Disadvantages: exploits are very poorly detected.

Virustotal is a file processing aggregator. That tool aggregates the processing of files by various antiviruses.

Advantages: it can be used for free to search for viruses in downloaded files.
Disadvantages: the same as in virus scanners.