What is malicious code? Finding and removing malicious code on WordPress

This post was prompted by questions from several site owners about how to remove malicious code from their website. Below I will try to describe a sequence of simple steps that does not require any special knowledge and will primarily be useful to beginners in administering Internet resources.

How do you know if a website has become the victim of an attack in which it was hit with malicious code? The first and simplest sign is that the site has stopped working or does not look the way a “healthy” resource should. This may show up as unwanted content appearing, your own content disappearing, or pages that do not load or load with errors. In addition, if your site is added to Yandex or Google webmaster tools, you are likely to receive a notification from these systems about malicious code. In some cases, you can learn about the vulnerability from your browser (screenshot from Google Chrome).

In such cases, it is highly undesirable to try to open the page further.

We are looking for malicious code on the site

We will not go into the motives of the person who planted malicious code on your site, much less try to find that person. Our main goal is to find the “bad” code and remove it. First, scan the resource to detect all “infected” pages; this narrows the search. For example, the malicious code could be placed as a JavaScript script on a single page, say in the content of a post or a comment on it. In that case, the problem can be solved from the site admin panel by removing the code from the content/comment. Otherwise, you have to look for it in the source code of your resource.

To scan a site for vulnerabilities, you can use https://sitecheck.sucuri.net. As a result, you will see something like the following:

As you can see from the screenshot, the “bad” script was found on several pages of the site, so you’ll have to look for it in the source code.

You can access the site's source code in several ways:

  • The easiest way is through the site admin panel. In WordPress, for example, "Appearance" -> "Editor". This method is not entirely convenient because there is no search across file contents, so you have to look through every file separately, very carefully, for the “bad” script.
  • Many blogs, corporate resources, and online stores are located on servers that can be accessed through the hosting control panel. Often this panel is cPanel. To gain access you need to know your login and password. They are usually sent when purchasing hosting to the person making the transaction. After logging into the control panel, you can view absolutely all source files through the “File Manager” and try to find those that contain the detected malicious script.
  • The most convenient way is through an FTP client. If you “communicate” with your resource using an FTP client, you can easily run a search through the contents of the source files.
  • Do not search the source files of your site for the malicious code by pasting it into the search in full. Select a unique part of it, such as googleleadservices.cn in our case, and repeat the search several times.

    Removing malicious code

    Once malicious code is detected, it simply needs to be removed. In our case, the site was running Joomla, and the “bad” script was inserted into index.php in the root directory. That is why the vulnerability was discovered on several pages at once, since this index.php is used when building all pages of the resource.

    Immediately after removing the malicious code, I recommend changing the passwords of all users in the site control panel, and also looking for the experience of other administrators who have encountered this problem. Some additional measures may be necessary.

    Prevention

    Prevention is always better than cure, so I recommend:

  • Use “good” passwords for all site users (long, with numbers, uppercase and lowercase letters).
  • Take seriously and filter content that is not generated on the site by you (guest posts, comments).
  • Do not wait for notifications, but periodically scan the site for vulnerabilities.
  • Update the content management system (WordPress, Joomla, Drupal, ...) promptly.

    Please leave any questions or comments in the comments.

    No one is immune from such a disaster, but “forewarned is forearmed” - isn’t it time to arm yourself...?!

    How to prevent, find and remove malicious code!

    Lately, I’ve been wary of visiting the sites of my visitors - Avast loudly, in a gentle female voice, warns: “Virus attack blocked!” (Soon, you see, it will start swearing!).

    And in my browser I often come across a warning: “This site may threaten the security of your computer.”

    Where do we find THIS or who gives us THIS?
    I don’t know all the secrets, but I’ll share what I know.

    The main culprits for the appearance of malicious code on a website are the website owners themselves! Ignorance of the laws does not exempt you from the consequences of non-compliance!

    • Do not store your passwords on your computer or in your memory.
    • Do not allow the browser to remember login details for websites (password, login).
    • Do not (it is not recommended!) use names, dates or readable phrases as a password.
    • Do not work in the site’s admin panel or open an FTP connection with the antivirus disabled or with no antivirus installed at all.
    • Do not install third-party code on your website without at least visually verifying its “honesty”: if there are links in the code, check where and why they lead.
    • When publishing or editing an article, do not copy text and paste it directly from a Word document; paste it into the editor “as plain text” (button).

    You obviously know about the consequences of site infection: a warning is posted in the search results that it is dangerous to access the site: “Don’t go there - come here...!”

    Attendance drops sharply, and if the administrator does not remove the malicious code for a long time, search engines may regard this as an “abandoned” site or a resource deliberately infected by the owner. As a result, it will be very, very difficult to restore your “good name” and good position.

    In order to keep abreast of all events, be sure to register in the webmaster panels (Yandex and Google).

    Go to “Settings” and turn on “Message delivery” to e-mail. In the Yandex panel, you can also choose which messages to send and which ones to simply save in the correspondence database.

    What does it look like, can you find it, and how can you remove it yourself?

    To be honest, I have only seen one with my own eyes so far (photo 1).

    It was located in the “header” file (header.php) of the template I had selected and downloaded; that is where I found the code.

    Photo 1.

    You should pay special attention to:

    • code that you did not add yourself;
    • script tags that contain links to resources unknown to you, or whose text is jumbled or encrypted (photo 1);
    • scripts or banners with incomprehensible, confusing code or with external links to sites unknown to you;
    • strange links or items left in comments.

    But what can and should be done at the first stage of treatment, if such trouble has come?
  • check your computer for viruses (preferably with several anti-virus programs);
  • change all passwords: hosting, site admin panel, FTP access; and never save them in the browser again, enter them manually every time;
  • in the Yandex and Google webmaster panels, read the tips and notifications regarding infected pages;
  • check the site for a Google “ban” at seobuilding.ru/google-banned.php;
  • check the site with the scanner at sitecheck.sucuri.net/scanner;
  • to search for malicious code in files yourself, connect to the hosting via FTP and sort the files by last modification date (don’t forget to make a copy of the site first!);
  • view the page code in Google Webmaster (“Diagnostics” -> “View as Googlebot”), compare it with the original code, mark third-party code and find out where it comes from and why;
  • download the files and the site database (via FTP) to your computer and check them with antivirus software; I recommend the Dr.Web CureIt utility;
  • remove suspicious code if you are confident in your actions.

    If you can’t cure your site with your own hands, ask for help - on forums, to freelancers, to your hosting... Just don’t procrastinate, remember - your site is not recommended for viewing and search engines expect active actions from you!

    Happy and safe work everyone!

    The truth of life is that the site can be hacked sooner or later. After successfully exploiting the vulnerability, the hacker tries to gain a foothold on the site by placing hacker web shells and downloaders in system directories and introducing backdoors into the script code and CMS database.

    To detect malicious code in files and databases, there are specialized solutions: antiviruses and scanners for hosting. There are not many of them; the popular ones are AI-BOLIT, Linux Malware Detect (maldet) and ClamAV.

    Scanners help detect uploaded web shells, backdoors, phishing pages, spam mailers and other types of malicious scripts, that is, everything they know about and that has been added to the malicious code signature database. Some scanners, such as AI-BOLIT, have a set of heuristic rules that can detect files with suspicious code of the kind often used in malicious scripts, or files with suspicious attributes that may have been uploaded by hackers. But, unfortunately, even if several scanners are used on the hosting, there may be situations where some hacker scripts remain undetected, which in practice means that the attacker keeps a “back door” and can hack the site and gain full control over it at any moment.

    Modern malware and hacker scripts are significantly different from those of 4-5 years ago. Currently, malicious code developers combine obfuscation, encryption, decomposition, external loading of malicious code, and other tricks to fool antivirus software. Therefore, the likelihood of missing new malware is much higher than before.

    What can be done in this case to more effectively detect viruses on the site and hacker scripts on the hosting? It is necessary to use an integrated approach: initial automated scanning and further manual analysis. This article will discuss options for detecting malicious code without scanners.

    First, let's look at what exactly you should look for during a hack.

  • Hacker scripts.
    Most often, the files uploaded during a hack are web shells, backdoors, “uploaders”, scripts for spam mailings, phishing pages plus their form processors, doorways and hack marker files (images with the hacker group’s logo, text files with a “message” from the hackers, etc.)
  • Injections (code injections) into existing files.
    The second most popular type of malicious and hacker code on hosting is injections. Mobile and search redirects can be injected into existing site .htaccess files, backdoors into php/perl scripts, and viral JavaScript fragments or redirects to third-party resources into .js and .html templates. Injections are also possible in media files, for example .jpg. Often malicious code consists of several components: the malicious code itself is stored in the EXIF header of the jpg file and is executed by a small control script whose code does not look suspicious to a scanner.
  • Database injections.
    The database is the third target for a hacker. Static inserts are possible here which redirect visitors to third-party resources, “spy” on them, or infect the visitor’s computer/mobile device as a result of a drive-by attack.
    In addition, in many modern CMS (IPB, vBulletin, modx, etc.), template engines allow you to execute PHP code, and the templates themselves are stored in the database, so the PHP code of web shells and backdoors can be built directly into the database.
  • Injections in caching services.
    As a result of incorrect or unsafe configuration of caching services, for example, memcached, injections into cached data “on the fly” are possible. In some cases, a hacker can inject malicious code into a site's pages without directly hacking the site.
  • Injections/initiated elements in server system components.
    If a hacker has gained privileged (root) access to the server, he can replace elements of the web server or caching server with infected ones. Such a web server will, on the one hand, provide control over the server using control commands, and on the other hand, from time to time introduce dynamic redirects and malicious code into the site’s pages. As in the case of an injection into a caching service, the site administrator will most likely not be able to detect the fact that the site has been hacked, since all the files and the database will be original. This option is the most difficult to treat.
    So, let’s assume that you have already checked the files on the hosting and the database dump with scanners, but they found nothing, and the virus is still on the page or the mobile redirect still fires when pages are opened. How to search further?

    Manual search

    On unix, it's hard to find a more valuable pair of commands for finding files and fragments than find / grep.

    find . -name '*.ph*' -mtime -7

    will find all files that have been changed in the last week. Sometimes hackers “twist” the modification date of scripts so that new scripts are not noticed. In that case you can search for php/phtml files whose attributes (ctime) have changed recently, a timestamp that, unlike mtime, cannot be set with touch:

    find . -name '*.ph*' -ctime -7

    If you need to find changes in a certain time interval, you can use the same find

    find . -name '*.ph*' -newermt 2015-01-25 ! -newermt 2015-01-30 -ls

    To search files, grep is indispensable. It can search recursively through files for a specified fragment

    grep -ril 'stummann.net/steffen/google-analytics/jquery-1.6.5.min.js' *

    When investigating a hacked server, it is useful to analyze files that have the setuid/setgid bit set

    find / -perm -4000 -o -perm -2000

    To determine which scripts are currently running and are loading the hosting CPU, you can call

    lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 } } END { print str }'` | grep vhosts | grep php

    We use our brains and hands to analyze files on hosting
  • Go into the upload, cache, tmp, backup, log and images directories, into which scripts write or users upload files, and check their contents for new files with suspicious extensions. For example, for Joomla you can check for .php files in the images directory: find ./images -name '*.ph*'. Most likely, if something is found there, it is malware.
    For WordPress, it makes sense to check the wp-content/uploads directory, backup and cache theme directories for scripts.
  • Look for files with strange names
    For example, php, fyi.php, n2fd2.php. Such files can be found
    • by non-standard combinations of characters,
    • by the presence of the digits 3, 4, 5, 6, 7, 8, 9 in file names
  • We are looking for files with unusual extensions
    Let's say you have a website on WordPress or a similar PHP CMS; for it, files with the extensions .py, .pl, .cgi, .so, .c, .phtml, .php3 are not quite ordinary. If scripts or files with these extensions are found, they are most likely hacker tools. Some false positives are possible, but their share is not high.
  • We are looking for files with non-standard attributes or creation date
    Suspicion should be raised by files whose attributes differ from those of the rest of the server. For example, all .php scripts were uploaded via ftp/sftp and are owned by the user user, but some were created by the user www-data; it makes sense to check the latter. Or the script file's creation date is earlier than the site's creation date.
    To speed up the search for files with suspicious attributes, it is convenient to use the Unix find command.
  • We are looking for doorways using a large number of .html or .php files
    If there are several thousand .php or .html files in the directory, this is most likely a doorway.
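The checks in this list can be run in one pass. The script below is an added example, not code from the article; it assumes a Linux host with GNU findutils, and the web root, retention window, web-server user name and doorway threshold are hypothetical parameters, not values taken from the article.

```shell
#!/bin/sh
# Added example, not code from the article. Encodes the manual checks above
# (recent .php files, scripts in data directories, odd extensions, files
# owned by the web-server user, doorway directories) as one function.
# Assumes GNU findutils on Linux; all parameter values below are hypothetical.

# triage_webroot ROOT [DAYS] [WEBUSER] [DOORWAY_MIN]
# Prints one line per finding, tagged by category, with paths relative to ROOT.
# Runs in a subshell so the caller's working directory is left untouched.
triage_webroot() (
    root=$1; days=${2:-7}; webuser=${3:-www-data}; doorway_min=${4:-1000}
    cd "$root" || exit 1

    # 1. PHP-like scripts whose content (mtime) or inode (ctime) changed recently.
    #    ctime cannot be back-dated with touch, so it also catches "twisted" mtimes.
    find . -type f -name '*.ph*' \( -mtime -"$days" -o -ctime -"$days" \) \
        | sed 's/^/[recent]  /'

    # 2. Executable scripts inside directories that should only receive data.
    for d in images uploads wp-content/uploads cache tmp backup log logs; do
        if [ -d "$d" ]; then
            find "./$d" -type f -name '*.ph*' | sed 's/^/[upload]  /'
        fi
    done

    # 3. Extensions that are out of place on a PHP-based CMS.
    find . -type f \( -name '*.py' -o -name '*.pl' -o -name '*.cgi' -o -name '*.so' \
        -o -name '*.c' -o -name '*.phtml' -o -name '*.php3' \) | sed 's/^/[ext]     /'

    # 4. Scripts owned by the web-server account instead of the deploying user
    #    (a script the web server wrote itself is a strong hint of an upload).
    find . -type f -name '*.ph*' -user "$webuser" 2>/dev/null | sed 's/^/[owner]   /' || true

    # 5. Directories stuffed with .php/.html pages (doorways).
    find . -type d | while read -r d; do
        n=$(find "$d" -maxdepth 1 -type f \( -name '*.php' -o -name '*.html' \) | wc -l | tr -d ' ')
        if [ "$n" -ge "$doorway_min" ]; then
            echo "[doorway] $d ($n files)"
        fi
    done
)

# Stand-alone use: triage_webroot /path/to/webroot 7 www-data
if [ $# -gt 0 ]; then
    triage_webroot "$@"
fi
```

Every hit still needs a human look: a legitimate plugin may ship a .phtml file, and a deploy script run as the web-server user will make every script show up under [owner].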
    Logs to help

    Web server, email service and FTP logs can be used to detect malicious and hacker scripts.

    • Correlating the date and time of sending a letter (which can be found from the mail server log or the service header of a spam letter) with requests from the access_log helps to identify the method of sending spam or find the spam sender's script.
    • Analyzing the FTP transfer log (xferlog) shows which files were uploaded at the time of the hack, which were changed, and by whom.
    • In a correctly configured mail server log or in the service header of a spam email, if PHP is correctly configured, there will be a name or full path to the sending script, which helps determine the source of spam.
    • Using the logs of proactive protection of modern CMS and plugins, you can determine what attacks were carried out on the site and whether the CMS was able to resist them.
    • Using access_log and error_log, you can analyze the actions of a hacker if you know the names of the scripts that he called, the IP address or User Agent. As a last resort, you can view POST requests on the day the site was hacked and infected. Often the analysis allows you to find other hacker scripts that were downloaded or were already on the server at the time of the hack.
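The correlation described in the first and last points, as an added example that is not part of the article: given the time a spam message was sent, list the POST requests in the combined-format access_log close to that time, grouped by script and client address. The log lines are constructed sample data; the addresses, paths and times are invented.

```shell
#!/bin/sh
# Added example, not code from the article. Correlates a known spam-sending
# time with POST requests in an Apache/nginx combined-format access_log, which
# is how the sender script is usually found. The log lines are constructed
# sample data; IPs, paths and times are invented, not taken from the article.

# posts_around ACCESS_LOG 'DD/Mon/YYYY:HH:MM:SS' [WINDOW_SECONDS]
# Prints "count<TAB>path from IP" for every POST within +/- WINDOW of the
# reference time, most frequent first. Caveats: the window does not cross
# midnight, and all lines are assumed to share the log's time zone.
posts_around() {
    awk -v ref="$2" -v win="${3:-60}" '
        # "DD/Mon/YYYY:HH:MM:SS" -> seconds since midnight
        function secs(ts,   a) { split(ts, a, ":"); return a[2]*3600 + a[3]*60 + a[4] }
        function day(ts)       { return substr(ts, 1, 11) }
        BEGIN { rs = secs(ref); rd = day(ref) }
        $6 == "\"POST" {
            ts = substr($4, 2)               # drop the leading "["
            if (day(ts) != rd) next
            d = secs(ts) - rs; if (d < 0) d = -d
            if (d <= win) n[$7 " from " $1]++
        }
        END { for (k in n) print n[k] "\t" k }
    ' "$1" | sort -rn
}

# Constructed sample log: the spam e-mail was sent at 14:04:00 on this day.
SAMPLE_LOG='203.0.113.7 - - [25/Jan/2015:14:03:17 +0300] "POST /wp-content/uploads/n2fd2.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Jan/2015:14:03:40 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2015:14:04:02 +0300] "POST /wp-content/uploads/n2fd2.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Jan/2015:09:15:00 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2015:14:05:55 +0300] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Writes the sample to a temp file and runs the correlation for a 2-minute window.
demo_posts_around() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    posts_around "$f" '25/Jan/2015:14:04:00' 120
    rm -f "$f"
}

demo_posts_around
```

On the sample data the script that was POSTed to twice around the send time, from the same address, floats to the top; on a real log, narrow the window until only one or two scripts remain and then grep the log for that path and address to see when it first appeared.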
    Integrity control

    It is much easier to analyze a hack and look for malicious scripts on a website if you take care of its security in advance. The integrity check procedure helps to timely detect changes in the hosting and determine the fact of hacking. One of the simplest and most effective ways is to put the site under a version control system (git, svn, cvs). If you configure .gitignore correctly, the change control process looks like calling the git status command, and searching for malicious scripts and changed files looks like git diff.

    Also, you will always have a backup copy of your files, to which you can “roll back” the site in a matter of seconds. Server administrators and advanced webmasters can use inotify, tripwire, auditd and other mechanisms to track access to files and directories, and monitor changes in the file system.

    Unfortunately, it is not always possible to configure a version control system or third-party services on the server. In the case of shared hosting, it will not be possible to install a version control system and system services. But it doesn’t matter, there are quite a lot of ready-made solutions for CMS. You can install a plugin or a separate script on the site that will track changes in files. Some CMS already implement effective change monitoring and an integrity check mechanism (For example, Bitrix, DLE). As a last resort, if the hosting has ssh, you can create a reference snapshot of the file system with the command

    ls -lahR > original_file.txt

    and if problems arise, create a new snapshot in another file, then compare them in WinDiff, Araxis Merge or Beyond Compare.
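A listing from ls -lahR misses a file whose content was replaced but whose size and timestamps were preserved. The following is an added example, not code from the article, that builds the snapshot as a sha256 manifest instead and reports added, removed and modified paths; it assumes coreutils sha256sum (or shasum) is available on the host, and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the article. Replaces the "ls -lahR" snapshot
# with a sha256 manifest, so that a file whose size and timestamps were
# preserved but whose content changed is still reported. Assumes coreutils
# sha256sum or Perl shasum is present; the paths mentioned are hypothetical.

# Hash one file in "HASH  PATH" form with whichever tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# snapshot_dir ROOT OUTFILE: manifest of every regular file under ROOT, sorted by path.
snapshot_dir() {
    (
        cd "$1" || exit 1
        find . -type f | while read -r f; do hash_file "$f"; done | sort -k 2
    ) > "$2"
}

# compare_snapshots OLD NEW: one line per added, removed or modified path.
# The path is taken from column 67 onward (64 hex chars + two spaces), so
# file names containing spaces are handled; names containing newlines are not.
compare_snapshots() {
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        f != 2 { old[p] = h; next }              # first file: reference manifest
        {
            if (!(p in old))        print "added    " p
            else if (old[p] != h)   print "modified " p
            seen[p] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed  " p }
    ' "$1" f=2 "$2" | sort
}

# Typical use: snapshot_dir /var/www/html original_manifest.txt right after
# deployment, then after an incident snapshot again and diff the two.
if [ $# -eq 2 ]; then
    snapshot_dir "$1" "$2"
fi
```

Keep the reference manifest off the web root (or at least outside the document tree), otherwise an attacker with write access can simply regenerate it.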

    Epilogue

    In most cases, antivirus software developers and scanners do not keep up with malware developers, so when diagnosing and treating sites, you cannot rely only on automated software solutions and scripts. Using a heuristic approach, the rich operating system tools and CMS capabilities, you can find malicious code that antiviruses and scanners could not detect. Using manual analysis makes the website treatment process better and more efficient.

    Periodically checking your site for harmful viruses is necessary; this is the first commandment of any self-respecting webmaster. Even if you use a clean Twenty Eleven theme, it is not a fact that over time it also did not become infected. This phenomenon can (and most often does) occur due to the fact that the WordPress engine itself was originally designed for online publishing. So it never hurts to check again and make a copy of the site and database.

    For example, I (after some time, of course) made one conclusion for myself - you just need a good hoster, and your problems with backup will disappear by themselves. I don’t need to make database or website backups now - the hoster does everything for me, and automatically. At any time, if you wish, you can order a copy of any section of your blog (and not only), download this copy, or restore the blog directly from the control panel. That is, I don’t need to download a backup, everything happens automatically - backup, restore, etc. This is convenient because I can track, not just daily, but hourly, when a virus appeared on my blog and, accordingly, take measures to eliminate it.

    I'll start with the good news - at least two plugins that I have used give good results in detecting and localizing malicious code. These are the AntiVirus and Exploit Scanner plugins. You won't believe how much harmful code is on your blog! But don't take all the resulting information after checking as dogma - many of the lines that these plugins detect don't actually mean anything bad. The plugin just questions some lines, that's all. To make sure of this, manually check those fragments that the plugin has identified as malicious. So, when checking with the AntiVirus plugin, it turned out that even a simple call to the function get_cache_file() is already considered suspicious by the plugin. So all check results will have to be tracked manually. But this, for example, is a really infected link, and it needs to be removed:

    How do you know whether it is a virus or just how things should be? Very simple: take your clean template (if you have one) and compare it, file by file, with the one that is installed and has already undergone some changes. A direct comparison is not even necessary; just search your blank template for the line that the plugin highlighted. If it is there, click the “This is not a virus” button, and this line will be ignored during the next scan.

    And here is an example of the second plugin we tested - Exploit Scanner

    As you can see, everything is much more neglected here. For me, this result was shocking. But that's not all. The plugin has a function called check. So, if you turn it on, it turns out that the blog should consist of text and, at most, a couple of CSS tables. So, it seems to me that the author of the plugin clearly overdid it with security here. It’s good that the plugin simply shows suspected infected fragments and does not clean them.

    After analyzing all the lines highlighted in yellow, you can easily detect malware (malicious code); well, decide for yourself what to do with it next. The cleaning method is still the same: compare the selected code with a site backup (see) and, if you find discrepancies, find out whether you made them yourself or someone did it for you, in which case it is no longer good and may turn out to be a virus. Even WordPress developers recommend checking your site for malicious code with this plugin. But there are harmless inserts, for example into the body of an iframe, which the plugin can also identify as infected code. In reality, without these lines, this area of your blog will not work correctly.

    How can malware even get into blog files, and what is it by definition? The word malware is short for malicious software. It is any software that can be used for unauthorized access to the site and its content. You can probably imagine that for an average hacker, hacking a website is not difficult, especially after registration. After that, the blog content can be modified as they wish; it would be educational.

    Malicious malware can be inserted into plugins that you install from an unknown source, and into scripts that you also sometimes take without checking, but trusting the author. The most harmless malware is a link to the author of any module that you installed on the site. And if the author himself did not warn you that such a link exists, then this is a pure virus.

    So, I installed a new theme on a test blog, and after deleting one harmless link to some kind of men's club in the footer of the site, it stopped opening altogether, and the main page showed the message “You do not have the right to delete links.” That's a free theme for you. You can read about how to rip out such rogue links.

    Your database can also be used to run virus-containing code. Spam links are also very often added to posts or comments. Such links are usually hidden using CSS so that an inexperienced administrator will not see them, but the search engine recognizes them immediately. Of course, this is where an antispam tool comes into play, for example the same one that is licensed, tested and double-checked many times. A hacker can upload files with image file extensions and hook them into the code of your active plugins. Therefore, even if a file does not have a .php extension, the code in that file can be executed.

    There is another simple tool with which I started getting acquainted with malware - the Theme Authenticity Checker (TAC) plugin. This is a lightweight and quite effective tool, but it only checks your themes, even inactive ones. It doesn’t touch the rest of the directories, and that’s its downside. This is what checking my current theme with this plugin gave me:

    Two warnings in the active theme, and nothing more. There is no malicious code. By the way, these are the links that I inserted myself on the advice of Google - to improve the quality of the snippet (displaying personal data, organization address, etc.). But this is only a check of the theme files, and you will have to find out what is going on in other directories either using other plugins or online services. For example, a service (it’s really trustworthy) like Yandex Webmaster or a similar one at Google. They have a function for checking any web resource for the presence of malicious inclusions, and they do it efficiently. But if this is not enough for you, then compare the results with the results on other services and draw conclusions.

    For some reason I want to trust Yandex, not plugins. Another good resource is http://2ip.ru/site-virus-scanner/. After checking one of my blogs, this is what I found:

    Here you can also check individual files for malicious code if you have any doubts. In general, the service is not bad.

    From all that has been said, I would draw the following conclusions:

    1. To prevent the appearance of malicious code, you must first of all use proven services for downloading files - plugins, themes, etc.

    2. Regularly make backup copies of everything that the site contains - databases, content, admin panel, including downloaded third-party files.

    3. Take advantage of the updates that WordPress offers. At least they do not contain viruses, although they are not always functionally justified. But by updating, you thereby remove any viruses that may be present.

    4. Delete unused themes, plugins, images and files without regret - this is another escape route for malware that you may never even guess about.

    5. Properly password-protect your FTP access, the phpMyAdmin login, the admin panel, and in general anything that no one but you should have access to.

    6. Try (even if your desire is as great as the sky) not to change or replace WordPress core files - developers know better what should work and how.

    7. After detecting and removing viruses, change all passwords. I think you will have a great desire to make a password of 148 characters in mixed case with special characters. But don’t get carried away with overly complex passwords: you may lose it, and then you’ll have to restore everything, which is not very pleasant.

    All these methods and components that I have described that will help you get rid of viruses are, of course, free, of course, almost homemade, and of course, they do not provide a 100% guarantee that your site will be cleaned of malicious inserts. Therefore, if you are already concerned about cleaning your blog, then it is better to contact professionals, for example, the Sucuri service (http://sucuri.net/). Here your site will be thoroughly monitored, practical recommendations will be given, which will be sent to you by letter, and if you do not want to clean up the site yourself, then specialists are at your service who will do everything in the best possible way within 4 hours:

    Well, this is what my test blog looks like after monitoring, and this despite the fact that other methods (home-grown) always show different results. As you can see, the test is free, but if viruses are detected, you should pay to remove them without harm to the site (unless, of course, you are a guru in cleaning your blog from malware).

    Let me emphasize once again: hackers do not sleep, viruses are constantly being updated, and it is impossible to keep track of everything on your own. All the innovations are so carefully hidden and disguised that only a team of professionals can reveal them, not the self-taught blogger that many of us are. This is why manual detection and removal of malware is so ineffective: no experience means no result, but the virus remains. Use licensed programs and entrust the removal of the danger to professionals.

    What is malicious code and how to get rid of it

    Every webmaster who discovers malicious code on his website receives a lot of not very pleasant experiences. The site owner immediately, in a panic, tries to find and destroy the virus, and understand how this nasty thing could get onto his site. But as practice shows, finding malicious code on a website is not so easy. After all, a virus can be registered in one or several files, a huge number of which make up a website, be it an engine running on WordPress or a regular one on html.

    Yesterday, while checking my email, I discovered a letter from Google stating that visiting certain pages of my site could lead to the infection of users' computers with malware. Now, users who access these pages via links in Google.ru search results are shown a warning page. This site was not added to my Google Webmaster Panel, so I was notified by email. I had several more sites in the webmaster panel; when I went there, I was horrified to see a warning about malicious code on two more of my sites.
    As a result, malicious code settled on three of my sites, which I had to find and destroy. One of the sites ran on WordPress, the other two consisted of regular PHP pages.

    It is worth noting that Google reacted much faster than Yandex to the presence of malicious code. In the Yandex webmaster panel, a warning about the presence of a virus on the site did not appear. Fortunately, within a few hours I managed to find this unfortunate virus.

    As a rule, most often sites are infected by the so-called iframe virus. Essentially, this virus consists of code... . The virus steals all passwords from Total Commander or another ftp client. In my case, the same thing happened; the iframe code was written into several dozen files on my site. On the site, which ran on WordPress, the malicious code managed to settle only in footer.php.

    And so, how to find malicious code if you find that your site is infected:

    1. Go to your hosting control panel and change your password. If you have several sites, then we do this with all of our sites.

    2. Change and delete passwords in the ftp client. We never store passwords in ftp clients anymore; we always enter them manually.

    3. You can connect to the hosting via ftp and see what has changed in your files. Sort files by last modified date. The infected files will have the most recent, and the same, modification date. Open these files and look for the iframe code; usually it is located at the very end. Mostly, malicious code is written into the following files: index.php, index.html, and files with the .js extension. Often this infection lives between the tags... .
    For self-written sites, look very carefully at all files and folders of scripts; the virus is often written there. Also, the favorite habitat of this virus is in counter codes for the site, and in advertising codes.

    As for WordPress files or other CMS, as a rule, any CMS consists of many files and folders, and it is very difficult to find malicious code in them. For example, for WordPress I can recommend the TAC plugin. This plugin checks files in all themes in the themes folder for third-party code. If TAC finds unwanted code, it will show the path to the file. Thus it is possible to track down the disguised virus.
    Download TAC plugin: wordpress.org

    In general, you should constantly keep in mind all the actions that you performed with your site files. Remember what was changed or added to this or that code.

    Once you find and remove malicious code, it doesn’t hurt to check your computer for viruses.
    And if your site was marked by Google or Yandex as infected, then you need to send a request for a re-check through the webmaster panel. As a rule, search engines should remove all restrictions from your site within 24 hours. It didn’t take long for Google to process my request for re-verification, and after a few hours all restrictions were removed from my sites.
