27 March 2018

Victoria Fedoseenko

Content manager

Virus on website — how to remove and prevent

Nobody wants to find their website's data stolen one day, or to discover that it has become a source of infection for other websites. However, it happens.

Usually, a website gets infected through its content management system (CMS) and the plugins written for it. There are two common scenarios. You may download an infected file from an unofficial source, or an official plugin or update may contain errors that hackers can use. Such errors are called vulnerabilities.

Hackers collect information about vulnerabilities and scan many websites to find a victim. When they find one, they use the vulnerability to upload malware that sends spam, steals data or redirects users to other websites.

Other scenarios are possible, but the chances are lower.

How can I understand that my website is infected?

In most cases the alarm is raised by a browser, a desktop antivirus or the webmaster tools panel of a search engine. To be sure, you may use the following free services:

What should I do if my website is infected?

Update your software. As soon as new vulnerabilities are discovered, software developers release updates containing patches that fix them. We recommend downloading updates only from the official websites: WordPress, Joomla!, Drupal. You may also use KernelCare to update the OS kernel automatically: it installs the newest patches without rebooting the server. The KernelCare integration module can be installed in ISPmanager.

Delete unauthorized plugins. Install only plugins obtained from their official developers. If you find a “free copy” of a commercial plugin, there is a high chance that it contains malware. It is always better to pay for authentic software than to cure an infected website.

Change passwords. A widespread scenario is a virus infecting a website with an administrator’s FTP or CMS password that was stolen from their email or desktop computer. Change the passwords for the server control panel, FTP/SSH accounts, MySQL and the CMS. Use only strong passwords of more than 10 characters containing upper- and lower-case letters, special characters and digits. You may use the following free services to generate such passwords: 1, 2.

Configure access rights to files. Use FTP or ISPmanager to set the access rights (permissions) on your website’s files. The permissions determine who can read, write and execute each file. We recommend 644 for website files (644 means that only the file’s owner can change it, while everyone else, including the web server, can only read it). For directories, set 755, which means the owner can read and modify the directory while other users can only read and enter it.
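As an added example (not part of the original article), the following POSIX shell script first reports every file under a site directory that is not 644 and every directory that is not 755, and then applies those values with one command each. The site path is an argument you supply; directories that the web server itself must write into (upload folders, caches) are an assumed exception that you should re-open deliberately after running it.

```shell
#!/bin/sh
# Audit and fix website file permissions to the values recommended above:
# files 644 (owner rw, everyone else read-only), directories 755.

# Dry run: print "file <path>" / "dir <path>" for every entry that deviates.
report_bad_perms() {
    find "$1" -type f ! -perm 644 -exec printf 'file %s\n' {} \;
    find "$1" -type d ! -perm 755 -exec printf 'dir %s\n' {} \;
}

# Apply the recommended modes. Directories first so traversal keeps working.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage (hypothetical path): ./perms.sh /var/www/example/data/www  (report)
#                            ./perms.sh --fix /var/www/example/data/www
if [ "$#" -eq 2 ] && [ "$1" = "--fix" ]; then
    fix_perms "$2"
elif [ "$#" -eq 1 ]; then
    report_bad_perms "$1"
fi
```

Run the report form first and read the list; anything the application legitimately needs to write (an uploads directory, for instance) must be re-opened for the web server user after fix_perms, otherwise the site will break in ways that look like a new infection.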

Restore a backup. If you know the moment when your website was infected you can restore the backup created prior to this date. It will allow you to avoid curing a virus.

Block the functions you don’t use in the PHP configuration. Open the PHP configuration file (php.ini) and add the following functions to the disable_functions directive if you don’t use them: passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source.
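To check that the directive actually covers the list above, here is an added POSIX shell example (not from the original article). It reads the disable_functions line from a php.ini path you pass in and prints the recommended functions that are still enabled. The php.ini location is an assumption; `php --ini` shows the loaded file on a real server.

```shell
#!/bin/sh
# Compare a php.ini's disable_functions against the list recommended above.

# The functions the article recommends disabling when they are not needed.
RECOMMENDED="passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source"

# Print the effective value of disable_functions from the given php.ini:
# commented lines (; or #) are skipped, and like PHP the last occurrence wins.
# Whitespace and quotes are stripped so the result is a plain comma list.
disabled_functions_in() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '[:space:]"'
}

# Print, one per line, every recommended function that is NOT disabled.
not_disabled() {
    disabled=",$(disabled_functions_in "$1"),"
    for fn in $RECOMMENDED; do
        case "$disabled" in
            *",$fn,"*) ;;            # already disabled
            *) echo "$fn" ;;         # still callable by PHP scripts
        esac
    done
}

# Usage: ./check_disable_functions.sh /etc/php.ini   (path is an assumption)
if [ "$#" -gt 0 ]; then
    not_disabled "$1"
fi
```

An empty result means every function on the list is blocked; each printed name is a candidate for the directive, but confirm the site does not call it first (for example, many CMS plugins rely on curl_exec).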

How to cure a website

You can do it manually or use special anti-virus software.

If you are comfortable working in the server’s console, you can clean the website’s code manually. First you need to find the malware: open your website’s files and compare them with the same files from a backup. The differences show which files are infected; you can then locate and remove the malware by searching for the file type and a fragment of the malicious code.

Here is an example of a command that searches php* and htm* files in the directory /var/www/*/data/www/ for known virus patterns:

grep -Rils --include='*.php' --include='*.htm*' \
  -e 'b=4594' -e 'e2aa4e' -e 'v58f57b98 = 0' -e 'forexam\@pandion.im' -e 'pathToDomains' \
  -e 'if(navigator.userAgent.match(' -e 'var vst = String.fromCharCode' -e 'Menu\files\/jquery.js' \
  -e 'i5463 == null' -e 'r57.gen.tr' -e '\/rsize.js' -e 'feelthesame.changeip.name' \
  -e '40,101,115,110,98,114,105,110' -e 'c99sh' -e 'Shell by' -e ' sh_ver' -e '\.tcpflood' -e 'c999sh' \
  -e 'Array(base64_decode' -e 'Attacker Perl File' -e 'bogel = ' -e '(\!function_exists(\"getmicrotime\"))' \
  -e '\$d=substr' -e 'WSO ' -e 'r57shell' -e 'msg=@gzinflate(@base64_decode(@str_replace' \
  -e '6POkiojiO7iY3ns1rn8' -e ' mysql_safe' -e 'sql2_safe' -e 'aHR0cDovLzE3OC4yMTEu' -e 'php function _' \
  -e 'encodeURIComponent(document.URL)' -e '\; if(isset(\$_REQUEST' -e 'UdpFlood' -e 'udp\:\/\/1.1.1.1' \
  -e '\ (md5(\$_POST\[' -e 'header(\"Location\: http' -e 'fx29sh' -e 'c999sh_surl' -e 'c99sh' \
  -e '\/request12.php' -e 'NlOThmMjgyODM0NjkyODdiYT' -e 'semi-priv8' -e 'JHNoX25hbWUgPSAiIj' -e '$shell_name' \
  -e 'UvUbjYH4eJNgF4E1fedl' -e 'killall \-9' -e 'Angel Shell' -e 'c100.php' -e 'c2007.php' \
  -e 'c99 mod Captain Crunch' -e '\$c99sh_updatefurl' -e 'C99 Modified By Psych0' -e 'php-backdoor' \
  -e 'r577.php' -e 'wso shell' -e 'backdoor' -e 'eval(stripslashes(' -e 'Backdoor' -e 'Set WSHshell' \
  -e 'WSHshell.Run DropPath' \
  /var/www/*/data/www/
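The pattern search above only finds malware that matches a known signature. The comparison with a backup that the previous section describes catches anything else, so here is an added POSIX shell example (not from the original article) of that comparison: it lists every file in the live site that is missing from, or differs byte for byte from, a known-clean backup. The two directory paths are arguments you supply; the backup is assumed to be a complete copy taken before the infection.

```shell
#!/bin/sh
# List files in the live site ($1) that were added or modified relative to a
# clean backup ($2). Every path printed is a candidate for inspection; files
# that are identical in both trees are skipped.

changed_files() {
    site=${1%/}      # strip a trailing slash so relative paths are computed cleanly
    backup=${2%/}
    find "$site" -type f | while IFS= read -r f; do
        rel=${f#"$site"/}                  # path relative to the site root
        if [ ! -f "$backup/$rel" ]; then
            echo "added: $rel"             # not in the backup at all: dropped file?
        elif ! cmp -s "$f" "$backup/$rel"; then
            echo "modified: $rel"          # content differs: injected code?
        fi
    done
}

# Usage (hypothetical paths): ./changed_files.sh /var/www/example/data/www /backup/www
if [ "$#" -eq 2 ]; then
    changed_files "$1" "$2"
fi
```

Review "added" entries first: a PHP file that appears in an uploads or cache directory and has no counterpart in the backup is the classic sign of an uploaded web shell. "modified" entries need a diff against the backup copy to see what was injected; legitimate edits made after the backup will show up here too, so confirm each one before deleting.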

Anti viruses

If you are not experienced in working with the server’s console, you can use special software. The following antiviruses have the largest databases of virus patterns widespread on the web: Virusdie and AI-Bolit.

Virusdie

Virusdie is commercial software for the automatic search and removal of malware. It can also be used to get browser blacklist warnings removed. Thanks to its integration with the ISPmanager control panel, working with Virusdie is easy even for inexperienced users. The module has a free version that scans websites for viruses every three hours.

ImunifyAV

A free scanner that checks a website for hacks, viruses and malicious scripts. ImunifyAV is available in ISPmanager Lite starting from version 5.182, replacing the Revisium Antivirus used in earlier versions of the control panel.

How to avoid the infection

  1. Use only trusted sources when downloading software.
  2. Create strong passwords and don’t save them in a browser.
  3. Configure a backup schedule.
  4. Isolate sites from each other by creating a separate user for every website.
  5. Always use Virusdie.
  6. Use Softaculous to update all installed scripts at once; for more convenience, install its integration module for ISPmanager.
