Sometimes when you try to visit a site, you get a warning from your browser or antivirus that your site may not be safe for your computer. This is because your site has been infected with a virus.

By infecting the pages of your site, the virus, ensures itself further propagation. Usually, it simply adds the tag `` to the end of the index files<iframe>, but sometimes it encrypts the code with JavaScript and can put itself in many different areas of the page.

Sometimes, attackers modify the contents of the .htaccess configuration files, which results in redirects from your site to malicious or unwanted pages. In the case of such an infection, the date of the last editing of the file is updated, suggesting that your site is infected.

Infection principle

How does a site get hacked and its files infected?

Very often intruders hack sites with programs in automatic mode. This means that they gather a large database of sites from search engines based on certain criteria, such as certain versions of popular CMSs (Joomla, Wordpress, etc.) and their plugins vulnerable to some known vulnerabilities. This database is then used to locate malicious code in the site's files. That is why you should always timely update your CMS and its plugins
Also, your site may be infected if your computer is infected with a virus. The virus may intercept logins and passwords from FTP and send them to intruders. Then, the attacker, having access to the files, places malicious strings in the scripts of the site
Thus, the main sources of infecting the sites are viruses on the computer, from which the site is downloaded, as well as outdated versions of the CMS. From the hosting side your sites are protected as much as possible, and even in case of infection of any site on the server, an intruder will not be able to get to your site and infect it.

Security measures

In order to protect your site from hacking, you should follow some simple tips

  • Do not store access credentials anywhere.
  • Set the correct permissions on directories and files. Set permissions on files to 644 and folders to 755.
  • Use the latest versions of CMS and plugins, it is advisable to subscribe to a mailing list or RSS, informing about security updates.
  • Always use long complex passwords and non-standard logins, change them periodically
  • Use antivirus software, and update antivirus databases regularly
  • Install operating system updates as they become available
  • Do not use outdated browsers, especially outdated versions of Internet Explorer (below version 7)
  • Do not upload unknown scripts to your hosting. Often, for example in hacked (nulled) versions of paid scripts have viruses
  • Do not use unknown links in messages, social networks and instant messengers (icq, jabber)
  • Don't keep passwords in FTP clients - very often viruses take information from FTP-clients
  • Have local backups of sites.

If site is already infected

If suddenly your site has been infected, check it for viruses by means of anti-virus software with up-to-date databases, for example
Lynis, Chkrootkit
Also you have the opportunity to request the restoration of the site from a backup copy
After the site is restored, change the password for access to the FTP account and databases
After restoration of a site from a backup update CMS to the current version, as well update its additions.

Manually search for viruses

Superficial inspection.

find /var/www/user/data/www/ -type f -mtime -10  

This command will help you find files that have been changed less than 10 days ago. To quickly find the files you want, you can change the mtime key to the approximate date of infection.

Examining the ftp log file /var/log/xferlog will also help in searching for viruses if the infection has occurred via ftp.

Tue Aug 28 09:32:22 22 2017 0 <IP>17151 /var/www/user/data/www/ a _ i r user ftp 0 * c  

This entry indicates that in the folder include, August 28, via ftp was downloaded virus.php file size 17kb, the user user with ip address <IP>. Pay attention to the key i in the entry, which tells us that the file was uploaded to the server.

Also, you can see the directories available to a range of users. These are directories such as uploads, images, etc. Those in which users of the site can write.

file /var/www/user/data/www/* | grep -i php  

will show the php files in the uploads folder, regardless of their extension. It is unlikely that you allow your visitors to upload php files to the server. And if it's a php file pretending to be a picture... For example

file in.jpg  
in.jpg: PHP script text  

Detailed inspection.

If nothing was found during a cursory inspection. Proceed to a detailed examination of the .htaccess

It happens that redirects are written in .htaccess files.

find /var/www/user/data/www/ -type f -iname '*htaccess'  

This command will help you find all .htaccess files for the site. Examine these files carefully for extraneous redirects.

Php/js code

Manually, malicious code can be searched by patterns. Most often it is either base_64 encoded code or obfuscated with a certain algorithm. It makes sense to look for the following, the most common, patterns:

FilesMan, try{document.body, String["fromCharCode"], auth_pass, fromCharCode, shell_exec, passthru, system, base64_decode, chmod, passwd, mkdir, eval(str_replace, eval(gzinflate, ="";function, "ev "+"al",md5=,ss+st.fromCharCode, e2aa4e

You can search for malicious code with the grep command, e.g

grep -ril base64_decode /var/www/user/  

will show all files in the folder that have base64_decode in them. Before you delete or clean a file, make sure that it is malicious code

If you find malicious code on a site, do not rush to fix the file. First take a look at it with the stat command

stat infected.js  

it can be used to see the date of the last access, modification and change of file attributes. This can help establish the time and date of the hack. From these dates, you can search for files and events in the logs, as shown at the beginning of the article.

In order to remove malicious code from a file you can use this example

sed -i "" 's/start_pattern.*end_pattern/g' infected.js  

For example, code @preg_replace ("\x40\50\x2e\53\x29\100\x69\145","\x65\166\x61\154\x28\142\x61\163\x65\66\x34 delete with

sed -i "" 's/@preg.*34//g'</IP></IP></iframe>

Updated April 13, 2021