On today's Internet, infection of websites with viruses is a frequent and serious problem. It happens most often to very popular systems and plugins, because their huge user base makes them the most attractive targets for vulnerability hunting. Even now there are many unpatched security holes in popular CMS such as WordPress, OpenCart and Joomla!. Through such vulnerabilities, viruses can be uploaded to the site, where they collect important information and transmit it to third parties. A virus on the site may not show itself in any visible way, and its presence is often quite hard to notice, which is why site antivirus utilities should be used: they can help find viruses that are already known.
Antivirus utilities work by comparing the code of each scanned file with the virus data in their signature database. This means an antivirus can only find previously detected viruses; a completely new one, well protected and with a structure unlike anything seen before, may simply go unnoticed, although such situations are quite rare.
The way antiviruses for websites operate differs greatly from the desktop utilities we are used to: most of them only scan the files and point out the code sections that most closely resemble virus signatures. Removal is done exclusively by hand, because it is a rather risky process that can disrupt the site or disable it completely, since the virus may have replaced important sections of the program code.
Note also that standard antivirus utilities designed to scan PCs or other devices may not detect viruses used on websites. It should be understood that there are several types of site antivirus utilities, each examining the site from a different angle. Some antivirus systems only scan the files on the server, so malicious code in JavaScript files will simply not be found. Others check the site, so to speak, from the outside, inspecting all resources loaded within the site. Such antiviruses work online and need only the site address, but since they have no access to the site's files, they only check for viruses in the JavaScript and other files loaded on the page, which will not always be enough to eliminate the infection.
If there is a suspicion that viruses have appeared on the site, decisive measures should be taken to remove them and to find the source of the infection. It is important to remember that removing the viruses is only a partial solution: without finding the source of infection, it is only a matter of time before the viruses reappear.
It is impossible to describe the procedure for checking and cleaning an infected site in full, since every virus problem is highly individual, so only an approximate, general algorithm of actions can be given.
To check the site for malicious code, as well as its subsequent cleaning, a set of checks and actions should be carried out:
Whatever the circumstances of the infection, remember that the virus does not appear by itself: there is always a way it was loaded into the site files. To get a rough idea of the likely upload methods, you can consult the public data on vulnerabilities in popular CMS.
For example, the most common resources with this information are:
After finding a virus file, check which code was flagged as a virus. Most often such code is obfuscated, meaning it is encoded and/or unreadable. Typically the obfuscation is done by encrypting the code, using Base64, or other methods of encoding and decoding sections of the code. If you find a long run of characters that does not look at all like the site's code, you should try to decode that section.
If functions such as eval, system, exec, base64_decode, urldecode and the like are observed in the file code, be sure to check the input to that function. In the case of eval, system and exec, it is best to temporarily replace the call with an output function such as print or var_dump to find out exactly which code would have been executed.
Online services can help most with this, for example base64.ru, an online decoder for Base64-encoded text.
We also recommend reading the article on code deobfuscation: https://kaimi.io/2012/01/php-deobfuscate/.
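As an added example (not part of the original article or the tools it links to), the following Python script does the two checks described above statically: it lists every call to eval, system, exec, base64_decode and urldecode in a PHP file with its line number, then peels decoder-on-literal layers one at a time to show what eval would have received, without ever running the decoded code. The PHP sample it scans is constructed inline.

```python
import base64
import re
from urllib.parse import quote, unquote

# Functions the article says to inspect the input of before trusting a file.
SUSPICIOUS_FUNCS = ("eval", "system", "exec", "base64_decode", "urldecode")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCS) + r")\s*\(")
# A decoder applied directly to a quoted string literal, e.g. base64_decode('...').
LITERAL_DECODE_RE = re.compile(
    r"\b(base64_decode|urldecode)\s*\(\s*(['\"])(.*?)\2\s*\)", re.DOTALL)


def find_suspicious_calls(php_source):
    """Return (function, line_number) for every call to a watched function."""
    return [(m.group(1), n)
            for n, line in enumerate(php_source.splitlines(), start=1)
            for m in CALL_RE.finditer(line)]


def _decode(func, literal):
    # Decode the literal the same way PHP's base64_decode / urldecode would.
    if func == "base64_decode":
        return base64.b64decode(literal).decode("utf-8", "replace")
    return unquote(literal)


def peel_layers(php_source, max_layers=10):
    """Statically unwrap decoder(literal) calls one layer at a time, without
    executing anything; each element is what eval/system would have received."""
    layers, current = [], php_source
    for _ in range(max_layers):
        m = LITERAL_DECODE_RE.search(current)
        if not m:
            break
        current = _decode(m.group(1), m.group(3))
        layers.append(current)  # rescan the revealed code for the next layer
    return layers


# Constructed sample: a two-layer obfuscated snippet (urldecode inside base64).
INNER_CODE = "echo 'hidden';"
LAYER1 = "eval(urldecode('" + quote(INNER_CODE) + "'));"
SAMPLE_PHP = ("<?php\n// constructed sample file\n"
              "eval(base64_decode('" + base64.b64encode(LAYER1.encode()).decode() + "'));\n")

if __name__ == "__main__":
    for func, line_no in find_suspicious_calls(SAMPLE_PHP):
        print(f"line {line_no}: suspicious call to {func}()")
    for depth, code in enumerate(peel_layers(SAMPLE_PHP), start=1):
        print(f"layer {depth}: {code}")
```

Each revealed layer should itself be fed back to find_suspicious_calls, since the code hidden behind one decoder often contains another eval or system call.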
Online scanners serve one useful purpose: they help find dangerous viral JS scripts or other elements of the virus in the site's frontend, that is, in what the user sees when opening the site. Such checks can reveal only the consequences of the infection, not its causes, so relying on them alone to resolve a virus problem is highly questionable.
Almost all viral elements in the frontend appear because the backend is infected, and after they are removed it is only a matter of time before they reappear. For this reason, this method should be left to the very last stage of cleaning. Use such utilities only after a full check of the entire backend of the site, once all viruses that created such scripts have been removed.
Restoring a site backup will get rid of the viruses, but it then becomes almost impossible to find the viruses themselves and the source of infection. Keep in mind that this version of the site has already been infected once, and if no preventive measures are taken, the viruses will certainly reappear.
Before restoring, always make a copy of the site in its current state, then download it and analyze the code of the already infected version.
The situation is very similar to restoring a backup copy: besides the fact that the viruses are removed and their analysis becomes difficult, an additional problem appears, namely the still unresolved source of infection, as well as possible additional virus files that were not detected by the antivirus or during manual analysis.
It is important to understand that all these actions are only recommendations and may not suit every case of infection. It is always worth consulting the site's developer or engaging third-party specialists to analyze the site's security problems and eliminate the infection.
Do not delay cleaning the site of viruses. Such a situation signals that site data and customer data may be at risk, not to mention that their access credentials may be compromised. Another important point is that with such delays the site can be blocked by search engines, by the security systems of modern browsers, or by antivirus software and browser plugins.
An approximate algorithm of actions when viruses are found on the site:
Always remember that site security is the responsibility of the site's owner and developer alone. A hosting provider can offer only general recommendations or minimal tools for organizing site security; unfortunately, it is impossible to foresee everything.
Hosting Ukraine provides quite extensive opportunities for the security of your sites.
These include: