How to check a website for viruses

In the current realities of the Internet, a rather frequent and big problem is the infection of sites with viruses. This happens, most often, in very popular systems and plugins, since due to the huge demand for their use, they are more carefully looking for vulnerabilities. Even at the moment, there are many unpatched security holes in popular CMS, for example, WordPress or OpenCart, as well as Joomla !. Using vulnerabilities, viruses can be downloaded to the site, which in turn record important information and transmit it to third parties. The behavior of viruses on the site may not be displayed in any way and it is often quite difficult to notice their presence, which is why antivirus utilities should be used for sites that can help in finding viruses that have already been found.

How antivirus programs work

Antivirus utilities work by comparing the scanned file code with the existing virus data in its signature database. That is, the antivirus can only find previously detected viruses, which is why completely new ones, which are well protected and have a completely new structure that is different from others, may simply not be found, but such situations occur quite rarely.

The principle of operation of antiviruses used to scan sites is very different from the utilities we are used to, since they, most often, only scan files and point to the code sections that most resemble virus signatures. Removal is carried out exclusively in manual mode, since this is a rather dangerous process, due to which it is possible to harm the operation of the site or completely disable it, since the virus can replace important sections of the program code.

You should also pay attention to the fact that standard anti-virus utilities used to scan for viruses on PCs or other devices may not detect viruses used on websites. It should be understood that there are several types of antivirus utilities that scan the site, in some sense, from different angles. Certain antivirus systems only scan files on the server, which is why malicious code in javascript files simply won't be found. There are also certain antiviruses that check the site, one might say, from the outside, checking all downloaded resources within the site. Such antiviruses work online and in them it is enough only to specify the site address, but since they do not have access to the site files, they only check for viruses within the javascript files or other files loaded on the page, which will not always help to eliminate the infection problem.

How to properly scan a website for viruses

If there is a suspicion that viruses have appeared on the site, then drastic measures should be taken to remove them and find the source of infection. It is important to remember that removing viruses is only a partial solution, since without finding the source of infection, it is a matter of time before viruses reappear.

It is impossible to fully describe the procedure for checking the site's infection and cleaning it, since any problem with viruses is extremely individual, and therefore only an approximate and general algorithm of actions can be used.

To check the site for malicious code, as well as its subsequent cleaning, a set of checks and actions should be carried out:

1. The very first site check should be to check the files on the server. This opportunity is provided by our built-in antivirus, as well as third-party tools such as AI-bolit. The most common problem with viruses occurs directly in the files that are used to operate the site system, since such files collect a lot of important information about visitors, actions, and more.
2. A secondary check should be the analysis of the downloaded site resources, with which online antiviruses can also help. When you go to the site, you should open the developer tools and in the Network tab check the downloaded resources for the presence of third-party plug-in scripts or files. Such files can often collect available information about visitors or perform multiple redirects to fraudulent services.
3. If viruses have been found, check the modification date of the infected files on the server. This date can roughly indicate when the infected file was last edited. Based on this information, you can proceed to subsequent checks and search for the problem.
4. It's worth backing up your site in case something goes wrong. When removing viruses, deleting important and necessary code that has been replaced by the malicious code itself can become a very real problem. Having a backup copy, you can restore the site's performance.
5. Having the approximate date of the last editing of the site files, you need to analyze the logs of requests to the site. In such logs, it is worth paying special attention to POST requests to files that are not intended for external access. At this stage, you should also restrict access to the site by IP addresses so that re-infection does not occur during cleaning. Based on the information received during the checks, we can conclude: how and when the site was infected.

What will help in verification

Analysis of possible vulnerabilities

In any situation of site infection, remember that the virus does not appear by itself and there is always a way to load it into the site files. In order to roughly understand the likely download methods, you can familiarize yourself with the public data on the vulnerabilities of popular CMS.

For example, the most common resources with this information are:

• WordPress Vulnerabilities - found vulnerabilities in WordPress plugins and themes.
• WordFence- found vulnerabilities of CMS WordPress and related products.
• CVE - found vulnerabilities of popular CMS and related products.

Virus code analysis

After finding a virus file, you should check which code was marked as virus. Most often, such a code can be obfuscated, which means it is encrypted and\or we don't read. Typically, this obfuscation occurs by encrypting the code, using Base64, or other methods to encode and decode sections of the code. If a lot of characters were found that do not in any way resemble the site code, then you should try to decode this section.

If functions such as eval, system, exec, base64 are observed in the file code_decode, urldecode and the like, be sure to check the input to this function. In the case of eval, system, exec

it's best to temporarily replace it with an output like print or var_dump to figure out exactly which code should be used.

Online services can best help with this, for example, base64.ru - Online decoder for Base64 encoded text.

We also recommend that you read the article regarding code deobfuscation -https://kaimi.io/2012/01/php-deobfuscate/.

What will not help in verification

Using online scanners

Online scanners perform one useful role, they help to find dangerous viral JS scripts or other elements of the virus in the frontend of the site, that is, in what is presented to the user when opening the site. Such checks can help to find only the consequences of the infection, but not its causes, as a result of which their use is extremely doubtful to resolve the situation with viruses.

Almost all viral elements in the frontend appear due to infection of the backend, and after their removal it will only be a matter of time before they reappear. In this connection, this method should be postponed to the very last stage of cleaning. You should use such utilities only after a full check of the entire backend of the site, when all viruses that created such scripts will be removed.

Restoring a site backup

Restoring site backups will help get rid of viruses, but it will become almost impossible to find the viruses themselves and the source of infection. But it should be borne in mind that the infection has already occurred with this version of the site and if no preventive measures are taken, then the reappearance of viruses will definitely happen.

You should always create a copy of the site in its current form before restoring, then download it and analyze the code on the already infected version of the site.

Cleaning of viruses before finding the source of infection

The situation is very similar to restoring a backup copy, but in addition to the fact that the viruses will be removed and their analysis will be difficult, an additional problem appears, which consists in the unresolved source of infection, as well as in possible additional virus files that were not detected by the antivirus or during manual analysis.

How to clean a website from viruses

It is important to understand that all these actions are only recommendations and their implementation may not be suitable for all cases of infection. It is always worth consulting with the site developer or using third-party specialists to analyze the site's security problems and eliminate the infection.

You should not hesitate to clean the site from viruses. This situation signals that site data and customer data may be at risk, not to mention their access data being compromised. An important point is that the site, with such delays, can be blocked by search engines, security systems in modern browsers or antiviruses\auxiliary plugins.

An approximate algorithm of actions when viruses are found on the site:

1. It is recommended to disable the site, this can be done both by standard means of the "maintenance mode" or "demo mode" type, which disable access to the site pages, and by setting access restrictions using the control panel (it is recommended to use this method of disconnection) or a file. htaccess.
2. You should make at least a minimal analysis of the site access logs for suspicious requests, for example, GET requests in which the syntax of PHP languages appears\SQL or long queries with encoded text. Typically, such requests can be made by cybercriminals while searching for site vulnerabilities. If such requests are found, then you should restrict access to the IP addresses sending such requests and check all actions performed from these IPs on the site. It is important to pay attention to POST requests to URLs, which should not be available, or other suspicious requests. It is also worth checking if there are any requests to files that are marked as viruses.
3. The viral code should be analyzed to understand what exactly it should do. Some viruses found on the site can only be an artificially created gap for further infection or gaining full control over the site.
4. If the source of the viruses was not found, then further actions can only reduce the risk of re-infection. In this case, only specialists from the field of website development can help to achieve greater security and accurately eliminate the gap.
5. Restoring a site backup before the infection. Even if the source was not found, restoring a copy can help eliminate it, and you should definitely follow these guidelines.
6. It is required to update the site core (CMS or Framework), all available plugins and used libraries. Often, vulnerabilities can appear in third-party add-ons used on the site, for example, a serious vulnerability was previously found in the Duplicator plugin, which allows access to the site's configuration file and many of its files. If a completely written site is used, then you need to check its code and update dangerous areas manually.
7. Unused themes and plugins should be discarded. If there are such additions, even if they are disabled, then they should be removed. You should not store unused code, as it can also have holes that will allow you to get into the site.
8. In no case should you use unofficial (pirated) add-ons, be it a theme, plugin, library, or even a single file. Very often, such "shareware" add-ons, which can only be obtained on a paid basis in the official source, have deliberately left vulnerabilities, which may later be used or even caused the current infection.
9. If it is possible to install security plugins that further filter requests to the site and restrict access to potentially dangerous files, then you should not neglect their installation. There are no paranoid measures in security.

What Hosting Ukraine can offer for website security

You should always remember that site security is a responsibility for which only the owner and developer of the site is responsible. Any hosting provider can provide only general recommendations or minimal tools for organizing site security, but unfortunately, it is impossible to foresee everything.

Hosting Ukraine provides quite extensive opportunities for the security of your sites.

These include:

1. Using the mod_security to filter potentially dangerous website requests or requests that exploit popular vulnerabilities.
2. Complete isolation of virtual and business hosting accounts between each other using CageFS CloudLinux.
3. The ability to organize closed access to the site by limiting third-party IP and additional configuration of the .htaccess file to filter requests from specific countries or UserAgent.
4. A system for filtering requests to static HotLink files, using a third-party referrer header or in its absence.
5. The ability to disable dangerous PHP functions for each individual site.
6. Automatic filtering of requests from many bots, as well as checking for suspicious user activity, followed by blocking or checking.
7. The functionality of installing protection against bots on certain pages of the site, adding various checks, for example, Captcha, elementary mathematical calculus, or checking the execution of JS.
8. Access to site logs for a fairly long period of time.
9. Regular data backup.
10. Analytical tools for accessing the site.
11. A useful and convenient technical check of the site.

24 useful tools from Hosting Ukraine developers

155

MySQL 8.0 Generated Fields

453

When is it worth taking hosting abroad?

1050