2.18.5. Virus cleaning

When the antivirus on the hosting finds malicious code during a scan, a notification with details of the problem is sent to the owner of the hosting account. The malicious code must be removed: its presence can compromise the security of the data of both the infected site and neighbouring sites in the same hosting account.

Malicious code should be removed only after reading the antivirus report and analysing the malicious code itself. Quite often, removing malicious code breaks the site, because the code was injected into important scripts of the site's system.

In most cases, completely cleaning out the viruses is not enough to secure the site: the source of the infection must also be found and eliminated. Without that, re-infection is only a matter of time.

It is recommended to use additional services for checking the site for viruses, for example the WPScan service.

There are several ways to remove viruses:

  • Clean the hosting account by hand. Read the antivirus report and deal with every finding: open each infected file, examine its contents carefully and delete the fragments of malicious code. The antivirus highlights only the signatures it found in the file; virus code may also be present in other parts of the file without being highlighted, so check the entire file and delete any suspicious data. Delete an infected file completely only if it consists entirely of malicious code.
  • Replace the site files completely with identical ones from your own backup copy or from official sources. For example, most WordPress files can be found in the repository on GitHub.
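When replacing files from a backup or an official copy, the first question is which files actually differ from the known-good version. The script below is an added example, not the hosting provider's tool: it hashes every file in a reference copy and in the live site and classifies each path as modified, added or missing. The directory layout, file names and contents are constructed sample data written to temporary directories; `ignore_prefixes` is an assumed convenience parameter for skipping paths already reviewed.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path (with '/' separators) -> SHA-256 of contents for every file under root."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(reference_root, site_root, ignore_prefixes=()):
    """Classify site files relative to a known-good copy.

    modified: same path, different contents (the first place to look for injected code);
    added:    present on the site only (config files and uploads are expected here, PHP in uploads is not);
    missing:  present in the reference only.
    ignore_prefixes (assumed helper parameter) skips paths you have already reviewed.
    """
    ref = hash_tree(reference_root)
    site = hash_tree(site_root)
    result = {"modified": [], "added": [], "missing": []}
    for rel in sorted(site):
        if rel.startswith(ignore_prefixes):
            continue
        if rel not in ref:
            result["added"].append(rel)
        elif ref[rel] != site[rel]:
            result["modified"].append(rel)
    result["missing"] = sorted(
        rel for rel in ref if rel not in site and not rel.startswith(ignore_prefixes)
    )
    return result


# Constructed sample: a tiny "official" copy and a live site with one tampered, one added and one deleted file.
SAMPLE_REFERENCE = {
    "index.php": "<?php require 'wp-blog-header.php';\n",
    "wp-load.php": "<?php /* loader */\n",
    "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; }\n",
}
SAMPLE_SITE = {
    "index.php": "<?php require 'wp-blog-header.php';\n",
    "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; }\n/* constructed injected line */\n",
    "wp-content/uploads/2024/img.php": "<?php /* constructed: PHP where only images belong */\n",
}


def write_tree(files):
    """Write a {relative_path: contents} mapping into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="tree_")
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = compare_trees(write_tree(SAMPLE_REFERENCE), write_tree(SAMPLE_SITE))
    for kind, paths in report.items():
        print(kind, paths)
```

On a real site, point `compare_trees` at an unpacked copy of the exact CMS version you run and at the document root; the "added" list will legitimately contain configuration files and uploads, so review it rather than discarding it, and treat any modified core file or any PHP file under an uploads directory as a finding.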

To search for and edit files, you can use the file manager in the control panel or any FTP client.

Pay attention to code that is encoded in Base64: malicious code is often placed in this form. You can decode such an encoded area, for example, using this service.

Dangerous PHP functions include eval, exec, shell_exec, system and passthru. When you find such functions, examine them with special attention, as they are often used in malicious code.

To find the source of the infection, analyse the site logs for suspicious requests to the site. In the logs, it is worth checking the entries around the date of the last modification of the virus files.

Important:

The date of the last modification cannot accurately indicate when the virus files were created, and you cannot rely on it alone. The site could have been infected much earlier, with the virus files detected by our antivirus appearing only because of some kind of "trigger"1).

Suspicious requests include:

  • POST and PUT requests.
  • Requests to the site admin panel from third-party IP addresses.
  • Requests to protected directories such as system or storage2).
  • Requests that include encoded text in the form of Base64, etc., or SQL queries.
  • Requests to recently installed plugins.
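The list above can be turned into a filter over the web server access log, which is how you narrow thousands of lines down to the handful worth reading around the modification time of the detected files. The script below is an added example, not part of this article or the hosting provider's tools: it parses lines in the common "combined" log format, applies one rule per item of the list, and returns the requests that fall within a time window around a given moment. The log lines are constructed (documentation address ranges), and the trusted admin addresses, admin and protected path prefixes, recently installed plugin path and SQL patterns are assumptions that must be adapted to the real site.

```python
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Site-specific knowledge this script assumes (not from the article): the addresses the owner administers
# from, the admin path, the directories the CMS treats as protected, and recently installed plugins.
TRUSTED_ADMIN_IPS = {"203.0.113.5"}
ADMIN_PREFIXES = ("/wp-admin", "/administrator")
PROTECTED_PREFIXES = ("/system", "/storage")
RECENT_PLUGIN_PREFIXES = ("/wp-content/plugins/newplugin",)

# Assumed patterns for SQL fragments and Base64 runs in the query string.
SQL_RE = re.compile(r"(union\s+select|or\s+1\s*=\s*1|information_schema)", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def parse_apache_time(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    """Split one access-log line into fields; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = parse_apache_time(entry["time"])
    entry["status"] = int(entry["status"])
    return entry


def is_base64(token):
    try:
        base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return True


def suspicious_reasons(entry):
    """Apply the article's list of suspicious request types; returns the names of the rules that fired."""
    reasons = []
    path, _sep, query = entry["path"].partition("?")
    query = unquote(query)
    if entry["method"] in ("POST", "PUT"):
        reasons.append("write_method")
    if path.startswith(ADMIN_PREFIXES) and entry["ip"] not in TRUSTED_ADMIN_IPS:
        reasons.append("admin_from_untrusted_ip")
    if path.startswith(PROTECTED_PREFIXES):
        reasons.append("protected_directory")
    if SQL_RE.search(query) or any(is_base64(t) for t in B64_RE.findall(query)):
        reasons.append("encoded_or_sql_payload")
    if path.startswith(RECENT_PLUGIN_PREFIXES):
        reasons.append("recent_plugin")
    return reasons


def analyze(lines):
    """Return (entry, reasons) for every parsable request that trips at least one rule."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def requests_around(entries, moment, hours=24):
    """Requests within +/- hours of a point in time, e.g. the modification time of a detected file."""
    window = timedelta(hours=hours)
    return [e for e in entries if abs(e["time"] - moment) <= window]


# Constructed sample log lines (documentation address ranges, not real visitors).
SAMPLE_B64 = base64.b64encode(b"hello from a constructed log line").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:15:02 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:16:45 +0200] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:17:10 +0200] "GET /wp-admin/plugins.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:18:30 +0200] "GET /?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 4011 "-" "curl/8.1"',
    '198.51.100.7 - - [12/Mar/2024:10:19:00 +0200] "GET /storage/logs/app.log HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [12/Mar/2024:10:19:40 +0200] "GET /wp-content/plugins/newplugin/run.php?p={SAMPLE_B64} HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry, reasons in analyze(SAMPLE_LOG):
        print(entry["time"].isoformat(), entry["ip"], entry["method"], entry["path"], ", ".join(reasons))
```

In practice, feed `analyze` the lines of the real access log, take the modification time of a detected file as the `moment` for `requests_around`, and read the flagged requests in that window together: a POST to a file that should never receive POSTs, from an address that also touched the admin panel, is the kind of sequence that points at the entry vector. Remember the article's warning that the modification time may be later than the original infection, so widen the window if the result is empty.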

Besides the server logs, it is also worth checking the FTP logs, the outgoing-connection logs and the authorization logs in the control panel. If suspicious entries are found, change the passwords of the FTP users, the database users3) and the account, and additionally enable two-step authentication. You can generate new complex passwords on this page. If outgoing connections were found that should not be made, you can set limits for all or certain outgoing connections for the entire hosting account for the duration of the problem.

After checking the logs, check the site files for third-party code. First of all, check the files of recently installed plugins and modules. Beware of unofficial plugins and modules, especially paid ones obtained for free from third-party sites. If there are any, remove them or restore the site from a backup made before they were installed.

Do not use file managers installed on the site itself. For the most part they are unsafe and can pose a great threat.

To ensure the safety of the site, read the protection recommendations.


1)
Sending specific requests, running scripts, updating files from remote servers, etc.
2)
Depending on the CMS used, some directories may be system directories of the site and must be protected from outside access.
3)
After changing the database passwords, you will need to reconfigure the connection to the databases in the site configuration files, which can be done by following these instructions.