What do I do?
Popular CMSs (Content Management Systems) such as WordPress, Magento, Joomla and Drupal are usually more prone to malware issues than custom-developed web applications. This is mainly because many developers across the world know these popular CMSs well. The rich ecosystem of open source CMSs allows developers to contribute features and functionality in the form of modules, extensions and plugins. Some of these plugins may not have been adequately tested for security vulnerabilities.
How do you know if your website is hacked or has malware?
– You’ve noticed your website is disfigured or browsers show a warning message
– Your customers have called you saying the browser is displaying a malware alert
– You’ve received a notification from your website hosting company
– You’ve received a notification from Google webmaster
If your WordPress, Joomla, Drupal or Magento website is hacked for the first time and Google is showing a malware warning message, we recommend contacting your website developer immediately.
An experienced web developer could start investigation by performing the following steps:
– Analyse domain logs
Check your website’s access log, FTP logs and error logs. The access log shows which pages were accessed, when, and which IP addresses are repeatedly making abnormal requests. The error logs show which IP addresses are making unusual requests that throw errors. It is also possible that your FTP account has been compromised; the FTP logs will show the IP address that last logged in using your FTP credentials. If anything in the investigation looks suspicious, block the offending IP address or change your FTP login immediately.
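The access-log check described above, as an added example that is not part of the original article. It assumes the Apache/Nginx "combined" log format; the sample lines are constructed, and the function name noisy_ips and its threshold argument are hypothetical.

```bash
#!/bin/sh
# Constructed sample lines in Apache/Nginx "combined" format (documentation IPs).
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:11:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:11:04 +0000] "GET /old-backup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:30:10 +0000] "GET / HTTP/1.1" 200 10432 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:30:12 +0000] "GET /about/ HTTP/1.1" 200 8311 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:11:02:44 +0000] "GET /missing.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
EOF
}

# noisy_ips THRESHOLD
# Reads an access log on stdin and prints one line per client IP that made at
# least THRESHOLD "abnormal" requests, where abnormal means a POST or a request
# that ended in a 4xx/5xx status. These are the IPs to review or block.
noisy_ips() {
  awk -v min="$1" '
    {
      ip = $1; method = $6; status = $9
      gsub(/"/, "", method)              # field 6 is "POST with a leading quote
      total[ip]++
      if (status ~ /^[45]/) err[ip]++
      if (method == "POST") post[ip]++
      if (status ~ /^[45]/ || method == "POST") odd[ip]++
    }
    END {
      for (ip in total)
        if (odd[ip] + 0 >= min + 0)
          printf "%s total=%d errors=%d posts=%d\n", ip, total[ip], err[ip], post[ip]
    }' | sort
}

# On a real server: noisy_ips 20 < /path/to/access.log
sample_access_log | noisy_ips 3
```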
– Check for file permission
Whether it is WordPress, Drupal, Magento or Joomla, every CMS has its own file structure, and certain directories require write permission for the CMS to operate effectively. Web developers are normally familiar with CMS-specific file structures and permissions. For example, in Magento the “var” directory needs read/write/execute permission. This is where Magento by default stores cache, session and Magento-specific logs. Similarly, in WordPress “wp-content/uploads” needs read/write/execute permission, as this is the folder where users normally upload media content. With Magento and WordPress, besides these two directories, other files and folders can be locked down with stricter directory and file permissions.
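One way to run the permission check described above, as an added example that is not from the original article. The function name loose_perms is hypothetical; the directories that are allowed to stay writable (such as var for Magento or wp-content/uploads for WordPress) are passed by the caller, and the demo tree is constructed.

```bash
#!/bin/sh
# loose_perms WEBROOT [ALLOWED_DIR ...]
# Prints every path under WEBROOT that is world-writable, skipping the
# directories (relative to WEBROOT) that the CMS needs to write to.
loose_perms() {
  root=$1; shift
  (
    cd "$root" || exit 1
    # Turn each allowed directory into "-path ./DIR -prune -o" for find,
    # using the positional parameters so names with spaces stay intact.
    n=$#
    while [ "$n" -gt 0 ]; do
      set -- "$@" -path "./$1" -prune -o
      shift; n=$((n - 1))
    done
    find . "$@" ! -type l -perm -0002 -print | sort
  )
}

# Constructed WordPress-like tree: uploads is writable on purpose,
# wp-config.php and wp-includes are writable by mistake.
demo_tree() {
  tree=$(mktemp -d)
  mkdir -p "$tree/wp-content/uploads/2024" "$tree/wp-includes"
  touch "$tree/wp-config.php" "$tree/wp-includes/load.php"
  chmod 755 "$tree" "$tree/wp-content"
  chmod 777 "$tree/wp-content/uploads" "$tree/wp-content/uploads/2024"
  chmod 644 "$tree/wp-includes/load.php"
  chmod 666 "$tree/wp-config.php"
  chmod 777 "$tree/wp-includes"
  echo "$tree"
}

demo=$(demo_tree)
loose_perms "$demo" wp-content/uploads
rm -rf "$demo"
```

Anything this prints outside the allowed directories is a candidate for tightening.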
– Check CMS login for unusual users, pages and content
CMSs like WordPress, Magento, Joomla and Drupal provide an administration login interface for managing content, plugins and pages. Check for any unusual pages or unusual users that have been created. Remove any unwanted login usernames and the pages associated with them.
– Check for latest uploaded or modified file.
If your hosting allows SSH (Secure Shell) access to the website then you can perform these tasks fairly easily using shell commands:
To list directory and file details, sorted by date starting from the latest:
$ ls -alt
The command below finds files under the current directory that were edited or uploaded in the last 24 hours and writes their paths to a new file, investigate.txt, to investigate later.
$ find . -mtime -1 -print > investigate.txt
With FTP (File Transfer Protocol) login you can perform the above tasks. It takes a lot longer than using SSH access.
– Check for malware insertion on your scripts
The command below recursively checks for instances of malware insertion across all files.
$ grep -R malware *
The above tasks should have shown positive results of malware being inserted into the scripts or of new scripts being uploaded.
If no results are found from the above commands then it is time to go to the next step, which is the database. It is likely that the malware is in the database and it is time to investigate that.
– Investigate database
Start your database investigation first by creating a SQL dump and a backup of the database.
Create SQL dump of your database using the command below:
$ mysqldump -u username -p database_name > mydatabase.sql
Create a backup copy of your database:
$ cp mydatabase.sql mydatabase_backup.sql
Once you have taken a backup of the database, we need to scan the database for keywords and malware-related terms.
To scan the database using keyword terms:
$ grep "malware" mydatabase.sql
If any malware terms are found we can manually remove the malware insertion from the database using the search and replace features of your editor. Databases these days are large, and removing the insertions manually could be time-consuming. We can perform this task using a single SSH command.
Open the mydatabase.sql using your favourite unix editor.
To open file using unix vim/vi editor:
$ vim mydatabase.sql
Remove or replace malware:
If you have followed the steps then by this stage you should have been able to identify the malware whether it is on the web directory, scripts or database. You should now be able to identify and clean the website.
Once you have removed the malware and cleaned the website, advise your client to upgrade the CMS and any extensions/plugins that have been used.
Perform the following actions after cleaning the website:
– Upgrade CMS and any used plugins and extensions
– Set proper file and directory permission
– Remove unwanted CMS users or unwanted pages and posts
– Remove any unused plugins/extensions/modules
– Implement CMS specific WAF (web application firewall)
– Change default username and login URL to discourage brute force attack
Once you have tested and confirmed that the website is clean, explain the tasks you took to clean the website and request a review using Google webmaster login. If you do not have webmaster login you can create a new webmaster login and then submit a review. Having webmaster login will also provide additional information about the website and is useful for the future. Alternatively, you can ask for a review from StopBadware.org. Browsers like Mozilla Firefox and Google Chrome share data with StopBadware.org.
I cleaned my website but the Malware is back again after some time. What do I do now?
During your first malware attack, you must have made contact with your web developer and your hosting agency. If you are paying the hosting cost to your web developer or web design company, it is time to ask your web developer the hard question. Ask them whether your developer or web design company manages their own servers. Most web design companies resell hosting services where the servers, in reality, are managed by other agencies.
Identifying the root cause of a malware issue could take more time than usual, only because your web developer does not have root access to the server or information about the server setup, firewall and software installed. Your hosting company simply provides the hosting platform and does not know about the scripts running on individual domains.
This lack of communication and information exchange between your web developer and hosting company could be frustrating and a time-consuming process.
At the end of the day, you and your business are suffering the most and it is time to act fast.
Businesses today make significant investments in their websites and depend on them for new sales and lead generation. Repeated malware attacks will hurt your company’s reputation, damage search engine ranking and adversely affect online marketing initiatives.
The root cause of your website getting infected could be due to other reasons.
Some of the reasons could be:
– Other websites/scripts on the same server could be vulnerable and actually infecting your website
– The server could be infected and as a result, attacking your website
– Server operating system and software are not patched and make your script vulnerable
– Unused ports are open and software configuration is not properly set
If it is due to the above reasons, then it is time to contact a digital agency that understands the development of your CMS website and, more importantly, manages its own servers. Premium digital agencies are more likely to manage their clients’ website development and additionally manage their own servers. Premium digital agencies have a hands-on understanding of their server infrastructure and have a development team with experience and knowledge of the development aspects of your CMS platform. They will be able to keep your scripts in quarantine mode, configure and enable the database query log, access the server logs and monitor your website-specific activities. With this expertise and experience, they will be able to identify the root cause of the issue and fix the issue permanently. Most importantly, they can resolve your issue fast.
Netable has a team of developers and system administrators. We manage our own servers and have successfully helped businesses when their websites were hacked or showed a malware warning.
Please contact us on 03 9553 0449 or firstname.lastname@example.org if you are experiencing a malware warning.
Author: Suraj Rai
Suraj started as a web developer 15 years ago. He has over 10 years of experience as a Unix system administrator and is an AWS (Amazon Web Services) Certified Solutions Architect.