    What is malicious code.  Maintaining Internet Security and Protecting Confidential Information How to Find Malicious Code in WordPress Core Files

    No one is immune from such a disaster, but “forewarned is forearmed” - isn’t it time to arm yourself...?!

    How to prevent, find and remove malicious code!

    Lately I have become wary of visiting my own visitors' sites: Avast loudly warns, in a gentle female voice, “Virus attack blocked!” (soon, you see, it will start swearing!).

    And in my browser I often come across a warning: “This site may threaten the security of your computer.”

    Where do we find THIS or who gives us THIS?
    I don’t know all the secrets, but I’ll share what I know.

    The main culprits for the appearance of malicious code on a website are the website owners themselves! Ignorance of the laws does not exempt you from the consequences of non-compliance!

    • Do not keep your passwords in a file on your computer, and do not trust them to memory alone either.
    • Do not let the browser remember site credentials (login and password).
    • Do not use names, dates or readable phrases as a password (strongly discouraged!).
    • Do not work in the site's admin panel or open an FTP connection with the antivirus disabled or with no antivirus installed at all.
    • Do not install third-party code on your website without at least visually checking its “honesty”: if the code contains links, check where they lead and why.
    • When publishing or editing an article, do not paste text straight from a Word document; paste it into the editor “as plain text” (there is a button for that).

    You surely know the consequences of an infected site: a warning appears in the search results that visiting the site is dangerous (“Don't go there, come here...!”).

    Traffic drops sharply, and if the administrator does not remove the malicious code for a long time, search engines may treat the site as “abandoned” or as a resource deliberately infected by its owner. Restoring your good name and rankings afterwards is very, very difficult.

    In order to keep abreast of all events, be sure to register in the panel and .

    Go to “Settings” and turn on “Message delivery” to e-mail. In the Yandex panel you can also choose which messages to send and which to simply keep in the message archive.

    What does it look like, can you find it, and can you remove it yourself?

    To be honest, so far I have seen only one with my own eyes (photo 1).

    It was sitting in the header file (header.php) of a template I had picked and downloaded; that is where the code was found.

    Photo 1: the injected code in header.php.

    You should pay special attention to:

    • code that you did not add yourself;
    • script tags that point to resources unknown to you, or whose contents are garbled or encrypted (photo 1);
    • scripts or banners with incomprehensible, tangled code or with external links to sites unknown to you;
    • strange links or items left in comments.

    But what can and should be done at the first stage of treatment, if such trouble has already struck?
  • check your computer for viruses (preferably with several different antivirus programs);
  • change all passwords: hosting, site admin panel, FTP access. And never save them in the browser again; enter them manually every time;
  • in the Yandex and Google webmaster panels, read the tips and notifications about the infected pages;
  • check the site for a “ban” from Google: seobuilding.ru/google-banned.php;
  • check the site with a scanner: sitecheck.sucuri.net/scanner;
  • to search for malicious code in the files yourself, connect to the hosting via FTP and sort the files by last modification date (don't forget to make a copy of the site first!);
  • you can view the page code in Google Webmaster (“Diagnostics” - “Fetch as Googlebot”) and compare it with the original code, mark any third-party code and find out where it came from and why;
  • download the files and the site database (via FTP) to your computer and check them with antivirus software; I recommend the Dr.Web CureIt cleaning utility;
  • remove suspicious code if you are confident in your actions.

    If you cannot cure your site with your own hands, ask for help: on forums, from freelancers, from your hosting provider... Just don't procrastinate; remember, your site is flagged as not recommended for viewing, and search engines expect active steps from you!

    Happy and safe work everyone!

    What is malicious code and how to get rid of it

    Every webmaster who discovers malicious code on his website gets a lot of unpleasant experiences out of it. The site owner immediately, in a panic, tries to find and destroy the virus and to understand how this nasty thing got onto his site. But, as practice shows, finding malicious code on a website is not so easy: the virus may be written into one or several of the huge number of files that make up a site, whether it runs on WordPress or is plain HTML.

    Yesterday, while checking my e-mail, I found a letter from Google saying that visiting certain pages of my site could infect users' computers with malware. Users who reach these pages via links in Google.ru search results are now shown a warning page. This site had not been added to my Google Webmaster panel, so I was notified by e-mail. I had several more sites in the webmaster panel; when I went there, I was horrified to see warnings about malicious code on two more of my sites.
    So malicious code had settled on three of my sites, and I had to find and remove it. One site ran on WordPress; the other two consisted of plain PHP pages.

    It is worth noting that Google reacted much faster than Yandex to the presence of malicious code. In the Yandex webmaster panel, a warning about the presence of a virus on the site did not appear. Fortunately, within a few hours I managed to find this unfortunate virus.

    As a rule, sites are most often infected by the so-called iframe virus. Essentially, this virus consists of code... . It reaches the site by way of the webmaster's own computer: the trojan steals all the saved passwords from Total Commander or another FTP client, and the attacker then uses them to write the iframe into the site's files. That is exactly what happened in my case; the iframe code had been written into several dozen files on my site. On the site that ran on WordPress, the malicious code managed to settle only in footer.php.

    And so, how to find malicious code if you find that your site is infected:

    1. Go to your hosting control panel and change your password. If you have several sites, do this for all of them.

    2. Change the passwords and delete them from the FTP client. From now on, never store passwords in FTP clients; always enter them manually.

    3. Connect to the hosting via FTP and see what has changed in your files. Sort the files by last modification date: the infected files will usually share the same, most recent date. Open these files and look for the iframe code; it is usually located at the very end of the file. Malicious code is most often written into index.php, index.html and files with the .js extension. Often this infection lives between the tags... .
    For self-written sites, look very carefully at all the files and folders of scripts; the virus is often written there. Another favourite habitat of this virus is the code of visitor counters and advertising code.
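    Step 3 above (sort by modification date, then look for the iframe at the end of index.php, index.html and the .js files) can be scripted. The script below is an added example, not code from this article; it assumes a Linux hosting account with a POSIX shell and GNU find/grep, and the sample site it builds in a temporary directory is constructed just for the demonstration. scan_web_files picks out PHP, HTML, JS and .htaccess files modified within the last N days (7 by default) and greps each one for patterns typical of injected code: zero-size or hidden iframes, eval() wrapped around base64_decode() or gzinflate(), document.write(unescape()), the preg_replace /e trick and long runs of hex escapes. A hit is a lead, not a verdict: open the file and read the fragment.

```shell
#!/bin/sh
# Added example (not from the original article): find recently modified web files
# and grep them for patterns typical of injected code. Assumes GNU find/grep.

# One extended regex per line; they are applied case-insensitively below.
suspicious_patterns() {
    cat <<'EOF'
<iframe[^>]*(width|height) *= *["']?0([^0-9]|$)
<iframe[^>]*(display *: *none|visibility *: *hidden)
eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13|strrev) *\(
document\.write *\( *unescape *\(
preg_replace *\( *["'][^"']*/[a-z]*e[a-z]*["']
(\\x[0-9a-f]{2}){8}
EOF
}

# scan_web_files ROOT [DAYS]
# Prints "<file>: <pattern>" for every match in files modified less than DAYS days ago.
scan_web_files() {
    root=$1
    days=${2:-7}
    find "$root" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.html' -o -name '*.htm' \
           -o -name '*.js' -o -name '.htaccess' \) \
        -mtime -"$days" -print | sort | while IFS= read -r f; do
        suspicious_patterns | while IFS= read -r pat; do
            if grep -Eiq -- "$pat" "$f"; then
                echo "$f: $pat"
            fi
        done
    done
}

# count_hits ROOT [DAYS] : number of matching (file, pattern) pairs
count_hits() {
    scan_web_files "$1" "${2:-7}" | wc -l | tr -d ' '
}

# build_sample_site DIR : constructed sample files for the demonstration
build_sample_site() {
    mkdir -p "$1/wp-content/themes/x" "$1/js"
    # a clean page
    printf '<html><body><p>hello</p></body></html>\n' > "$1/index.html"
    # a hidden iframe appended at the very end of the file, as the article describes
    printf '<html><body>page</body></html>\n<iframe src="http://example.invalid/in.php" width=0 height=0></iframe>\n' > "$1/contact.html"
    # obfuscated PHP dropped into a theme footer
    printf '<?php echo "footer"; ?>\n<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$1/wp-content/themes/x/footer.php"
    # a legitimate script that must not match
    printf 'document.getElementById("a").innerHTML = "ok";\n' > "$1/js/app.js"
}

# Demonstration on the constructed site.
demo_dir=$(mktemp -d)
build_sample_site "$demo_dir"
scan_web_files "$demo_dir"
rm -rf "$demo_dir"
```

    To use it on a real site, replace the demonstration at the bottom with scan_web_files /path/to/site 7. Bear in mind that -mtime trusts the modification time, which an attacker can reset with touch; find -ctime looks at the inode change time instead, which touch cannot set.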

    As for WordPress files or another CMS: any CMS consists of many files and folders, and finding malicious code in them is very hard. For WordPress, for example, I can recommend the TAC plugin. It checks the files of all themes in the themes folder for third-party code. If TAC finds unwanted code, it shows the path to the file. In this way the disguised virus can be tracked down.
    Download TAC plugin: wordpress.org

    In general, you should constantly keep in mind all the actions that you performed with your site files. Remember what was changed or added to this or that code.

    Once you have found and removed the malicious code, it does not hurt to check your computer for viruses.
    And if your site was marked by Google or Yandex as infected, you need to request a re-check through the webmaster panel. As a rule, search engines lift all restrictions from the site within 24 hours. Google did not take long to process my re-check request; within a few hours all restrictions were removed from my sites.

    Checking your site for viruses periodically is the first commandment of any self-respecting webmaster. Even if you use a clean Twenty Eleven theme, that does not mean it cannot become infected over time. This can (and most often does) happen because the WordPress engine itself was designed from the start for online publishing. So it never hurts to check again and to keep a copy of the site and database.

    For example, I (after some time, of course) came to one conclusion: you just need a good hoster, and your backup worries disappear by themselves. I no longer need to make database or site backups; the hoster does it all for me, automatically. At any time I can order a copy of any section of the blog (and not only the blog), download it, or restore the blog directly from the control panel. Nothing needs to be downloaded; backup, restore and so on all happen automatically. This is convenient because I can track, not just daily but hourly, when a virus appeared on the blog and take steps to remove it accordingly.

    I will start with the good news: at least two plugins I have used give good results in detecting and localising malicious code. These are the AntiVirus and Exploit Scanner plugins. You will not believe how much harmful code there is on your blog! But do not take everything the check reports as gospel: many of the lines these plugins flag mean nothing bad at all. The plugin merely questions certain lines, that is all. To make sure, manually check the fragments the plugin has identified as malicious. For instance, when checking with the AntiVirus plugin it turned out that even a simple call to the function get_cache_file() is considered suspicious by the plugin. So every result will have to be reviewed by hand. But this one, for example, is a really infected link, and it needs to be removed:

    How do you know whether it is a virus or just how things should be? Very simple: take your clean template (if you have one) and compare it, file by file, with the one that is installed and has already undergone some changes. A direct comparison is not even necessary; just search your clean template for the line the plugin highlighted. If it is there, click the “This is not a virus” button and the line will be ignored during the next scan.
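    The file-by-file comparison with a clean template is easy to automate, so that no highlighted line has to be searched for by hand. The script below is an added example (not the plugin's or the article's code); it assumes only a POSIX shell with find, sort and cmp, and the two small “theme” trees it builds are constructed for the demonstration. compare_trees walks the installed copy and reports files the clean copy never had (ADDED), files whose bytes differ (MODIFIED) and files that have disappeared (MISSING); ADDED files in a theme or plugin directory are the first thing to open.

```shell
#!/bin/sh
# Added example (not from the original article): compare an installed theme or CMS tree
# against a known-clean copy and list what was added, changed or removed. Assumes a POSIX
# shell with find, sort and cmp; works with any two directory trees.

# compare_trees CLEAN INSTALLED
# Prints one line per finding: "ADDED <path>", "MODIFIED <path>" or "MISSING <path>",
# with paths relative to the tree roots.
compare_trees() {
    clean=$1
    installed=$2
    # Walk the installed tree: it is the one that may have been tampered with.
    ( cd "$installed" && find . -type f ) | sort | while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            echo "ADDED $rel"          # file the clean template never had: prime suspect
        elif ! cmp -s "$clean/$rel" "$installed/$rel"; then
            echo "MODIFIED $rel"       # content differs: diff it and read the change
        fi
    done
    # Files present in the clean copy but gone from the installation are worth knowing too.
    ( cd "$clean" && find . -type f ) | sort | while IFS= read -r rel; do
        [ -f "$installed/$rel" ] || echo "MISSING $rel"
    done
}

# count_findings CLEAN INSTALLED KIND : how many ADDED/MODIFIED/MISSING lines were reported
count_findings() {
    compare_trees "$1" "$2" | grep -c "^$3 " || true
}

# build_demo_trees BASE : constructed clean and installed copies of a tiny "theme"
build_demo_trees() {
    mkdir -p "$1/clean/inc" "$1/installed/inc"
    for t in clean installed; do
        printf '<?php get_header(); ?>\n<p>content</p>\n' > "$1/$t/index.php"
        printf '<?php function helper() { return 1; }\n' > "$1/$t/inc/helper.php"
        printf '<html><head><title>t</title></head>\n' > "$1/$t/header.php"
    done
    # The installed copy has a modified header.php and an extra file in inc/ ...
    printf '<script src="http://example.invalid/x.js"></script>\n' >> "$1/installed/header.php"
    printf '<?php echo "dropped here"; ?>\n' > "$1/installed/inc/n2fd2.php"
    # ... and one original file has been deleted from it.
    rm "$1/installed/inc/helper.php"
}

# Demonstration on the constructed trees.
demo=$(mktemp -d)
build_demo_trees "$demo"
compare_trees "$demo/clean" "$demo/installed"
rm -rf "$demo"
```

    For a real check, point it at an unpacked clean download of the same theme or CMS version and at the directory on the hosting (for example compare_trees ~/clean/twentyeleven wp-content/themes/twentyeleven), then diff each MODIFIED file to see exactly what changed.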

    And here is an example from the second plugin I tested, Exploit Scanner:

    As you can see, things are much worse here. For me this result was shocking. But that is not all. The plugin has a further check option; if you turn it on, it turns out that the blog should consist of text and, at most, a couple of CSS stylesheets. So it seems to me the plugin author clearly overdid it with security here. It is good that the plugin only shows the suspected infected fragments and does not clean them.

    After analysing all the lines highlighted in yellow, you can easily spot malware (malicious code); what to do with it next is up to you. The cleaning method is still the same: compare the highlighted code with a site backup (see) and, if you find discrepancies, work out whether you made the change yourself or someone did it for you, in which case it is no longer good and may turn out to be a virus. Even the WordPress developers recommend checking your site for malicious code with this plugin. But there are harmless inserts, for example in the body of an iframe, which the plugin may also flag as infected code; in reality, without these lines that part of your blog will not work correctly.

    How can malware get into blog files at all, and what is it by definition? The word malware literally means malicious software. It is any software that can be used for unauthorised access to the site and its content. You can imagine that for an average hacker, breaking into a website is not difficult, especially once he has registered on it. After that he can modify the blog content as he pleases; it would be educational.

    Malware can be inserted into plugins that you install from an unknown source, and into scripts that you likewise sometimes take without checking, trusting the author. The most harmless kind of malware is a link back to the author of some module you installed on the site. But if the author himself did not warn you that such a link exists, then it is a virus, plain and simple.

    So, I installed a new theme on a test blog, and after deleting one harmless link to some kind of men's club in the site footer it stopped opening altogether, and the main page displayed the message “You do not have the right to delete links.” So much for free themes. You can read elsewhere about how to rip out such rogue links.

    Your database can also be used to run virus-laden code. Spam links are also very often added to posts or comments. Such links are usually hidden with CSS so that an inexperienced administrator will not see them, although the search engine will spot them immediately. Of course, this is where antispam comes in, for example the same one that is licensed, tested and double-checked many times over. A hacker can also upload files with image extensions and reference them from the code of your active plugins. So even if a file does not have a .php extension, the code inside it can be executed.

    There is another simple tool with which I began my acquaintance with malware: the Theme Authenticity Checker (TAC) plugin. It is a lightweight and quite effective tool, but it only checks your themes, inactive ones included. It does not touch the other directories, and that is its downside. This is what checking my current theme with this plugin gave me:

    Two warnings in the active theme, and nothing more. There is no malicious code. Incidentally, these are links I inserted myself on Google's advice, to improve the snippet (display of personal data, organisation address and so on). But this is only a check of the theme files; what is going on in the other directories you will have to find out with other plugins or online services. For example, a service (a really trustworthy one) like Yandex Webmaster or its Google counterpart. They can check any web resource for malicious inclusions, and they do it well. But if that is not enough for you, compare the results with other services and draw your own conclusions.

    For some reason I want to trust Yandex, not plugins. Another good resource is http://2ip.ru/site-virus-scanner/. After checking one of my blogs, this is what I found:

    Here you can also check individual files for malicious code if you have any doubts. In general, the service is not bad.

    From all that has been said, I would draw the following conclusions:

    1. To prevent the appearance of malicious code, you must first of all use proven services for downloading files - plugins, themes, etc.

    2. Regularly make backup copies of everything that the site contains - databases, content, admin panel, including downloaded third-party files.

    3. Take advantage of the updates that WordPress offers. At least they do not contain viruses, even if they are not always functionally justified. An update overwrites the core files with clean copies, so it removes injections in those files; it does nothing for code planted in themes, plugins, uploads or the database, which still have to be checked separately.

    4. Delete unused themes, plugins, images and files without regret - this is another escape route for malware that you may never even guess about.

    5. Properly password-protect your FTP access, the phpMyAdmin login, the admin panel, and generally anything that no one but you should have access to.

    6. Try (even if your desire is as great as the sky) not to change or replace WordPress core files - developers know better what should work and how.

    7. After detecting and removing viruses, change all passwords. I expect you will feel a strong urge to make a 148-character password in mixed case with special characters. But do not get carried away with overly complex passwords: you may lose it, and then you will have to restore everything, which is not pleasant.

    All the methods and components I have described that help you get rid of viruses are, of course, free and more or less home-made, and of course they give no 100% guarantee that your site will be cleaned of malicious inserts. So if cleaning your blog is a real concern, it is better to turn to professionals, for example the Sucuri service (http://sucuri.net/). There your site will be monitored thoroughly, practical recommendations will be sent to you by e-mail, and if you do not want to clean the site yourself, specialists are at your service who will do everything properly within 4 hours:

    Well, this is what my test blog looks like after monitoring, despite the fact that the other (home-grown) methods always showed different results. As you can see, the check is free, but if viruses are detected you have to pay to have them removed without harming the site (unless, of course, you are a guru at cleaning your blog of malware).

    Let me emphasise once again: hackers do not sleep, viruses are constantly updated, and it is impossible to keep track of everything on your own. All the innovations are so carefully hidden and disguised that only a team of professionals can reveal them, not the self-taught blogger that many of us are. This is why manual detection and removal of malware is so ineffective: no experience means no result, while the virus remains. Use licensed programs and entrust the removal of the danger to professionals.

    The other day the hosting provider reg.ru suspended some PHP functions (in particular mail(), for sending messages) on one of my clients' sites, explaining that malware sending spam had been found in the account. Mail stopped working and orders stopped coming in, which means lost money. So I decided to tell you, the readers of this site, how to check your site for viruses and remove malicious code in good time.

    The situation is not uncommon; even this blog of mine has twice fallen victim to hacking. It is impossible to protect your resource from viruses completely, but the risk must be minimised. As a rule, attackers get in through vulnerabilities in the CMS, in design templates, or through incorrect hosting settings.

    What to do if you suspect your website is infected with viruses:

  • Check the site for viruses and find the files containing malicious code (the first half of this article),
  • Delete or disinfect the detected files (the second half of the article),
  • Close the “holes” in the site through which the bad scripts got in.

    All 3 cases of hacking I have encountered (2 of mine and 1 client's) had the same cause: some folders on the hosting had public access rights 777, letting anyone write anything there, so point No. 3 about closing “holes” is the most important one. I will tell you about it at the end.

    Why online antiviruses are ineffective for a website

    When real problems arise in the operation of the site or messages appear from Yandex Webmaster about infection, many begin to look for online antiviruses for sites. Sometimes they help, but most of the time they don't do it completely.

    The problem is that services such as antivirus-alarm.ru, virustotal.com, xseo.in, 2ip.ru and others only see your site from the outside. That means they will detect malicious code only if it surfaces and shows some visible sign.

    What if the infected files do not manifest themselves in any way and are still dormant, or the result of their activity gives no obvious sign of infection? For example, they simply display extraneous links on the web pages; for an online service this will be , while the virus itself is hidden deep in the PHP code and acts only on the server side when processing requests.

    The advantage of online antiviruses is ease of use: enter the site URL, click a button and get the result. But it is not a given that a virus will be found.

    The only effective way to identify all the problems is to scan every file on the hosting where the site lives. That requires access to the hosting, which means the antivirus has to work directly inside your site's files and folders.

    Antivirus plugins

    By the way, fans of popular CMSs have a little more luck in fighting viruses, since there are plugins that can detect and eliminate them in a timely manner. I talked about one such plugin in an article about it; it automatically monitors changes in engine and template files. But even it is not always able to help, since viruses can not only penetrate existing files, but also create their own, against which the plugin will be powerless.

    In a word, in a critical situation, a full scan of all hosting files, including those that do not relate to the CMS, may be required.

    So, let's move on to the section “How to check a website for viruses using professional methods?”

    Checking website files with AI-Bolit antivirus

    As with ordinary computers, websites are checked for viruses with antivirus programs. But the ordinary antivirus programs I have written about are not suitable for this; you need a special one that works on the hosting and is designed for threats to websites.

    Lately I have been using AI-Bolit from Revisium for this. Besides its website antivirus, this company took part in the joint development of an antivirus with Yandex.

    Let's go through all the stages of search and treatment using AI-Bolit step by step.

    Installing AI-Bolit antivirus

    From this page you download the archive with the hosting program – https://revisium.com/ai/ (small file).

    There is a version for Windows - to use it you need to download all the site files from the hosting to your computer.

    There is a version for hosting - virus checking takes place right there (on the server with the site). I will talk about how the hosting version works, download it.

    Unpack the downloaded archive; you will get a folder named like the archive (ai-bolit), a tools folder and 2 files.

    You only need the contents of the first folder (ai-bolit), five files. Upload these five files to the root folder of your site (where your index.php is) via FTP or a file manager.

    Setting up the program

    By default the antivirus is ready to run, but it has two settings you can use to adapt it to your needs. All settings are made in the ai-bolit.php file.

    1. Scan depth. There are three levels: 0 – quick check, 1 – expert, 2 – paranoid; the default is 1. The line responsible for this parameter is:

    define("AI_EXPERT_MODE", 1);

    2. Password for access to the program. If you plan to keep the antivirus on your hosting permanently, set the strongest password you can in place of the default one; otherwise anyone who knows the URL and the default password can run the scanner, read its report on your file structure, and damage the site through the antivirus itself. If you only want a one-time scan, after which the antivirus files will be deleted from the hosting, you can leave the default password. The line responsible for the password is:

    define("PASS", "1122334455");

    After saving the settings, proceed to launching the scanner.

    Starting the program

    Further actions will be carried out through the browser. In the address bar you need to type the URL leading to the ai-bolit launch file - your-site/ai-bolit.php?p=specified-password.

    After some time, scanning all files on your site will be completed and you will receive a report like this:

    Startup problems

    Since scanning a website for viruses puts a considerable load on the hosting server, hosters often prohibit running such programs. In that case you may see error messages like the following:

    In this case there are 3 options:

  • The hoster itself scans for viruses and warns clients when they appear.
  • The hoster may allow you to run the check after you ask technical support.
  • Download the site files to your computer and check them with the Windows version of the antivirus.

    Analysis of results

    The report produced by the scan can be used in two ways: hand it to a specialist who can interpret it, or review each suspicious line yourself. Template features or specialised scripts are often mistaken for viruses (especially at the paranoid level).

    After all the checks and the removal of malicious scripts, delete the antivirus files from the hosting.

    Closing site vulnerabilities

    Now about eliminating the causes of infection. I said above that viruses are most often uploaded through folders that are open to everyone: access rights 777 (rwxrwxrwx).

    If some folder on your site has such rights, anyone can upload a virus file there and use it to spread malicious code throughout the site.

    To make sure the infection does not return after your clean-up, check every folder in which the scanner found infected files and, if necessary, change the rights: deny public write access by setting the folder to 755 (rwxr-xr-x). For files the usual equivalent is 644 (rw-r--r--).

    In some cases you can set even stricter rules, but 755 for folders is the minimum security level.
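    Finding and fixing those folders by hand across a whole CMS is tedious, so here is an added shell example (not from the article) that lists everything under a web root that “other” can write to and then resets directories to 755 and files to 644. It assumes a POSIX shell with find and chmod, and that PHP runs as the file owner (suexec or a php-fpm pool per user), which is the usual shared-hosting setup where 755 is enough; where PHP runs as a separate user such as www-data, upload directories need group or ACL write access rather than 777. The web root it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): find world-writable directories and files
# under a web root and reset them to 755 (directories) / 644 (files). Assumes a POSIX shell
# with find and chmod, and that PHP runs as the file owner.

# audit_perms ROOT : list every directory or regular file that "other" can write to
audit_perms() {
    find "$1" \( -type d -o -type f \) -perm -002 -print | sort
}

# count_world_writable ROOT : number of such entries (0 is what you want)
count_world_writable() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms ROOT : directories -> 755, regular files -> 644; symlinks are left alone
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# build_demo_root BASE : constructed web root with the kind of mistakes the article describes
build_demo_root() {
    mkdir -p "$1/wp-content/uploads/2015" "$1/wp-content/cache"
    printf '<?php echo "site"; ?>\n' > "$1/index.php"
    printf 'img\n' > "$1/wp-content/uploads/2015/a.jpg"
    chmod 777 "$1/wp-content/uploads/2015" "$1/wp-content/cache"   # open to everyone
    chmod 666 "$1/wp-content/uploads/2015/a.jpg"                   # file writable by everyone
}

# Demonstration on the constructed root.
demo=$(mktemp -d)
build_demo_root "$demo"
echo "world-writable before fix:"
audit_perms "$demo"
fix_perms "$demo"
echo "world-writable after fix: $(count_world_writable "$demo")"
rm -rf "$demo"
```

    On a live site run audit_perms first and read the list before running fix_perms: a few directories (uploads, cache) legitimately need to be writable by the PHP process, and 755 keeps that only when PHP runs as the owner. Once you know which user PHP runs as, individual files such as the configuration file can be tightened further (for example 600).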

    That's all I have for today - good luck to your projects.

    The truth of life is that a site can be hacked sooner or later. After successfully exploiting a vulnerability, the hacker tries to gain a foothold on the site by placing web shells and uploaders in system directories and planting backdoors in the script code and the CMS database.

    To detect malicious code in files and databases there are specialised solutions: antiviruses and scanners for hosting. There are not many of them; the popular ones are AI-BOLIT, MalDet (Linux Malware Detect) and ClamAV.

    Scanners help detect uploaded web shells, backdoors, phishing pages, spam mailers and other kinds of malicious scripts, everything they know about and that has been added to the malicious-code signature database beforehand. Some scanners, such as AI-BOLIT, also have a set of heuristic rules that can detect files with suspicious code of the kind commonly used in malicious scripts, or files with suspicious attributes of the kind hackers upload. But unfortunately, even when several scanners are used on the hosting, some hacker scripts may remain undetected, which in practice means the attacker still has a “back door” and can break into the site and gain full control over it at any moment.

    Modern malware and hacker scripts differ significantly from those of 4-5 years ago. Malicious-code authors now combine obfuscation, encryption, decomposition into parts, loading of malicious code from outside, and other tricks to fool antivirus software. Therefore the likelihood of missing new malware is much higher than before.

    What can be done in this case to detect viruses on the site and hacker scripts on the hosting more effectively? An integrated approach is needed: initial automated scanning followed by manual analysis. This article discusses ways to detect malicious code without scanners.

    First, let's look at what exactly you should look for during a hack.

  • Hacker scripts.
    Most often, the files uploaded during a hack are web shells, backdoors, “uploaders”, scripts for spam mailings, phishing pages plus their form handlers, doorways and hack marker files (pictures with the hacker group's logo, text files with a “message” from the hackers, and so on).
  • Injections (code injections) into existing .
    The second most common type of malicious and hacker code on hosting is injections. Mobile and search redirects can be injected into existing .htaccess files, backdoors into PHP/Perl scripts, and viral JavaScript fragments or redirects to third-party resources into .js and .html templates. Injections are also possible in media files, for example .jpg or . Often the malicious code consists of several components: the payload itself is stored in the EXIF header of a .jpg file and is executed by a small control script whose code does not look suspicious to a scanner.
  • Database injections.
    The database is the hacker's third target. Static inserts are possible here, , , , which redirect visitors to third-party resources, “spy” on them, or infect the visitor's computer or mobile device in a drive-by attack.
    In addition, in many modern CMSs (IPB, vBulletin, MODX, etc.) the template engine allows PHP code to be executed, and the templates themselves are stored in the database, so the PHP code of web shells and backdoors can be planted directly in the database.
  • Injections in caching services.
    Through incorrect or insecure configuration of caching services, for example memcached, injections into cached data “on the fly” are possible. In some cases a hacker can inject malicious code into a site's pages without breaking into the site directly.
  • Injections/infected elements in server system components.
    If the hacker has gained privileged (root) access to the server, he can replace components of the web server or caching server with infected ones. Such a web server will, on the one hand, give control of the server through control commands, and on the other, periodically insert dynamic redirects and malicious code into the site's pages. As with an injection into a caching service, the site administrator will most likely not be able to detect that the site has been hacked, since all the files and the database will be original. This variant is the hardest to treat.

    So, suppose you have already checked the hosting files and the database dump with scanners, they found nothing, and yet the virus is still on the page or the mobile redirect still fires when pages are opened. How to search further?

    Manual search

    On unix, it's hard to find a more valuable pair of commands for finding files and fragments than find / grep.

    find . -name '*.ph*' -mtime -7

    will find all .ph* files (php, phtml, ...) whose content was modified in the last week. Sometimes hackers reset the modification time (mtime) of their scripts so that new files do not stand out. In that case, search for php/phtml files whose inode attributes changed (ctime), which cannot be set back with touch:

    find . -name '*.ph*' -ctime -7

    If you need to find changes within a certain time interval, the same find will do:

    find . -name '*.ph*' -newermt 2015-01-25 ! -newermt 2015-01-30 -ls

    For searching inside files, grep is indispensable. It can search recursively through files for a given fragment, for example the address of an injected script:

    grep -ril 'stummann.net/steffen/google-analytics/jquery-1.6.5.min.js' *

    When a server has been hacked, it is useful to review files that have the setuid/setgid (suid/sgid) bit set:

    find / -type f \( -perm -4000 -o -perm -2000 \) -ls

    To determine which scripts are currently running and loading the hosting CPU, you can call

    lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 } } END { print str }'` | grep vhosts | grep php

    Analyzing files on the hosting with your own head and hands
  • Go into the upload, cache, tmp, backup, log and images directories, where scripts write data or users upload files, and check their contents for new files with suspicious extensions. For example, for Joomla you can check for .php files in the images directory: find ./images -name '*.ph*'. If something is found there, it is most likely malware.
    For WordPress, it makes sense to check the wp-content/uploads directory, the backup and cache directories, and the theme directories for scripts.
  • Look for files with strange names
    For example, php, fyi.php, n2fd2.php. Such files can be found
    • by non-standard combinations of characters,
    • by the presence of the digits 3, 4, 5, 6, 7, 8, 9 in the file name
  • Look for files with unusual extensions
    Let's say you have a website on WordPress or another CMS; for such sites, files with the extensions .py, .pl, .cgi, .so, .c, .phtml, .php3 are out of the ordinary. If scripts or files with these extensions are found, they are most likely hacker tools. Some false positives are possible, but their share is small.
  • Look for files with non-standard attributes or creation date
    Suspicion should fall on files whose attributes differ from those of the other files on the server. For example, all .php scripts were uploaded via ftp/sftp and are owned by the user user, while some were created by the user www-data: the latter deserve a closer look. The same goes for a script whose creation date is earlier than the site's creation date.
    To speed up the search for files with suspicious attributes, it is convenient to use the Unix find command.
  • Look for doorways by the large number of .html or .php files
    If a directory contains several thousand .php or .html files, it is most likely a doorway.
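
    The checklist above can be turned into a small triage script. The following POSIX shell scanner is an added example, not code from the article; the list of upload directories, the doorway threshold (1000 files) and the sample path /var/www/example.com are assumptions to adjust for your own CMS, while the extension list and the "digits 3 to 9" heuristic are taken from the text.

```shell
# Added example: heuristic scan of a web root for the kinds of files the
# manual checklist flags. Directory list and doorway threshold are assumptions.

# Directories that scripts normally never land in (assumed list).
UPLOAD_DIRS="images upload uploads cache tmp backup log logs wp-content/uploads"
# Number of .php/.html files in one directory that suggests a doorway (assumed).
DOORWAY_LIMIT=1000

scan_suspicious() {
    root="${1:-.}"

    # 1. Scripts inside upload/cache/temp directories.
    for d in $UPLOAD_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -name '*.ph*' | sed 's/^/UPLOAD_SCRIPT: /'
    done

    # 2. Script names containing the digits 3-9 (the text's heuristic).
    #    -name matches the basename only, so digits in directory names are ignored.
    find "$root" -type f -name '*[3-9]*.ph*' | sed 's/^/ODD_NAME: /'

    # 3. Extensions that are unusual for a PHP-based CMS (list from the text).
    find "$root" -type f \( -name '*.py' -o -name '*.pl' -o -name '*.cgi' \
        -o -name '*.so' -o -name '*.c' -o -name '*.phtml' -o -name '*.php3' \) \
        | sed 's/^/ODD_EXT: /'

    # 4. Doorways: directories holding a very large number of .php/.html files.
    #    (Paths containing spaces are not handled; acceptable for a quick triage.)
    find "$root" -type f \( -name '*.php' -o -name '*.html' \) \
        | sed 's:/[^/]*$::' | sort | uniq -c \
        | awk -v lim="$DOORWAY_LIMIT" '$1 >= lim { print "DOORWAY: " $2 " (" $1 " files)" }'
}

# Run directly:  sh scan.sh /var/www/example.com   (path is an assumption)
if [ "$#" -gt 0 ]; then
    scan_suspicious "$1"
fi
```

    Each finding is prefixed with its category, so the output can be sorted or fed to grep; every hit still needs a look by hand, since a legitimate plugin may ship a .phtml template or a numbered file name.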
  • Logs to help

    Web server, email service and FTP logs can be used to detect malicious and hacker scripts.

    • Correlating the date and time an email was sent (taken from the mail server log or from the service headers of a spam message) with the requests in access_log helps to identify how the spam was sent or to find the spam sender's script.
    • Analysis of the FTP transfer log (xferlog) shows which files were transferred at the time of the hack, which were changed and by whom.
    • In a correctly configured mail server log, or in the service headers of a spam email if PHP is configured accordingly, there will be the name or full path of the sending script, which helps pinpoint the source of the spam.
    • Using the logs of the proactive protection of modern CMS and plugins, you can determine what attacks were carried out on the site and whether the CMS was able to withstand them.
    • Using access_log and error_log, you can trace a hacker's actions if you know the names of the scripts he called, his IP address or User Agent. As a last resort, you can review the POST requests on the day the site was hacked and infected. Such analysis often reveals other hacker scripts that were uploaded, or that were already on the server at the time of the hack.
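
    The first and last points above describe the same move: take a moment in time from the mail log (or from a spam message's headers) and look at what was POSTed to PHP scripts on the web server around it. The shell function below is an added example, not from the article; the access_log lines, IP addresses and script paths in it are constructed for the demonstration, and the timestamp passed in is assumed to have been read from the mail server log.

```shell
# Added example: correlate a mail-log timestamp with access_log POST requests.
# The log sample is constructed; addresses and paths are made up.

# Constructed access_log sample in Apache combined format.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Jan/2015:14:00:01 +0300] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2015:14:03:10 +0300] "POST /images/fyi.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:13:00:00 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:14:03:40 +0300] "POST /wp-content/uploads/n2fd2.php HTTP/1.1" 200 64 "-" "curl/7.4"
198.51.100.7 - - [25/Jan/2015:14:03:41 +0300] "GET /style.css HTTP/1.1" 200 2048 "-" "curl/7.4"
EOF
}

# posts_around <access_log> <timestamp dd/Mon/yyyy:HH:MM:SS> <window_seconds>
# Prints "client_ip script" for every POST to a .ph* script within +/- window.
posts_around() {
    awk -v when="$2" -v win="$3" '
    # Convert an Apache timestamp into a monotonically increasing number of
    # seconds. Months are treated as 31 days: exact enough for comparing
    # events that lie minutes apart, wrong only across month boundaries.
    function ts(s,    p, mon) {
        split(s, p, "[/:]")
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2]) + 2) / 3
        return ((((p[3] * 12 + mon) * 31 + p[1]) * 24 + p[4]) * 60 + p[5]) * 60 + p[6]
    }
    BEGIN { target = ts(when) }
    # $4 is "[dd/Mon/yyyy:HH:MM:SS", $6 is the quoted method, $7 the request path.
    substr($6, 2) == "POST" && $7 ~ /\.ph/ {
        t = ts(substr($4, 2))
        if (t >= target - win && t <= target + win) print $1, $7
    }' "$1"
}

# Demo run against the constructed log (file path is temporary):
demo_log=$(mktemp)
sample_access_log > "$demo_log"
posts_around "$demo_log" "25/Jan/2015:14:03:22" 60
rm -f "$demo_log"
```

    With a window of 60 seconds around 14:03:22 the demo reports the two POSTs to scripts in images/ and wp-content/uploads/ and ignores the earlier login and the GET requests. On a real server, widen the window if the mail server and web server clocks are not in sync, and run the same query against a few different spam timestamps: the script that appears every time is the sender.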
    Integrity control

    It is much easier to analyze a hack and look for malicious scripts on a website if you take care of its security in advance. An integrity check procedure lets you detect changes on the hosting in time and establish the fact of a hack. One of the simplest and most effective ways is to put the site under a version control system (git, svn, cvs). With a correctly configured .gitignore, change control comes down to running git status, and the search for malicious scripts and changed files comes down to git diff.

    Also, you will always have a backup copy of your files, to which you can “roll back” the site in a matter of seconds. Server administrators and advanced webmasters can use inotify, tripwire, auditd and other mechanisms to track access to files and directories, and monitor changes in the file system.

    Unfortunately, it is not always possible to configure a version control system or third-party services on the server. On shared hosting you will not be able to install a version control system or system services. That is not a problem, though: there are quite a few ready-made solutions for CMS. You can install a plugin or a separate script on the site that tracks changes in files. Some CMS already implement effective change monitoring and an integrity check mechanism (for example, Bitrix, DLE). As a last resort, if the hosting offers ssh, you can create a reference snapshot of the file system with the command

    ls -lahR > original_file.txt

    and if problems arise, create a new snapshot in another file, and then compare the two in WinDiff, Araxis Merge or Beyond Compare.
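
    A listing of names, sizes and dates misses an edit that keeps the file size and a faked mtime; a snapshot of content hashes does not. The following two shell functions are an added example, not code from the article or from any of the tools named above: take_snapshot records a SHA-256 checksum per file and compare_snapshots diffs two such records. The paths /var/www/example.com and /root/site-*.sha256 are assumptions.

```shell
# Added example: checksum snapshot of a web root and comparison of two snapshots.

# sha256sum is GNU coreutils; fall back to shasum on macOS/BSD (same output format).
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# take_snapshot <webroot> <snapshot_file>
# Writes "hash  ./relative/path" for every regular file, skipping .git.
# Paths are relative, so a snapshot taken from a backup copy compares cleanly.
take_snapshot() {
    (
        cd "$1" || exit 1
        find . -name .git -prune -o -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do
            hash_files "$f"
        done
    ) > "$2"
}

# compare_snapshots <old_snapshot> <new_snapshot>
# Prints one line per ADDED, REMOVED or CHANGED file. File names with spaces
# are not handled, which is acceptable for a triage tool.
compare_snapshots() {
    awk '
    FILENAME == ARGV[1] { old[$2] = $1; next }
    {
        if (!($2 in old))        print "ADDED   " $2
        else if (old[$2] != $1)  print "CHANGED " $2
        delete old[$2]
    }
    END { for (f in old) print "REMOVED " f }
    ' "$1" "$2" | sort
}

# Typical use (paths are assumptions):
#   take_snapshot /var/www/example.com /root/site-baseline.sha256   # right after deploy
#   take_snapshot /var/www/example.com /root/site-now.sha256        # when in doubt
#   compare_snapshots /root/site-baseline.sha256 /root/site-now.sha256
```

    Keep the baseline snapshot outside the web root (or off the server entirely); a snapshot stored next to the files it describes can be edited by whoever edited the files. Directories that legitimately change, such as cache or upload directories, can be pruned from the find call the same way .git is.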

    Epilogue

    In most cases, antivirus software developers and scanners do not keep up with malware developers, so when diagnosing and treating sites, you cannot rely only on automated software solutions and scripts. Using a heuristic approach, the rich operating system tools and CMS capabilities, you can find malicious code that antiviruses and scanners could not detect. Using manual analysis makes the website treatment process better and more efficient.