When malware infects your website, finding and removing the infected components can be a delicate process. Here's a step-by-step guide to help you identify malware in your website's source files and safely clean it.
1. Dump Website Source Files and Scan with Antivirus

The first step in identifying malware is to download a copy of your entire website's source files onto your local machine. Here's how to proceed:
- Dump the Files: Use FTP, SFTP, or your hosting control panel to download all the files from your website's server.
- Scan the Files Locally: Once the website files are on your desktop, run a full scan using the same antivirus software that has flagged your website as infected. The antivirus should be able to detect the same malware locally and provide information about the infected files.
- Compare CMS Files: If your website uses a Content Management System (CMS) like WordPress, Joomla, or Drupal, compare the infected files with clean versions from the CMS's source. For example, if a theme or plugin file is flagged, download the original version and replace the corrupted files with clean ones. Most CMS platforms provide access to their core files, which can help with the comparison and cleanup process.
2. Compare Website Files with an Old Backup

If the antivirus scan does not locate the malware or cannot clean it, the next step is to compare your website's current state with an older, clean backup. This method can reveal new or modified files injected with malicious code.
- Use File Comparison Tools: Tools like WinMerge, Beyond Compare, or DiffMerge can compare the current files to those from a previous backup. These tools highlight differences between the two versions, making it easier to spot files that have been modified or added.
- Identify Suspicious Changes: Pay close attention to new files or unexplained changes to core CMS files, configuration files, or scripts that weren't present in your previous backup. Malware often comes in the form of unfamiliar file names or strange code within existing files.
This comparison process helps you zero in on malicious changes that antivirus software may have missed.
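The backup comparison above can also be scripted, which is useful when a site has thousands of files and a visual diff tool is slow to drive. The following is an added example, not code from the original guide: it hashes every file in a clean backup and in the current site dump and lists what was added, removed or modified. The directory layout, file names and the "injected" placeholder strings are constructed for the demo and assume a WordPress-style tree.

```python
import hashlib
import os
import tempfile

# Added example, not part of the original guide. It does what WinMerge or
# Beyond Compare do interactively: hash every file in a clean backup and in
# the current site dump, then list what was added, removed or modified.


def sha256_of(path):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated path) to its digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def compare_trees(backup_root, current_root):
    """Return sorted lists of added, removed and modified relative paths."""
    old = snapshot(backup_root)
    new = snapshot(current_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(path, content):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(content)


def build_demo_trees():
    """Construct a backup tree and a current tree with sample content.

    The 'injected' content is a placeholder comment, not a real payload; the
    file names are illustrative and assume a WordPress-style layout.
    """
    base = tempfile.mkdtemp(prefix="site-compare-")
    backup = os.path.join(base, "backup")
    current = os.path.join(base, "current")
    originals = {
        "index.php": "<?php require 'wp-blog-header.php'; ?>\n",
        "readme.html": "<html><body>demo site</body></html>\n",
        "wp-content/themes/demo/functions.php": "<?php function demo_setup() {} ?>\n",
    }
    for root in (backup, current):
        for rel, content in originals.items():
            _write(os.path.join(root, rel), content)
    # Simulate a compromise in the current tree only:
    #   - an existing theme file gets a line appended
    #   - an unfamiliar hidden file appears in the uploads directory
    #   - one original file disappears
    theme_file = "wp-content/themes/demo/functions.php"
    _write(os.path.join(current, theme_file),
           originals[theme_file]
           + "<?php /* constructed: appended line standing in for injected code */ ?>\n")
    _write(os.path.join(current, "wp-content/uploads/.cache.php"),
           "<?php /* constructed: unfamiliar file standing in for a dropper */ ?>\n")
    os.remove(os.path.join(current, "readme.html"))
    return backup, current


if __name__ == "__main__":
    backup_dir, current_dir = build_demo_trees()
    for kind, paths in compare_trees(backup_dir, current_dir).items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

Run it against a real backup and dump by calling `compare_trees("/path/to/backup", "/path/to/current")`; the "added" and "modified" lists are the files to open first, and anything in "modified" under a core, theme or plugin directory should be diffed against the vendor's original before it is restored.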
3. Search for Obfuscated JavaScript or PHP Code

A common characteristic of malware, especially within the JS/Agent family, is the use of obfuscated JavaScript or PHP code. Obfuscation deliberately makes code unreadable to hide its true purpose.
- Look for Signs of Obfuscation: Obfuscated code typically looks like random strings, unreadable variables, or functions with complex and nonsensical names. It may also include base64-encoded strings, often used to hide malware payloads.
- Common Locations: Malicious JavaScript is frequently injected into HTML files, theme or plugin files, or even core CMS files. PHP-based malware is often embedded in files like functions.php, header.php, or index.php in WordPress or other CMSs.
- Decode Obfuscated Code: If you find code that appears obfuscated, try decoding it to understand its purpose. You can use online tools like JS Beautifier or PHP Unobfuscators to clean up the code for review; decode it for reading only, and never execute the decoded result.
- Be Cautious with Manual Removal: Manually removing malware from infected files requires extreme caution, as one wrong deletion could break your website.
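The signs of obfuscation listed above (nonsensical names, hex escapes, long base64 literals, decode-then-eval chains) can be searched for automatically before any file is opened by hand. The following is an added example, not code from the original guide or from any scanner product: it flags those patterns in PHP and JavaScript text, reports the entropy of each hit, and peels nested base64 for inspection only. The indicator names and thresholds (40-character base64 runs, 8 hex escapes) are choices made here, and the sample sources are constructed, with a harmless echo statement standing in for a payload.

```python
import base64
import math
import re

# Added example, not part of the original guide. It flags textbook signs of
# obfuscation in PHP/JS source and decodes nested base64 for reading only;
# nothing found is ever executed. Indicator names are labels chosen here.

INDICATORS = {
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|atob|unescape)\s*\(",
        re.I),
    "long_base64_literal": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"),
    "charcode_builder": re.compile(r"String\.fromCharCode\s*\("),
}

BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text):
    """Bits per character; encoded blobs run high, readable code runs lower."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(source):
    """Return one finding per indicator hit: name, matched text, entropy."""
    findings = []
    for name, pattern in INDICATORS.items():
        for match in pattern.finditer(source):
            snippet = match.group(0)
            findings.append({
                "indicator": name,
                "match": snippet if len(snippet) <= 60 else snippet[:57] + "...",
                "entropy": round(shannon_entropy(snippet), 2),
            })
    return findings


def decode_base64_layers(token, max_layers=5):
    """Peel nested base64 until the result is no longer base64 or not printable.

    Returns (text, layers_removed). Decoding only; the result is for reading.
    """
    current = token
    for layer in range(max_layers):
        if not BASE64_TOKEN.match(current) or len(current) % 4:
            return current, layer
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return current, layer
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            return current, layer  # binary data: stop and keep the encoded form
        current = decoded
    return current, max_layers


# Constructed samples. The "payload" is a harmless echo wrapped in two base64
# layers; the JS sample spells "demo text" with hex escapes and char codes.
INNER_PAYLOAD = "<?php echo 'demo payload for scanner test'; ?>"
SAMPLE_TOKEN = base64.b64encode(base64.b64encode(INNER_PAYLOAD.encode())).decode()
SAMPLE_PHP = f"<?php eval(base64_decode(base64_decode('{SAMPLE_TOKEN}'))); ?>"
SAMPLE_JS = r'var s="\x64\x65\x6d\x6f\x20\x74\x65\x78\x74"+String.fromCharCode(100,101,109,111);'
SAMPLE_CLEAN = "<?php function demo_setup() { add_action('init', 'demo_init'); } ?>"


if __name__ == "__main__":
    for label, sample in (("php", SAMPLE_PHP), ("js", SAMPLE_JS), ("clean", SAMPLE_CLEAN)):
        for finding in scan_text(sample):
            print(f"[{label}] {finding['indicator']:22} entropy={finding['entropy']:<5} {finding['match']}")
    text, layers = decode_base64_layers(SAMPLE_TOKEN)
    print(f"decoded after {layers} layers: {text}")
```

To use it on a site dump, read each .php, .js and .html file and pass its contents to `scan_text`; a hit on `eval_of_decoded_data` is the strongest signal, while `long_base64_literal` on its own also appears in legitimate code (embedded images, fonts), so treat it as a prompt to look, not as proof of infection.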