At Quttera, our goal is to provide the best level of services to our customers during the malware remediation process. Not all customers can give us the required level of access to carry it out ourselves, so we offer them this guide. Customers who need to take responsibility for malware cleanup and remediation should study the instructions in these three articles carefully before taking action.
Your Guide to Malware
In this series, we will provide instructions to help anyone with moderate computer skills to fix a hacked website. Even before that point, though, you need to know if your site has been hacked. It could be behaving erratically for other reasons. You can check this by running our free online website malware scanner.
If you think your site is being blocked because of malware, you can check Google's safe browsing site status page. It will tell you if Google's software has scanned the site and deemed it unsafe to visit.
These outside-in scans won't detect all malware. Attacks such as crypto-mining, email spam, and spyware won't be caught. To be really sure your site is uncompromised, you should run an internal scan of the site on your own server.
These instructions apply primarily to sites built on content management systems (CMSs) such as WordPress and Drupal. Much of the advice, though, applies to all types of sites, so long as you have full control of the server.
Follow the steps below, then continue to the next article, which will explain how to clean up the problem.
Take the Site Offline
If the site is clearly infected, take it offline. If possible, you may want to quarantine the Web server from your own network. However, some of the steps described here require Internet access.
Set up a temporary Web server with a static page saying that the site is experiencing problems and will be back up soon. This will prevent further damage. It will also guarantee that you aren't trying to fix a moving target.
Backup Before Starting Remediation
Manual cleanup of a website is a very error-prone procedure. Changing just one character incorrectly could make the whole site stop working. Removing something which looks unnecessary could turn out to be a serious mistake. What you're backing up may be compromised, but it could be the only point of reference you have when you're trying to get back to a recent working state. Knowing that you have the backup gives you confidence that you can't make things even worse and be unable to get back.
Be careful not to overwrite any good backups or to infect the backup volume. Don't mount a backup volume and copy to it. Use an offline backup instead.
Restore from Backup
You may be able to bring the site to a better state by restoring it from a recent backup, hopefully, one before the infection occurred. Keep in mind that the backup could be infected as well. Restoring it doesn't guarantee that you'll get rid of the malware, but it may reduce the extent of the damage. Even if it eliminates the visible problems, their source may not be in the website, so it could come back. Still, starting remediation work with a recent backup may make the job easier and seldom hurts.
Reset all Login Credentials
At this point, you don't know the source of the infection. It could have come through an account where the attacker discovered or guessed the password. First, look for any accounts in the CMS that should no longer be active or have no reason to be there. Deactivate all those accounts. Second, change the passwords of all legitimate accounts. This includes the administrative account. Make sure the new passwords are strong ones.
Remove or Uninstall all Unused Plugins or Extensions
Plugins and extensions that come from questionable sources could be malicious. Others could be badly written and have security holes, or they might be outdated versions with known weaknesses. Any of them might be the way an attacker got in. If they aren't removed, they could be a source of later reinfection after the problem appears to be cleaned up.
Go through your website's software and remove any components which are unused, unnecessary, or no longer supported. Check whether the legitimate components are the latest version which the publisher offers. That may or may not eliminate the source of the problem, but it will certainly make the site safer against later attacks.
Clean or Remove Cached CMS Files
A CMS such as Drupal or WordPress uses cached HTML files to improve performance. Its Web files contain executable code, usually in the PHP language, which takes time every time they are accessed. They may cache these files as static HTML so that they don't have to execute the code every time. The cache could contain infected versions of the files, which would stay around even after the problem is removed in the PHP. Users who received the cached files would continue to get malicious data. To make sure the problem is completely removed, all Web cache files should be cleared or deleted.
Look for directories called "temp" or "tmp". It should be safe to delete all files in those directories.
Disable User Self-Registration
Letting users self-register on your CMS is risky, and there is rarely a need for it. If letting people from outside register is a business requirement, screening requests and verifying the applicant's identity is a safer approach.
Privilege escalation is a severe risk from unknown users. If users can edit raw HTML on the site, they can introduce dangerous content such as cross-site scripting. In some cases, they can gain full control of the underlying server.
If reader comments are useful, registering only to comment should be safe. You could consider a third-party commenting service such as Disqus for extra safety. At a minimum, there should be a spam filter for incoming comments. It's the ability to create arbitrary HTML content which is dangerous.
After taking all these steps, you should be all set to start with the actual cleanup. We cover this in Website Malware Removal Guide, Part 2: The Cleanup Process.