10 Oct, 2018

Website Malware Removal Guide, Part 2: The Cleanup Process

Once you have completed the Website Malware Removal Guide, Part 1: Preparation, it's time to begin Part 2, the cleanup process.
Do not start the process below until you have performed the essential preparations described in Website Malware Removal Guide, Part 1: Preparation.
Identifying the Infection
Use free tools to scan a CMS setup and locate the infection
Before starting manual identification of the malware problem, it's worth looking for existing security plugins or extensions for your CMS. Many such tools are available for free. Be sure to use only tools from trustworthy sources. We provide a free scanner for WordPress to help you to identify infections in your WordPress installation.

Unfortunately, free plugins and extensions aren't always useful. Bad guys know about these plugins. Just as you use them for an initial investigation, they use them to verify that their malware is obfuscated in a way that these tools won't detect.
Examine the environment configuration files
If the free tools don't help you to identify and cure the infection, you need to start digging into the website internals. Many websites are built on a CMS written in PHP and hosted on the Apache Web server, so the following assumes a PHP-based site running on Apache. With other Web servers, such as Nginx, the procedure differs slightly (Nginx, for example, does not read .htaccess files).

PHP configuration files, such as php.ini and .user.ini, customize PHP's behavior. If compromised, they can make the interpreter load a malicious PHP file before or after every script it runs (PHP's auto_prepend_file and auto_append_file directives), or relax restrictions so that cybercriminals gain more capabilities through website access.
The Apache configuration file .htaccess contains rules for how the Web server will treat HTTP requests. Making changes to this file is a major tactic for traffic-stealing malware. Changing one line in .htaccess can redirect users to a scam site. For example, the following line will redirect all website pages to another domain:

Redirect 301 / http://scamwebsite.com/

Examine your .htaccess file for any suspicious Redirect or RewriteRule directives or other anomalies. Compare your current .htaccess file with the one shipped with your CMS; that will show you every change and help you detect an infection.
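The check described above, as an added example that is not part of the original guide: it flags .htaccess directives that send traffic to another host or change PHP settings, then lists the lines that differ from the copy shipped with the CMS. Both .htaccess files are constructed here; the injected redirects reuse the scam domain from the text.

```shell
#!/bin/sh
# Added example (not part of the original guide): flag .htaccess directives that
# send traffic to another host or change PHP settings, and list the lines that
# differ from the copy shipped with the CMS. Both files below are constructed.
WORK=$(mktemp -d)

# The rewrite block WordPress ships in its .htaccess.
cat > "$WORK/htaccess.shipped" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF

# The copy found on the server: the same block plus two injected redirects.
cp "$WORK/htaccess.shipped" "$WORK/htaccess.live"
printf '%s\n' 'Redirect 301 / http://scamwebsite.com/' \
  'RewriteRule ^(.*)$ http://scamwebsite.com/$1 [R=302,L]' >> "$WORK/htaccess.live"

# Print (with line numbers) directives that redirect or rewrite to an absolute
# URL, i.e. off-site, and any php_value/php_flag line, which changes PHP
# settings from .htaccess just as a tampered php.ini would.
suspicious_htaccess() {
  grep -nEi '^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule)[[:space:]].*https?://' "$1" || :
  grep -nEi '^[[:space:]]*php_(value|flag)[[:space:]]' "$1" || :
}

# Lines present in the live file but absent from the shipped one.
added_lines() {
  diff "$1" "$2" | sed -n 's/^> //p'
}

suspicious_htaccess "$WORK/htaccess.live"
added_lines "$WORK/htaccess.shipped" "$WORK/htaccess.live"
```

A relative target such as /index.php never matches the first pattern, so a clean WordPress .htaccess produces no output.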
Verify CMS Core Files
The CMS core files are the source files which contain the CMS's functionality. These files should never be replaced or modified, except through a version upgrade. If any of the core files are modified, it's very likely that they contain malware.

To compare the core files, download them to your desktop computer and download the official sources of the CMS, making sure to get exactly the same version. Use any available comparison tools, such as Meld, WinMerge, or Beyond Compare. If you detect a modified core file, replace it with the official source file.
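The comparison described above, as an added example that is not part of the original guide: it checksums both trees and classifies each path as modified, added (present only on the site, which is how dropped files show up) or missing. The trees are constructed; paths that legitimately differ from the download (wp-config.php, the upload directory) are skipped.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the site's CMS tree with a
# pristine download of the same version and report core files that were modified,
# added or removed. Uses POSIX cksum, so it runs on any Unix-like host. Both
# trees below are constructed for the demonstration.
WORK=$(mktemp -d)
mkdir -p "$WORK/pristine/wp-includes" "$WORK/site/wp-includes" "$WORK/site/wp-content/uploads"
printf '<?php\n// core file\n' > "$WORK/pristine/index.php"
printf '<?php\n// core file\n' > "$WORK/pristine/wp-includes/functions.php"
cp "$WORK/pristine/index.php" "$WORK/site/index.php"            # unchanged
{ cat "$WORK/pristine/wp-includes/functions.php"; echo '// appended'; } \
  > "$WORK/site/wp-includes/functions.php"                      # modified
printf '<?php\n' > "$WORK/site/wp-includes/extra-file.php"      # only on the site
printf '<?php\n' > "$WORK/site/wp-config.php"                    # expected to differ
printf 'jpeg' > "$WORK/site/wp-content/uploads/photo.jpg"        # expected to differ

# Print "relative-path<TAB>checksum" for every file under a tree.
tree_sums() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
      printf '%s\t%s\n' "${f#./}" "$(cksum < "$f" | cut -d' ' -f1)"
    done )
}

# Classify each path as MODIFIED, ADDED (only on the site) or MISSING (only in
# the pristine tree); wp-config.php and the upload directory are skipped because
# they legitimately differ from the download.
compare_core() {
  tree_sums "$1" > "$WORK/pristine.sums"
  tree_sums "$2" > "$WORK/site.sums"
  awk -F'\t' '
    FNR == NR { pristine[$1] = $2; next }
    $1 == "wp-config.php" || $1 ~ /^wp-content\/uploads\// { next }
    $1 in pristine { if (pristine[$1] != $2) print "MODIFIED\t" $1; seen[$1] = 1; next }
    { print "ADDED\t" $1 }
    END { for (p in pristine) if (!(p in seen)) print "MISSING\t" p }
  ' "$WORK/pristine.sums" "$WORK/site.sums" | sort
}

compare_core "$WORK/pristine" "$WORK/site"
```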
Examine Files on the HTML Page Rendering Path
Malware creators like to target PHP source files which the PHP interpreter loads on every HTTP access to the infected website. Every access to a WordPress site will load wp-config.php, settings.php, and other files. The target files include CMS configuration files, themes, core files, and library files. If any of these files have recently been modified, they may be infected. The following command will list any files modified in the last seven days, which may help to point at the infection (bear in mind that an attacker can reset a file's modification time, so an old timestamp does not prove a file is clean; the core-file comparison above catches such files):

find . -type f -mtime -7
Review the CMS upload directory
The CMS upload directory typically contains images and other media files to use on your website. They can be accessed directly through a URL. For example, on WordPress platforms, any image could be accessed using this pattern:

https://[domainname]/wp-content/uploads/image_file_name.jpg

Some vulnerable plugins or extensions fail to verify the type of uploaded files. They could allow PHP source files to be uploaded and then accessed, letting an attacker run arbitrary code on your site:

https://[domainname]/wp-content/uploads/image_file_name.php

Any PHP files found in the upload directory should be a serious red flag. It's very likely that they're there to attack your site. Remove them, and try to figure out how they got there.
Investigate CMS database rows
A modern CMS depends heavily on its database. The database tables hold custom configuration, website pages, theme settings, statistics, and much more. Malware authors can use this functionality to inject malicious content such as JavaScript, PHP shells, and backdoors. A full website audit requires dumping the content of the CMS database and investigating it for signs of malware.
Tools for performing a database dump include mysqldump, phpMyAdmin, and Adminer. Any PHP code in the database needs special scrutiny for possible malware. Search the dump for the following identifiers to find embedded PHP:
  • $_POST
  • $_GET
  • eval
  • exec
  • system
  • passthru
  • gzdecode
  • gzuncompress
  • base64_decode
  • file_get_contents
  • file_put_contents
  • strtoupper
Look at suspicious PHP functions and long strings
Certain PHP operations are suspicious because they can perform system-level actions or unpack disguised code. Their presence may point to a PHP infection. The following grep command will let you list all files which contain them:

egrep -rHn "(eval|exec|system|passthru|gzdecode|gzuncompress|base64_decode|str_rot13)" ./*

The output of this command will be a list of the files which contain the specified keywords. They aren't always malicious, but you should go through each file and investigate the matched strings.
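An added example (not part of the original guide) that serves both the database review and this section: it greps a directory holding the site files and a mysqldump output for the listed functions, and separately for long runs of base64 characters, which usually carry packed code. All sample files, including the dump rows, are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide) that serves both the database
# review above and this section: grep a directory holding the site files and a
# mysqldump output for the listed PHP functions, and separately for long runs of
# base64 characters, which usually carry packed code. All files are constructed.
WORK=$(mktemp -d)
mkdir -p "$WORK/site/wp-content/themes/demo"
# Legitimate theme code: file_get_contents will match and must be reviewed by hand.
cat > "$WORK/site/wp-content/themes/demo/functions.php" <<'EOF'
<?php
$style = file_get_contents(__DIR__ . '/style.css');
EOF
# Injected theme file: eval of a base64 string (it merely decodes to "hello world").
cat > "$WORK/site/wp-content/themes/demo/header.php" <<'EOF'
<?php eval(base64_decode('aGVsbG8gd29ybGQ=')); ?>
EOF
# Database dump: one row with PHP reading $_POST, one with a long encoded blob.
cat > "$WORK/site/dump.sql" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2,'widget_text','<?php echo $_POST["msg"]; ?>','yes');
INSERT INTO `wp_options` VALUES (3,'_transient_demo','QUJDREVHSElKQUJDREVHSElKQUJDREVHSElKQUJDREVHSElKQUJDREVHSElKQUJDREVHSElKQUJDREVHSElKQUJDREVHSElK','yes');
EOF

# Superglobal reads, plus the listed functions when followed by "(": the call
# form cuts down on hits in ordinary prose such as "the system".
PATTERN='(\$_POST|\$_GET|(eval|exec|system|passthru|gzdecode|gzuncompress|base64_decode|str_rot13|file_get_contents|file_put_contents)[[:space:]]*\()'

# One line per match: file:line:matched-text. -I skips binaries such as images.
scan_functions() {
  grep -rIHnoE "$PATTERN" "$1" || :
}

# Lines containing 80+ consecutive base64-alphabet characters, truncated for display.
scan_long_strings() {
  grep -rIHnE '[A-Za-z0-9+/=]{80,}' "$1" | cut -c1-100 || :
}

scan_functions "$WORK/site"
scan_long_strings "$WORK/site"
```

The clean theme file still appears in the output because of its file_get_contents call, which is exactly the manual review the text asks for.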
Watch out for multiple sites and permissions sharing
If you have multiple sites under the same hosting account, all of them run under the same user permissions. A PHP script invoked as a part of one site can freely access files on the other sites under the same hosting account. It can modify or infect each of them. Thus, one site can be a source of infection for all the other websites.

You need to perform the same investigation procedure on all the sites you have under that account. Just a single malicious file on your hosting account can lead to full reinfection of all the sites.
Editing the Infected Files
Be very careful when cleaning the website manually. Any missing or incorrect character can break the website’s integrity and make it stop working. Don’t forget to make a website backup before starting to remove malicious content.

PHP source files are plain text files. You can make changes and fixes with any text editor. If you clean an infection from the CMS core files, you can use any diff tool, such as Meld or WinMerge. If you know the exact pattern of the infection, you can use the sed tool to remove the infection in one shot. Here are some examples of how to use sed to remove strings from files. Don't use word processing software such as Microsoft Word; it will add formatting and mess your files up badly.
At this point, your site should be free of malware and suspicious code. Now it's time to make sure it's protected against reinfection by performing essential protective steps. These are covered in Website Malware Removal Guide, Part 3: Post cleanup and hardening.