How to clean an infected site

Where should I start?

Analyze the possible ways of infection:

  • A hacker can obtain passwords to CMS admin panels, FTP or SSH accounts. Passwords are usually cracked or stolen using Trojan programs that infect the webmaster's computer.

  • Vulnerabilities in a web app may allow outsiders to put their own code on the site.

  • If an external resource (a partner program, banner system, or tracker) is infected, the code it provides to you may become a threat to your users.

Find browser-based malicious code

Analyze the information about the infection on the Security and violations page in Yandex.Webmaster. The section contains a list of infected pages, the dates of the checks, and the verdicts issued by the antivirus. Follow the link in the verdict title to see its description and an example of the code corresponding to that verdict (the code that appears on the site's pages).

You can also reproduce the problem using a virtual machine.

Find server-side malicious code

  1. Stop the web server to protect site visitors from the potential threat. Then use an antivirus to scan the web server files and the workstations used to administer the server, and change all passwords: root, FTP, SSH, hosting administrative panels, and CMS.
  2. If there is a backup copy made before the infection, restore it.
  3. Update all programs used by the site to their latest versions, and look for descriptions of fixed vulnerabilities. This may help you find out how the site was infected.
  4. Delete any unnecessary users with extended permissions and thoroughly check the server for the presence of a web shell that a hacker could use to change the site's code while bypassing authorization.
  5. Check for malicious code:
    • In all server scripts, CMS templates, and databases.

    • In config files for the web server or server script interpreter.

    • If you use shared hosting, check other sites on the same server – the entire server may be infected.

Signs of malicious code:

  • Strange or unfamiliar code that does not correspond to the backup copy or version control system.

  • Obfuscated (unreadable, unstructured) code.

  • File modification dates coinciding with the infection date, or later. (This indicator is not reliable, since the file modification date can be changed by the malware.)

  • Use of functions that are typical for malicious code. Examples of such functions for PHP:

    • Dynamic code execution (eval, assert, create_function).

    • Obfuscation (base64_decode, gzuncompress, gzinflate, str_rot13, preg_replace).

    • Loading remote resources (file_get_contents, curl_exec).
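As an added example (not code from the Yandex help page), a small Python scanner that flags the PHP functions listed above, ranks a decode-then-execute call such as eval(base64_decode(...)) higher than a single hit, and also reports long base64-like strings as a sign of obfuscated code; the sample file is constructed. Every hit still needs manual review: file_get_contents on a local config file is legitimate, so the scanner narrows the search rather than issuing a verdict.

```python
import re
import sys
from pathlib import Path

# PHP functions the page lists as typical of malicious code, grouped by role.
DYNAMIC_EXEC = {"eval", "assert", "create_function"}
OBFUSCATION = {"base64_decode", "gzuncompress", "gzinflate", "str_rot13", "preg_replace"}
REMOTE_LOAD = {"file_get_contents", "curl_exec"}

# Match a call to any listed function; the \b keeps e.g. my_eval( from matching.
CALL_RE = re.compile(r"\b(" + "|".join(sorted(DYNAMIC_EXEC | OBFUSCATION | REMOTE_LOAD)) + r")\s*\(", re.I)
# A long run of base64-alphabet characters is a second sign of obfuscated code.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")

def scan_php_source(text):
    """Return (line_no, indicator, severity) tuples for one PHP file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        names = {m.group(1).lower() for m in CALL_RE.finditer(line)}
        if names & DYNAMIC_EXEC and names & OBFUSCATION:
            # Decode-then-execute on one line is the usual loader shape: rank it above a lone hit.
            findings.append((line_no, "+".join(sorted(names)), "high"))
        elif names:
            findings.append((line_no, "+".join(sorted(names)), "medium"))
        if BLOB_RE.search(line):
            findings.append((line_no, "long-base64-like-string", "medium"))
    return findings

def scan_tree(root):
    """Scan every .php file under root; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample standing in for a file pulled from the compromised server.
SAMPLE_PHP = "\n".join([
    "<?php",
    "$cfg = file_get_contents(__DIR__ . '/config.json');",  # legitimate local read, still reported
    "$p = '" + "QUJD" * 40 + "';",                          # 160-char base64-like blob
    "eval(base64_decode($p));",                             # decode and execute: high
    "echo str_rot13('Uryyb');",                             # lone obfuscation call: medium
])

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_php_source(SAMPLE_PHP))
```

Run it with a directory argument to scan a site's document root; without one it scans the constructed sample.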

Malicious code removed, what's next?

The warning about the site posing a threat will be removed from search results if the Yandex robot does not detect an infection during the next scan. To speed up the recheck, open Yandex.Webmaster, go to the Security and violations page, and click I fixed it.

In the weeks following the infection, keep re-checking the files and site code on a regular basis, in case the vulnerability was not resolved or the hackers still have access to the site.
