How to clean an infected site

Where should I start?

First of all, analyze all the possible sources of infection:

  • An attacker can obtain the passwords for the CMS and FTP administrative panels or for SSH accounts. Passwords are usually cracked or stolen by trojans that have infected the webmaster's computer.

  • Vulnerabilities in a web application may allow outsiders to inject their own code into the site.

  • If an external resource you embed (an affiliate program, banner network, or visitor counter) is itself compromised, the code it serves to your pages can become a threat to your users.

Find browser-based malicious code

Analyze the information about the infection in Yandex.Webmaster, on the Security tab. The infection information includes a list of infected pages, the dates of scans, and the verdicts issued by the antivirus. Follow the link in the name of a verdict to see its description and an example of what code with this verdict looks like (the code that directly appears on site pages).

You can also reproduce the problem yourself using a virtual machine.

Find server-side malicious code

  1. First of all, stop the web server in order to protect site visitors from potential threats. Then use an antivirus to scan all web server files and all workstations from which the server is administered, and change all the passwords: root, FTP, SSH, hosting administrative panels, and CMS.

  2. If possible, restore the site from a backup that was made before the infection. Update all programs used by the site to their latest versions, and read the descriptions of the vulnerabilities those updates fix. This may help you find out how the site was infected.

  3. Delete any unnecessary users with extended permissions and thoroughly check the server for the presence of a web shell that a hacker could use to change the site's code while bypassing authorization.

  4. Check for malicious code:

    • in all server scripts, CMS templates, and databases.

    • in config files for the web server or server script interpreter.

    • if you use shared hosting, check the other websites that are on the same server – the entire server could be infected.

What to look for when searching code:

  • Strange or unfamiliar code that does not match the backup or the version control system.

  • Obfuscated (unreadable, unstructured) code.

  • File modification dates coinciding with the infection date, or later. (This indicator is not reliable, since the file modification date can be changed by the malware itself.)

  • Use of functions that are typical for malicious code. Examples of such functions for PHP:

    • dynamic code execution (eval, assert, create_function)

    • obfuscation (base64_decode, gzuncompress, gzinflate, str_rot13, preg_replace)

    • loading remote resources (file_get_contents, curl_exec)

The malicious code has been deleted. What next?

The warning about the site posing a threat will be removed from search results if the Yandex robot does not detect an infection during the next scan. To speed up re-checking, send a request via Yandex.Webmaster: click the Recheck button in the Security section.

In the weeks following the infection, keep re-checking the files and site code on a regular basis, in case the vulnerability was not fixed or the attackers still have access to the site.
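Regular re-checking is easiest when there is a known-good baseline to compare against. The following is an added example, not code from the original article or from Yandex: it records a SHA-256 manifest of the restored backup and later lists every file in the live web root that was added, removed or changed relative to it. It deliberately compares content hashes rather than modification dates, since the article notes that a file's mtime can be rewritten by the malware. The file names and contents in the demo are constructed.

```python
#!/usr/bin/env python3
"""Integrity check of a live web root against a manifest taken from a clean backup.

Added example, not code from the original article or from Yandex. Compares
SHA-256 digests instead of modification dates because an mtime can be forged.
"""
import hashlib
import json
import os
import sys
import tempfile


def hash_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (path relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Store the manifest as JSON; keep it off the web server, e.g. with the backup."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(content)


def demo():
    """Constructed scenario: a clean backup and a live tree with one changed and one new file."""
    with tempfile.TemporaryDirectory() as backup, \
            tempfile.TemporaryDirectory() as live, \
            tempfile.TemporaryDirectory() as store:
        for root in (backup, live):
            _write(root, "index.php", "<?php require 'app/bootstrap.php';\n")
            _write(root, "app/bootstrap.php", "<?php // application bootstrap\n")
        # The live tree diverges: index.php was altered and a file appeared under uploads/.
        _write(live, "index.php", "<?php require 'app/bootstrap.php'; // altered line\n")
        _write(live, "uploads/unexpected.php", "<?php // not present in the backup\n")
        manifest_path = os.path.join(store, "manifest.json")
        save_manifest(build_manifest(backup), manifest_path)
        return compare_manifests(load_manifest(manifest_path), build_manifest(live))


if __name__ == "__main__":
    # Usage: integrity.py build <webroot> <manifest.json>
    #        integrity.py compare <webroot> <manifest.json>
    if len(sys.argv) == 4 and sys.argv[1] == "build":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        result = compare_manifests(load_manifest(sys.argv[3]), build_manifest(sys.argv[2]))
        print(json.dumps(result, indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Build the manifest from the restored backup immediately after the clean-up, and schedule the compare run (cron or a similar scheduler) for the weeks that follow. Files that legitimately change, such as caches and upload directories, will show up every time; keep those in a known list rather than ignoring them wholesale, because an upload directory is also where an unexpected PHP file tends to appear.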

If you found something interesting

If you discover malicious or merely suspicious code on your website, send it to our specialists for analysis. This helps Yandex as well as other webmasters.