Malware infections are without doubt the worst nightmare of every webmaster and blog author. Most search engine bots detect whether malware is present on your site and will normally block an infected site from appearing in search results: your site's listing in the search engine results pages (SERPs) will either be omitted completely or the link to your site will be disabled.
A recent iFrame attack infected more than 300,000 osCommerce sites. The intruders injected an iFrame exploit into the pages of compromised osCommerce-based web sites, and the malware redirected visitors of those sites to malicious web domains.
Related:
- 10 Top AntiVirus Software of 2011
- How to Check a Website for Malware and Virus Infection
Often attackers edit your HTML or script files to make calls to external, malicious content on servers they control. They can even poison external content that your site already loads, with the result that your site serves malware.
Once infected, you need to take immediate action to clean up the site. Temporarily take the site down for maintenance, clean up all the files and upload the clean version to the server again. If the search engines have already blacklisted your site, submit it again for reconsideration; you can follow the instructions for a Google reconsideration request and for Bing.
Next steps after malware detection
Once you have identified that your site is compromised, follow the steps below.
Take the site offline for maintenance
As soon as you detect a malware attack, take the site offline. Your server should not serve any content other than an “Under maintenance” page. This avoids putting site visitors at risk of malware infection.
What do you need to check?
Start by scanning all the files taken from your server. Run an antivirus / anti-malware scan over them. Attackers usually inject malicious code into your pages: JavaScript code inserted into your pages, injected <iframe> tags, automatic redirects and so on. Attackers normally obfuscate the injected code to hide their work from quick inspection.
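A heuristic scanner for the kind of injected content described above, as an added example that is not part of the original article. The indicator patterns (zero-size or hidden iframes, eval/unescape and base64 obfuscation, long hex-escape runs) and the sample page are assumptions constructed for the example; a hit means "inspect this line", not "this file is infected".

```python
import os
import re

# Heuristic indicators of injected content (assumed patterns; a hit means "inspect", not "infected").
SUSPICIOUS_PATTERNS = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|"
        r"display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "js_eval_unescape": re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I),
    "js_document_write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "js_fromcharcode": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "php_eval_base64": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    "long_hex_escape_run": re.compile(r"(?:\\x[0-9a-f]{2}){12,}", re.I),
}

def scan_text(text):
    """Return [(indicator, line_number), ...] for every heuristic hit in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno))
    return findings

def scan_tree(root, extensions=(".html", ".htm", ".php", ".js")):
    """Scan every matching file under `root`; returns {relative_path: findings}."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample page: a zero-size hidden iframe plus an obfuscated script block.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://malware.invalid/x" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63'))</script>
<p>Normal content</p>
</body></html>"""

if __name__ == "__main__":
    for indicator, line in scan_text(SAMPLE_PAGE):
        print(f"line {line}: {indicator}")
```

Run `scan_tree("/path/to/downloaded/site")` against the copy you pulled from the server and review every reported line by hand; obfuscated injections vary, so treat the pattern list as a starting point to extend.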
Identify files under attack – Source Code Analysis
Perform a detailed source code analysis. If you maintain a version control system, your life is much easier here: compare your known-safe version of the source tree with the copy taken from the server. A file/folder comparison will reveal any changed files; you can use tools like BeyondCompare or TreeCompare to do it.
Check the modified files for any script/frame injection or the presence of suspicious code fragments, and replace them with the version you have on your local machine or in version control.
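The file/folder comparison from the two paragraphs above, done with SHA-256 digests instead of a GUI tool, as an added example that is not part of the original article. It assumes you have a clean checkout on one side and the downloaded server copy on the other; the sample path names used in its usage are constructed.

```python
import hashlib
import os
import sys

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def hash_tree(root, skip_dirs=(".git", ".svn")):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune VCS metadata only
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full)
    return digests

def diff_trees(clean, server):
    """Compare two {path: digest} maps. Anything that differs on the server side
    (new files, changed files) is what you inspect for injected code."""
    clean_paths, server_paths = set(clean), set(server)
    return {
        "added": sorted(server_paths - clean_paths),
        "removed": sorted(clean_paths - server_paths),
        "modified": sorted(p for p in clean_paths & server_paths
                           if clean[p] != server[p]),
    }

if __name__ == "__main__":
    # usage: python compare_trees.py <clean_checkout> <downloaded_server_copy>
    clean_root, server_root = sys.argv[1], sys.argv[2]
    result = diff_trees(hash_tree(clean_root), hash_tree(server_root))
    for kind in ("added", "modified", "removed"):
        for path in result[kind]:
            print(f"{kind:9} {path}")
```

Files under "added" deserve the closest look, since a dropped file in an upload or image directory is a common way for an attacker to keep access after the visible injection is cleaned.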
Verify your latest site backup and replace
Verify your last backup of the website or blog (including the database backup) and do a complete scan of it. Then fully replace the web site with that last clean backup copy.
Read:
- How To Backup WordPress Blog and Database. Best Free Tools to Backup WordPress Blog
Change all passwords including Admin, FTP, Database passwords
As soon as you detect an attack, change all the passwords, including the administrator password (of a CMS such as WordPress), FTP passwords, database passwords and the web server password. Use strong new passwords.
Read:
- Top Ten Tips to Keep Your Passwords Safe and Strong
- Password Protecting website Pages and Directories using .htaccess.
Verify Server folder permissions
This is very important. Check all the folder permissions; you should never grant write permission to anonymous users.
Read:
- Must Do Tips To Secure WordPress Blog and Site
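A permission audit for the check described in this section, as an added example that is not part of the original article. The baseline of 755 for directories and 644 for files, with nothing writable by "other", is an assumption for a typical shared-hosting web root; hosts that run PHP under your own user may need a different baseline.

```python
import os
import stat

# Assumed baseline for a typical shared-hosting web root: directories 755, files 644,
# and nothing writable by "other". Adjust if your host runs PHP under your own user.
EXPECTED_DIR_MODE, EXPECTED_FILE_MODE = 0o755, 0o644

def audit_mode(mode, is_dir):
    """Return the list of problems for one entry, given its st_mode bits."""
    problems = []
    perms = stat.S_IMODE(mode)
    if perms & stat.S_IWOTH:
        problems.append("world-writable")
    if perms & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid/setgid bit set")
    expected = EXPECTED_DIR_MODE if is_dir else EXPECTED_FILE_MODE
    if perms & ~expected:  # any permission bit beyond the baseline (e.g. 664, 777)
        problems.append(f"mode {perms:o} exceeds {expected:o}")
    return problems

def audit_tree(root):
    """Walk `root` without following symlinks; returns {relative_path: problems}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            problems = audit_mode(st.st_mode, is_dir)
            if problems:
                report[os.path.relpath(full, root)] = problems
    return report

def fix_tree(root, dry_run=True):
    """Reset every flagged entry to the baseline mode; only prints unless dry_run=False."""
    for rel in audit_tree(root):
        full = os.path.join(root, rel)
        mode = EXPECTED_DIR_MODE if os.path.isdir(full) else EXPECTED_FILE_MODE
        print(f"chmod {mode:o} {full}")
        if not dry_run:
            os.chmod(full, mode)
```

Run `audit_tree` first and read the report; `fix_tree` stays in dry-run mode by default so you can confirm the list before changing anything on the server.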
You can also back up the infected version of your website for further analysis. As soon as you have cleaned up the complete website and reconfirmed that everything is OK, you can turn off maintenance mode. If your site has already been blacklisted by search engines, apply for reconsideration.
One thing that needs to be done before putting your previously infected website back online is forensic analysis. If you don't find out how the infection happened the first time, your site will be infected again.
We've seen cases where hackers monitor the websites they've infected. If the site is no longer infected, they (the hackers) have systems in place to attempt to re-infect the website the same way they did the first time.
You'll have to keep detailed log files for both access and FTP and analyze them to determine how the hackers broke in. It might be a vulnerable plugin/module/component, or it might be that you're running an outdated version, or it could be stolen FTP passwords. You won't know until you analyze the log files.
Unfortunately, most hosting providers have the log files disabled by default. Be certain you turn on log file archiving for one month. Otherwise, you won't be able to review the log files.
Great information though.
Nice job.
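One way to start the log analysis the comment above calls for, as an added example that is neither part of the article nor the commenter's own code: it correlates web access-log lines with the files your file comparison flagged as added or modified, and reports which client addresses touched them. It assumes the Apache/nginx "combined" log format and covers access logs only (FTP logs have their own format); the sample log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Apache/nginx "combined" format (assumed; adapt the regex to your host's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    match = LOG_RE.match(line.rstrip("\n"))
    return match.groupdict() if match else None

def suspicious_requests(lines, suspect_paths, upload_dirs=("/uploads/", "/images/")):
    """Requests worth a closer look: anything hitting a file the tree comparison
    flagged as added/modified, or a request executing a script from a directory
    that should only hold static uploads. `upload_dirs` is an assumed layout."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        script_in_uploads = path.endswith(".php") and path.startswith(upload_dirs)
        if path in suspect_paths or script_in_uploads:
            rec["path"] = path
            hits.append(rec)
    return hits

def sources(hits):
    """Client addresses behind the suspicious requests, most active first."""
    return Counter(rec["ip"] for rec in hits).most_common()

# Constructed sample log (documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2011:03:12:45 +0000] "POST /images/.cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Aug/2011:03:13:01 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Aug/2011:03:15:22 +0000] "GET /images/.cache.php?a=1 HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Aug/2011:03:16:10 +0000] "GET /js/app.js HTTP/1.1" 200 1120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG, {"/images/.cache.php"})
    for rec in hits:
        print(rec["time"], rec["ip"], rec["method"], rec["path"], rec["status"])
    print(sources(hits))
```

The first request from an address that later touches the dropped file, and everything that address did just before it, is usually where the entry point (a vulnerable plugin, an outdated component, or a stolen credential) shows up.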
Hi Thomas,
Many thanks for sharing detailed and valuable information. Thanks for visiting Globinch and sharing your thoughts.