
How to Remove Malware from Website

Malware harms website performance, compromises website security and hurts user experience. There are many third-party malware removal services that automatically scan your website and list suspicious files and code on it. However, you can also find and remove malware from your website manually. In this article, we will look at how to remove malware manually from a website.



Here are the steps to remove malware from a website.


1. Scan files

First of all, look for files that have been modified in the last few days. Open a terminal in your website's root folder and run the following command to look for php and phtml files that have been modified in the last 7 days.

$ find . -name '*.ph*' -mtime -7

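You can change the file extension above as per your requirement. You can also run the following command to find files whose attributes (such as permissions or ownership) have been changed in the last 7 days. The change time is set by the system and is harder to reset than the modification time, so this also catches files whose modification time was set back.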

$ find . -name '*.ph*' -ctime -7

Look into the modified files to check if they have been injected with malicious code. Also identify and remove malicious links, if any.



2. Permission Change

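Run the following command to check for changed file permissions. It lists every file that has the setuid or setgid bit set. These bits let a program run with the privileges of its owner or group, so an entry you do not recognize deserves a closer look.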

$ sudo find / -perm -4000 -o -perm -2000

Again, analyze the result to check whether any file's content has also been changed, and revert its permissions based on your last backup.



3. Check for Active processes

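Run the following command to list the PHP files currently opened by the web server's processes. It collects the process IDs of all httpd processes into a comma-separated list, passes them to lsof, and refreshes the output every second.

$ lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 }} END{print str}'` | grep vhosts | grep php

Change php above to some other script name such as py (python) or pl (perl). The command assumes the web server process is named httpd and that site files live under a path containing vhosts. On systems where Apache runs as apache2, or where sites are stored elsewhere, change those two patterns to match.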



4. Check File Upload Directories

Most websites have a folder such as /uploads, /downloads, or /images where user-uploaded files are stored. Look for any kind of scripts (php/python/perl) in those folders.

Hackers might upload and execute scripts from these folders. Here’s a command to look for php files in /images folder.

$ find ./images -name '*.ph*'

You can modify the folder name and file extension above as per your requirement.



5. Files & Directories with unusual names

Look for files & directories with unusual names in your website code folder. Most web frameworks such as WordPress, Joomla and Drupal use standard file names that are publicly available in their source code. Most of them have intuitive file names such as wp-config.php. Look for files and directories that have non-intuitive names such as dfdlfl.php or jruhr.py.

Similarly, look for unusual file extensions. For example, WordPress uses php so you shouldn’t find any python or perl scripts in it.



6. Look for Large Directories

Hackers fill directories with a large number of files to hide malicious scripts and payloads.

Run the following command to list the 25 directories that contain the most entries, largest first. It needs bash, because it relies on read -d.

$ find ./ -xdev -type d -print0 | while IFS= read -d '' dir; do echo "$(find "$dir" -maxdepth 1 -print0 | grep -zc .) $dir"; done | sort -rn | head -25



7. Check Server Logs

Check server logs for unusual activity, such as too many requests from the same IP, other URLs requested by that IP, commonly requested URLs, emails sent using PHP scripts, FTP logins, and POST requests (form submissions) that were made at the time of the attack.
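
The log checks above, combined with the upload folders from step 4, can be scripted. The following is an added example, not part of the original article: it assumes an Apache/NGINX access log in the "combined" format, the function names are hypothetical, and the log lines are constructed sample data.

```bash
# Constructed sample log lines (combined format, documentation IP ranges).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "POST /uploads/dfdlfl.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:02:15:30 +0000] "GET /images/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:16:44 +0000] "POST /uploads/dfdlfl.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:02:17:02 +0000] "POST /contact.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:02:18:11 +0000] "GET /images/x.php?c=1 HTTP/1.1" 404 0 "-" "curl/8.0"
EOF
}

# Requests per client IP, busiest first, printed as "<count> <ip>".
top_ips() {
  awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Requests for a script inside an upload-style directory (the folders from step 4).
# Combined-format fields: $1=IP, $4=[time, $6="METHOD, $7=path, $9=status.
scripts_in_upload_dirs() {
  awk '{
    method = substr($6, 2); path = $7; sub(/\?.*/, "", path)   # drop query string
    if (path ~ /^\/(uploads|downloads|images)\/.*\.(ph[a-z0-9]*|py|pl)$/)
      print $1, method, path, $9
  }'
}

# Every request made by one IP, to see which other URLs it touched.
requests_from() {
  awk -v ip="$1" '$1 == ip { print substr($4, 2), substr($6, 2), $7, $9 }'
}

# Report on the sample data; replace sample_log with: cat /path/to/access.log
sample_log | top_ips
sample_log | scripts_in_upload_dirs
sample_log | requests_from 203.0.113.7
```

A 200 response to a script in an upload folder means the file exists and was executed, so treat those hits as the starting point and trace each source IP with requests_from.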



8. Leverage version control

If you use version control tools like Git or SVN, you can easily identify modified files in your codebase using simple commands such as git status and git diff.


9. Upgrade Your Website

Make sure you run the most up-to-date versions of your operating system (e.g. Ubuntu), web server (e.g. Apache, NGINX), web framework (e.g. WordPress, Joomla, etc.), plugins, libraries and other tools. Updates often contain critical bug fixes and security patches that can go a long way in malware protection.

Hopefully, this article will help you remove malware from your website.
