How to clean an infected site

Where should I start?

Analyze the possible ways of infection:

  • A hacker can obtain passwords to CMS admin panels, FTP or SSH accounts. Passwords are usually cracked or stolen using Trojan programs that infect the webmaster's computer.

  • Vulnerabilities in a web app may allow outsiders to put their own code on the site.

  • Due to an infected external resource (a partner program, banner system, or tracker), the code provided to you may become a threat to users.

Find browser-based malicious code

Analyze the infection information in Yandex.Webmaster, in the Security tab. The section contains a list of infected pages, dates of checks, and verdicts issued by antivirus. Follow the link in the verdict title to see its description and an example code corresponding to the verdict (the code that appears on site pages).

You can also reproduce the problem by using a virtual machine.

Find server-side malicious code

  1. Stop the web server to protect the site visitors from a potential threat. Then use antivirus software to scan all web server files and the workstations used to administer the server (free antivirus software is sufficient), and change all the passwords: root, FTP, SSH, hosting administrative panels and CMS.
  2. If there is a backup copy made before the infection, restore it.
  3. Update all programs used by the site to their latest versions, and look for descriptions of fixed vulnerabilities. This may help you find out how the site was infected.
  4. Delete any unnecessary accounts with elevated permissions and thoroughly check the server for a web shell that a hacker could use to change the site's code while bypassing authorization.
  5. Check for malicious code:
    • In all server scripts, CMS templates, and databases.

    • In config files for the web server or server script interpreter.

    • If you use shared hosting, check other sites on the same server – the entire server may be infected.

Signs of malicious code:

  • Strange or unfamiliar code that does not correspond to the backup copy or version control system.

  • Obfuscated (unreadable, unstructured) code.

  • File modification dates coinciding with the infection date, or later. (This indicator is not reliable, since the file modification date can be changed by the virus.)

  • Use of functions that are typical for malicious code. Examples of such functions for PHP:

    • Dynamic code execution (eval, assert, create_function).

    • Obfuscation (base64_decode, gzuncompress, gzinflate, str_rot13, preg_replace).

    • Loading remote resources (file_get_contents, curl_exec).
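As an added example (not part of this help page), the following Python script turns the signs above into a first-pass triage scan of a web root: it flags PHP files that use the listed functions, a dynamic (variable) function call, a long base64-looking string, or a modification time after an assumed infection date. The `demo()` function builds a constructed sample web root so the scan can be run offline; the file names and contents are made up for illustration.

```python
import re
import tempfile
import time
from pathlib import Path

# Indicators from the page's list of functions typical for PHP malware, plus
# two structural patterns that often accompany them. Each is a hint, not proof.
INDICATORS = {
    "dynamic execution": r"\b(eval|assert|create_function)\s*\(",
    "obfuscation": r"\b(base64_decode|gzuncompress|gzinflate|str_rot13)\s*\(",
    "remote loading": r"\b(file_get_contents|curl_exec)\s*\(",
    # preg_replace only executes code with the /e modifier (removed in PHP 7)
    "preg_replace /e": r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]",
    # $f('...') calls hide the real function name from simple keyword searches
    "variable function call": r"\$\w+\s*\(",
    "long base64 blob": r"['\"][A-Za-z0-9+/=]{80,}['\"]",
}

def scan_php_source(src):
    """Return the names of all indicators found in one PHP source string."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, src)]

def scan_webroot(root, infection_time=None):
    """Walk root and report every .php file that shows an indicator or was
    modified at or after infection_time (epoch seconds). Files with no hits
    but a recent mtime are still listed, since mtime alone is unreliable."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file; report separately in a real run
        hits = scan_php_source(src)
        recent = infection_time is not None and path.stat().st_mtime >= infection_time
        if hits or recent:
            findings[str(path.relative_to(root))] = {"indicators": hits, "modified_after": recent}
    return findings

def demo():
    """Constructed sample web root (not real malware): one clean file and one
    with typical indicators; infection_time is set one day in the past so the
    freshly written files count as modified after it."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php\necho 'hello';\n", encoding="utf-8")
    (root / "wp-tmp.php").write_text(
        "<?php\n$k = '" + "QUJD" * 24 + "';\n$f = 'ev' . 'al';\n$f(base64_decode($k));\n"
        "$u = file_get_contents('http://example.invalid/x');\n", encoding="utf-8")
    return scan_webroot(root, infection_time=time.time() - 86400)
```

Treat the output as a list of files to inspect by hand against the backup or version control, not as a verdict: legitimate CMS code uses several of these functions too.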

Malicious code removed, what's next?

The warning about the site posing a threat will be removed from search results if the Yandex robot does not detect an infection during the next scan. To speed up the recheck, click the I've fixed everything button in the Security and violations section of Yandex.Webmaster.

During the following weeks after infection, continue re-checking the files and site code on a regular basis, in case the vulnerability was not resolved or hackers still have access to the site.