It can come as quite a surprise when a site owner is notified that their site has been compromised with malware. After the shock wears off, and the immediate impact is understood, it’s important to take stock of what has actually happened behind the scenes and then clean it up. The best advice anyone can give you is to make frequent, downloaded backups of your site in the event something happens to the live version so that the clean backup can replace the live, hacked version.

But what if there is no clean, viable backup available? In a world where websites have hundreds, if not thousands of files, how can any one person go about cleaning out an infection in just a small number of those files?

How to Look for Malware in Files

When looking for malware in files, there are generally a few options available to a site administrator. When deciding which path to choose, it’s important to understand how each enables (or disables) one from being able to really find the nasty stuff we’re looking for.

File Manager

The most easily accessible, but usually least versatile, is the “file manager” offered by most web hosts. These tools are generally engineered for basic file modification and are not geared towards searching for specific content, like we’ll need to do. Nonetheless, you can always refer to your host’s local knowledgebase to see what they might be able to do for you.

Local Search

Another option is to download your live site to your local computer and run a search in an environment you’re more familiar with. In a Windows environment, for example, there is a simple way to search your site files’ content. First, we’ll need to make sure Windows knows to search file contents and not just their properties:

  1. Navigate to the folder you downloaded your site into
  2. If there are no menu options available in the window, press the “Alt” key on your keyboard and then select the “Tools” menu, and then the “Folder Options” option
  3. A new options window will open up with a few tabs – Click on the “Search” tab
  4. At the top is a “What to Search” section with a couple of options. Select the second option to “Always search file names and contents”
  5. Click the “OK” button and we’re all set

*Note that this type of search can noticeably slow your computer down, so you’ll want to make sure it’s only for your website files and then disable it altogether when you’re done with the search.

Now that Windows knows to search the contents, you can use the search bar available in the upper-right corner of the folder’s window to search for any content you want to find.

Command Line

The most effective option when searching for malware is the command line of the server your site resides on. While it is somewhat rare to have access to a command line in a shared hosting scenario, those who do have this level of access will find it much more versatile when performing a “needle in a haystack” search like this one. Assuming the command line is from a UNIX-based operating system, we can search for files that have been recently modified as well as for specific contents within files.

Using the “find” command with some specific options will allow us to locate any and all files that have been modified within a specified timeframe. First, make sure you’ve navigated to the folder in which your website resides, then consider the following example of the “find” command:

find . -mtime -7

Breaking this down, first the “find” command is specified, followed by a simple period to indicate we’ll be searching in the current directory. Next we use the “mtime” option to indicate the modified time, and the “-7” indicates less than 7 days. Put it all together and we’ll get a list of all files in the website directory that have been modified in the last 7 days. Of course, that number can be changed to suit your needs. The output will simply be a list of filenames preceded by their location:

./some/directory/filename.php

./some/other/directory/anotherfile.php

For more information on the “find” command, read its manual page by using the “man find” command.

The other, more specific approach is to use the “grep” command, which will search for the content within files. Again, we’ll want to be in the directory that contains the website files and from there we can consider the following usage of the “grep” command:

grep -Hn "search" ./*.php

In this example, first we have the “grep” command, and then we specify the “H” option to include the matching filename in the output, and the “n” option to include the specific line number of code where a match is found. Next, in the quotes is the phrase that we’re searching for. Last, the “./*.php” indicates we’re searching in the current directory for all files with a name that ends with “.php”. The output of this command will look something like this, with the filename, line number and then matching line’s content separated by colons:

./directory/file.php:57:random php code that matches search

For more information on the grep command, take a look at its manual page by running the “man grep” command.

How to Look for Malware in Databases

Searching for content within a database can be a little trickier than searching files, but the options are pretty similar.

Database Admin Tool

In most cases, a web host will offer a web-based database administration tool that makes it relatively easy to search through the contents of a database. Further, the most widespread offering in this arena is called phpMyAdmin. For information on how to search the content of your database with phpMyAdmin, take a look at this page. If your host offers a different tool, you may want to check their local knowledgebase for further support.

What to Look For:

Now that we know how to look for files and content related to a recent hack, let’s take a closer look at what exactly we’re looking for. The following is a short list of common syntax used by hackers when they inject malware in a site. While it is not comprehensive, and may very well turn up a number of false positives, it is a great start when trying to perform a manual search.

eval

This is a PHP function that attempts to process any string as valid PHP itself. It becomes dangerous when user-defined variables are included within it. It’s also dangerous as most fail-safes included within the code of an application are disregarded within an “eval” statement. For these reasons, they are not only a prime target for hackers, but also a common destination of their injected code.

base64_decode

This PHP function is used to decode base64-encoded text for further processing within the PHP engine. Open source applications do not typically have encoded text within their source code as that then makes them not open source. More importantly, it’s an easy way for hackers to disguise their nefarious code. If this function is found and shouldn’t be there, you may have found your culprit.

gzinflate

Very similar to “base64_decode”, the “gzinflate” function is used to inflate (decode) a deflated (encoded) string of text. Again, if this function is being used to disguise code and isn’t a typical part of your site’s code, chances are it’s a problem.

shell_exec

This function can be particularly dangerous if a server is not properly locked down. In short, it allows PHP to run commands at the server level and then feed their output into the PHP code of the site. Like we’ve talked about in previous articles, hackers are more interested in taking over a server than just one site, so this is a prime vector for them to take advantage of.

GLOBALS

Disabled by default in versions of PHP since 2002 (v. 4.2.0), “GLOBALS” can pose a security risk when not implemented thoughtfully and carefully. If used in conjunction with user input, there is a much higher risk of unintended variable manipulation, which can lead to a compromised site. As a result, most applications and sites these days do not use global variables.

error_reporting(0)

When set to “0”, the “error_reporting” directive in PHP will effectively disable any code errors from being displayed in the browser or log. It is very unlikely that a stable release of an application or site would require such a directive. Instead, this exact directive might be used by a hacker who is testing out different bits of code within your site to see what might work.

Please note that this is by no means a comprehensive or complete list, but it does briefly outline some of the most common bits of PHP code that can be found in website hacks today.
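The two command-line steps above can be combined into a single pass that checks every recently modified PHP file for the whole list. The script below is an added example, not part of the original article or a SiteLock tool; the function names, the sample files and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: the article's "find -mtime" and "grep -Hn" steps in one pass.

# Indicators from the "What to Look For" list as one extended regex.
# The parentheses are escaped so only the literal call error_reporting(0) matches.
INDICATORS='eval|base64_decode|gzinflate|shell_exec|GLOBALS|error_reporting\(0\)'

# scan_php_indicators DIR [DAYS]
# Prints file:line:content for every match in *.php files under DIR modified
# less than DAYS days ago (default 7). Returns 1 when nothing matched.
scan_php_indicators() {
    # Recursive, unlike ./*.php; "{} +" hands many files to a single grep run.
    hits=$(find "$1" -type f -name '*.php' -mtime "-${2:-7}" \
        -exec grep -EHn -- "$INDICATORS" {} + || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | sort
}

# make_sample_site DIR: constructed sample files, not taken from a real site.
make_sample_site() {
    mkdir -p "$1/uploads"
    printf '%s\n' '<?php echo "hello";' > "$1/index.php"
    printf '%s\n' '<?php error_reporting(0);' \
        'eval(gzinflate(base64_decode($blob)));' > "$1/uploads/cache.php"
    printf '%s\n' '<?php $out = shell_exec("uptime");' > "$1/old.php"
    # Backdate old.php so the default 7-day window skips it.
    touch -t 202001010000 "$1/old.php"
}

SITE=$(mktemp -d)
make_sample_site "$SITE"
scan_php_indicators "$SITE" || echo "no indicators found"
```

Each hit still needs a manual look, since legitimate code can use these functions too. Widening the DAYS argument helps when the compromise may be older than a week.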

How Can SiteLock Help?

SiteLock offers a couple of different daily scanning options designed to find malware and vulnerabilities in sites. The first is a Daily Malware Scan that essentially browses all of a site’s pages similar to an automated web browser, but with the sole intent of finding any known malware through various identification methods. If a problem is found, the site’s owner is notified to advise further action be taken.

While that daily option is fantastic for being notified about problems, it’s important to ensure you have a clear path to getting those problems cleared up as quickly as possible. This is where the Secure Malware Alert & Removal Tool (SMART) comes into play. SMART will actually download a copy of your live site to the SiteLock servers, scan every line of code for any problems and fix them right there on the spot. And of course, SiteLock will also notify you of any events that fall into this category. This is one of the quickest and easiest ways to ensure your site stays clean of malware.