As cybercrime grows and evolves, malware remains a constant weapon in a hacker’s arsenal. Malware, short for malicious software, is created with the intent of causing harm to a website or computer. Website malware can be used to steal sensitive customer information, hold websites for ransom, or even take control of the website itself. In many cases, victims of malware may not realize they’ve been attacked until it’s too late.
Over one million new malware threats are released daily. We offer automatic malware removal to protect all website owners. To keep your website secure, it is critical to take matters into your own hands and become proactive about website security issues. There are two primary ways to do this; the first is by learning to check for signs of malware manually. The second and most effective way to protect against malware is by using a website malware scanner that detects malicious content and automatically removes it. Follow these steps to check your website for malware, starting by recognizing the common symptoms of malware.
The signs of malware may not be immediately obvious to you or your visitors. For example, many website owners might assume that website defacement, an attack that changes the visual appearance of a website or web page, is the only way of knowing their site has malware. In reality, what makes malware so effective is its elusiveness and ability to hide.
If your site hasn’t been defaced, you might still have malware if:
Your account login information was changed without your consent
Your website files were modified or deleted without your knowledge
Your website freezes or crashes
You’ve experienced a noticeable change to your search engine results, such as a blacklisting status or harmful content warnings
You’ve experienced a rapid drop or increase in traffic
Should any of these common signs appear, you can follow these next steps to confirm your suspicions.
If you suspect that your website has malware, a good online tool to help identify it is a URL scanner. Sitelock offers to scan any URL for free. Type in the domain name for your website (for example, mywebsite.com), and SiteLock will perform a free malware external scan of your site. Scanning your site checks to make sure your site is up-to-date and secure. If your site is flagged for malware and you want to find the source of the infection, you can start by looking at your website’s code. Then, you’ll be able to remove malware from the clean code.
A best practice for all site owners is to keep frequent backups of your website. You can do this easily by using a tool that creates backups automatically. This offers several advantages, including having a clean copy to restore your site in the event of a cyberattack. Additionally, knowing what the clean, normal code on your website looks like can also help you spot potential signs of malware.
But what if the worst happens and you don’t have a clean backup available? If you are familiar enough with your website or content management system’s (CMS’s) code to review it for suspicious content, you can check your database, files, and source code for signs of malware.
To check for malicious code in your databases, you will need access to a database administration tool offered by your web host such as phpMyAdmin. If your host offers a different tool, you may want to check their local knowledge base for further support.
Once you have access to the tool, let’s take a closer look at what exactly you’re looking for. The following is a short list of common syntax used by hackers when they inject malware in a site. While it is not comprehensive, and may very well turn up a number of false positives, it is a great start when trying to perform a manual search.
eval: This is a PHP function that attempts to process any string as valid PHP itself. It becomes dangerous when user-defined variables are included within it. It’s also dangerous as most fail-safes included within the code of an application are disregarded within an “eval” statement. For these reasons, they are not only a prime target for hackers, but also a common destination of their injected code.
base64_decode: This PHP function is used to decode base64-encoded text for further processing within the PHP engine. Open source applications do not typically have encoded text within their source code as that then makes them not open source. More importantly, it’s an easy way for hackers to disguise their nefarious code. If this function is found and shouldn’t be there, you may have found your culprit.
gzinflate: Very similar to “base64_decode”, the “gzinflate” function is used to inflate (decode) a deflated (encoded) string of text. Again, if this function is being used to disguise code and isn’t a typical part of your site’s code, chances are it’s a problem.
shell_exec: This function can be particularly dangerous if a server is not properly locked down. In short, it allows PHP to run commands at the server level and then feed their output into the PHP code of the site. Hackers are more interested in taking over a server than just one site, so this is a prime vector for them to leverage.
GLOBALS: Disabled by default in versions of PHP since 2002 (v. 4.2.0), “GLOBALS” can pose a security risk when not implemented thoughtfully and carefully. If used in conjunction with user input, there is a much higher risk of unintended variable manipulation, which can lead to a compromised site. As a result, most applications and sites these days do not use global variables.
error_reporting(0): When set to “0”, the “error_reporting” directive in PHP will effectively disable any code errors from being displayed in the browser or log. It is very unlikely that a stable release of an application or site would require such a directive. Instead, this exact directive might be used by a hacker who is testing out different bits of code within your site to see what might work.
Please note that this is by no means a comprehensive or complete list, but it does briefly outline some of the most common bits of PHP code that can be found in web site hacks today.
There are two types of attributes you’ll want to check if you are looking for malware in your source code: script attributes and iframe attributes. Look for any lines beginning with “<script src=>” and check for unfamiliar URLs or file names that follow. Similarly, look for unusual URLs included in <iframe src=”URL”>. If anything looks out of place, or the URL doesn’t look familiar, it’s a likely sign of cybercriminal activity.
There are a few ways to manually check for malware in your website’s files, with varying degrees of difficulty and effectiveness. For most website owners, we recommend searching for malicious content in your website files using FTP or your host-provided file manager. Learn more about the signs of malware and what you need to look for. Once you’ve learned how to examine your database, source code, and files for changes, you’ll need to do so regularly to properly monitor for malware.
If this sounds overwhelming for someone new to code, there’s good news: the easiest way to check your website for malware is also the most reliable.
Recent data shows that cybercriminals are more active than ever, increasing their attempted attacks by 15.1% in 2021 vs the previous year. With such a high level of criminal activity, you’ll need protection that can keep up, such as a website scanner that can scan for malware and remove it automatically.
Daily, automatic website security checks not only save you time but also allow you to get ahead of any infections, which may reduce the negative impact of malware on your site and its visitors. Malware scanners are typically designed to automatically scan for known and common malware types including backdoor files, shell scripts, and spam. If the tool identifies malware, the website owner will be alerted immediately, and some solutions even provide automatic malware removal.
It’s important to note that preventative measures against malware are only as good as their ability to keep up with new types of malware and trends. A thorough scanner should be backed by a comprehensive database that logs the most recent and persistent threats, offering the most up-to-date protection possible.
As cybercrime and malware continue to evolve, being proactive about your site’s security is your best defense. In addition, search engines favor safe browsing and websites so malware can also put your Search Engine Optimization (SEO) performance and rankings at risk. Whether you use hands-on methods to check for malware yourself or deploy an automatic solution, by learning the different ways to look for malware, your website is one step closer to being secure.
If you’d like to install an automatic website scanner, learn about SiteLock’s website security plans or contact us for more details. If your site has been hacked, learn about SiteLock's website repair services today.
Want to learn more about malware? Explore these additional resources: