It can come as quite a surprise when a site owner is notified that their site has been compromised with malware. After the shock wears off, and the immediate impact understood, it’s important to take stock of what has actually happened behind the scenes and then clean it up. The best advice anyone can give you is to make frequent, downloaded backups of your site in the event something happens to the live version so that the clean backup can replace the live, hacked version.
But what if there is no clean, viable backup available? In a world where websites have hundreds, if not thousands of files, how can any one person go about cleaning out an infection in just a small number of those files? In this two part series, we’ll talk about how to look for malware in both files and databases and give a couple examples of what to be on the lookout for.
When looking for malware in files, there are generally a few options available to a site administrator. When deciding which path to choose, it’s important to understand how each enables (or disables) one from being able to really find the nasty stuff they’re looking for.
The most easily accessible, but usually least versatile, is the “file manager” offered by most web hosts. These tools are generally engineered for basic file modification and are not geared towards searching for specific content, like we’ll need to do. Nonetheless, you can always refer to your host’s local knowledgebase to see what they might be able to do for you.
Another option is to download your live site to your local computer and run a search in an environment you’re more familiar with. In a Windows environment, for example, there is a simple way to search your site files’ content. First, we’ll need to make sure Windows knows to search file contents and not just their properties:
*Note that this type of search can noticeably slow your computer down, so you’ll want to make sure it’s only for your website files and then disable it altogether when you’re done with the search.
Now that Windows knows to search the contents, you can use the search bar available in the upper-right corner of the folder’s window to search for any content you want to find.
The most effective option when searching for malware is the command line of the server your site resides on. While it is somewhat rare to have access to a command line in a shared hosting scenario, those who do have this level of access will find it much more versatile when performing a “needle in a haystack” search like this one. Assuming the command line is from a UNIX-based operating system, we can both search for files that have been recently modified, and search for specific contents within files.
Using the “find” command with some specific options will allow us to locate any and all files that have been modified within a specified timeframe. First, make sure you’ve navigated to the folder in which your website resides, then consider the following example of the “find” command:
find . –mtime -7
Breaking this down, first the “find” command is specified, followed by a simple period to indicate we’ll be searching in the current directory. Next we use the “mtime” option to indicate the modified time, and the “-7” indicates less than seven days. Put it all together and we’ll get a list of all files in the website directory that have been modified in the last seven days. Of course, that number can be changed to suit your needs. The output will simply be a list of filenames preceded by their location:
For more information on the “find” command, read its manual page by using the “man find” command.
The other, more specific approach is to use the “grep” command, which will search for content within files. Again, we’ll want to be in the directory that contains the web site files and from there we can consider the following usage of the “grep” command:
grep –Hn “search” ./*.php
In this example, first we have the “grep” command, and then we specify the “H” option to include the matching filename in the output, and the “n” option to include the specific line number of code where a match is found. Next, in the quotes is the phrase that we’re searching for. Last, the “./*.php” indicates we’re searching in the current directory for all files with a name that with “.php”. The output of this command will look something like this, with the filename, line number and then matching line’s content separated by colons:
./directory/file.php:57:random php code that matches search
For more information on the grep command, take a look at its manual page by running the “man grep” command.
Stay tuned for next week’s installment of this two-part series where we discuss how to look for malware in databases and what types of things you should be looking for.
As an alternative to the manual search techniques outlined above, some website owners may choose an automated tool to look for malware and remove it from their website. Take a look at the SiteLock plans page to see the variety of services we offer.