2.18.5. Virus cleaning
Attention!Hosting technical support cannot provide precise instructions on how to remove viruses. All information is advisory in nature and is not an accurate guide to cleaning the site from viruses. Actions to remove viruses must be performed independently or with the assistance of third-party specialists.
When antivirus on the hosting, when scanning, it finds malicious code, a notification is sent to the owner of the hosting account with information about the problem. It is imperative to remove the malicious code, as its presence may cause problems with the data security of both the infected site and neighboring sites in the same hosting account.
Removing the malicious code should be done after reading antivirus report and analysis of the malicious code itself. Quite often, the removal of malicious code can lead to problems in the operation of the site due to its insertion into important scripts of the site system.
In most cases, performing a complete cleaning of viruses is not enough to ensure the security of the site, since it is necessary to detect the source of infection and eliminate it. Without such action, re-infection may only be a matter of time.
It is recommended to use additional services for checking the site for viruses, for example, the service WPScan.
Attention!Before taking any action, you need to create a backup site and database, and then download it to your device to ensure the possibility of recovering important data.
There are several ways to remove viruses:
- By backup restore site files until the virus code appears.
Attention!We regularly update the database of anti-virus signatures, so viruses could have existed on the site for a long time and will also be present in the backups.
Manual virus cleaning
To clean your hosting account from malicious code, you need to familiarize yourself with antivirus report and eliminate all found comments. It is necessary to open each of the infected files, carefully examine its contents and delete from it fragments of malicious code (the antivirus highlights only found signatures in the file, the virus code may be in other parts of the file and not be selected, it is important to check the entire file and delete suspicious data). Completely delete infected files. only if they consist entirely of malicious code.
You can make a complete replacement of site files with identical ones from your own backup copy or from official sources. For example, most WordPress files can be found in the repository at GitHub.
To search and edit files, you can use filemanager control panel or any FTPclient.
Pay attention to the code, which is encrypted in Base64. It is in this form that malicious code is often placed. You can decrypt such an encoded section, for example, using ofthis service.
Dangerous PHP functions include: eval, exec, shell_exec, system, passthru... When finding such functions, you should pay special attention to them, as they are often used in malicious code.
To find the source of infection, you should analyze site logs for suspicious requests to him. In the logs, it is worth checking the data for the date of the last changes of the virus files.
Attention!The date of the last change cannot accurately indicate the date when the virus files were created, and it is impossible to focus only on it. The site could have been infected much earlier, but the appearance of virus files detected by our antivirus was due to some "trigger"1).
Suspicious requests include:
- POST and PUT requests.
- Requests to the site admin panel from third-party IP addresses.
- Queries to protected directories of the form
- Queries that contain encoded text in the form of Base64, etc., or SQL queries.
- Queries for recently installed plugins.
Besides checking server logs worth checking also FTP logs, outgoing connection logs and authorization logs in the control panel. If suspicious entries were found, it is worth changing passwords FTPusers, database users3) and account, additionally setting two-step authentication... You can generate new complex passwords at this page. If outgoing connections were found that should not be made, you can set limits for all or certain outgoing connections for the entire hosting account for the duration of the problem.
After checking the logs, you need to check the site files for the presence of third—party code. First of all, it is worth checking the files of recently installed plugins and modules. It is important to beware of unofficial plugins and modules, especially if they are paid but were obtained for free from third party sites. If there are any, then they should be removed or restore backup site until they are installed.
Discard any file managers on the site itself. For the most part, they are unsafe and can pose a great threat.
Attention!All sites in one hosting account can be infected at the same time due to the vulnerabilities of one site. It is possible to completely isolate sites from each other only by placing them in separate hosting accounts.
To ensure the safety of the site, you should familiarize yourself with protection recommendations.