Skip to main content

Knowledge base

Website Viruses Removal

Avoid viruses and other malware on your server by observing the following guidelines:

  • Update the software on your server and CMS;
  • Perform data backups
  • Utilize complex passwords comprised of upper and lower case letters, numbers and special characters;
  • Do not store usernames and passwords in plain text;
  • Monitor user access privileges for the website directories, and follow the highest access restrictions possible.

If you suspect a virus is present on your website, run a scan using an antivirus program or the free service at https://vms.drweb.com/online/?lng=en. The scan will indicate areas of the code that may be potential viruses. Look through the files and make sure the code is not a virus.

The ISPmanager control panel include special module called ImunifyAV (ex. Revisium, enabled by default), which will help in monitoring and elimination of viruses from your server. The software searches for any malicious code in the .php, .js, .html, system files and attempts to clean the infected files.

In UNIX-like operating systems, you can use the command:

find /var/www/user/data/www/mydomain.com/ -type f -mtime -5

This will locate the mydomain.com website files changed within the last 5 days. If you have a rough idea of when the assumed virus was found, you can locate the infected files among the results.

 

Check the ftp log file for unknown file uploads. For example, the entry

Tue Aug 16 10:56:38 2016 0 <146.55.4.112> 14271 /var/www/user/data/www/mydomain.com/include/trash.php a _ i r unknownuser ftp 0 * c

indicates that the trash.php file was uploaded onto the ftp-server's directory /var/www/user/data/www/mydomain.com/include/ on August 16, 2016, by unknownuser with IP address 146.55.4.112. This could be an infected file.

Look through the directories accessible to the majority of the website users. If they do not typically upload .php or .js files, uploads and image directories should not contain them. You can check for .php files in the uploads directory by using the command

file /var/www/user/data/www/mydomain.com/uploads/* | grep -i php

If it contains files that are unknown to you, they may be malicious and should be deleted. It is possible that a .jpg file may actually contain a .php file.

file in.jpg 
in.jpg: PHP script text\

It is highly probable that this is also a virus file; you want to delete these.

Make sure the website contains no unknown redirects by running the command

find /var/www/user/data/www/site.com/ -type f -iname '*htaccess'

The result of this command will be the list of all .htaccess files in the website directory. Look closely at each file’s redirects and ensure that they are all necessary.

Search for malicious code using templates; these are pieces of code that are typically found in viruses. The most common templates are as follows:

FilesMan, try {document.body, String[“fromCharCode”], auth_pass, fromCharCode, shell_exec, passthru, system, base64_decode, chmod, passwd, mkdir, eval(str_replace, eval(gzinflate, =””; function, “ev”+”al”, md5=, ss+st.fromCharCode, e2aa4e))}

The command

grep -ril FilesMan /var/www/user/mydomain.com

searches through the mydomain.com website hosted by /var/www/user/mydomain.com and lists thefiles containing the FilesMan fragment..

 

Should you find any of these templates within the file's body, makes sure it is actually a foreign code, as the templates listed above can also be used purposefully. If it appears to be virus-carrying code, backup the website, then follow up by deleting any fragments that contain this code. Before deleting, run the command:

stat inf_file.js

where inf_file.js is the file with suspicious code.
The results from this command will be the dates of the last file reference, the last change, and the last modification to its attributes. Make sure that this data matches the assume date of occurrence for the virus, and arrange it alongside the log file events as determined by the commands above.

To delete the malicious code file fragment, use the command

sed -i "" 's/start_template.*end_template//g' inf_file.js

For example, String["fromCharCode"] code can be deleted using the command:

sed -i "" 's/String.*"]//g' inf_file.js

The above-mentioned steps are the only possible way to remove viruses from the website and, if possible, restore the last uncompromised backup.

Once you have removed the virus from the website, change passwords, access the website, and complete all updates to the operating system, software, CMS, etc; after this, create a virus-free backup of the website.

Return to category