How to remove found malicious code manually. WordPress Malicious Code: How to Get Rid of Unwanted Threats? Installing AI-Bolit antivirus

Periodically checking the site for the presence of harmful code is necessary; this is the first commandment of any self-respecting webmaster. Even if you use a clean Twenty Eleven theme, that is no guarantee it has not become infected over time. This happens (and most often does) because the WordPress engine was originally intended for online publishing. So it never hurts to check again and to make a copy of the site and the database.

For example, I (after some time, of course) came to one conclusion for myself: you just need a good hoster, and your backup problems will disappear by themselves. I no longer need to make backups of the database or website; the hoster does everything for me, automatically. At any time, if you wish, you can order a copy of any section of your blog (and not only that), download that copy, or restore the blog directly from the control panel. That is, I don't need to download a backup; everything happens automatically: backup, restore, and so on. This is convenient because I can track, not just daily but hourly, when a virus appeared on my blog and take measures to eliminate it accordingly.

I'll start with the good news: at least two plugins that I have used give good results in detecting and localizing malicious code. These are the AntiVirus and Exploit Scanner plugins. You won't believe how much harmful code is on your blog! But don't take all the information from the check as dogma: many of the lines these plugins detect don't actually mean anything bad. The plugin just questions some lines, that's all. To make sure of this, manually check the fragments the plugin has identified as malicious. So, when checking with the AntiVirus plugin, it turned out that even a simple call to the function get_cache_file() is already considered suspicious by the plugin. So all check results will have to be gone through manually. But this, for example, is a really infected link, and it needs to be removed:

How do you know if it's a virus or just how it should be? Everything is very simple: take your clean template (if you have one) and compare it, file by file, with the one that is installed and has already undergone some changes. It is not necessary to make a literal comparison; just search your clean template for the line that the plugin highlighted. If it is there, click the "This is not a virus" button, and this line will not be taken into account during the next scan.

And here is an example of the second plugin we tested, Exploit Scanner:

As you can see, everything is much more neglected here. For me, this result was shocking. But that's not all. The plugin has a function called "check". If you turn it on, it turns out that the blog should consist of text and, at most, a couple of CSS stylesheets. So, it seems to me that the author of the plugin clearly overdid it with security here. It's good that the plugin simply shows suspected infected fragments and does not clean them.

Having analyzed all the highlighted yellow lines, you can easily detect malware (malicious code), and then decide for yourself what to do with it next. The cleaning method is still the same: compare the highlighted code with a site backup (see) and, if you find discrepancies, find out whether you made them yourself or someone did it for you, which means that this is no longer good and may turn out to be a virus. Even the WordPress developers recommend checking your site for malicious code with this plugin. But there are harmless inserts, for example in the body of an iframe, which the plugin can also identify as infected code. In reality, without these lines, that area of your blog will not work correctly.

How can malware even get into blog files, and what is it by definition? The word malware literally means malicious software, from the English "malicious software". This is any software that can be used for unauthorized access to the site and its content. You can probably imagine that for an average hacker, hacking a website is not difficult, especially after registering. After that, the blog content can be modified at will; it would be educational.

Malware can also be inserted into plugins that you install from unknown sources, and into scripts, which you also sometimes take without checking, trusting the author. The most harmless malware is a link to the author of some module that you installed on the site. And if the author himself did not warn you that such a link exists, then this is a pure virus.

Yes, I installed a new theme on a test blog, and after deleting one harmless link to some kind of men's club in the footer of the site, it stopped opening at all, and the message "You do not have the right to delete links" appeared on the main page. There's your free theme. You can read about how to rip out such rogue links.

Your database can also be used to run virus-containing code. Spam links are also very often added to posts or comments. Such links are usually hidden using CSS so that an inexperienced administrator will not see them, but a search engine spots them immediately. Of course, this is where any antispam comes into play, for example the one that is licensed, tested and double-checked many times. A hacker can upload files with image file extensions and add them to the code of your activated plugins. Therefore, even if the file does not have a .php extension, the code in that file can be executed.

There is another simple tool with which I started getting acquainted with malware: the Theme Authenticity Checker (TAC) plugin. This is a lightweight and quite effective tool, but it only checks your themes, even inactive ones. It doesn't touch the rest of the directories, and that's its downside. This is what checking my current theme with this plugin looks like:

Two warnings in the active theme, and nothing more. There is no malicious code. By the way, these are links that I inserted myself, on Google's advice, to improve the quality of the snippet (displaying personal data, organization address, etc.). But this only checks the theme files; what is going on in the other directories you will have to find out with other plugins or online services. For example, a service (a really trustworthy one) like Yandex Webmaster or the similar one at Google. They have a function for checking any web resource for malicious inclusions, and they do it efficiently. But if this is not enough for you, compare the results with those from other services and draw conclusions.

For some reason I want to trust Yandex rather than plugins. Another good resource is http://2ip.ru/site-virus-scanner/. After checking one of my blogs, this is what I found:

Here you can also check separate files for the presence of malicious code if you have such doubts. In general, the service is not bad.

From all that has been said, I would draw the following conclusions:

1. To prevent the appearance of malicious code, you must first of all use proven services for downloading files: plugins, themes, etc.

2. Regularly make backup copies of everything the site contains: databases, content, admin panel, downloaded files, third-party files included.

3. Take advantage of the updates that WordPress offers. At least they do not contain viruses, even if they are not always functionally justified. But by updating, you thereby remove any viruses that may be present.

4. Delete unused themes, plugins, images and files without regret - this is another escape route for malware that you may never even guess about.

5. Properly password-protect your FTP access, the phpMyAdmin login, the admin panel, and generally everywhere no one but you should have access.

6. Try (even if your desire is as great as the sky) not to change or replace WordPress core files - developers know better what should work and how.

7. After detecting and removing viruses, change all passwords. I think you will have a great desire to make a password of 148 characters in mixed case and with special characters. But don't get too carried away with complex passwords: you may lose it, and then you will have to restore everything, which is not very pleasant.

All these methods and components that I have described to help you get rid of viruses are, of course, free, of course almost homemade, and of course they do not provide a 100% guarantee that your site will be cleaned of malicious inserts. Therefore, if you are already concerned about cleaning your blog, it is better to contact professionals, for example the Sucuri service (http://sucuri.net/). There your site will be thoroughly monitored and given practical recommendations, which will be sent to you by letter, and if you do not want to clean the site yourself, specialists are at your service who will do everything in the best possible way within 4 hours:

Every webmaster who discovers malicious code on his website gets a lot of not very pleasant experiences. The site owner immediately, in a panic, tries to find and destroy the virus, and to understand how this nasty thing could get onto his site. But as practice shows, finding malicious code on a website is not so easy. After all, a virus can be registered in one or several of the huge number of files the site consists of, be it an engine running on WordPress or a regular site in HTML.

Yesterday, while checking my email, I found an email from Google saying that visiting certain pages of my site may lead to infection of users' computers with malware. Now, users who access these pages via links in Google.ru search results are shown a warning page. This site was not added to my Google Webmasters panel, so I was notified by mail. I had several more sites in the webmaster panel; when I went there, I was horrified to see a warning about malicious code on two more of my sites.
As a result, malicious code had settled on three of my sites, which I had to find and destroy. One of the sites ran on WordPress, the other two consisted of regular PHP pages.

It is worth noting that Google reacted much faster than Yandex to the presence of malicious code. In the Yandex webmaster panel, a warning about the presence of a virus on the site did not appear. Fortunately, within a few hours I managed to find this unfortunate virus.

As a rule, sites are most often infected by the so-called iframe virus. Essentially, this virus consists of code... . The virus steals all passwords from Total Commander or another FTP client. In my case, the same thing happened; the iframe code was written into several dozen files on my site. On the site that ran on WordPress, the malicious code managed to settle only in footer.php.

And so, how to find malicious code if you find that your site is infected:

1. Go to your hosting control panel and change your password. If you have several sites, do this for all of them.

2. Change and delete the passwords in the FTP client. We never store passwords in FTP clients anymore; we always enter them manually.

3. You can go to the hosting via FTP and see what has changed in your files. Sort files by last modified date. The infected files will all have the most recent, and the same, date. Open these files and look for the iframe code; usually it is located at the very end. Mostly, malicious code is written into the following files: index.php, index.html, and files with the .js extension. Often, this infection lives between tags... .
For self-written sites, look very carefully at all files and folders of scripts; the virus is often written there. Also, the favorite habitat of this virus is in counter codes for the site, and in advertising codes.

4. Check the .htaccess file for suspicious code. Sometimes malicious code penetrates into this file. Typically, there are several directories in the engine files in which the .htaccess file can be located. Check all these files and make sure the code is “clean”.

As for WordPress files or other CMS: as a rule, any CMS consists of many files and folders, and it is very difficult to find malicious code in them. For example, for WordPress I can recommend the TAC plugin. This plugin checks the files of all themes in the themes folder for third-party code. If TAC finds unwanted code, it will show the path to that file. In this way it is possible to track down the disguised virus.
Download TAC plugin: wordpress.org

In general, you should constantly keep in mind all the actions that you performed with your site files. Remember what was changed or added to this or that code.

Once you find and remove malicious code, it doesn’t hurt to check your computer for viruses.
And if your site was marked by Google or Yandex as infected, then you need to send a request for a re-check through the webmaster panel. As a rule, search engines should remove all restrictions from your site within 24 hours. It didn't take long for Google to process my request for re-verification, and after a few hours all restrictions were removed from my sites.


The truth of life is that a site can be hacked sooner or later. After successfully exploiting a vulnerability, the hacker tries to gain a foothold on the site by placing web shells and downloaders in system directories and introducing backdoors into the script code and the CMS database.

To detect malicious code in files and databases, there are specialized solutions - antiviruses and scanners for hosting. There are not many of them; the popular ones are AI-BOLIT, MalDet (Linux Malware Detector) and ClamAv.

Scanners help detect uploaded web shells, backdoors, phishing pages, spam mailers and other types of malicious scripts: everything they know about and that has been added to their malicious code signature database. Some scanners, such as AI-BOLIT, have a set of heuristic rules that can detect files with suspicious code of the kind often used in malicious scripts, or files with suspicious attributes that may have been uploaded by hackers. But, unfortunately, even if several scanners are used on the hosting, some hacker scripts may remain undetected, which in practice means that the attacker still has a "back door" and can break into the site and regain full control at any time.

Modern malware and hacker scripts are significantly different from those of 4-5 years ago. Currently, malicious code developers combine obfuscation, encryption, decomposition, external loading of malicious code, and other tricks to fool antivirus software. Therefore, the likelihood of missing new malware is much higher than before.

What can be done in this case for more effective detection of viruses on the site and hacker scripts on the hosting? A comprehensive approach is necessary: initial automated scanning followed by manual analysis. This article will discuss options for detecting malicious code without scanners.

First, let's look at what exactly you should look for during a hack.

  • Hacker scripts.
    Most often, when hacking, files that are downloaded are web shells, backdoors, “uploaders”, scripts for spam mailings, phishing pages + form handlers, doorways and hacking marker files (pictures from the hacker group’s logo, text files with a “message” from hackers, etc.)
  • Injections (code injections) into existing files.
    The second most popular type of malicious and hacker code on hosting is injections. In existing website files, a hacker can inject mobile and search-engine redirects into .htaccess, backdoors into php/perl scripts, and viral JavaScript fragments or redirects to third-party resources into .js and .html templates. Injections are also possible in media files, for example .jpg or . Often malicious code consists of several components: the malicious code itself is stored in the EXIF header of a jpg file, but it is executed by a small control script whose code does not look suspicious to the scanner.
  • Database injections.
    The database is the third target for a hacker. Here, static inserts are possible, , , , which redirect visitors to third-party resources, “spy” on them, or infect the visitor’s computer/mobile device as a result of a drive-by attack.
    In addition, in many modern CMS (IPB, vBulletin, modx, etc.) template engines allow you to execute php code, and the templates themselves are stored in the database, so the PHP code of web shells and backdoors can be built directly into the database.
  • Injections in caching services.
    As a result of incorrect or unsafe configuration of caching services, for example, memcached, injections into cached data “on the fly” are possible. In some cases, a hacker can inject malicious code into a site's pages without directly hacking the site.
  • Injected or infected elements in server system components.
    If a hacker has gained privileged (root) access to the server, he can replace elements of the web server or caching server with infected ones. Such a web server will, on the one hand, provide control over the server using control commands, and on the other hand, from time to time introduce dynamic redirects and malicious code into the site’s pages. As in the case of an injection into a caching service, the site administrator will most likely not be able to detect the fact that the site has been hacked, since all the files and the database will be original. This option is the most difficult to treat.
So, let's assume that you have already checked the files on the hosting and the database dump with scanners, but they did not find anything, and the virus is still on the page or the mobile redirect still fires when pages are opened. How to search further?

    Manual search

    On unix, it's hard to find a more valuable pair of commands for finding files and fragments than find / grep.

    find . -name '*.ph*' -mtime -7

    will find all files that have been changed in the last week. Sometimes hackers "twist" the modification date of scripts so that new scripts are not detected. Then you can search for php/phtml files whose inode attributes have changed:

    find . -name '*.ph*' -ctime -7

    If you need to find changes in a certain time interval, you can use the same find

    find . -name '*.ph*' -newermt 2015-01-25 ! -newermt 2015-01-30 -ls

    To search files, grep is indispensable. It can search recursively through files for a specified fragment

    grep -ril 'stummann.net/steffen/google-analytics/jquery-1.6.5.min.js' *

    When a server has been hacked, it is useful to analyze files that have the setuid/setgid (suid/sgid) bit set

    find / -perm -4000 -o -perm -2000

    To determine which scripts are running at the moment and loading the hosting CPU, you can call

    lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if (!str) { str=$1 } else { str=str "," $1 } } END { print str }'` | grep vhosts | grep php
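    The find checks above, gathered into a small triage script as an added example (not code from the original article). It builds a constructed sample webroot in a temp directory, so every path and file name in it is invented, and the doorway threshold is a parameter rather than the article's "several thousand":

```shell
#!/bin/sh
# Added example, not code from the original article: the find(1) checks
# above gathered into functions and run against a constructed sample webroot.
# Every path and file name below is invented for the demo; point the
# functions at a real document root to use them.

# Build a throwaway webroot in a temp dir and print its path.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2015/01" \
             "$root/wp-content/themes/twentyeleven" "$root/blog"
    # Legitimate files from an old install, so backdate their mtime
    echo '<?php echo "site"; ?>'  > "$root/index.php"
    echo '<?php echo "theme"; ?>' > "$root/wp-content/themes/twentyeleven/index.php"
    touch -t 201406010000 "$root/index.php" \
                          "$root/wp-content/themes/twentyeleven/index.php"
    # Constructed suspicious files (harmless bodies): a script in uploads whose
    # mtime was "twisted" back to 2014, a fresh double-extension script in
    # uploads, a perl file in a theme, and a directory of generated pages
    echo '<?php echo 1; ?>' > "$root/wp-content/uploads/2015/01/n2fd5.php"
    touch -t 201406010000 "$root/wp-content/uploads/2015/01/n2fd5.php"
    echo '<?php echo 2; ?>' > "$root/wp-content/uploads/2015/01/image.jpg.php"
    echo 'print "x";'       > "$root/wp-content/themes/twentyeleven/helper.pl"
    for i in 1 2 3 4 5; do : > "$root/blog/page$i.html"; done
    echo "$root"
}

# Scripts whose content changed in the last $2 days (what -mtime sees).
recently_modified_scripts() {
    ( cd "$1" && find . -type f -name '*.ph*' -mtime "-$2" )
}

# Scripts whose inode changed in the last $2 days. Backdating the mtime does
# not reset ctime, so the "twisted" file still shows up here.
recently_changed_scripts() {
    ( cd "$1" && find . -type f -name '*.ph*' -ctime "-$2" )
}

# Scripts under directories that should only ever hold data.
scripts_in_data_dirs() {
    ( cd "$1" && find . -type f -name '*.ph*' \( -path '*/uploads/*' \
        -o -path '*/cache/*' -o -path '*/tmp/*' -o -path '*/backup/*' \
        -o -path '*/log/*' -o -path '*/images/*' \) )
}

# Script names containing the digits 3-9, as the text suggests.
oddly_named_scripts() {
    ( cd "$1" && find . -type f -name '*[3-9]*.ph*' )
}

# Extensions that have no business in a WordPress tree.
unusual_extensions() {
    ( cd "$1" && find . -type f \( -name '*.pl' -o -name '*.py' -o -name '*.cgi' \
        -o -name '*.so' -o -name '*.c' -o -name '*.phtml' -o -name '*.php3' \) )
}

# Directories holding more than $2 .php/.html files (doorway candidates).
# Assumes paths without spaces.
doorway_candidates() {
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.html' \) ) \
        | sed 's|/[^/]*$||' | sort | uniq -c | awk -v n="$2" '$1 > n { print $2 }'
}

# Line counter that always exits 0 (grep -c exits 1 on zero matches).
count_lines() { awk 'END { print NR }'; }

ROOT=$(make_sample_webroot)
echo "--- modified in last 7 days:";       recently_modified_scripts "$ROOT" 7
echo "--- inode changed in last 7 days:";  recently_changed_scripts "$ROOT" 7
echo "--- scripts in data directories:";   scripts_in_data_dirs "$ROOT"
echo "--- digits 3-9 in the name:";        oddly_named_scripts "$ROOT"
echo "--- unusual extensions:";            unusual_extensions "$ROOT"
echo "--- doorway candidates (>4 pages):"; doorway_candidates "$ROOT" 4
rm -rf "$ROOT"
```

    Only the fresh upload shows up under -mtime, while -ctime also lists the backdated script, which is the whole point of running both.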

    We use our brains and hands to analyze files on hosting
  • We go to the upload, cache, tmp, backup, log and images directories, into which scripts write or users upload things, and scan their contents for new files with suspicious extensions. For example, for Joomla you can check for .php files in the images directory: find ./images -name '*.ph*'. Most likely, if something is found, it will be malware.
    For WordPress, it makes sense to check the wp-content/uploads directory and the backup and cache directories of themes for scripts.
  • Looking for files with strange names
    For example, php, fyi.php, n2fd2.php. Files can be searched
    • by non-standard combinations of characters,
    • presence of numbers 3,4,5,6,7,8,9 in file names
  • We are looking for files with unusual extensions
    Let's say you have a website on WordPress; for it, files with the extensions .py, .pl, .cgi, .so, .c, .phtml, .php3 will not be quite ordinary. If any scripts and files with these extensions are detected, most likely they will be hacker tools. A percentage of false detections is possible, but it is not high.
  • We are looking for files with non-standard attributes or creation date
    Suspicion may be raised by files whose attributes differ from those of the rest on the server. For example, all .php scripts were uploaded via ftp/sftp and are owned by the user user, while some were created by the user www-data. It makes sense to check the latter. Or the script file's creation date is earlier than the site's creation date.
    To speed up the search for files with suspicious attributes, it is convenient to use unix command find.
  • We are looking for doorways by a large number of .html or .php files
    If there are several thousand .php or .html files in the directory, this is most likely a doorway.
  • Logs to help

    Web server, mail service and FTP logs can be used to detect malicious and hacker scripts.

    • Correlating the date and time of sending a letter (which can be found from the mail server log or the service header of a spam letter) with requests from the access_log helps to identify the method of sending spam or find the spam sender's script.
    • Analysis of the FTP xferlog transfer log allows you to understand which files were downloaded at the time of the hack, which were changed and by whom.
    • With PHP correctly configured, the mail server log, or the service headers of a spam email, will contain the name or full path of the sending script, which helps determine the source of the spam.
    • Using the logs of proactive protection of modern CMS and plugins, you can determine what attacks were carried out on the site and whether the CMS was able to resist them.
    • Using access_log and error_log, you can analyze the actions of a hacker if you know the names of the scripts he called, his IP address or his User Agent. As a last resort, you can view the POST requests on the day the site was hacked and infected. Often this analysis reveals other hacker scripts that were uploaded or were already on the server at the time of the hack.
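    The log questions above (POSTs on the day of the hack, what one address did, requests in the minute a spam message left the server) answered with awk over a combined-format access_log, as an added example that is not from the original article. The log lines, addresses and plugin path are constructed for the demo:

```shell
#!/bin/sh
# Added example, not code from the original article: answering the questions
# above from an Apache/nginx combined-format access_log with awk. The log
# below is constructed (documentation IP ranges, invented paths); pass a real
# access_log to the functions to use them.

# Write the constructed sample log to a temp file and print its path.
make_sample_access_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.5 - - [25/Jan/2015:03:14:07 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "python-requests/2.5"
203.0.113.5 - - [25/Jan/2015:03:14:22 +0300] "POST /wp-content/plugins/oldplugin/upload.php HTTP/1.1" 200 51 "-" "python-requests/2.5"
203.0.113.5 - - [25/Jan/2015:03:14:40 +0300] "POST /wp-content/uploads/2015/01/n2fd5.php HTTP/1.1" 200 812 "-" "python-requests/2.5"
198.51.100.20 - - [25/Jan/2015:09:02:11 +0300] "GET /?p=12 HTTP/1.1" 200 14321 "http://example.com/" "Mozilla/5.0"
198.51.100.20 - - [25/Jan/2015:09:02:30 +0300] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/?p=12" "Mozilla/5.0"
203.0.113.5 - - [26/Jan/2015:01:45:02 +0300] "POST /wp-content/uploads/2015/01/n2fd5.php HTTP/1.1" 200 93 "-" "python-requests/2.5"
EOF
    echo "$log"
}

# Field layout of a combined-format line, split on whitespace:
#   $1 client IP, $4 "[day/Mon/year:HH:MM:SS", $6 "\"METHOD", $7 path, $9 status

# Every POST on a given day ($2 in the log's own form, e.g. 25/Jan/2015).
post_requests_on() {
    awk -v day="$2" '$6 == "\"POST" && index($4, "[" day) == 1' "$1"
}

# Distinct scripts that received POSTs that day. The one that is not part
# of the CMS is usually the uploader or the dropped web shell.
posted_scripts_on() {
    post_requests_on "$1" "$2" | awk '{ print $7 }' | sort -u
}

# POSTs to scripts inside directories that should only hold data, any day.
posts_to_data_dirs() {
    awk '$6 == "\"POST" && $7 ~ /\/(uploads|cache|tmp|images)\/.*\.ph/ { print $4, $1, $7 }' "$1"
}

# Everything one address did, in order: what it fetched before and after.
actor_timeline() {
    awk -v ip="$2" '$1 == ip { print $4, $6, $7, $9 }' "$1"
}

# Requests in the minute a spam message left the server, to correlate the
# mail log (e.g. 25/Jan/2015:03:14) with the script that sent it.
requests_in_minute() {
    awk -v m="$2" 'index($4, "[" m) == 1 { print $4, $1, $6, $7 }' "$1"
}

# Line counter that always exits 0.
count_lines() { awk 'END { print NR }'; }

LOG=$(make_sample_access_log)
echo "--- scripts POSTed to on 25/Jan/2015:"; posted_scripts_on "$LOG" 25/Jan/2015
echo "--- POSTs into data directories:";       posts_to_data_dirs "$LOG"
echo "--- timeline of 203.0.113.5:";           actor_timeline "$LOG" 203.0.113.5
echo "--- requests at 03:14:";                  requests_in_minute "$LOG" 25/Jan/2015:03:14
rm -f "$LOG"
```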

    Integrity control

    It is much easier to analyze a hack and look for malicious scripts on a website if you take care of its security in advance. An integrity check procedure helps to detect changes on the hosting in time and establish the fact of a hack. One of the simplest and most effective ways is to put the site under a version control system (git, svn, cvs). If you configure .gitignore correctly, change control comes down to running git status, and searching for malicious scripts and changed files comes down to git diff.

    Also, you will always have a backup copy of your files, to which you can “roll back” the site in a matter of seconds. Server administrators and advanced webmasters can use inotify, tripwire, auditd and other mechanisms to track access to files and directories, and monitor changes in the file system.

    Unfortunately, it is not always possible to set up a version control system or third-party services on the server. On shared hosting, installing a version control system and system services will not be possible. But it doesn't matter; there are plenty of ready-made solutions for CMS. You can install a plugin or a separate script on the site that will track changes in files. Some CMS already implement effective change monitoring and an integrity check mechanism (for example, Bitrix, DLE). As a last resort, if the hosting has ssh, you can create a reference snapshot of the file system with the command

    ls -lahR > original_file.txt

    and if problems arise, create a new snapshot in another file, and then compare them in WinDiff, AraxisMerge Tool or BeyondCompare.
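    An added example (not code from the original article) that goes one step beyond the ls -lahR snapshot: a manifest of SHA-256 hashes, compared with the current tree, reports added, removed and modified files, and catches an edit that keeps a file's size and modification time, which an ls listing cannot see. The sample site and the tampering are constructed, and sha256sum is assumed to be available:

```shell
#!/bin/sh
# Added example, not code from the original article: an integrity baseline
# built from SHA-256 hashes instead of an ls listing. Requires sha256sum
# (GNU coreutils); on BSD/macOS substitute "shasum -a 256".

# Write "hash  ./relative/path" for every file under $1 into $2.
# Assumes paths without spaces or newlines (awk splits on whitespace).
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort \
        | while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# The article's ls-style snapshot, kept for comparison.
make_ls_snapshot() {
    ( cd "$1" && ls -lR ) > "$2"
}

# Compare a stored manifest ($2) with the current state of $1.
# Prints ADDED / REMOVED / MODIFIED lines; empty output means no change.
compare_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'NR == FNR { old[$2] = $1; next }
         {
             if (!($2 in old))       print "ADDED    " $2
             else if (old[$2] != $1) print "MODIFIED " $2
             delete old[$2]
         }
         END { for (p in old) print "REMOVED  " p }' "$2" "$current" | sort
    rm -f "$current"
}

# Constructed sample site: two files with a fixed, old modification time.
demo_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    echo '<?php echo "site"; ?>' > "$root/index.php"
    echo 'readme'                 > "$root/readme.html"
    touch -t 201406010000 "$root/index.php" "$root/readme.html"
    echo "$root"
}

# Three constructed changes: an edit that keeps size and mtime, a dropped
# script in uploads (harmless body), and a deleted file.
tamper() {
    echo '<?php echo "evil"; ?>' > "$1/index.php"      # same length as before
    touch -t 201406010000 "$1/index.php"               # put the old mtime back
    echo '<?php echo 3; ?>' > "$1/wp-content/uploads/n2fd5.php"
    rm -f "$1/readme.html"
}

# Line counter that always exits 0.
count_lines() { awk 'END { print NR }'; }

ROOT=$(demo_site)
BASE=$(mktemp); LS_OLD=$(mktemp); LS_NEW=$(mktemp)
make_baseline "$ROOT" "$BASE"; make_ls_snapshot "$ROOT" "$LS_OLD"
tamper "$ROOT"
make_ls_snapshot "$ROOT" "$LS_NEW"
echo "--- ls -lR diff (does not mention the edited index.php):"
diff "$LS_OLD" "$LS_NEW" || true
echo "--- hash manifest comparison:"
compare_baseline "$ROOT" "$BASE"
rm -rf "$ROOT" "$BASE" "$LS_OLD" "$LS_NEW"
```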

    Epilogue

    In most cases, the developers of antivirus software and scanners do not keep up with the developers of malicious code, so when diagnosing and treating sites you cannot rely only on automated software solutions and scripts. Using a heuristic approach, the rich toolset of the operating system and the capabilities of the CMS, you can find malicious code that antiviruses and scanners could not detect. Manual analysis makes the website treatment process better and more effective.

    WordPress is the most popular engine for creating various information websites and blogs. The security of your website is more than the security of your data. This is much more important, because it is also the safety of all users who read and trust your resource. This is why it is so important that the site is not infected with viruses or any other malicious code.

    We will look at how to protect WordPress from hacking in one of the next articles; for now I want to tell you how to check a WordPress site for viruses and malicious code to make sure that everything is safe.

    The very first option that comes to mind is that you were hacked by hackers and built their backdoors into the code of your site in order to be able to send spam, put links and other bad things. This happens sometimes, but this is a fairly rare case if you update the software on time.

    There are thousands of free themes for WordPress and various plugins, and the threat may already be there. It's one thing when you download a template from the WordPress site and quite another when you find it on some random site. Unscrupulous developers can embed various malicious code into their products. The risk is even greater if you download premium templates for free, where hackers, without risking anything, can add some kind of security hole through which they can later get in and do what they need. This is why checking a WordPress site for viruses is so important.

    Checking a WordPress site for viruses

    The first thing to look at when checking a site for viruses is WordPress plugins. Quickly and easily, you can scan your site and find suspicious areas of code that are worth paying attention to, whether they are in the theme, a plugin, or the WordPress core itself. Let's look at a few of the most popular plugins:

    1. TAC

    This very simple plugin checks all themes installed on your site to see if they contain malicious code. The plugin detects hidden links obfuscated with base64 encoding, and also displays detailed information about the problems found. Most often, the pieces of code found are not viruses, but they can potentially be dangerous, so you should pay attention to them.

    Open "Appearance" -> "TAC" then wait until all themes are checked.

    2. VIP Scanner

    Very similar to the TAC scanner for themes, but outputs more detailed information. It has the same capabilities for detecting hidden links, hidden code and other malicious inserts. Just open the VIP Scanner item in the tools section and analyze the result.

    It may be enough to remove extra files eg desktop.ini. Or you need to look in more detail at what happens in files using base64.

    3. Anti-Malware from GOTMLS.NET

    This plugin allows you not only to scan the themes and core of the site for viruses, but also to protect the site from password brute-forcing and various XSS and SQL injection attacks. The search is performed based on known signatures and vulnerabilities. Some vulnerabilities can be fixed on the spot. To start scanning files, open "Anti-Malware" in the side menu and click "Run Scan":

    Before you can run a scan, you need to update your signature databases.

    4. Wordfence

    This is one of the most popular plugins for protecting WordPress and scanning it for malicious code. Apart from the scanner, which can find most backdoors in WordPress code, there is constant protection from various types of attacks and password brute-forcing. During the search, the plugin finds possible problems with various plugins and themes and reports when WordPress needs updating.

    Open the "Wordfence" tab in the side menu, then go to the "Scan" tab and click "Start Scan":

    Scanning may take a certain amount of time, but upon completion you will see a detailed report of the problems found.

    5. AntiVirus

    This is another simple plugin that will scan your website template for malicious code. The disadvantage is that only the current template is scanned, but the information is displayed in sufficient detail. You will see all the dangerous functions that are in the theme and then you can analyze in detail whether they pose any danger. Find the "AntiVirus" item in the settings, and then click "Scan the theme templates now":

    6. Integrity Checker

    It is also advisable to check the integrity of the WordPress files, in case the virus has already lodged itself somewhere. You can use the Integrity Checker plugin for this. It checks all core, plugin and template files for changes. At the end of the scan, you will see information about the changed files.

    Online services

    There are also several online services that allow you to check a WordPress site for viruses or check just the template. Here are some of them:

    themecheck.org - you upload the theme archive and can see all the warnings about possible malicious functions used in it. You can view information not only about your theme but also about themes uploaded by other users, as well as different versions of themes. Whatever the plugins find can be found by this site too. Checking WordPress themes is also very important.

    virustotal.com is a well-known resource where you can check your website or template file for viruses.

    ReScan.pro - scanning a WordPress site for viruses using this service is free, static and dynamic analysis is performed to detect possible redirects, the scanner opens the site pages. Checks the site against various blacklists.

    sitecheck.sucuri.net is a simple service for scanning sites and themes for viruses. There is a plugin for WordPress. Detects dangerous links and scripts.

    Manual check

    Nothing could be better than a manual check. Linux has the wonderful grep utility, which allows you to search for occurrences of arbitrary strings in a folder of files. It remains to understand what we will be looking for:

    • eval - this function allows you to execute arbitrary PHP code; it is not used by self-respecting products. If one of the plugins or a theme uses this function, there is almost a 100% probability that it contains a virus;
    • base64_decode - encoding functions can be used together with eval to hide malicious code, but they can also be used for peaceful purposes, so be careful;
    • sha1 - another function used in the same way to obscure malicious code;
    • gzinflate - a compression function, same goals, together with eval, for example gzinflate(base64_decode(code));
    • strrev - reverses a string back to front; can be used for primitive obfuscation;
    • print - outputs information to the browser; together with gzinflate or base64_decode it is dangerous;
    • file_put_contents - WordPress itself or plugins may legitimately create files in the file system, but if a theme does this, you should be wary and check why, since viruses can be installed this way;
    • file_get_contents - in most cases used for peaceful purposes, but can be used to download malicious code or read information from files;
    • curl - same story;
    • fopen - opens a file for writing, you never know for what purpose;
    • system - executes a command on the Linux system; if a theme, plugin or WordPress itself does this, most likely there is a virus;
    • symlink - creates symbolic links in the system; perhaps the virus is trying to make the main file system accessible from outside;
    • copy - copies a file from one location to another;
    • getcwd - returns the name of the current working directory;
    • cwd - changes the current working folder;
    • ini_get - gets information about PHP settings, more often for peaceful purposes, but you never know;
    • error_reporting(0) - disables the display of any error messages;
    • window.top.location.href - a JavaScript property used for redirects to other pages;
    • hacked - just in case, we check whether the hacker himself decided to tell us.

    You can substitute each individual word into a command like this:

    grep -R "hacked" /var/www/path/to/files/wordpress/wp-content/

    Or use a simple script that will search for all words at once:

    values="base64_decode(
    eval(base64_decode
    gzinflate(base64_decode(
    getcwd();
    strrev(
    chr(ord(
    cwd
    ini_get
    window.top.location.href
    copy(
    eval(
    system(
    symlink(
    error_reporting(0)
    print
    file_get_contents(
    file_put_contents(
    fopen(
    hacked"

    cd /var/www/path/to/files/wordpress/wp-content/
    # each line of $values is a separate fixed-string pattern; "." rather than "*" also searches hidden directories
    grep -F -nr --include '*.php' -- "$values" .
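    As an added example (not from the original article), here is a Python version of the same search that reports the file and line of each hit and rates it: a hit on a single function from the list is rated low or medium, while the chains the article warns about (a decoder or decompressor fed into eval or print, or a long opaque base64-looking literal) are rated high, so the manual review described above can start from the most suspicious lines. The functions scan_tree, scan_file and rate_line, and the sample wp-content tree built in a temporary directory, are constructed for this example; the theme file in that tree contains an eval(base64_decode(...)) wrapper around a harmless echo.

```python
import base64
import os
import re
import tempfile

# Literal strings from the article's grep list (plus str_rot13, named in the
# eval section). A hit means "look here", not "infected".
PATTERNS = [
    "eval(", "base64_decode(", "gzinflate(", "str_rot13(", "strrev(",
    "chr(ord(", "system(", "symlink(", "copy(", "getcwd(", "ini_get(",
    "error_reporting(0)", "file_put_contents(", "file_get_contents(",
    "fopen(", "print", "window.top.location.href", "hacked",
]

# Functions the article treats as a strong signal even on their own.
MEDIUM = {"eval(", "system(", "symlink(", "base64_decode(", "gzinflate(", "str_rot13("}

# Chains the article singles out: a decoder/decompressor feeding eval or print,
# gzinflate(base64_decode(...)), or a long opaque base64-looking literal.
HIGH_RISK = [
    re.compile(r"\b(eval|print)\s*\(\s*(base64_decode|gzinflate|str_rot13|strrev)\s*\("),
    re.compile(r"\bgzinflate\s*\(\s*base64_decode\s*\("),
    re.compile(r"""["'][A-Za-z0-9+/=]{60,}["']"""),
]


def rate_line(line):
    """Return (severity, matched_patterns) for one source line, or None if clean."""
    matched = [p for p in PATTERNS if p in line]
    if not matched:
        return None
    if any(rx.search(line) for rx in HIGH_RISK):
        return "high", matched
    if any(p in MEDIUM for p in matched):
        return "medium", matched
    return "low", matched


def scan_file(path):
    """Rate every line of one PHP file; returns a list of hit records."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            rated = rate_line(line)
            if rated:
                sev, pats = rated
                hits.append({"file": path, "line": lineno, "severity": sev,
                             "patterns": pats, "text": line.strip()[:120]})
    return hits


def scan_tree(root, exts=(".php",)):
    """Walk root (hidden directories included) and return hits, worst first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(exts):
                hits.extend(scan_file(os.path.join(dirpath, name)))
    order = {"high": 0, "medium": 1, "low": 2}
    hits.sort(key=lambda h: (order[h["severity"]], h["file"], h["line"]))
    return hits


def build_sample_tree():
    """Constructed wp-content lookalike: a benign plugin that reads a config
    file, and a theme whose functions.php hides a harmless echo behind
    eval(base64_decode(...)). Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="wp-content-sample-")
    plugin = os.path.join(root, "plugins", "sample-plugin")
    theme = os.path.join(root, "themes", "sample-theme")
    os.makedirs(plugin)
    os.makedirs(theme)
    with open(os.path.join(plugin, "sample-plugin.php"), "w") as fh:
        fh.write("<?php\n$cfg = file_get_contents(__DIR__ . '/config.json');\n")
    payload = base64.b64encode(b"echo '<!-- constructed sample -->';").decode()
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\nadd_action('wp_footer', function () {\n"
                 '    eval(base64_decode("%s"));\n});\n' % payload)
    return root


if __name__ == "__main__":
    for h in scan_tree(build_sample_tree()):
        print(f"[{h['severity']:6}] {h['file']}:{h['line']}  {h['patterns']}  {h['text']}")
```

    A hit is a place to look, not proof of infection, exactly as with the grep version: legitimate plugins call file_get_contents and fopen all the time, and the bare word "print" also matches sprintf and print_r, which is why such lines land at the bottom of the report rather than being dropped.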

    Malicious code gets onto a site through negligence or malicious intent. Its purposes vary, but essentially it causes harm or interferes with the normal operation of the site. To remove malicious code from WordPress, you must first find it.

    What is malicious code on a WordPress site?

    In appearance, malicious code is most often a set of Latin letters and symbols. In fact, it is encoded code that performs one action or another. The actions can be very different; for example, your new posts are immediately republished on a third-party resource, which is essentially theft of your content. Codes also have other "tasks", for example placing outgoing links on the site's pages. The tasks can be very sophisticated, but one thing is clear: malicious code must be hunted down and removed.

    How do malicious codes get onto a website?

    There are also many loopholes through which code can get onto the site.

  • Most often these are themes and plugins downloaded from dubious sources. However, this route is typical of so-called encrypted links; explicit malicious code does not get onto the site this way.
  • The most dangerous case is a virus planted when the site is hacked. As a rule, hacking a site lets the attacker place not only a "one-time" code but also install code with malware elements. For example, you find the code and delete it, but after some time it is restored. Again, there are many variants.
  • Let me note right away that fighting such viruses is difficult, and manual removal requires knowledge. There are three solutions to the problem. The first is to use antivirus plugins, for example the plugin called BulletProof Security.

    This solution gives good results, although it takes a little time. A more radical solution, which gets rid of malicious code including complex viruses, is to restore the site from previously made backup copies.

    Since a good webmaster does this periodically, you can roll back to an uninfected version without any problems. The third solution is for the rich and lazy: simply contact a specialized "office" or an individual specialist.

    How to Look for Malicious Code on WordPress

    It is important to understand that malicious code on WordPress can be in any file on the site, not necessarily in the active theme. It can arrive with a plugin, a theme, or "homemade" code taken from the Internet. There are several ways to try to find malicious code.

    Method 1. Manually. You go through all the site files and compare them with the files of an uninfected backup. If you find someone else's code, delete it.

    Method 2. Using WordPress security plugins. For example, . This plugin has a great feature: scanning the site files for the presence of other people's code, and the plugin copes with this task perfectly.

    Method 3. If you have reasonable hosting support and it seems to you that someone else is on the site, ask them to scan your site with their antivirus. Their report will list all infected files. Next, open these files in a text editor and remove the malicious code.

    Method 4. If you can work with the site directory over SSH access, then go ahead; that approach has its own specifics.

    Important! No matter how you search for malicious code, before searching and then deleting it, close access to the site files (turn on maintenance mode). Remember that some code restores itself after being deleted.

    Search for malicious codes using the eval function

    PHP has a function called eval. It executes any code passed to it as a string. Moreover, that code can be encoded, and it is because of the encoding that malicious code looks like a set of letters and symbols. Two popular encodings are:

  • Base64;
  • Rot13.

    Accordingly, in these encodings the eval function looks like this:

    • eval(base64_decode(...))
    • eval(str_rot13(...)) // inside the inner quotes are long, unintelligible sets of letters and symbols

    The algorithm for searching for malicious code using the eval function is as follows (we work from the administrative panel):

    • go to the site editor (Appearance → Editor);
    • copy the functions.php file;
    • open it in a text editor (for example, Notepad++) and search for the word: eval;
    • if you find it, don't rush to delete anything. You need to understand what this function "asks" to be executed. To understand this, the code needs to be decoded. There are online tools for decoding, called decoders.

    Decoders/Encoders

    Decoders work simply. You copy the code you want to decode, paste it into the decoder field and decode.
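    What a decoder does can be reproduced offline without ever running the suspicious code through PHP. The following Python helper, added here as an example and not taken from the article, finds an eval(...)/print(...) wrapper, applies the inverse of each transform from the list above (base64_decode, str_rot13, strrev, gzinflate, gzuncompress) innermost first, exactly in the order PHP would evaluate the chain, and repeats until no wrapper remains, so multi-layer packing is unwrapped as well. The function names decode_snippet, peel_once and build_samples and the sample snippets are constructed for this example; the samples wrap a harmless echo of a copyright-style link, the kind of template link the article goes on to describe.

```python
import base64
import re
import zlib


def _rot13(data):
    """PHP str_rot13 on bytes: rotate ASCII letters only, leave everything else alone."""
    out = bytearray()
    for c in data:
        if 65 <= c <= 90:
            out.append((c - 65 + 13) % 26 + 65)
        elif 97 <= c <= 122:
            out.append((c - 97 + 13) % 26 + 97)
        else:
            out.append(c)
    return bytes(out)


# PHP transform -> Python inverse, applied innermost call first, as PHP would.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b + b"=" * (-len(b) % 4)),
    "str_rot13": _rot13,
    "strrev": lambda b: b[::-1],
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE stream
    "gzuncompress": lambda b: zlib.decompress(b),     # zlib-wrapped stream
}

SINK = re.compile(r"\b(eval|print|echo)\s*\(")       # where the decoded code would run
CALL = re.compile(r"(\w+)\s*\(")                      # function names in the chain
LITERAL = re.compile(r"(['\"])(.*?)\1", re.S)         # the quoted opaque blob


def peel_once(code):
    """Undo one eval/print wrapper. Returns (decoded_code, layer_names) or None."""
    sink = SINK.search(code)
    if not sink:
        return None
    lit = LITERAL.search(code, sink.end())
    if not lit:
        return None
    # Calls between the sink and the literal, outermost first: eval, f1, f2, ...
    names = CALL.findall(code[sink.start():lit.start()])
    data = lit.group(2).encode("latin-1")
    applied = []
    for name in reversed(names[1:]):
        if name not in DECODERS:
            raise ValueError(f"unknown transform {name}(); inspect it by hand")
        data = DECODERS[name](data)
        applied.append(name)
    return data.decode("latin-1"), [names[0]] + applied


def decode_snippet(code, max_rounds=8):
    """Peel wrappers until plain code remains; nothing is ever executed."""
    layers = []
    for _ in range(max_rounds):
        step = peel_once(code)
        if step is None:
            break
        code, names = step
        layers.append(names)
    return code, layers


def build_samples():
    """Constructed payloads: a harmless echo of a link, packed three ways."""
    plain = b"echo '<a href=\"http://example.com/\">Theme by Example</a>';"
    deflate = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflate.compress(plain) + deflate.flush()
    s1 = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(packed).decode()
    s2 = "eval(base64_decode(str_rot13('%s')));" % _rot13(base64.b64encode(plain)).decode()
    s3 = 'eval(base64_decode("%s"));' % base64.b64encode(s1.encode()).decode()  # two layers
    return plain.decode(), s1, s2, s3


if __name__ == "__main__":
    plain, *samples = build_samples()
    for s in samples:
        code, layers = decode_snippet(s)
        print(layers, "->", code)
```

    Because the result is only printed and never passed to eval, the helper is safe to run on a payload copied out of an infected functions.php. If it meets a transform it does not know (a custom decoder function defined elsewhere in the file, say), it raises instead of guessing, and that custom function is then the next thing to read.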

    At the time of writing, I did not find a single encoded snippet on a WordPress site; I found this one on a Joomla site. In principle, there is no difference for understanding decoding. Let's look at the photo.

    As you can see in the photo, after decoding, the eval function did not reveal terrible code threatening the security of the site, but an encrypted copyright link from the template's author. It can also be removed, but it will come back after the template is updated if you don't use .