GlobalSign Blog

11 Apr 2017

How to Find Malware in Your Website

If you thought malware only comes from malicious, shady sites, think again.

Hackers routinely upload malware to smaller, legitimate websites.

They don’t publish their modus operandi, but generally they target poorly protected websites for any number of malicious reasons ranging from spamming to sending phishing mails or to run Distributed Denial of Service (DDoS) attacks.

There are various ways they can upload their malware, such as disguised plugins, source code manipulation, malicious redirection, drive-by downloads, phishing, or via backdoors etc.

A popular misconception is that hacking is all about defacing a page, but hackers don’t always want you to know that your website is being hacked. They want to be left to their own devices and mess about with your site as sneakily as they can.

It’s often pretty hard to identify this malware as it’s usually pretty well hidden within your website, even if you’re on a secure hosting platform.

So we’ve prepared a few ways that you can defend yourself and identify if there is malware on your website by yourself.

Google Free Malware Checker

Before you do anything it’s worth quickly checking with Google if they have detected any issues with your site.

You can do this using Google site checker which is a free service. It uses their safe browsing technology to check whether your website is potentially dangerous to visit.

You can also check your website from Google Console via the "Health" menu. If your site has been previously flagged by Google as hosting malware this will clear the flag once you remove the malware from your website. As a starting point it's a good (and free) way to identify the presence of malware in your site.

Malware Scanning

Another great free tool you can use online to check whether your website is malware infected or not is by going to Sucuri site check and running a manual malware scan.

It will provide you with a report of malware checking, blacklist checking for key signs of malware, such as sending spam, website defacement etc.

Whilst the check is free, if malware is detected there is an additional fee if you want to set up automatic monitoring. If you find that your site has been compromised you can either remove the malware yourself or if you’re not confident with that type of thing you can also pay them to remove it for you.

For WordPress based sites, Sucuri has a plugin. It’s free and it has some really useful features like WordPress hardening, last login notification panel, blacklist monitoring and security notification etc. It also has automatic site recovery as well as the ability to reset a user’s password.

Another great website malware scanner is SiteLock. This tool scans your website for malware, malicious code injections, iframes, scripts, or backdoors, and notifies you if your website is blacklisted by any ISPs or not.

It can also perform daily scans and which is accessible from any internet connected device. It comes with a website security shield to reassure visitors that your site is safe.

Qualys is also a free website scanner that identifies malware. It’s a cloud-based solution which not only provides malware reports, but also other vulnerabilities report for your website in an easy to digest format.

Code Monitoring and Backup

Another effective method of checking if your site has been compromised is to monitor changes to the code.

One tool that does this really well is Codeguard. It’s a time-based backup service which makes regular backups of your data.

The way it works is that it connects up to your site and runs an initial backup. It then runs periodic backups and notifies you of any changes.

That way if there are any discrepancies it can restore back your website to the previous state with a click of a button. It’s a really neat solution that combines both backup and malware checking.

WordPress Security Plugins

If your site runs on WordPress, then WP Antivirus site protection is a great security plugin which provides protection against malware, backdoors, Trojan and rootkit scanning.

It can also scan any plugins and media files that have been uploaded to your website as well. There are free and paid version of this plugin. The free version will scan your website each week. If you want to scan more frequently, you can go for the paid version.

Another free WordPress plugin is called gotmls. It scans your WordPress website for free and removes any known malware or malicious scripts and notifies you in the admin bar section.  It has basic inbuilt DDoS protection and a WordPress Login page hardening feature as well.

If you’re amongst the millions of WordPress users, then you’ll know that one of the great advantages of WordPress is the sheer number of ready made Themes that are available to you.

But it’s a double edged sword because most of them are uploaded from third-party vendors and need to be checked for authenticity and security. The last thing you want is to launch your new site only to find that it has malware baked into it.

But help is at hand. You can check the authenticity of your Theme using the theme authenticity checker plugin. It can check for common injection malware in the theme files as well as checking footer links.

Just a simple check like this can save you so much in terms of time, money and your reputation.

Malware Detect (LMD)

For more advanced users who have their own server (either Dedicated or Virtual), you can scan your server with Linux Malware Detect along with the ClamAV virus engine.

This malware detection software works at the server level and is especially good at detecting PHP backdoors, dark mailers and other malicious files etc.

By default, Maldet scans for every new file in the directories that were created in the last two days as it looks for malware. It uses a signature-based detection system and it receives its signature data from four engines (Network edge IPS, Community Data, ClamAV, user submission).

Manual Inspection

If you don’t mind taking a peep under the hood and getting your hands dirty, you can manually inspect your files.

Hackers are particularly attracted towards files such as:

Often many of the files will look innocuous at first glance since hackers often insert malicious links in those files in base64 encoded format. So you need to search all directories for base64 encoding; these types of infected files can easily be identified. Here is the link for decoding base64 string format.

Wrap Up

The options above can help you detect malware lurking in your website, but you must keep in mind that none will provide a 100% success rate since hackers are continually expanding and developing new types of attacks. Despite this, it is in your best interest to try and stay ahead them and I strongly recommend using some type of tool like those outlined above to detect any malicious injections in the early stage before it’s too late.

Tony is passionate about helping his clients get the most out of their online presence. He is the co-founder of Pickaweb and Author of the 5 Star Amazon rated book ‘The Lazy Website Syndrome’, which gives the reader a simple 3 step approach to grow their business using online marketing. Tony currently resides in the South of Spain.

Pickaweb offers a full range of services for SME’s including Domain Names, Web Hosting, Reseller Hosting, Virtual Private Servers, Cloud Servers, Dedicated Servers, SSL Certificates and an easy to use Website Builder.

Share this Post