The detection rates of anti-malware and antivirus scanners varies considerably. Knowing how to manually scan for and remove malware is an important and useful skill with which to confirm a scanner's effectiveness or compensate for its failings. In this article, Andrey Kucherov, Malware Analyst at Imunify360, describes some essential manual website malware detection and cleanup techniques.
Have you ever wondered why malware is so hard to get rid of, and why, no matter how many times you run your malware scanner, infected files keep reappearing, as if by magic?
A hacker might not cause any noticeable damage when infiltrating your web server. You may not notice any change in performance or any loss of data.
But that doesn't mean everything is okay. A popular use of a compromised server is to distribute malware.
Malware is malicious software. It gets embedded into your website's pages and can infect any visitors to those sites.
Hackers do this by injecting malicious code into a database or into web page templates. Visitors get redirected to malicious sites, or inadvertently download trojans.
Very often, web hosting administrators start to take security measures only after a website has been hacked. So, let us imagine the situation when ImunifyAV has been installed on such an infected server. All malware has been cleaned in one click, and all malicious activity has been stopped.
Recently, we got a few support requests related to the usage of Imunify360 with Cloudflare. We’d like to explain the root cause and provide you with a workaround.
The issue was looking like an inability to pass the Captcha causing an endless loop. Further investigation revealed an issue caused by custom cache settings in the Cloudflare control panel.
As part of Imunify360’s proactive malware research activities, we recently identified that a plugin named Malicious Checker from WordPress repository, which can be used to identify malware in web servers, indeed had active malware inside one of the plugin’s source files.
The Imunify security team has identified a security threat: a website, wpnull24.com, that provides WordPress themes infected with malware. This site offers “nulled” themes, or paid-for themes that have been modified so they can be downloaded for free.
The themes provided free of charge at wpnull24.com are particularly dangerous, because installing one of them infects all of a site’s themes, plugins, and core WordPress files with malware. Once a site is infected, it can be used for black SEO, phishing, and sending spam as well. Access to an infected site can also be sold to other cyber-criminals.
Over a typical 3-month span, the average server has around 1500 kinds of malware injected into its files. Lately, a great many of these injections have been occurring in WordPress installations. What should you do when malicious code is injected into WordPress files?