
Why Malware on a Server is Always a Bad Thing


In 2020, approximately one million websites hosted on WordPress were actively targeted by cyber-criminals. Large-scale campaigns are common and your server could easily be compromised without you noticing it. Even when malware is silent and undetectable, it can cause long-term side effects that damage your business reputation, customer retention, revenue, and lead generation from search engines. It’s imperative to business continuity that you detect attacks, mitigate ongoing attacks, and remediate them quickly after they are found.

Table of Contents

  1. The Many Side Effects of Malware on a Server
  2. Manually Removing Malicious Content
  3. Using Imunify360 to Ensure Linux Server Security


The Many Side Effects of Malware on a Server

The WordPress content management system (CMS) powers over 30% of the world’s websites and ⅓ of the top 10 million sites on the web. Because of its popularity, WordPress is also one of the most targeted platforms and the software most commonly installed by small site owners. Malware authors create malicious code that specifically targets WordPress, and scripts are freely available to anyone who wants to scan WordPress sites for vulnerabilities. This makes unmanaged and outdated WordPress sites highly vulnerable and the perfect target for attackers.

Exploit methods depend on the attack, but once an attacker compromises a site, any number of results can go unnoticed. Infecting a site with malware such as ransomware is immediately noticeable, but many attackers instead use hacked WordPress sites to add hidden content or implement conditional redirects. They do this by gaining access to the database or by editing files such as .htaccess when those aren’t properly secured. With hidden content, the attacker might inject links into the database so that every article returned to the browser includes links to malicious sites. The reader doesn’t see the links, but search engine crawlers parse them when they index the page. Google refers to this as “cloaked content,” and it can result in a manual action and potential blacklisting from their search index.

Hidden content can also carry malicious scripts, such as cross-site scripting (XSS) payloads, that could be used to take over accounts, including the site administrator’s, giving an attacker full control of the site. JavaScript and CSS could be used to redirect users or alter content to trick them into divulging sensitive information. Conditional redirects send a user to an attacker-controlled site where they can be phished or tricked into downloading malware onto their device.
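The two symptoms described above, cloaked links that readers never see and redirects that only fire for some visitors, are both things a site owner can look for before any cleanup. The following is an added example for this article, not code from the post or from Imunify360: one function walks page HTML and reports external links that sit under an element hidden by inline CSS or the `hidden` attribute, and a second reads an .htaccess file and reports a `RewriteRule` to another host that is guarded by a `RewriteCond` on the visitor’s user agent, referrer or address. The list of hiding styles, the host names and both sample inputs are constructed assumptions for illustration.

```python
"""Added example, not code from the Imunify360 post: flag cloaked external links in
page HTML and conditional redirects in .htaccess so a site owner can review them.
All sample inputs below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic list of CSS fragments used to keep injected content out of sight.
HIDING_STYLES = ("display:none", "visibility:hidden", "font-size:0",
                 "opacity:0", "left:-", "top:-", "text-indent:-")
# Elements that never get a closing tag, so they must not touch the nesting stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}


def _is_hiding(attrs):
    style = re.sub(r"\s+", "", (attrs.get("style") or "").lower())
    return "hidden" in attrs or any(frag in style for frag in HIDING_STYLES)


class _HiddenLinkCollector(HTMLParser):
    """Collect external <a href> targets that sit inside a hidden element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []          # one bool per open ancestor: does it hide content?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in VOID_TAGS:
            self.stack.append(_is_hiding(a))
        if tag == "a" and a.get("href"):
            host = urlparse(a["href"]).netloc.lower()
            # Relative links have no host; same-host links are the site's own.
            if host and host != self.site_host and any(self.stack):
                self.hidden_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_links(html, site_host):
    """Return external link targets hidden from readers but visible to crawlers."""
    parser = _HiddenLinkCollector(site_host)
    parser.feed(html)
    parser.close()
    return parser.hidden_links


# A RewriteCond on who the visitor is, followed by a RewriteRule to another host,
# is the shape of a conditional redirect.
_COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER|REMOTE_ADDR)\}", re.I)
_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)


def find_conditional_redirects(htaccess_text, site_host):
    """Return (line number, target URL, conditions) for rules that send some visitors off-site."""
    findings, pending = [], []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        if _COND.match(line):
            pending.append(line.strip())
            continue
        if line.strip().lower().startswith("rewriterule"):
            m = _RULE.match(line)
            if m and pending and urlparse(m.group(1)).netloc.lower() != site_host.lower():
                findings.append((lineno, m.group(1), pending))
            pending = []     # conditions only apply to the next RewriteRule
    return findings


# Constructed sample page for example.com: visible links plus two cloaked external ones.
SAMPLE_HTML = (
    '<p>Great article. <a href="https://example.com/about">About us</a></p>'
    '<div style="position:absolute; left:-9999px">'
    '<a href="http://pharma.example/buy">cheap pills</a></div>'
    '<span hidden><a href="http://pharma.example/more">more</a></span>'
    '<p><a href="http://partner.example/">Visible partner link</a></p>'
)

# Constructed .htaccess: the WordPress front-controller rule is normal; the
# referrer-conditioned rule sends visitors arriving from search engines to another host.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect.example/land.php [R=302,L]
"""

if __name__ == "__main__":
    print(find_hidden_links(SAMPLE_HTML, "example.com"))
    for lineno, target, conds in find_conditional_redirects(SAMPLE_HTACCESS, "example.com"):
        print(f".htaccess line {lineno}: redirect to {target} when {conds}")
```

Both functions only report; they change nothing, which matters because the same page later explains why blindly deleting injected content can break a site. Run `find_hidden_links` over each post body pulled from the database and `find_conditional_redirects` over every .htaccess under the web root, then review the hits by hand.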

The WordPress CMS is a target for several attacks, but the aftermath for a site owner can be devastating to the business.

  • Blacklisting & removal from search engine indexes. If search engines detect that malware or malicious content is hosted on the site, it can be blacklisted and removed from search engine indexes. After a site is removed from the index, organic search traffic is cut to a fraction of what it was before. For a site that relies heavily on search traffic, this can cripple the business.
  • Malware often breaks sites, and the broken pages aren’t always immediately noticeable to the site owner. These pages could also break when crawled by search engine bots, which hurts ranking. If the site owner does not have monitoring set up to detect server errors, then these broken pages could go unnoticed for weeks.
  • If an attacker can inject malicious content, a site subject to compliance requirements could also face hefty fines for violations. As users discover that the site hosts phishing content, it could be reported to regulatory bodies. The site owner eventually learns of these issues from their own reports, but by then fines may already have been assessed.
  • Any attack that works with requests or server resources will affect performance as more resources (e.g., CPU and memory) are used to handle additional requests and processing. Because shared hosting involves several sites on one server, this effect could also cause performance issues on other customers’ sites.



Manually Removing Malicious Content

Site owners’ first attempt at remediating the issue is usually to remove it manually. When attackers exploit vulnerabilities, the content injected into site pages is often hidden and usually stored in database tables. This means that a full scan of both the site files and the database should be performed. For sites with thousands of posts, this could mean searching for a single malicious script across thousands of records. If files are infected, the cleanup could involve thousands of compromised files.

  • Simply deleting content from files or the database isn’t an option. In many malware cases, an attacker modifies existing file contents. Should you manually remove this content, it could break the code and result in errors on the site. Manually deleting malicious content from database tables has the same potential effects and could also break the data that renders in the user’s browser.
  • Malware is often stealthy, so an additional issue is finding the injected code. It often co-mingles with and masquerades as legitimate code, so it’s difficult to detect. For example, hacked sites often have hidden links to pharmaceutical sites. This hack is commonly called the “pharma hack.” The goal for attackers is to hide links in legitimate content so that they aren’t easily detected. Even if you find malicious content, you could miss other injected content, meaning your site is not completely clean and still serves malicious code. The same can be said for content hidden in database tables.
  • Because sophisticated attacks are competently hidden, it takes a professional who knows how to find hacked content. Most small website owners do not have the funds or resources to remove hacked content themselves, so they need to hire a professional to go through the site and find it. This can be expensive for a small site owner, and it could take weeks for the site to be fully cleaned of malware.
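The file side of the problem described above, thousands of files with injected code co-mingled with legitimate code, becomes tractable when a record of what the files looked like while the site was known-good exists. The following is an added example for this article, not code from the post or from Imunify360: it hashes every file under the web root into a manifest, stores that manifest outside the web root, and later diffs a fresh manifest against it to list added, removed and modified files. Nothing is deleted; the output is a short review list, which is the point the text makes about not removing content blindly. The miniature WordPress-like tree, the injected line and the dropped file are all constructed in a temporary directory for the demo.

```python
"""Added example, not Imunify360 code: a SHA-256 manifest of the site tree taken while
the site is known-good, diffed against a fresh one, narrows "which of thousands of
files changed?" to a short list for review. The site tree below is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative, forward slashes) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest, out_path):
    """Store the baseline outside the web root (ideally off the server) so an attacker
    who edits site files cannot also edit the record of what they looked like."""
    Path(out_path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(in_path):
    return json.loads(Path(in_path).read_text())


def diff_manifests(baseline, current):
    """Report added, removed and modified paths between two manifests."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Build a tiny WordPress-like tree, baseline it, simulate an infection, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"            # constructed web root
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (site / "wp-includes" / "functions.php").write_text(
            "<?php function wp_hello() { return 'hi'; }\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed stub")

        baseline_file = Path(tmp) / "baseline.json"   # outside the web root
        save_manifest(build_manifest(site), baseline_file)

        # Constructed compromise: a line appended to a core file (co-mingled with
        # legitimate code) and a new PHP file dropped into the uploads directory.
        with open(site / "wp-includes" / "functions.php", "a") as fh:
            fh.write("/* constructed injected line */\n")
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php /* constructed dropper */\n")

        return diff_manifests(load_manifest(baseline_file), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Taking the baseline right after a clean install or update, and again after every legitimate plugin or theme change, keeps the diff small; anything in `modified` under core directories or in `added` under an uploads directory is a candidate for the manual review the text describes.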


Using Imunify360 to Ensure Linux Server Security

To combat these attacks, shared hosting providers will find that Imunify360 stops many of the common WordPress (and other CMS software such as Drupal and Joomla) vulnerability exploits before they can be used to inject malware.

Imunify360 combines a diverse set of features that protect the server from all sides: tight integration between its DB and Real-time Malware Scanner with reliable cleanup, a Web Application Firewall (WAF), and Proactive Defense, which together leave attackers no chance to exploit vulnerabilities and upload malware to the server. For sites already compromised, Imunify360 will detect and clean up malicious injections and web shells from both files and databases, keeping websites operational.

Imunify360 offers other benefits:

  • Avoid having your IP blacklisted. Imunify360 keeps your server IP’s reputation clean with search engines such as Google and Bing, and prevents outgoing spam sent by bad actors who install email malware on your server.

  • Get full security automation. Imunify360 provides a comprehensive command-line interface and API for advanced control, incident management and configuration.

  • Receive fewer support tickets. As a hosting provider, you try hard to help website owners experience fewer problems. Imunify360 will handle security issues so that customers can focus on their business and forget about monitoring malware on their website.

  • Lower CPU usage. Imunify360 provides inbound traffic filtering to block denial-of-service (DoS) attacks, vulnerability exploitation and server scanning from bad bots, bad actors, and malicious services. These requests increase load on the server, but Imunify360 mitigates attacks and leaves the server CPU to handle legitimate requests.

  • Stop worrying about clients upgrading their software. Imunify360 has your back, so even outdated WordPress installations are still protected.

Try the Imunify360 security suite free for 14 days and forget about malware on your servers.
