There are a lot of malware scanning services out there that will report any malicious code associated with your website. Some malware services will only report the problematic malicious code, and other services such as Sitelock provided by Acmetek Global Solutions take malware scanning to the next step and will actually remove the malware from your website automatically.
If you do not have Sitelock then you will have to manually remove the code yourself. Hopefully this article can help enlighten admins on the general idea of what to search for when manually removing the code to secure your website.
Here is The Scenario…
You received a notification from a malware scanning service such as the Norton Malware Scan that comes with Symantec SSL Certificates, Rescan, Google Malware Checker, Qualys MD, etc.. it means that the scanner has found malware on one or more pages of your Web site. However, when you sign in to your supplied anti malware account, the “Malware requiring removal” section doesn’t show exactly what the malicious code looks like. The question that you ask yourself now is, “How am I going to find the malware and get rid of it?”
The malware code may look similar to one of the following examples listed below. Review the source code in the Web page and the database for any code that seems out of place or is of unknown origin.
Malware code could look like this:
- <script src=http://unknown-third-party-host.com/load.js ></script>
- <iframe src=http://unknown-third-party-host.com/loader.php ></iframe>…or have JavaScript that begins like this:
- <script>eval(xyz);……</script>
The majority of malware identified by malware scanning services will display in the “Malware requiring removal” will list the problematic code. However, there are some instances when it may not be possible to display the specific location of the malware. This will require you to pay special attention to the identified Web pages and analyze them carefully. When analyzing your Web site for malware, pay attention to the following key identifiers:
- Any code that opens 3rd party URLs.
- Uncommon or obscure JavaScript.
- Iframes that are set to “hidden” with dimensions set to zero.
- Iframes with a display status set to “none.”
- Note: Inline Frames (iframes) are windows cut into your Web page that allow your visitor to view another page on your site or off your site without reloading the entire page.
Procedure.
If your malware scanning service detects suspicious content on a page within your Web site:
- Note the identified page where malware has been found on.
- Examine your webpage source code and database for code that seems out of place or is of unknown origin.
- Open the page in your development environment. Find and delete the malware code. Save your changes.
- Repeat this process for all identified occurrences.
- After you have removed any code out of the ordinary rescan your website to insure that the code has been removed.
When the scan is complete, the results will be posted to your malware service provider account. If additional malware is found, you will receive an email notification typically.
Tips
- Identify the malware by comparing the current webpage to an earlier version or a baseline image.
- If your domain is a dynamic web application that is supported by a backend database, it may not be possible to find the malware in the web application code itself. Instead, check the database or examine the HTTP logs for signs of unfamiliar SQL.
- If neither the web code nor the database exhibits signs of uncommon code then it may be necessary to look for signs of spoofing.