• GoDaddy Community
    sword
    Apprentice

    How to find malicious scripts on server

    Hi,

    My shared hosting server has a malicious script that will make my domains show a blank page. For sites in HTML, an index.php is maliciously added. This is causing the blank screen. When I delete these files from all my domains, everything returns to normal. But it will reappear within one hour across all the domains again, causing the blank screen to show again. There is some script somewhere that starts the whole process over again. Any suggestions? Thanks

    5 REPLIES
    Pro Community Founder Journeyperson
    Solution

    Re: How to find malicious scripts on server

    @sword - sorry to hear you got hacked. It sounds like you are running a number of different sites under one account which can prove problematic if you get hacked, because the different sites are all accessible under the root directory. You'll have to go through all of your sites to find the malicious script(s), or you'll just keep getting hacked.

    You didn't mention what kind of sites you are running. I'm going to assume that at least one of them is WordPress because it is such a popular target for hackers.

    First I would change the password on my GoDaddy account, and make sure to use a secure one. I recommend using a site like http://strongpasswordgenerator.com.

    If you are running WordPress, replace wp-admin and wp-includes directories with clean versions. Replace the core WordPress files in the root of the site with a clean version as well. Change the password on your WordPress database. Change the password on your WordPress account, and make sure not to use Admin as your login name.


    If your site is functional, use a plugin like WordFence or Anti-Malware Security and Bruteforce Firewall to scan and clean the site. If your site is not working, you'll need to go through your wp-content directory looking for malicious files. Look for php files in upload directories where they shouldn't be. Look for files that have suspicious file names. If you have the technical skills to ssh into your site, use grep to search for strings that include exec or base64.

    One of the most common ways hackers get into sites is through vulnerabilities in the coding. If you are writing your own code on your site, make sure to use best practices to avoid SQL injections or cross site scripting. If using WordPress, ALWAYS keep plugins, themes and WordPress core files updated. New updates are released all the time, many addressing newly discovered vulnerabilities which hackers are quick to exploit.


    Here are links that can help you clean up WordPress sites:
    https://codex.wordpress.org/FAQ_My_site_was_hacked
    http://www.wpbeginner.com/beginners-guide/beginners-step-step-guide-fixing-hacked-wordpress-site/


    Good luck!

    Doc


    Need some help with WordPress? Check out Site Doctor 911
    Worry-Free WordPress Support - So You Can Focus On The Important Stuff
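An added example, not part of this thread or of any product mentioned in it: a small Python scanner that automates the checks Doc describes (PHP files sitting under upload directories, an index.php dropped beside static HTML pages, and PHP files calling eval, base64_decode, exec and similar). The function list and directory names are assumed heuristics, and the mini docroot it scans is constructed inline so it runs offline.

```python
import os
import re
import tempfile

# Assumed heuristics a defender greps for when hunting dropped PHP files (not from the thread).
PHP_EXT = (".php", ".phtml", ".php5")
CALLS = re.compile(rb"\b(eval|assert|base64_decode|gzinflate|str_rot13|exec|shell_exec|system|passthru)\s*\(", re.I)
UPLOAD_DIRS = {"uploads", "upload", "cache", "tmp"}

def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) pairs worth a manual look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_upload = bool(UPLOAD_DIRS & set(rel_dir.split(os.sep)))
        has_html = any(f.lower().endswith((".html", ".htm")) for f in files)
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if in_upload:
                findings.append((rel, "php file inside an upload/cache directory"))
            if name.lower() == "index.php" and has_html:
                findings.append((rel, "index.php dropped beside static html pages"))
            with open(os.path.join(dirpath, name), "rb") as fh:
                m = CALLS.search(fh.read())  # first suspicious call, if any
            if m:
                findings.append((rel, "calls " + m.group(1).decode().lower()))
    return sorted(findings)

def build_sample_site():
    """Constructed mini docroot mirroring the thread's symptom; returns its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    files = {
        "site1/index.html": b"<html><body>static site</body></html>",
        # the injected file from the thread: index.php beside plain html, obfuscated (placeholder payload)
        "site1/index.php": b"<?php eval(gzinflate(base64_decode('PLACEHOLDER'))); ?>",
        "site2/wp-content/themes/t/functions.php": b"<?php function t_setup() { return 1; }",
        "site2/wp-content/uploads/2019/img.php": b"<?php echo base64_decode('aGVsbG8='); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, reason in scan_tree(build_sample_site()):
        print(f"{path}: {reason}")
```

Every hit is a candidate for manual review, not proof of compromise; legitimate plugins also call base64_decode, so compare flagged files against a clean copy of the same version.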
    OHYSA
    Novice

    Re: How to find malicious scripts on server

    Are there similar tools for Joomla sites? Several of the pages on my site are being reported as having malware by Chrome.

    Pro Community Founder Journeyperson

    Re: How to find malicious scripts on server

    @OHYSA - sorry to hear that!


    I am a WordPress specialist, so I have tons of experience cleaning people's WordPress installations, but very little experience with hacked Joomla! sites.


    However, having said that, both types of CMS run on a foundation of PHP, so de-hacking takes a similar approach and will use similar tools. I found this article for you that will give you a good start: https://www.bluebridgedev.com/hacked-joomla-files


    A search on Google will turn up more information.


    Cleaning up a hacked site is a time-intensive and laborious task - good luck!


    Cheers

    Doc

    Moderator

    Re: How to find malicious scripts on server

    Hey @OHYSA,


    Some great advice from @SiteDoctor! I just wanted to give another reference from one of our help articles that has some good suggestions to help you Identify and Remove Malware from your site content.


    Hopefully this all helps you in fixing up your site. Do keep us posted on how it works out for you. 


    CG - GoDaddy | Community Moderator
    24/7 support available at x.co/247support
    SporkSchivago
    Proficient

    Re: How to find malicious scripts on server

    I'm sorry for the delayed response, I just read your message, but is this problem fixed?

    You don't mention if you're running Linux or if you're running a Windows server. Either way, you need to do two things. One, as you've already mentioned, is finding the malicious script. The second is finding how it got there (or how the hacker got into your machine).

    For my Linux system, I have some programs installed that help with this. There's rkhunter and chkrootkit. They're free programs that scan for rootkits. There's clamav, which is a free Linux anti-virus program; although this might not help right now, it might be a good idea to install it. It'll scan for Windows viruses and malware on your Linux box, in case someone uploads something that they shouldn't have.

    There's csx, which costs money. You can download and install ConfigServer Firewall (CSF), which will help prevent future hacking attempts. I highly recommend CSF. There's an option to have it scan your server and provide some hardening suggestions. For example, when I have CSF scan my server, I receive a message that ini_set is enabled for PHP. This is a security weakness and I should consider disabling ini_set. CSF might give you some clues as to how someone got into your server.

    Generally, a hacker (and I use the term hacker real loose like here) will scan your server looking for services on your machine and try to find weaknesses. They might use a program like Nessus to scan for weaknesses. Then, they'll try to exploit one of those weaknesses. They might use a program like Metasploit to exploit a weakness. There are programs that can detect these scanners and block them. One of the more popular ones is ModSecurity. If you don't have ModSecurity installed and configured, you should do that.

    Another thing to consider is having a security website scan your server. One of the free ones that I use is Scan My Server from BeyondSecurity ( https://scanmyserver.com ). For free, it'll scan my server once a week. If I pay money, I can have it scan my server more often. If you're going to sign up for a free account, I suggest either signing up and scanning your server before you set up and configure ConfigServer Firewall and ModSecurity, or whitelisting the IP addresses that Scan My Server uses so CSF and ModSecurity don't block the scanning attempt.

    Remember, you want to let the security scanning software through your firewall and security software on your server to find exploits. With the Scan My Server website, you should have it scan your server, regardless of whether you're running Windows or Linux. If it were me, I'd create the free account and have it scan my server first, to figure out if your server has any exploitable services, how the hacker might have gotten in, and work on patching that first. If you're concentrating on finding the malicious script first, and the hacker has found a way to get into your machine (and it sounds like they have), who knows what else they might do while you're working on removing the malicious software? They might be setting up back doors or downloading your shadow password file, etc. I'd concentrate on finding out how they got in and fixing that first, then work on undoing the damage they did.

    If you go this route, please feel free to copy the contents of the security report and post it here, but please remove any domain names / IP addresses, etc. first. That way, if someone sees the report and you have some exploitable service installed or the scanner detected a backdoor, you don't have to worry about people reading the report and trying to get into your server. If you want, you can send me a copy of the report via a private message and I can help remove the content.

    I hope this helps.