How to check a site for malware
If you have a client freaking out because their website seems to be hacked, you are probably looking for answers – fast.
Don’t panic! We’re going to show you how to check a website for malware infections and what to do when you find one.
Remote website security scan
You can use tools that scan your site remotely to find malicious payloads and malware locations. Remote scanners are limited, but they can offer some quick answers. We recommend using Sucuri SiteCheck as a first step.
Visit the SiteCheck website at sitecheck.sucuri.net and click Scan Website.
If the site is infected, review the warning message to look for any payloads and locations.
You can click More Details at the top to review the iFrames, links, scripts, and embedded objects to identify unfamiliar or suspicious elements.
If you have multiple websites on the same server, we recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections. We encourage every website developer to isolate their clients’ hosting and web accounts.
Recently modified files on the site
If you’ve gotten the dreaded 2 a.m. call from a client wondering why their site is acting up, it’s likely that something recently changed.
Using terminal commands on the server can help you quickly check recently modified files:
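- Type this command in your terminal (the example inspects /etc; substitute the directory you want to check, such as the site's document root):
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
- If you want directories included in the listing as well, type in your terminal:
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r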
- Unfamiliar modifications in the last 7-30 days may be suspicious. We have even seen malware go unnoticed for over a year.
Check Diagnostic Pages
If your website has been blocklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your website. If you haven’t signed up for any free webmaster tools, we highly recommend that you verify all your clients’ sites to keep track of any issues.
Also check the site's database for injected script tags.
Using the Hub by GoDaddy Pro
It’s free to sign up for The Hub by GoDaddy Pro, and you can add your clients’ sites to the free tools including backups and security scans.
Just create a free account, select Sites from the main navigation menu, and add your client’s site.
After adding a site to The Hub you can activate and then run the Security Check, which will scan the site for malware and known vulnerabilities at no cost.
Cleaning a hacked site
If you are comfortable, there are some steps you can take to clean up a client’s site on your own.
However, if you are not familiar with editing database tables or website files, please seek assistance from a professional.
Always make a backup before attempting any major changes.
While we’re on the subject, we don’t recommend restoring a backup to get rid of a hack. Often, hackers will infect a site and leave backdoors sitting idle for weeks or months before they actually use the site for anything malicious. In other words, you could restore a backup, only to get reinfected the next day because a backdoor is already present in that backup.
One quick fix that can solve a lot of issues is to replace the core files for your content management system. If you know how to do this, it can overwrite any files that have been modified by attackers.
You can also use any clues from the previous sections to find payloads, backdoors, and recently modified custom files to restore them to a known clean state.
For more information, check out the guide linked in the description.
Finally, you want to make sure you get rid of any backdoors installed by the attacker. Hackers always leave a way to get back into your site. More often than not, security analysts find multiple backdoors of various types in hacked sites.
Often, backdoors are embedded in files with names similar to core files but located in the wrong directories. Attackers can also inject backdoors into configuration files and into the directories for your themes, plugins, and uploads.
The Sucuri guide has even more details on common backdoor PHP functions that you can search for.
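As an added example (not from the original article or from Sucuri), the script below combines the recently-modified-files check from earlier with the note above about backdoors in uploads directories. The 30-day default, the "uploads" path and extension heuristic, and the sample directory names are assumptions; it requires GNU find and touch.

```shell
#!/bin/sh
# Added example, not from the original article. Needs GNU find (-printf).
# Assumptions: the 30-day default window and the "uploads" path/extension
# heuristic are illustrative; adjust both to the site being reviewed.

# recent_changes ROOT [DAYS]: regular files under ROOT modified within the
# last DAYS days, newest first, one "date time path" line per file.
recent_changes() (
    root=$1; days=${2:-30}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 2; }
    case $days in ''|*[!0-9]*) echo "DAYS must be a number" >&2; exit 2;; esac
    find "$root" -type f -mtime "-$days" \
        -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
)

# recent_scripts_in_uploads ROOT [DAYS]: the subset of recent changes that are
# PHP files inside an uploads directory, where only media is expected.
recent_scripts_in_uploads() (
    root=$1; days=${2:-30}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 2; }
    case $days in ''|*[!0-9]*) echo "DAYS must be a number" >&2; exit 2;; esac
    find "$root" -type f -mtime "-$days" -path '*/uploads/*' \
        \( -iname '*.php' -o -iname '*.phtml' \) -print | sort
)

# Constructed sample tree so both functions can be tried offline.
demo() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/site/uploads" "$d/site/includes"
    : > "$d/site/index.php"
    : > "$d/site/uploads/photo.jpg"
    : > "$d/site/uploads/photo.php"
    : > "$d/site/includes/version.php"
    touch -d '90 days ago' "$d/site/includes/version.php"  # outside the window
    recent_changes "$d" 30
    echo "--- recent scripts in uploads:"
    recent_scripts_in_uploads "$d" 30
    rm -rf "$d"
)
demo
```

Anything the second function prints still needs manual review against a known clean copy of the site before it is removed.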
Using GoDaddy Security
A solution such as GoDaddy’s Website Security, powered by Sucuri, runs daily security scans automatically.
After you set up Website Security, it will automatically scan the website every 12 or 24 hours based on the scan frequency that you set.
If you are concerned that the site is currently infected, you can prompt Website Security to re-scan, which usually takes less than 10 minutes to complete.
If Website Security detects any problems in the scan, you’ll receive an email notification along with next steps to fix the site.
Whether you handle website security for your clients or use a third party, it’s important to have a plan.
Don’t wait until you get that call from a distressed client to start thinking about website security. Get a plan in place early, so you and your clients can breathe easier.