Identifying, Removing, and Preventing Malware on Your Hosting Server
Malware is short for malicious software. It's a catch-all term that describes harmful applications or other malicious code such as adware, spyware, trojan horses, worms or viruses.
Malware comes in many forms, from an unwanted ad reappearing on your site to an executable file that infects visitors who click on it. Telltale signs that your site is infected can include unexplained ads, links or pop-ups, but some malware can have no noticeable effects at all.
Your best defenses against malware are staying current with third-party application patches and using strong server passwords. When checking for the presence of malware, be sure to check the code residing on your server and not your backup files. Always use a virtual machine for verification to avoid infecting your own computer.
We cannot assist you with removing malware from your server. Consider taking your site down immediately to prevent infecting visitors, and take action quickly to identify/remove it.
If you think you're having an issue with malware, change passwords that would be affected such as FTP or database passwords. Then use these guidelines to identify the problem.
Always use a virtual machine to test for malware to prevent infecting your own computer. To get accurate results, test your currently-live code from your hosting server and not your backup files.
Check Google SafeBrowsing diagnostics. Visit http://www.google.com/safebrowsing/diagnostic?site=www.example.com and replace www.example.com with your site.
Test all downloadable software posted on your site. Software downloads can pass on malware. Even if you developed the software, it might have been altered by a hacker.
Test all links from your site. Make sure they do not go to sites containing malware.
- Search for unknown links or links to executables such as .exe, .bat, .cmd, .scr, or .pif.
- Use a link-checker software to scan all links in your code.
Check the ads on your site. Malware can be distributed through ads on your site. Identify these with a link-checker software and research your ad partners on the Internet to see if others have had similar problems.
Check all user-posting areas of your site. Scan all links with a link-checker.
Be alert to hacking attacks. Injection (inserting code or executables onto your Web pages) is a common method of hacking that exploits a security vulnerability to introduce harmful code, so look for code you didn't add.
- Look for invisible frames. They are virtually invisible because of their size, and are usually placed at the very top or bottom of the source code. Search for iframe tags with height=“0” width=“0”.
- Look for strange code. A common way to hide malware is hiding it with encoding or encrypting:
- Encoded code uses hex or unicode/wide characters. Look for strings of percent signs (%) followed by two characters (e.g. %ww%xx%yy) or \u followed by 4 characters (e.g. \u9900\u1212\u8879).
- Encrypted code is harder to find because there are no set patterns. Most Web syntax is based on English words, so most of your code should be somewhat readable. Look for large sections of code that are completely unintelligible blocks of letters, numbers, and symbols.
Download your site's files to a virtual machine and scan them. Avoid infecting your own machine by using a virtual machine, and scan using anti-virus and anti-spyware programs.
If you discover you have malware, use these suggestions to remove it from your site.
Remove all links to malware sites from your site.
Remove infected software. Do not offer it again until you are sure that it is not infected. If you created the software, use malware prevention sites to learn guidelines for software compliance.
Remove malware-infected ads. If you use an ad network, you might need to remove all of the network's ads until you are certain that the network is clear. You might also contact your ad provider.
Edit or remove user-generated posts where malware is present.
If you think your site has been hacked, use the following guideline to resolve issues and get back online.
- Take the site offline to avoid putting site visitors and customers at risk.
- Remove all offending code. This is only effective long-term in conjunction prevention.
- Fix underlying security vulnerabilities to prevent future attacks.
- Check for and remove "back doors" left by the hacker. A back door allows the hacker future access even after you secure the site.
- Check for and install updates, and research the software you are using to find out if other users have been affected.
Some features in this article are only available in the full version of SiteLock. For more information on how to upgrade, see .
Prevention is the most important tool against malware. Follow these guidelines to save time, effort, and trouble in the future.
Use a daily site scanning utility. Vulnerability scanners, such as SiteLock, can detect vulnerabilities that a hacker could potentially exploit.
- Scan your site daily, even if you haven't updated your site.
- Correct vulnerabilities immediately. SiteLock provides specific steps you should take to correct vulnerabilities.
Check all software before making it available for download. Scan all software before offering it and if you are a software developer, consider a Code Signing Certificate to protect your code from being altered.
Use only reputable ad providers and monitor them regularly. Make sure your ad providers are currently malware-free and that they scan regularly for malware from advertisers. Use Internet searches and review sites to check out new partners for previous or current problems.
Use strong passwords. For guidelines on creating a password see Generating a Strong Password.
Use FTP-SSL, if available. To check your hosting server for FTP-SSL availability and to connect using FTP-SSL, see Connecting to Your Shared Hosting Account with FTP-SSL.
Keep everything up to date. Install the latest available version and all available patches for third-party software on your site. This is integral to preventing malware, because if the software you use has a security vulnerability, then your site is also vulnerable.