Answer the question
In order to leave comments, you need to log in
What should I do if a malicious file is uploaded to the site?
Good afternoon.
The site was blocked by the hoster, the hoster unsubscribed that a malicious file was uploaded to the directory.
The file was deleted by me (the one that the hoster pointed to), the questions are the following - what is the algorithm for searching for other (if any) alien lines of code / files?
what is the fix algorithm? will it be enough to change passwords from ftp, sipanel, database and admin panel?
please do not unsubscribe with short answers like "see error_log" &
thanks!
Answer the question
In order to leave comments, you need to log in
1. Engine update. Security updates are regularly released to close holes in the functionality of the engine. If you do not install updates, you will be regularly broken.
2. Rights to folders 755, rights to files 644 and nothing else.
3. Different owners for different sites. If you make several sites under one owner, there is a risk of infection of all sites.
4. No left plugins from incomprehensible sites. Only off plugins and addons.
5. Analysis of site access logs. Ask the host when the activity started - and look at the POST requests to your site in the admin directory. Log analysis will allow you to install the attacker's IP address and vulnerability.
6. Download a fresh backup of the site to your computer and run it with an antivirus - almost any antivirus will find the simplest injections. Special recommendation - if you have a computer with Linux OS, use Maldet - focused on site security.
habrahabr.ru/post/194346
7. Make sure that there are no viruses on those computers from which you enter. Never save passwords in the browser and FTP clients.
8. No, changing passwords does not help if the malicious file was introduced through a vulnerability. It helps to comply with the above rules + use the current, regularly updated version of the engine.
9. Restrict access to the site admin panel, hosting control panel by IP address (that is, leaving the entrance only from your IP addresses) - God saves you.
The algorithm should consist in uploading a known clean copy and changing passwords. No one guarantees 100% detection of an infection.
How I do it on small sites (I don’t work with large ones, because it’s not my profile) - I just look at the date the files were created (you open FTP with something like TC and search by date). And then I read these files in detail.
when I had such a case, I downloaded the entire site on a computer with Windows and set Casper on it.
ps hoster is nonsense, it's worse if Yandex finds this....
Most likely, the ftp password was stolen by a virus in order to place someone else's advertising on your site. We had this, and after cleaning with changing the password to FTP, it did not happen again.
Searching for malicious code is a huge hassle if these are not explicit patterns.
It is necessary to look at the date of modification / access to files and search manually.
At the moment, there are ways to bypass antiviruses and all sorts of manuals when installing backdoors.
So the best way is to change passwords + upload the working database to a clean CMS.
If you have a free popular CMS like WordPress with a bunch of installed plugins downloaded from the Internet, then no matter how much you delete the files, they will still appear somehow. We must first decide where it came from. And of course, delete what you found. Also, just in case, change passwords and see what rights there are on your folders and whether anyone has the ability to write to your folders from nearby users. With cheap hosting or with the wrong construction of the provision of services, any user can record anywhere. I advise you to move to hostwell.net/ua/hosting-base where all users are completely isolated from each other by providing each with a personal file system.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question