PHP Developer & IT Business Analyst

Detecting and Removing Malicious Codes

May 3, 2013By Faraz Ahmed0 Comments

If you have been doing web development for a while, then you must have encountered malicious codes in your or your client’s website. I’ve seen many novice programmers removing the malicious code from the website and then immediately changing the FTP and web hosting passwords, thinking that the website won’t get hacked again, only to find out in a few days that it has been hacked again.

Yes, in rare cases, it’s possible that the FTP or web hosting account might have been compromised, and it’s good to run an antivirus scan to get rid of any malware on your PC, but most of the times the malicious code injection has to do with your website security. But we will come to that part later. This post is about how we can detect the file where the malicious code is present and remove the code successfully, because sometimes it’s not as straight forward as it sounds, as I’ve recently experienced in one of my clients’ website, and I’ve written that experience below.

Normally the malicious code is removed by just opening the source code of the file where it is present and uploading the file back. It could be in one file, or in many files, in which case, we can do a site wide search and remove all the codes.

But what if you can’t find the malicious code in any of the files? If your website is database driven, which it was in my case, then the next obvious step would be to check the database.

Now what if you don’t find the malicious code in the database either? What will be your next step? I bet most of the developers will just upload the last clean backup they have, which will definitely fix the issue, but the challenge is to find the infected area of the website, so we can secure it from the future attacks.

The best thing to do in the above scenario is download all the files on the website and compare them with the clean local copy with some file comparison tool. This will definitely tell you which file have been changed, and then you can open that file and spot the code that has been changed or added. In my case the hacker has added ‘file_get_contents’ function of PHP to include the malicious code from an external link. That’s why when I searched for the same malicious code in the website files, I couldn’t find it.

You could have also just checked the last modified date of all the files and only downloaded the file that has been changed recently? Some of you might say. Yes, you are correct and I tried that, but what if I tell you that the last modified date of all the files was of two years ago, the time when we first uploaded the website?

How’s that possible? After a quick Google (God Bless Google!) search, I found that there’s a PHP function called ‘touch’ which sets the modification time of any specified file, and which is most likely what the hacker used to set the time back. Very clever…

After removing malicious codes from all the files, make sure that there are no extra files that have been placed by the hacker to gain access to your website again after you remove the malicious codes. The names of those file could be very innocent looking, like “License.php”, “Copyright.php”, etc, so they are very easy to skip, but again you can use a comparison tool to find difference between two folders. WinMerge is a pretty good tool for this purpose, as it can be used for both file and folder comparisons.

In some cases, when I don’t have the original backup of a website, I download all the files and search for the following keywords:

  • \x
  • eval
  • base64
  • file_get_
  • multipart/form-data
  • move_uploaded_file

If you find any of the above keywords in any of the files, analyze the code of that file and see if that file did something funny. For example, a hacker could have placed a file upload script to upload remote files to your website, but you can spot it by searching for ‘multipart/form-data’ and ‘move_uploaded_file’ keywords. If a file is encoded, you can spot it using ‘base64_decode’ keyword to check if the encoded data contains a malicious code.

I hope you enjoyed the article and learned something new. Please tell me in the comments below how you go about detecting and removing malicious codes from your websites?

Leave a Reply