Websites and domains!
I recently had to help my favorite club remove some malware from their website. My club's site, the Starfleet-command Quadrant One website, was one of those sites that didn't see this coming. As a website owner, I've seen many things come and go, but experience has taught me that it will always come back. I will be watching for this again in the near future, but hopefully it won't come back!
The back story is something I have to at least talk about, because it is how the site got infected.
One reason this site got infected was that it was hosted on the same hosting server. They were both using a GoDaddy shared hosting account to display their web pages or forums on the internet, and GoDaddy, in their infinite wisdom, tried to explain it away as that. I don't know if I buy that reason or if something else might have been the culprit, but I do know this website had URL redirects and the like pointing to malware sites. I would much rather stay with HostGator than have GoDaddy anyway.
Another reason is that it was probably some kind of key logger, or something else that was sending the important password information back to a command and control server, so that the website owner, or someone in the organization who had access to the account, was infected and unintentionally allowing a hacker to gain access to the website.
Removing the Malware off your Site!
Nothing in the world is ever going to be easy, but it is necessary to get into the guts of the website. You're probably thinking websites don't have guts. You'd be wrong: when I thought about having to go through each part of the code and remove the HTML malware redirects, that is what I mean by guts. Many people will understand that as a programming language, but I like to think of it as a doctor doing surgery to remove an infected limb, or something like that.
So I'm going to give you a few areas to look at if you're having this problem with malware on your site or domain. It won't always be the same place for the same infection, but it will at least help you find it and remove it.
.htaccess — This is one place where they will first make changes to redirect traffic to the domain they want your visitors to land on. If you haven't had much experience with what it does, this is a good time to learn what these files do and how to use them.
index.php or index.html — This is something the hackers have learned to use, but it is most often overlooked. It is something I hadn't seen before until now. Certain browsers will display the virus or malware warnings, and others will not even see it or have any problems! See the example for more information, because I couldn't do a better job than them!
Check subdomains and subdirectories — This is something that also needs to be looked at. Even if they aren't showing signs of being infected, it is always a good idea to at least make sure they stay uninfected. Check them for the .htaccess and index code and remove what you need to, or change it to where it should have been going in the first place. I found the .htaccess redirect code in all of the subdomains and subdirectories on the site I helped remove the infection from.
Change ALL passwords — This is a MUST. If you've been infected, then your passwords are at risk of being the source of the infection. Change your FTP password, your login password, and anything associated with the site in question, and possibly the subdomain passwords as well.
Limit the number of people with the new passwords — If you're like me, you don't want too many people to have the FTP password, so you should consider allowing only a select number of people to have it. In the organization I'm in, they have people left and right who use it to upload files and other things that are needed. It also might be necessary to have a server that is used for nothing else but uploading files for publications and other things like that.
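A quick triage scan covering the first three areas above (.htaccess, the index files, and every subdomain or subdirectory under the webroot), added here as an example and not part of the original post. It flags lines carrying the kinds of redirect and injected-content indicators described so you know where to look first; the sample file contents and the malware.example host are constructed, and the webroot path is whatever you point it at.

```python
import os
import re

# Constructed example, not code from the original post. The patterns are common
# indicators of injected redirects and payloads; every hit still needs a human
# look, since legitimate sites also use RewriteRule and remote scripts.

# .htaccess: rules sending visitors off-site, especially ones keyed on the
# referrer (search-engine traffic) or the visitor's browser.
HTACCESS_PATTERNS = [
    re.compile(r'^\s*Redirect(Match|Permanent)?\s+.*https?://', re.I | re.M),
    re.compile(r'^\s*RewriteRule\s+\S+\s+https?://', re.I | re.M),
    re.compile(r'^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}', re.I | re.M),
    re.compile(r'^\s*ErrorDocument\s+\d+\s+https?://', re.I | re.M),
]

# index.php / index.html: obfuscated PHP, hidden iframes, remote scripts and
# meta-refresh redirects, which some browsers warn about and others do not.
INDEX_PATTERNS = [
    re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)', re.I),
    re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0', re.I),
    re.compile(r'<script[^>]+src\s*=\s*["\']https?://', re.I),
    re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']refresh', re.I),
]

def scan_text(filename, text):
    """Return the suspicious lines of one file's contents, in file order."""
    patterns = HTACCESS_PATTERNS if filename == '.htaccess' else INDEX_PATTERNS
    flagged = set()
    for pat in patterns:
        for m in pat.finditer(text):
            start = text.rfind('\n', 0, m.start()) + 1   # back up to line start
            flagged.add(text[start:].split('\n', 1)[0].strip())
    return [ln for ln in text.splitlines() if ln.strip() in flagged]

def scan_webroot(root):
    """Walk every level: on shared hosting, subdomains live in subdirectories."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn in ('.htaccess', 'index.php', 'index.html', 'index.htm'):
                path = os.path.join(dirpath, fn)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    findings += [(path, ln) for ln in scan_text(fn, fh.read())]
    return findings

# Constructed samples standing in for an infected site's files.
SAMPLE_HTACCESS = """RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\.
RewriteRule ^(.*)$ http://malware.example/landing.php [R=302,L]
"""
SAMPLE_INDEX = """<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>
<iframe src="http://malware.example/x" width=0 height=0></iframe>
<script src="/js/site.js"></script>
"""
```

Run scan_webroot('/path/to/public_html') and review each flagged line against what the file should actually contain; a referrer-conditioned RewriteRule to an outside host is the classic search-engine redirect described above.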
Nothing in this article is a must-do, and none of it will by itself get your site unblocked by Google and other search engines, but it will at least give you a place to start looking to find the culprit and maybe get your site running again quicker. I will not make any guarantees that this will fix the problem or solve it 100%, but it is meant as a tutorial on where to look and what you should do to prevent re-infection with malware.