Antivirus scanning on the hosting platform

Malicious actors are constantly trying to install harmful code on other people's sites. This code is used for activities such as: sending spam, network attacks, further infection of other people's resources. This often happens because of FTP and hosting control panel password theft, as well as vulnerabilities in popular CMS: WordPress, Joomla!, Drupal.

Such activity cybercriminal activity interferes with the normal functioning of both your sites and the sites of other clients. Therefore, the hosting platform automatically scans new files for malicious code several times a day. If the code is detected, measures are automatically taken to remove it, and a corresponding notification of the following form is sent to the client:

FILE HIT LIST:
{HEX}php.base64.v23au.186 :
/var/www/example/data/www/example.com/administrator/modules/xml.php
=> /usr/local/maldetect/quarantine/xml.php.2618924006
{HEX}php.base64.v23au.186 :
/var/www/example/data/www/example.com/administrator/modules/mod_multilangstatus/dir56.php
=> /usr/local/maldetect/quarantine/dir56.php.104017012
{HEX}base64.inject.unclassed.7 : /var/www/example/data/www/example.com/index.php
=>
/usr/local/maldetect/quarantine/index.php.1993330613
{HEX}php.base64.v23au.186 :
/var/www/example/data/www/example.com/components/com_contact/controllers/login.php
=> /usr/local/maldetect/quarantine/login.php.2603530476
{HEX}base64.inject.unclassed.7 :
/var/www/example/data/www/example.com/includes/framework.php
=> /usr/local/maldetect/quarantine/framework.php.260901782

What to do if you find malicious code on your site?

Unfortunately, simply removing malicious code is not enough. It is necessary to take measures to prevent re-infection of your site: since this procedure is automated for attackers, «reinfection» can occur quickly. That's why:

• The customer should assign new strong passwords for access to FTP and hosting control panels, as well as take measures to ensure that these passwords are not compromised. In particular, they must be unique, for example, not the same your email passwords. Do not write down passwords in popular FTP clients: their system for storing this kind of confidential data is very unreliable.
• The second important step is to update the CMS on the site to the latest version in order to eliminate vulnerabilities. The developer’s website will contain information on how to do this. It is also important to update not only the CMS itself, but also all extensions, add-ons, themes, etc. installed in it.
• Customers are advised to update the CMS regularly. On the one hand, this helps avoid infection in principle, and on the other hand, updating between minor versions creates fewer problems and helps the system run more smoothly. While older CMSs (for example, those that are more than a year old) are a good target for attackers, updating a CMS is much more likely to cause problems.

After all the necessary measures have been taken, you should notify the SIM-Networks support service. This is important, because otherwise, in the absence of any feedback from the client and the identification of incidents of re-infection, the operation of the site may be suspended.

The scanner may have false positives, i.e. situations where legitimate code can be mistaken for malicious code. This happens happens when developers use various measures to protect their intellectual property. In this case, you need to contact the support service and explain what these files are for. They will be restored and added to the exclusion list.

Did you like the article?