Yesterday I cleaned up a site hosted on Bluehost. I will show you how I proceeded from malware identification to removal.
First, I did a quick look up on StopBadware’s Clearing House:
It reported three different links containing malware. I opened them in a VM, looked at the source code and confirmed the problem:
It was time for a full website inspection and clean up.
I got access to the cPanel admin account; unfortunately, SSH was not enabled (it isn’t by default, and you need to contact customer support to turn it on). So I went with FTP instead.
The thing with FTP is that you have to browse each folder by hand; you can’t run a script against the server.
The site being relatively small, I downloaded a local copy. This makes it easy to do all the work with whatever scripts and tools you have installed.
The code was found in almost all the ‘.php’ files (and there were a lot of them!):
A grep command was able to find all the files containing these pieces of code:
Before making any changes, I backed up each file with a ‘.bak’ extension. Each file was then disinfected using a sed command.
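The grep-then-backup-then-sed workflow described above, as an added example that is not part of the original post. The post does not reproduce the injected code, so the script uses a constructed marker string (`MARKER`) as a stand-in signature, builds a small constructed site tree to run against, and works only on a local copy of the site, as described earlier. Function names (`make_sample_site`, `find_infected`, `disinfect`, `count_infected`, `bre_escape`) are mine, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the site has already been
# downloaded to a local directory. MARKER is a hypothetical stand-in for the
# injected snippet; the real one is not shown in the post.
MARKER='eval(base64_decode('

# Build a small constructed site tree to run against (constructed sample, not real data):
# two infected .php files and one clean one.
make_sample_site() {
    dir="$1"
    mkdir -p "$dir/wp-content/themes/demo"
    printf '%s\n' '<?php' "$MARKER'QUJD'));" 'echo "index";' > "$dir/index.php"
    printf '%s\n' '<?php' 'echo "clean";' > "$dir/wp-content/themes/demo/clean.php"
    printf '%s\n' '<?php' "$MARKER'QUJD'));" 'echo "theme";' > "$dir/wp-content/themes/demo/functions.php"
}

# Step 1: list every .php file that contains the marker.
# -F treats the marker as a fixed string, -l prints file names only.
find_infected() {
    grep -rlF --include='*.php' -- "$MARKER" "$1"
}

# Escape a fixed string so sed's basic regex treats every character literally.
bre_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$/]/\\&/g'
}

# Step 2: back up each hit as <file>.bak, then delete every line containing the
# marker with sed, reading the .bak copy and writing the cleaned file in place.
# Using the backup as sed's input avoids the non-portable "sed -i".
disinfect() {
    pattern=$(bre_escape "$MARKER")
    find_infected "$1" | while IFS= read -r f; do
        cp "$f" "$f.bak"
        sed "/$pattern/d" "$f.bak" > "$f"
    done
}

# Step 3: re-run the search to confirm nothing matches any more. The .bak files
# keep the original code but are skipped because of --include='*.php'.
count_infected() {
    find_infected "$1" | wc -l | tr -d ' '
}
```

Run `make_sample_site` on a temporary directory, call `disinfect` on it, and `count_infected` should drop from 2 to 0 while each `.php.bak` still holds the original file for later review. Deleting whole lines only works when the injected code sits on lines of its own; if it was appended to an existing line, the sed expression needs a substitution (`s/…//`) instead of `d`.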
Website infections are very common. Because it is easy to set up a website but difficult to maintain it (from a security point of view), most websites fall to automated scripts exploiting vulnerabilities.
This particular website was affected by an XSS vulnerability:
At SparkTrust we look at both ends of the spectrum: We protect your site by doing regular security checks to make sure script kiddies can’t hack the site with readily available tools. But for our new customers that are already infected, we also provide disinfection services.
To learn more about our services please visit SparkTrust.com.