Search and eliminate malicious code on the site. Sending spam.


Search and eliminate malicious code on websites.

 

There are many viruses on the Internet that spread through websites. Responsibility for the security of a web resource lies with its owner; unfortunately, not everyone treats this responsibility with due attention.

Following a few basic rules will help protect your site:

use complex passwords: upper- and lower-case Latin letters combined with digits and special characters;

do not disclose login credentials to third parties;

install CMS modules and templates only from the developers' official resources;

update modules only from the developers' official resources;

when adding a feedback form to the site, make sure it is protected by a robust captcha;

update the CMS promptly.


Let's consider one infection scenario that follows a website hack.

One of the most common consequences of a site being hacked is the upload of malicious scripts to the hosting account and their injection into the site's code base. Such scripts are used for various malicious activities: sending spam, carrying out DDoS or brute-force attacks on other resources, spreading viruses, redirecting visitors to phishing pages, and performing other prohibited actions. This activity puts load on the web server, which affects the other customers hosted on it. Therefore the hosting provider monitors such activity and isolates the offending account.


The site owner has two important questions:

1. What can I do to get the hoster to unblock the site?

2. What can be done to prevent a similar situation in the future?

 

What can I do to get the hoster to unblock the site?

When a hosting provider blocks an account for sending spam, the owner of that account is sent a notification containing an example of a malicious message sent from their site. From the headers of this message it is sometimes possible to identify the file containing the malicious script that sent it.

Example:

200P Received: from domain by164.net with local (Exim 4.80.1)
        (envelope-from <webmaster@domain.com>)
        id 1Wt8ty-0001S7-0i
        for cshort@ariesnet.com; Sat, 07 Jun 2014 08:10:46 +0300
024T To: cshort@test.com
027 Subject: Ship Notification
039 X-PHP-Script: domain.com/ for 127.0.0.1
047 X-PHP-Originating-Script: 1586:841rewb3v4x.php
048F From: "Postal Service" <message_id17@domain.com>
030 X-Mailer: CSWMSAutoMailer:reg
052R Reply-To: "Postal Service" <message_id17@domain.com>
018 Mime-Version: 1.0
081 Content-Type: multipart/alternative;boundary="----------140211784653929ED602110"
051I Message-Id: <E1Wt8ty-0001S7-0i@by164.net>


Here, as in every e-mail, there are the fields “From:”, “To:” and “Subject:”, whose contents identify the sender, recipient and subject of the message.

Sometimes (but not always) the headers also contain the fields “X-PHP-Script” and “X-PHP-Originating-Script”, which name the script used to send the spam. In this case it is a script called 841rewb3v4x.php. Note that the header gives only the file name, not the directory it lives in, so the file still has to be located in the site's file tree.

Finding and eliminating the script can be organized as follows:

Download the site's files to your local computer over FTP and search them for the malicious script, either with an antivirus scanner or manually.
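As an added example (not part of the original article), the following Python script automates the two steps just described: it parses a notice like the one above, whether in Exim's spool format with the length-and-flag prefixes or as raw headers, extracts the sender, recipient, subject and the file named in X-PHP-Originating-Script, and then filters a listing of the downloaded site files down to that file name. The sample header block is an abridged copy of the notice; the function names are my own.

```python
import re
from pathlib import Path

# Constructed sample: the first headers of the notice above, in Exim's spool
# format (a 3-digit length and a flag letter precede each header line).
SAMPLE_HEADERS = """\
200P Received: from domain by164.net with local (Exim 4.80.1)
        (envelope-from <webmaster@domain.com>)
        id 1Wt8ty-0001S7-0i
        for cshort@ariesnet.com; Sat, 07 Jun 2014 08:10:46 +0300
024T To: cshort@test.com
027  Subject: Ship Notification
039  X-PHP-Script: domain.com/ for 127.0.0.1
047  X-PHP-Originating-Script: 1586:841rewb3v4x.php
048F From: "Postal Service" <message_id17@domain.com>
"""

SPOOL_PREFIX = re.compile(r"^\d{3}[A-Z*]?\s+(?=\S)")  # matches "200P ", "027  ", ...


def parse_headers(text):
    """Return {lowercase name: [values]} from spool-style or raw header text."""
    headers, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and name:       # folded continuation of the previous header
            headers[name][-1] += " " + line.strip()
            continue
        line = SPOOL_PREFIX.sub("", line)   # drop the spool prefix when present
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(name, []).append(value.strip())
    return headers


def originating_script(headers):
    """Split X-PHP-Originating-Script ("uid:filename", as PHP writes it) into (uid, filename)."""
    values = headers.get("x-php-originating-script")
    if not values:
        return None, None
    uid, sep, filename = values[0].partition(":")
    return (uid, filename) if sep else (None, uid)


def match_script(paths, basename):
    """Keep only the paths (e.g. from Path(site_root).rglob('*')) whose file name is `basename`.
    The header names the file but not its directory, so the whole downloaded tree is searched."""
    return [p for p in paths if Path(p).name == basename]
```

Feed `match_script` the output of `Path("downloaded_site").rglob("*")` to list every copy of the named file in the FTP download.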

