This site uses JavaScript to function properly. Please activate JavaScript in your browser.

Malware/Spyware/Virus on the hosting package

General informations
How can I protect myself?
What to do if malware/phishing sites have been discovered?
What to do if a virus/malware code has been detected?
Security measures through checkdomain

What to do if malware/phishing sites have been discovered?

How do I find the malware?

Under the following links you will find various plugins/programs for malware detection.

http://www.stopbadware.org/common-hacks
http://docs.joomla.org/Vulnerable_Extensions_List
http://itpixie.com/2012/06/wordpress-exploit-alert-uploadify-php/#.UMtXiayundE
http://wordpress.org/extend/plugins/exploit-scanner/
http://wordpress.org/extend/plugins/antivirus/
http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection
http://drupal.org/project/clamav

Examples of what malware does:

- Index files are manipulated, Javascript or PHP code is inserted at the end.

- Often the code is obfuscated in such a way that a human viewer can no longer understand what is happening there.

Example Javascript (outputs "hello world"):

.htaccess files are created to redirect to other pages.

Possible consequences for you and your website visitors

Malware is installed on your website visitors' computers
Phishing/Spamvertised Content (http://en.wikipedia.org/wiki/Spamvertising) hosted
Your webhosting package is misused for spam delivery
Attacks (DOS, Brute Force, etc.) are launched on other servers from your website.

Remove Malware

Since malware removal can vary greatly, we can only give general hints here.

- As long as the malware is not completely removed, you should put the site offline to protect your customers/visitors. It is best to temporarily point to another empty folder. Further possibilities are e.g. via .htaccess or domain forwarding to another domain.

- Change FTP password. Under no circumstances store the FTP password in the FTP client. If necessary, also change other passwords (e.g. e-mail or checkdomain password), if in doubt.

- Check all computers that have connected via FTP for viruses or reinstall them if necessary.

Whether you reinstall your PC is of course at your discretion. However, if there are viruses on the PC, it is often difficult to remove them completely. Often you have similar problems after a short time.

- CMS (software like Wordpress or Joomla) and plugins update. Possibly outdated software, which will no longer be updated.

- Check files for malware and remove them.

- Control .htaccess files.

- Deleting everything and performing a complete reinstallation is the safest way, but not always necessary/possible.

- If available, installing a backup can also take a lot of work off your shoulders. The backup must of course have been created when the web space was not yet infected. Checkdomain backup system

- To remove the malicious code completely or to close a CMS security hole is not always easy. If you don't want to delete everything and rebuild the site, you might want to use an external to instruct experts or to ask for information in anti-virus forums. (Checkdomain does not offer this service!)

- The easiest way to remove a Google Safe Browsing warning is to use Google Webmaster Tools (http://support.google.com/webmasters/bin/answer.py?hl=en&hlrm=en&answer=163634)