Hidden Threats: How to deal with Website Malware

This is a brief intro for how we analyze malware we find on infected websites. What is it? What does it look like? And more importantly – How do we proceed with an infected website?

The difference between client-side and server-side malware

There are two types of malicious code found on websites:

  • Client-side malicious scripts and
  • Server-side malicious scripts

 Client-side malicious scripts

A type of malicious html or javascript injections in the files or in the html source. They can do any of the following bad stuff.

  • Attack visitors
  • Redirect them to infected or advertising pages
  • Launch crypto-miners
  • Spy on users
  • Popup adware
  • Inject black-hat SEO links

Generally, you can easily spot client-side malware in HTML source code. Because it’s quite obvious by its malicious behavior. And you can even find it automatically by way of specialized online malware scanners, like Rescan.

Unfortunately, this type of malware is just the tip of the iceberg. Because the root cause hides in the server-side scripts.

Server-side malicious scripts

A large subset of malware usually represented by the following instances.

  • Hacker’s backdoors and web-shells
  • Mailing scripts
  • Phishing malware and spyware
  • Uploaders and droppers
  • Bruteforcers
  • Doorway pages, phishing pages
  • Hidden redirects injected in scripts
  • Blackhat SEO links injected into database and PHP

Malware Types

Let’s now look at this brief overview of different kinds of Malware that we know of.

Backdoor

Here’s a small piece of code (mostly a single-line code) which hackers use to hijack a website and take full control over it. Usually, misusers have backdoors to deliver payloads or some more functional web-shell scripts.

Plesk and revisium - what is backdoor malware?

Hacker’s web-shell

A hacker’s “control center”. It allows a hacker to execute commands manually via Web UI or remotely on a compromised website. For example, by getting a folder listing, creating/removing/editing files, executing SQL commands, getting server configuration, and more.

Plesk and Revisium - What a Hacker's Web-shell?
What\s a hacker's web shell? Screenshot 2 - Revisium and Plesk

Mailing script

A script with the intent to send out spam using some mailing list that the hacker creates. The mailing script automates spam mail-sending, including phishing emails and emails with malicious attachments (trojans).

What's a mailing script? website malware Revisium and Plesk

Spyware

A script or an injection in the legitimate scripts which intercepts and gathers sensitive data, such as login/password or credit cards, and sends it to the hacker directly.

Dropper

This script delivers malicious files (usually web-shells) to a server. Or uploads it into some folder on the website. It acts as a “transport” for backdoors and web-shells. Often, it combines the backdoor’s functionality with an uploader’s one.

Dropper malware - Site threats - Plesk and revisium

Hacker’s tools

Basically a whole bunch of different scripts and macros that automate a hacker’s activity. We’re talking bruteforce passwords, attacking other web resources, remotely injecting virus codes, defacing websites, and more.

Where do you find website malware?

You’ll locate the vast majority of server-side malware in a website folder structure – usually under upload/tmp/backup/images folders, which are writeable. Or injected at the beginning or at the end of a legitimate script.

Server-side malware mimics the legitimate scripts of the website to hide the evil code from webmasters. Moreover, server-side malware is obscure via encoding in order to become invisible for antiviruses.

Common dangers of website malware

We must admit that most compromised websites have a similar subset of malware. There are usually several types of backdoors, a web-shell, a mailing script and payloads, phishing pages, crypto-miners or doorways.

And actually, web-shells and backdoors don’t threaten the website until they are used. The hacker needs these types of malicious scripts to manage a compromised website. In order to run other malicious scripts, upload phishing pages, inject spyware, collect sensitive info, and so on. But the final goal is to use web hosting resources to steal or make money.

It may sound odd, but a hacker doesn’t need a compromised website itself. However, they do need chip hosting resources. Ultimately, the majority of websites hacked via automated untargeted attacks are used as a place to host malicious files and scripts. Or to send out spam.

For example, you can observe the following evil instances on hacked websites.

  • phish pages steal credit cards, bank accounts, Paypal, Google and Apple ID accounts – collecting and using this data in order to steal money and other sensitive info;
  • spam attempts to send out banking trojans;
  • crypto-currency miners, such as Monero Miner (both server-side and client-side), to make money on 3rd party resources;
  • hidden redirects on visitors’ mobiles and search engines to malicious or promo websites – in order to inject visitors or cash out of digital subscriptions.

What are the consequences of website malware activity?

All this malicious activity on a website may lead to the hosting provider blocking the account or VPS. Because it affects hosting security and their reputation. That’s why it’s very important to identify the threat and malware ASAP. So, keep eye on your website files and pages for danger flags.

Consider that you can’t detect server-side malware by online malware scanners. Because the only thing they can access is a web page HTML code. But not the infected server-side scripts. That’s the reason website administrators have to scan website files on hosting for backdoors, web-shells and other types of malware.

How can you detect server-side malicious scripts?

In order to identify server-side malware, you should regularly scan your websites by antiviruses. This, however, doesn’t mean that desktop antiviruses alone are suitable to scan and clean sites. They only know a small amount of website-specific malware – usually, less than 30% of the actual threats out there. And thus, are inefficient at cleaning up web-hosting.

Meaning that it’s important to use a specific type of antivirus software, designed for web hosting.  Let’s list the required features that a modern antivirus for sites has to have.

  1. Firstly, it has to be intelligent, which means it
  • is capable of decoding and decrypting malware,
  • has an heuristic approach to identifying the newest malicious scripts and injections which have not yet been added to the malware database.
  1. Secondly, it has to be capable of monitoring website infection and of notifying users instantly.
  2. Third, it has to have an exhaustive malware database that detects every single malicious entry on the website.

And finally – the good news! Now, Plesk Onyx, the control panel for web hosters, has an effective solution to scan website for malware.

The Revisium Antivirus Extension on Plesk

The Revisium Antivirus extension was released at the end of 2017. The antivirus core is a scanning engine (AI-BOLIT) which Revisium web security experts have evolved and improved over the last 5 years.

And moreover, many hosting providers have been using it as their main scanning tool for websites. Will you be one of them? Click below to find out more about its tools and benefits.

6 Comments

  1. Thanks for a good article! I think the problem we will be facing in the future, are malware attacks against the smart home concept. An article on that subject would be interesting!

  2. The VarianceTV adware functions as an adware program that shows interfering ads once it’s set on the PC.

  3. i tried immunify and it couldnt fix the malware errors. very disappointed.

  4. this will be really helpful with people who are working all the time on the web. how can one prevent these kinds of attack?

  5. Website malware continues to be a big problem for site owners. 18.5 Million websites are infected with malware at any given time. Greg explains the insidious methods hackers use to enter sites and the dangers of website malware . This article additionally provides the reader with information about the different types of malware and their effects. I would highly recommend this article for anyone wanting to increase their knowledge of website malware and its effects.

    Awesome read!

Add a Comment

Your email address will not be published. Required fields are marked *

We are Plesk

Value simplicity and automation too? We help devs, sysadmins, and resellers run, manage and secure via our control panel solutions, extensions and hyperscale opportunites. Discover how you fit with us.

GET LATEST NEWS AND TIPS

  • Yes, please, I agree to receiving my personal Plesk Newsletter! Plesk International GmbH and its affiliates may store and process the data I provide for the purpose of delivering the newsletter according to the Plesk Privacy Policy. In order to tailor its offerings to me, Plesk may further use additional information like usage and behavior data (Profiling). I can unsubscribe from the newsletter at any time by sending an email to [email protected] or use the unsubscribe link in any of the newsletters.

Related Posts

Knowledge Base

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt