Removing malicious code from websites

It seems my site has had malicious code injected into some of its webpages. I have managed to remove a lot of it, but is there any way of checking to see if it is still there and where (as well as the underlying security issues)?

My site runs a couple of HTML pages as well as WordPress and Gallery2 software.

I've had a look at the report from Google and checked stopbadware.org but am getting a little lost. stopbadware recommends I use a "vulnerability auditing scanner"; can someone recommend one, and how do I use it?
 
That is an option for some of them but I also have gallery software and WordPress software up there which can't just be reloaded without losing all the stuff in them (or since the last backup, which was a while ago). Google's webmaster tools has helped me a little as it shows some of the pages that are infected, but I was wondering if there was some kind of online scanner that would be able to tell me in real time if I have removed everything, as well as perhaps show any security issues there may be.
 
As long as you back up your database, and themes, and wp-config, you can just reinstall WordPress (similar to when you update it).
Or you can diff the WordPress core files. Either way you can redownload the theme/template and diff that, check your database etc.

I'm not 100%, but don't all of these malicious code injections usually involve a link to an off-site trojan/virus? So you could probably just parse all your files for http:// and manually check all links?

I don't know of any automated scanner though.
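
What "diff the WordPress core files" amounts to in practice, as an added example that is not code from the thread: hash every file in the live site and in a fresh copy of the same release, then list what differs. `clean_root` is assumed to be an unpacked fresh download matching the installed version; the demo trees and their file contents are constructed.

```python
import hashlib
import os
import tempfile


def file_hashes(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(clean_root, live_root):
    """Compare the live site against a freshly downloaded copy of the same release."""
    clean, live = file_hashes(clean_root), file_hashes(live_root)
    return {
        # Shipped files whose contents changed: the first place to look for injected code.
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        # Files the release never shipped: config, uploads, themes, or planted scripts.
        "extra": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def demo():
    """Build two small constructed trees and return the comparison report."""
    core = {"index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in (("clean", core), ("live", dict(core))):
            if tree == "live":
                files["index.php"] += b"<?php /* constructed stand-in for injected code */ ?>\n"
                files["wp-config.php"] = b"<?php /* site settings */\n"
                files["wp-content/uploads/thumb.php"] = b"<?php /* not part of the release */\n"
            for rel, data in files.items():
                path = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare_trees(os.path.join(tmp, "clean"), os.path.join(tmp, "live"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files reported as extra include legitimate ones such as wp-config.php and uploads, so each of those still needs a manual look.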
 
Ah ok, thanks. Is this possible with gallery software as well and myBB forum software?

What do you mean by diff the files?

The codes are just seemingly random characters so I don't think that would work.
 
Ok, just before I do some irreparable damage, I take it I back up the database then just delete the entire folder? Or can I just reinstall straight over the top and then stick the database back in?
 
Before you touch anything, take a full backup of everything.
For WordPress, you can just start with a fresh install, and then copy over the files it tells you not to delete in step 7, here.
* wp-config.php file;
* wp-content folder; Special Exception: the wp-content/cache and the wp-content/plugins/widgets folders should be deleted.
* wp-images folder;
* wp-includes/languages/ folder--if you are using a language file do not delete that folder;
* .htaccess file--if you have added custom rules to your .htaccess, do not delete it;
* robots.txt file--if your blog lives in the root of your site (ie. the blog is the site) and you have created such a file, do not delete it.
Then just restore your database. I'm not sure about other software, but it will probably be similar; some important config files that you need, and loads of generic files that can be replaced by fresh.
 