How to Remove Harmful Code from Your Website or Webserver

How to Remove Backdoor:PHP/WebShell.A and Backdoor:PHP/Shell.G from Your Webserver

To begin with, the problem of website malware is far from new, and it gets worse every year. Almost any website can become a victim of a hacker. It is, of course, better to prevent sites and servers from being compromised through proper administration, but it is just as important to know how to minimize your losses quickly if you were unable to avoid a compromise.

The reason for writing this article was an incident that happened in our company recently. One of our SEO experts noticed that a div in the header was in the wrong place. The website ran on WordPress, on shared hosting without SSH access. The whole team set out to find the cause. It turned out to be malicious JavaScript that automatically inserted an iframe pointing to a malware site into the header and footer code.

To be honest, the only antivirus that reacted properly to this threat was Kaspersky Internet Security 2012 on its highest security settings. The other antivirus products carried on as if nothing had happened, and even the paid services found nothing.

We decided to check whether the virus had affected our other sites, because dozens of our websites were hosted there. We were shocked to find that every website with a non-default theme was infected. We had no current backups, so rule #1: ALWAYS BACK UP YOUR SITES, and refresh the backups at least once a week, so that you can restore everything with a few clicks.

Our first thoughts on the possible cause were a compromise through FTP (which happens more often where there is no SSH access) or, of course, a well-crafted SQL injection. Neither the database analysis nor the FTP access logs showed anything. So the next step had to be a detailed analysis of all suspicious files, meaning files with strange names that definitely should not be on the server. After a few hours of work such a file was found: media.php in the /public_html/your-site/wp-content/your-theme folder.

Inside was an encrypted (obfuscated) PHP script:

<?php
// configuration variables found at the top of media.php
$auth_pass = "";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';

Later we managed to decode the script: it was WSO 2.4, a publicly available PHP shell script whose rich functionality lets an attacker gain full access to the remote server, up to root privileges.

[Screenshot: WSO 2.4]

[Screenshot: shell source code]

Then we found two more obfuscated, but less remarkable, PHP files, which were responsible for generating the JavaScript code with the iframe. After these files were neutralized, the malicious JavaScript with the iframe was still being generated, which showed that the hacker was clearly not limited to those two files and had most likely left a spare backdoor. And so it was.

After long hours of searching, about two dozen obfuscated PHP files and one shell file were found. Then the whole public_html folder with all the sites was downloaded and checked locally, first with different antivirus products. This time Kaspersky Internet Security showed nothing, but Microsoft Security Essentials found Backdoor:PHP/WebShell.A and Backdoor:PHP/Shell.G. Google searches for ”how to remove Backdoor:PHP/WebShell.A”, ”how to remove Backdoor:PHP/Shell.G” and the like turned up nothing useful. The rest of the infected files had gone unnoticed because they were carefully camouflaged with obfuscated code. As a result, suspicious code could be identified only by the specific JavaScript functions unescape() and fromCharCode() used in the obfuscation. With SSH access, one way to find such functions is with commands such as:

find $PWD -name '*.*' -exec grep -li "iframe" {} \;

find $PWD -name '*.*' -exec grep -li "unescape" {} \;

find $PWD -name '*.*' -exec grep -li "fromCharCode" {} \;

But in our case there was no SSH access, so only a specialized test script could help, and to my great surprise it found only a few infected files, one of which was another copy of the WSO 2.4 PHP shell script.

Link to Script

This script checks all files in all folders on the site for malware or suspicious code. All you need to do is upload it as a .php file to the root folder on the server (usually public_html) and open it in a browser, for example www.your-site/lookforbadguys.php. The result is a list of all files with suspicious code, with detailed descriptions of them.
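As an added example (not the article's script and not part of the original page), here is a small POSIX shell scanner in the spirit of the find/grep commands above and of the check that the lookforbadguys.php script performs. It goes beyond the three strings the article greps for: besides iframe, unescape and fromCharCode it also looks for PHP functions commonly used by obfuscated loaders (base64_decode, gzinflate, str_rot13, eval), which is my addition. The sample tree it builds is constructed inline and contains harmless placeholder text, not real malware; the file names and patterns are assumptions.

```shell
#!/bin/sh
# Added example: report files under a web root that contain strings typical of
# injected iframes and obfuscated PHP/JS. The first three patterns come from the
# article; the remaining ones are common obfuscation helpers (my assumption).
PATTERNS='iframe|unescape|fromCharCode|base64_decode|gzinflate|str_rot13|eval\('

# Print every .php/.js/.html file under $1 matching at least one pattern,
# one path per line, sorted. Case-insensitive, like the article's grep -li.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -l -i -E "$PATTERNS" {} + 2>/dev/null | sort
}

# Number of flagged files, handy as a cron/CI signal (0 means nothing matched).
count_flagged() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

# For each flagged file, show the first matching line with its number so a
# human can triage quickly.
show_hits() {
    scan_webroot "$1" | while IFS= read -r f; do
        printf '%s: ' "$f"
        grep -n -i -E "$PATTERNS" "$f" | head -n 1
    done
}

# Constructed sample tree (harmless placeholder content, not real malware):
# a clean index.php, a theme file using a base64 loader, a JS footer writing
# an iframe via unescape() like the infection the article describes, and a
# text file that is outside the scanned extensions.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/demo"
    printf '<?php echo "hello";\n' > "$dir/index.php"
    printf '<?php $c = base64_decode("PLACEHOLDER"); // constructed\n' \
        > "$dir/wp-content/themes/demo/media.php"
    printf 'document.write(unescape("%%3Ciframe src=%%22example.invalid%%22%%3E"));\n' \
        > "$dir/wp-content/themes/demo/footer.js"
    printf 'plain notes, not scanned\n' > "$dir/readme.txt"
    echo "$dir"
}

# Demonstration run on the constructed tree.
demo=$(make_sample_tree)
show_hits "$demo"
rm -rf "$demo"
```

Run it from the server's root folder (or point scan_webroot at a downloaded copy of public_html, as the article did) and review every hit by hand: legitimate themes and plugins also use base64_decode and eval, so the list is a triage queue, not a verdict.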

Since the automatic check gave no 100% assurance that the sites were clean, we started to check all the files manually, one by one. Only after every file had been checked, in the same sequence, one after another, were they moved to new hosting.
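Rule #1 above and the manual file-by-file check just described both come down to knowing what the files on the server looked like when they were clean. As an added example (not from the article), the following POSIX shell functions take a SHA-256 manifest of a web root and later diff the live tree against it, listing added, modified and missing files; a run on a constructed sample tree is included. It assumes sha256sum or shasum is installed and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example: file-integrity baseline for a web root. Take a manifest while
# the site is known clean (right after a backup); compare later to see exactly
# which files an intruder added, changed or deleted.

# Portable SHA-256 line ("hash  path"): GNU coreutils or Perl shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# make_baseline ROOT MANIFEST: hash every regular file under ROOT, with paths
# relative to ROOT so the manifest stays valid after a move to new hosting.
# Assumption: paths contain no whitespace or newlines.
make_baseline() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        hash_file "$f"
    done ) > "$2"
}

# compare_baseline ROOT MANIFEST: print ADDED/MODIFIED/MISSING lines, sorted.
compare_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in cur) {
                 if (!(p in base)) print "ADDED " p; else if (cur[p] != base[p]) print "MODIFIED " p
             }
             for (p in base) {
                 if (!(p in cur)) print "MISSING " p
             }
         }' "$2" "$current" | sort
    rm -f "$current"
}

# Demonstration on a constructed tree: baseline a clean site, then simulate
# what the article describes (a theme file appears, a core file is altered,
# a file vanishes) and print the report.
demo_run() {
    site=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$site/wp-content/themes/demo"
    printf '<?php echo "site";\n' > "$site/index.php"
    printf 'notes\n' > "$site/readme.txt"
    make_baseline "$site" "$manifest"
    printf '<script>/* injected, constructed */</script>\n' >> "$site/index.php"
    printf '<?php /* new file, constructed */\n' > "$site/wp-content/themes/demo/media.php"
    rm -f "$site/readme.txt"
    compare_baseline "$site" "$manifest"
    rm -rf "$site" "$manifest"
}

demo_run
```

Keep the manifest off the web server (with the backup), otherwise an intruder who can write files can also rewrite the baseline.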

Finally, I would like to mention some basic safety rules. They certainly give no guarantee against a possible compromise, but following them will significantly reduce the chance of unwanted guests getting onto your server:

  • Create long and complex passwords for FTP, using lower- and upper-case letters, numbers and special characters; a good service for generating passwords –
  • If you work with a small number of sites, try to avoid saving your passwords in FTP clients such as FileZilla, CuteFTP, Notepad++ etc.
  • Correct iptables (the built-in Linux firewall) settings will reduce the possibility of interference.
  • The absence of security vulnerabilities in databases and timely software updates will also give you extra confidence in your site's security.

I hope this article will be useful to you and that everyone will be able to learn something new from it.

P.S. The only resource that answered the question “What are the viruses Backdoor:PHP/WebShell.A and Backdoor:PHP/Shell.G?” was the Microsoft website.
You can read about it here.
