When a website owner is told that their site has been infected with malware, it can come as quite a shock. After the shock wears off and the immediate impact is understood, it is important to take stock of what really happened behind the scenes and then clean it up. The best advice anyone can give you is to make frequent, downloaded backups of your site in case anything happens to the live version, so that a clean backup can replace the compromised live version.
But what if there is no clean, viable backup available? In a world where websites have hundreds, if not thousands, of files, how can one person go about cleaning out an infection that lives in just a small number of those files?
How to look for Malware in Files?
When checking for malware in files, a site administrator typically has a few options available. Before choosing a direction, it is important to understand how each option enables (or limits) your ability to find the nasty stuff we are looking for.
File Manager
The most easily accessible, but usually least versatile, option is the “file manager” offered by most web hosts. These tools are generally engineered for basic file modification and are not geared towards searching for specific content, which is what we need to do. Nonetheless, you can always refer to your host’s knowledgebase to see what their tools can do for you.
Local Search
Another choice is to copy your live site to your local computer and run a search in a more familiar environment. For example, in Windows there is an easy way to search the contents of your site files. First, we have to make sure that Windows knows to search file contents and not just file names and properties:
- Navigate to the folder you downloaded your site into
- If there are no menu options available in the window, press the “Alt” key on your keyboard and then select the “Tools” menu, and then the “Folder Options” option
- A new options window will open up with a few tabs – Click on the “Search” tab
- At the top is a “What to Search” section with a couple of options. Select the second option to “Always search file names and contents”
- Click the “OK” button and we’re all set
Now that Windows knows to search content, the search bar found in the top-right corner of the folder window can be used to search for any content you want to find.
Command Line
When scanning for malware, the most effective option is a command line on the server where your site resides. It is somewhat unusual to have command-line access in a shared hosting situation, but those who do have that level of access will find it much more useful when conducting a “needle in a haystack” quest like this one. If the server runs a UNIX-based operating system, we can both search for files that have been modified recently and search for specific contents within files.
- Using the “find” command with some specific options will allow us to locate any and all files that have been modified within a specified timeframe. First, make sure you’ve navigated to the folder in which your website resides, then consider the following example of the “find” command: find . -mtime -7
- Breaking this down, first the “find” command is specified, followed by a simple period to indicate we’ll be searching in the current directory (and everything below it). Next we use the “-mtime” option to indicate the modification time, and the “-7” means less than 7 days ago (find counts in 24-hour periods). Put it all together and we’ll get a list of all files in the website directory that have been modified in the last 7 days. Of course, that number can be changed to suit your needs. Keep in mind that an attacker can reset a file’s modification time with “touch”, so an empty result here does not prove that nothing was changed.
- The output will simply be a list of filenames preceded by their location:
- ./some/directory/filename.php
- ./some/other/directory/anotherfile.php
- For more information on the “find” command, read its manual page by using the “man find” command.
- The other, more specific approach is to use the “grep” command, which searches for content within files. Again, we’ll want to be in the directory that contains the website files, and from there we can consider the following usage of the “grep” command: grep -Hn "search" ./*.php
- In this example, first we have the command “grep”, then the option “H” to include the matching filename in the output, and the option “n” to include the line number where a match is found. Next, the text we are looking for is given in quotes. Finally, “./*.php” means we are looking in all files whose names end in “.php” in the current directory only. To search subdirectories as well, use the “-r” option with a directory as the target, for example: grep -rHn --include='*.php' "search" .
- The output of this command will look something like this, with the filename, line number and matching line’s content separated by colons:
- ./directory/file.php:57: random php code that matches search
- For more information on the grep command, look at its manual page by running the “man grep” command.
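As an added example (not code from the original article), the following POSIX shell script combines the “find” and “grep” steps above into a small triage routine: one function lists files modified within a given number of days, the other greps PHP files recursively for functions that injected code commonly abuses. The function names (scan_recent, scan_patterns, make_sample_site), the sample web root it builds, and the list of suspicious functions are this example’s own choices, not anything taken from the page; the sample files are constructed for demonstration only.

```shell
#!/bin/sh
# Added example: triage a web root with find and grep.
# Assumes a POSIX shell and a find/grep that support -mtime, -r and --include
# (GNU and BSD both do).

# scan_recent ROOT DAYS
# Lists regular files under ROOT modified less than DAYS days ago.
scan_recent() {
    find "$1" -type f -mtime -"$2"
}

# scan_patterns ROOT
# Recursively greps *.php under ROOT for constructs often seen in web shells
# and obfuscated injections. A hit is a lead for manual review, not a
# verdict: legitimate plugins call base64_decode() and eval() too.
# The pattern list is this example's own choice (hypothetical, not exhaustive).
scan_patterns() {
    grep -rHnE --include='*.php' \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|preg_replace\(.*/e|assert\(|system\(|passthru\(|shell_exec\(' \
        "$1" || true
}

# make_sample_site DIR
# Builds a constructed sample web root: two old, clean files and one
# recently written file carrying a typical eval(base64_decode(...)) payload.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads" "$1/includes"
    printf '<?php\necho "hello";\n' > "$1/index.php"
    printf '<?php\nfunction helper() { return 1; }\n' > "$1/includes/helper.php"
    # The payload decodes to "echo 1;" and is harmless; it is never executed here.
    printf '<?php\neval(base64_decode("ZWNobyAxOw=="));\n' > "$1/wp-content/uploads/cache.php"
    # Backdate the clean files so the recent-modification scan ignores them.
    touch -t 202001010000 "$1/index.php" "$1/includes/helper.php"
}

# With no arguments, demonstrate on the constructed sample site.
# Otherwise: triage.sh /path/to/webroot [DAYS]
if [ $# -eq 0 ]; then
    demo_root=$(mktemp -d)
    make_sample_site "$demo_root"
    echo "== files modified in the last 7 days under $demo_root"
    scan_recent "$demo_root" 7
    echo "== suspicious constructs in PHP files"
    scan_patterns "$demo_root"
    rm -rf "$demo_root"
else
    scan_recent "$1" "${2:-7}"
    scan_patterns "$1"
fi
```

Running it with no arguments prints only the planted cache.php from scan_recent and one grep hit on its line 2; pointing it at a real web root will produce far more grep output, so start from the intersection of the two lists (recently modified files that also match a pattern) and review those first.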