2.15.2.2. Virus cleaning

Attention!

The information in this article is advisory and does not provide exact instructions for cleaning a site of viruses. You should clean sites of viruses yourself or with the help of third-party specialists.

When the antivirus on the hosting server finds malicious code during a scan, a notification with information about the problem is sent to the hosting account owner. The malicious code must be removed, as it may cause data security problems both for the infected site and for neighboring sites in the same hosting account.

Malicious code should be removed only after reviewing the antivirus scan results and analyzing the malicious code itself. Deleting it blindly may break the site, because malicious code is often injected into important scripts of the site's system.

Cleaning a site of malicious code alone is often not enough to ensure site security. In addition, you need to identify the source of the infection and eliminate it. Without such actions, it may only be a matter of time before the infection reoccurs.

We recommend using additional site virus scanning tools, such as WPScan.

Attention!

Before doing anything, create a backup of your site and database and download it to your own computer, so that you can restore your data if something goes wrong.

Viruses can be removed in several ways:

  • Restore a backup of the site files made before the virus code appeared.
  • Remove viruses manually.

Attention!

We regularly update the antivirus signature database, so there may be situations where viruses were on the site long before they were detected and are therefore present in the backups as well.
For the case where the functions.php file of a WordPress theme is infected, a separate instruction is available.

To clean your hosting account of malware, review the antivirus scan results and resolve every issue found. Open each infected file, examine its contents carefully and remove the fragments of malicious code. Note that the antivirus highlights only the signatures it recognizes; malicious code may be present in other parts of the file without being highlighted, so check the entire file and remove any suspicious content. Delete an infected file entirely only if it consists wholly of malicious code.

You can completely replace the site files with identical ones from your own backup or from official sources. For example, most WordPress files can be found in the repository on GitHub.

You can use the file manager in the control panel or any FTP client to search and edit files.

Pay attention to code encoded in Base64: this is the form in which malicious code is often hidden. Such encoded code can be decoded using specialized services such as base64decode.org or base64.guru.

Dangerous PHP functions include eval, exec, shell_exec, system and passthru. Pay special attention to any occurrence of these functions, as they are often used in malicious code.
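As an added example (not part of the original article), the following Python script applies the two checks just described to PHP files: it flags calls to the dangerous functions listed above and decodes long Base64 literals to see whether they hide such calls. The regexes, the 40-character Base64 threshold and the constructed sample strings are assumptions made here for illustration.

```python
import re
import base64
from pathlib import Path

# Functions the article lists as frequently abused in injected PHP code
DANGEROUS_FUNCS = ("eval", "exec", "shell_exec", "system", "passthru")
FUNC_RE = re.compile(r"\b(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(", re.IGNORECASE)
# Long runs (40+) of Base64 alphabet characters, the usual way payloads are hidden
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_b64_literals(text):
    """Yield the decoded form of every Base64-looking literal that is readable text."""
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in decoded):
            yield decoded

def scan_source(text):
    """Return human-readable findings for one PHP source string (empty list = nothing found)."""
    findings = []
    for m in FUNC_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(f"line {line_no}: call to {m.group(1)}()")
    if re.search(r"\bbase64_decode\s*\(", text):
        findings.append("uses base64_decode()")
    for decoded in decode_b64_literals(text):
        hit = FUNC_RE.search(decoded)
        if hit:
            findings.append(f"base64 literal decodes to code calling {hit.group(1)}()")
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results

# Constructed samples: a clean file and one whose Base64 literal hides an exec() call
SAMPLE_CLEAN = "<?php\nfunction add($a, $b) { return $a + $b; }\n"
HIDDEN = base64.b64encode(b'exec("ls -la /tmp/uploads 2>&1");').decode()
SAMPLE_SUSPICIOUS = f"<?php\n$p = base64_decode('{HIDDEN}');\neval($p);\n"
```

Treat every hit as a lead to review by hand: legitimate plugins also call some of these functions, and the scanner never executes what it decodes.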

To find the source of the infection, analyze the site's access logs for suspicious requests. Focus on the log entries around the last-modification date of the infected files.

Attention!

The last-modification date does not always correspond to the actual date when the virus files were created, so do not rely on it alone. The site could have been infected much earlier, with the virus files detected by our antivirus appearing only after some "trigger" (certain requests being sent, scripts being run, files being updated from remote servers, etc.).

Suspicious requests can include:

  • POST and PUT requests.
  • Requests to the site's admin panel from third-party IP addresses.
  • Requests to protected system or storage directories (depending on the CMS used, some directories are system directories of the site and must be protected from external access).
  • Requests containing Base64-encoded text, SQL queries, and the like.
  • Requests to recently installed plugins.
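As an added example, not from the original article, this Python snippet parses combined-format access logs and applies the indicators listed above to the requests made in the hours before an infected file's last-modification time. The admin and protected paths are WordPress/Joomla assumptions, and the log lines are constructed test data using RFC 5737 documentation addresses.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache/nginx "combined" access log format; only ip, timestamp, method and path are kept
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"')
ADMIN_PATHS = ("/wp-admin", "/wp-login.php", "/administrator")  # assumption: WordPress/Joomla admin URLs
PROTECTED_DIRS = ("/wp-includes/", "/wp-content/uploads/")      # assumption: PHP should never be requested here
SQL_RE = re.compile(r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long Base64-alphabet run in the query string

def parse_line(line):
    # Parse one combined-format line into a dict (timestamp as aware datetime), or None
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flags_for(rec, trusted_ips):
    """Apply the article's indicators to one request and return the matching flag names."""
    path, _, query = unquote(rec["path"]).partition("?")
    flags = []
    if rec["method"] in ("POST", "PUT"):
        flags.append("write-method")
    if path.startswith(ADMIN_PATHS) and rec["ip"] not in trusted_ips:
        flags.append("admin-from-untrusted-ip")
    if path.startswith(PROTECTED_DIRS) and ".php" in path:
        flags.append("php-in-protected-dir")
    if B64_RE.search(query) or SQL_RE.search(query):
        flags.append("encoded-or-sql-payload")
    return flags

def suspicious_requests(lines, infected_mtime, window_hours, trusted_ips=()):
    """Return (record, flags) for flagged requests in the window_hours before infected_mtime."""
    lo = infected_mtime - timedelta(hours=window_hours)
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if lo <= rec["ts"] <= infected_mtime:
            flags = flags_for(rec, trusted_ips)
            if flags:
                hits.append((rec, flags))
    return hits
# Constructed sample log (RFC 5737 test addresses) and the mtime of the infected file
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2024:03:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.2 - - [12/May/2024:03:20:41 +0000] "GET /?q=aGVsbG8gd29ybGQgaGVsbG8gd29ybGQ= HTTP/1.1" 200 11 "-" "Mozilla"',
    '203.0.113.7 - - [12/May/2024:03:22:09 +0000] "GET /wp-content/uploads/2024/05/x.php?c=1 HTTP/1.1" 200 30 "-" "curl/8.0"',
    '192.0.2.10 - - [11/May/2024:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla"',
    '192.0.2.10 - - [12/May/2024:02:59:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla"',
]
INFECTED_MTIME = datetime(2024, 5, 12, 3, 30, tzinfo=timezone.utc)
```

Widen the window if nothing turns up, since the modification time may post-date the real intrusion as the note above explains.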

In addition to the web server access logs, also check the FTP logs, the outgoing connection logs and the control panel authorization logs. If suspicious entries are found, change the passwords of the FTP users, the database users (this also requires updating the passwords in the site's configuration files) and the hosting account, and additionally enable two-step authentication. You can generate new strong passwords with our password generator or a similar service. If outgoing connections are found that should not be there, you can restrict all or specific outgoing connections for the entire hosting account while the problem is being fixed.

After checking the logs, check the site files for third-party code. First of all, check the files of recently installed plugins and modules. Beware of unofficial plugins and modules, especially paid ones obtained for free from third-party sites. If there are any, remove them or restore a backup of the site from before they were installed.

Do not use file managers installed on the site itself. Most of them are unsafe and may pose a threat.

Attention!

All sites in the same hosting account can be infected at the same time because of a vulnerability in just one of them. Sites can only be completely isolated from each other by placing them in separate hosting accounts.

To ensure the security of the site, see Recommendations for hacking protection.

Comments

chechelnitskiy_serhii
It is important to beware of unofficial polygons and modules - not polygons, but plugins
karlov
Thank you for the comment. We have fixed this and other errors.