ESDS Knowledge Base


Removing Virus / Malware / Trojan From The Website

My site was hacked, and now?

The first thing to do in these cases is to calm down and read this post from beginning to end, not just the part that interests you most or the part that you “think” will solve your problem. You must first understand how to identify the type of invasion your site has suffered, and then work to solve the problem and prevent it from occurring again in the future.

What kind of invasions are there?

There are several types. Some of them are as follows:

  1. Invasion by malicious code hidden in PHP files.
  2. Carelessness or the use of easy passwords, which leaves the database or the administrative area of your website accessible.
  3. A site programmed incorrectly, or security loopholes introduced by the developer or by yourself.
  4. Your computer, site or hosting infected by viruses or trojans that are intended to steal your passwords or administrator database.

Naturally, there are other ways in which a malicious user with sufficient knowledge of web programming and hosting can invade your web site (regardless of the platform and hosting used), such as invasion through folders with 777 permissions, but it is all a matter of lack of attention or a security failure on the part of the user or developer.

What is hidden or encrypted malicious code?

Malicious code is usually hidden inside random PHP files. It leaves your website with security flaws through which the malicious user can invade at any time and get access to your database and FTP files. Most malicious code is hidden in encrypted form inside a call to the eval() function; this helps them find the loopholes. Most web sites run an open (open source) system, which does not use encryption in its PHP code. Users of CMS systems such as Joomla, WordPress and others are the main victims of this type of invasion: because these CMS systems are free and widely used by most developers and administrators of web sites, malicious users distribute their malicious code, usually inside templates, modules and plug-ins that other users download from the internet.

This never happened before, why only now?

Many users and administrators whose web sites have been hacked (invaded) through malicious code ask themselves, “But I have used this platform for years and never had this problem before, why only now?” or “I have several web sites with the same files and the same system, why has only one particular site been hacked and not the others?” The answer to these two frequently asked questions is very simple: everything works perfectly until the problem occurs, be it an invasion or something else. Nothing works forever. If you use a system that contains malicious code, you are vulnerable to being hacked, and the invasion may occur at any time, or may already be occurring.

Malicious users generally use search engines like Google to find web sites with a given type of vulnerability, and they have their own ways of finding it. Every site that contains malicious code and is registered in the search engines is easily found by the invaders and becomes an easy target. This explains why some web sites are hacked and not others, even when they use the same files allegedly containing malicious code: sites with better placement in the search engines are the first to be invaded. Some intrusions are made silently, just to steal important data, and cause no damage to the web site's system, while others end up damaging the system and purposely leave a message for the administrator.

How do I identify the kind of invasion that my site is suffering?

Simple… If your web site was developed in Joomla, WordPress or another ready-made CMS or blog platform, the first steps to identify the type of invasion are:

1. Before taking any hasty action that could harm the data that remains on the web site, make a BACKUP of the database and of all the FTP files that are on the hacked site.

2. After performing the BACKUP, you must not leave your site online with the attacker (malicious user) still having access to your files and database. Regardless of the type of intrusion your site is experiencing, first have a qualified professional in the field of viruses and trojans scan your computer for viruses or trojans. Then change all your passwords, including cPanel, the database your site is configured to use, the FTP passwords and, above all, the password of every administrator who has access to the site. It is no use changing all the other passwords and forgetting the passwords of the site administrators, which the malicious user (attacker) surely already has and which, if not changed, make a new invasion of the site easy.

3. Now you need to change the name of the public_html folder, which is located inside the main folder of your FTP: public_html_website_data. Example: suppose I have ESDS Hosting and my cPanel login is: login

Then I will rename the folder /login/public_html to /login/public_html_old

Once that is done, anyone attempting to access my site will find it unavailable, because the default HTTP folder has been renamed. Our goal was to make the site's files unavailable, to prevent further damage until the type of invasion is identified and a proper solution is found. Go to the next step.

4. We do not yet know what kind of invasion the website suffered, but we already have some knowledge about the types of intrusion and about what malicious code is, so we will now start looking for that code. It is not an easy task, because it can be hidden inside any PHP script of your website. First, look for any PHP script that is not part of your site. If your site runs on a ready-made CMS platform such as Joomla, WordPress or others, this task becomes easier: download the original CMS, in the same version, from the official website and compare, looking for any PHP file that is not part of the system. If there is a suspicious file, open it with any text editor and check whether it contains encrypted code of the form eval(anything) or any other type of encryption. If there is a function call of the form eval(), we can conclude that the invasion occurred because of malicious code hidden in your PHP files. Do not think that removing this one file will solve your problem, though: besides looking for PHP files that are not part of the system, you need to look inside each file for malicious code that may lie hidden in the script, usually encrypted inside eval(). If you see that your site contains improper or malicious PHP files that are not part of your website's system, then we can say that this was the security hole that allowed the invasion.
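The comparison described in step 4, as an added example that is not part of the original article and is not ESDS code: it hashes every PHP file in the renamed site folder against a clean copy of the same CMS version and reports only the extra or modified files, together with any eval()-style calls found in them. The list of function names beyond eval() and all file names in the demo are assumptions of this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Calls often used to wrap hidden code (this list is the example's own choice).
# A hit means "open the file and read it", not proof of infection.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def php_files(root):
    """Map relative path -> Path for every .php file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*.php") if p.is_file()}

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site_root, clean_root):
    """Return {path: (status, [suspicious calls])} for files that differ from the clean copy."""
    site, clean = php_files(site_root), php_files(clean_root)
    findings = {}
    for rel, path in sorted(site.items()):
        if rel not in clean:
            status = "extra"       # not part of the original system
        elif digest(path) != digest(clean[rel]):
            status = "modified"    # original file whose contents changed
        else:
            continue               # byte-identical to the official file
        calls = {m.group(1).decode().lower() for m in SUSPICIOUS.finditer(path.read_bytes())}
        findings[rel] = (status, sorted(calls))
    return findings

def demo():
    """Audit two tiny constructed trees; every file name and content here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "public_html_old")
        original = {"index.php": "<?php require 'lib/core.php';\n",
                    "lib/core.php": "<?php function run() { return 1; }\n"}
        hacked = dict(original)
        hacked["lib/core.php"] += "eval (base64_decode('PLACEHOLDER'));\n"  # injected line
        hacked["images/cache.php"] = "<?php EVAL(gzinflate('PLACEHOLDER'));\n"  # dropped file
        for root, files in ((clean, original), (site, hacked)):
            for rel, text in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(text)
        return audit(site, clean)

if __name__ == "__main__":
    for rel, (status, calls) in demo().items():
        print(f"{status:8} {rel}: {', '.join(calls) or 'no suspicious calls'}")
```

To use it on a real site, call audit() with the path of the downloaded backup and the path of an unpacked official copy of the same CMS version. It only looks at files whose names end in .php.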

I found no malicious code in my website, and now?

If you find no malicious code in your PHP files, everything indicates that the invasion occurred for other reasons: maybe an easy password, maybe your computer was infected by a virus or trojan, or maybe there is a security flaw in your own web site. In that case we recommend contacting a professional in the area of web security, or you can get help from our support team by opening a support request through the customer service center and asking for the aid of our developers and security experts. We put our professionals at your disposal to help you solve any problem, especially when it comes to security flaws. We always treat these problems with high priority, and you can count on us whenever needed.

I have identified that the type of invasion my site is suffering is by malicious code. How do I fix it?

To solve the problem you have two options. The first is to remove all of the web site's files from your FTP and do a fresh install of the system used on your web site, using system files downloaded from the official website of the developer and not from third-party sites. In particular, avoid using unknown modules, templates and plug-ins that are not downloaded from the official website, or, before using any third-party code or script, check it for malicious code hidden in its PHP files before uploading it to your hosting, following the four steps of verification and identification described earlier in this post. The second alternative is to remove all the malicious code that may be hidden in the PHP files, check which files were corrupted and restore them, always using source code downloaded directly from the official website, regardless of the platform.

How to prevent many invasions?

First, pay attention to which hosting provider will host your site: do not analyze prices and costs, analyze the quality and safety that the provider offers.

ESDS has several features to prevent this type of invasion. Most of our servers have, by default, additional security that prevents the execution of malicious code in your PHP scripts; you will hardly find this type of protection at other hosting providers. The simple fact that most malicious code cannot be executed on the ESDS servers is a big step in preventing invasions by malicious code, but even then you have to take some safety and prevention measures. Below you can find some tips and observations that will help you guard against any kind of invasion:

  • Take care of all your passwords, never use easy passwords, and be careful when typing your passwords on a computer that is unknown or likely to be infected by viruses or trojans.
  • Never use any script or system that is cracked (pirated); most of them come with hidden malicious code as a free gift.
  • Never download a script or system from a third-party site. Get to know the developer and download from the official website itself, or do not download at all and use the automatic installer for several ready-made scripts that ESDS offers in your hosting panel, which are constantly updated and 100% secure.
  • Before installing, configuring, or uploading your site to the hosting, double-check every PHP script, module and plugin: search for code of the form eval() or any other malicious code you know.
  • Set up per-IP blocks on the administrative folders of your web site; this prevents unauthorized users from accessing the administrative area of the site. To learn how to set up this block, please contact the support team via the ticket board or by email.
  • Never use the 777 permission on any folder or file.


After identifying the type of intrusion your site has suffered, make arrangements to resolve the security flaw and prevent new invasions from occurring. You can then rename the public_html_old folder back to its correct name, public_html, bringing your site back up and running for visitors again.

These are the basic tips for identifying and resolving an invasion by malicious code. We hope this post has helped you, but if not, feel free to ask technical support for assistance.

You can also use our MTvScan – Malware, Trojan, Vulnerability Scanner for Hassle free Vulnerability Removal.
