Files are definitely or potentially infected with malware.
We recommend to have a (potentially) malware infected store checked by experienced developers or security companies.
When an online store is successfully attacked, the perpetrator often leaves behind their own files, which they use to add additional functionality to the store (e.g., leaking credit card data) or run other applications on your website or cluster (e.g., spam sending or phishing applications). Such files are called malware, abbreviated from the English "malicious software". These files often use typical patterns, either to enable their function themselves (e.g. WebShell code) or to make analysis more difficult as part of an obfuscation tactic.
In a malware scan, we check the files on your cluster for typical malware patterns and show you the files that have these patterns in the report.
Solution: Checking the files
In addition to restoring a clean state by removing the malware, we should also analyze how the malware infestation came about (e.g., by analyzing the accesses made to uncover the invasion vector) or what the consequences of the malicious program code were. If required, we can provide you with the names of companies that carry out a security check of the files and, if necessary, other areas of the cluster.
Malware can either be integrated into existing files or placed in its own, newly created files. This often involves complex program code whose function in your store may not be apparent at first glance. During testing, the program code is examined for this very function, and its behavior under various inputs and conditions is analyzed. For example, the unchecked passing of the contents of GET parameters to the PHP function
eval(), can lead to the execution of arbitrary PHP code with the corresponding file call.
- Suspicious files should be checked manually in any case. Typical malware patterns are not widespread in regular software, but they can occur.
- Do not call suspicious files directly in the browser, but check them with a plain text editor (e.g. nano or vim) on the server.
- Modified files should be restored from a clean backup or replaced with a redeployment of clean code. When using a version control system, a clean state is easy to find. However, malware can also be stored in a VCS repository or backup, so in each case it is important to verify that the file being restored is then malware-free.
- Files that contain only malware can often be deleted or moved from the application directory to disable the malware. However, in some cases, there are cross connections to modified files in your store system, so these should be cleaned up first.
If you would like to migrate your store to a completely clean system, we will be happy to provide you with an additional independent cluster. Contact our consulting department for the conditions and the necessary procedure.
Further recommendations for action
The most common cause of malware infestation observed by us is the operation of old software versions on a cluster. In addition to the store system itself, other applications (e.g. blog system or database administration) may be outdated and therefore have known security vulnerabilities. We therefore generally recommend the following behaviors:
- Install all security updates promptly. This includes those for plugins and for additional software.
- If necessary, separate particularly critical systems (store with customer data) from possibly not well maintained systems (development environment).
- Do not store backup files, database exports, log files, etc. in directories accessible from the web server. These files may contain information that can easily be used to attack your applications.
- Use strong passwords that you do not already use elsewhere.