
I have a web server which is heavily infected by malware. That is, around 12 websites (outdated CMS) are infected by PHP shells and XSS. My websites are banned and are not accessible anymore. I have SSH access but I cannot run root commands.

Question: What are the ways by which I can check for shells on my web server without being able to connect directly to the websites and with only low-privilege SSH access?

NeoPI was helpful in finding some of them, which were checked manually.

ShellDetector gives a lot of false positives.

I am open to suggestions on clearing the malware.

KDEx
Sanidhay

1 Answer


Since you have no root access yourself I consider this compromise only restricted to your own account. Otherwise the owner of the server would probably have taken care of the issue already.

The best way is probably to nuke the site and set it up again, but only after checking how the attacker came in and making sure it is no longer possible.

The best way to check where exactly your server is compromised is to compare all data with a known good version. I don't know about your setup but it is common to develop the site on a local system and then mirror the data to the remote system. Thus it should be possible to compare both versions or to simply restore the site from your local copy. Note that you need to check also if files exist remotely which don't exist locally.

If instead you have done all the changes on the production system and do not have local copies then I'm very sorry for you since this effectively means that you have to look at all the files and see if they differ from what you remember. File modification times might be an indicator of a change but are not reliable since they can easily be set to other times (also older) without needing special privileges.

Additionally there might be changes to the database. If your web application dynamically creates HTML based on fragments in the database then you have to go through all records and look for anomalies.

If you have access to the log files of the server these are also a good source when looking for abnormal behavior, but it is up to you to know how your site works and what would then be considered abnormal.

And finally your site might be vulnerable to remote file inclusion attacks (RFI). In this case you will not find many traces on your local system, because the files used in the attack might reside on a remote system. Thus make sure your web application is secure. You should do this anyway because otherwise chances are high that you get compromised again fast.

Note that simply searching for known malware is not enough because even small modifications on existing malware will leave the malware working but you will not find it any more.

Steffen Ullrich
  • I am hosting my websites on a shared server. Is it the reason of no root access? – Sanidhay Nov 28 '15 at 09:18
  • @Sanidhay: There are several kinds of shared access. A virtual machine (VPS, KVM...) is shared too but you usually have root access too. In your case there are probably multiple users on the same OS, each restricted to a single account and maybe a database for this account. Having root access there would mean that you could affect all the other accounts on the system. – Steffen Ullrich Nov 28 '15 at 09:22
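As an added example (not part of the question or the answer above), the following Python script implements the comparison the answer recommends: hash every regular file in a known-good local copy and in the copy pulled from the server, then report files that were modified, files that exist only on the server, and files that went missing. It also flags modified files whose modification time still matches the known-good copy, which illustrates the answer's point that mtimes are not a reliable indicator. The directory layout, file names and contents in `build_demo` are constructed fixtures for the demonstration, not data from the page; in practice `compare_trees` would be pointed at your local copy and at a tree fetched from the server with `scp` or `rsync`, neither of which needs root.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped so a link cannot make us hash a file outside the tree.
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_trees(known_good, suspect):
    """Compare a known-good tree against a copy retrieved from the server."""
    good = hash_tree(known_good)
    live = hash_tree(suspect)
    report = {
        # Files present on the server but absent locally: candidates for dropped shells.
        "added": sorted(set(live) - set(good)),
        # Files the attacker (or a broken sync) removed.
        "missing": sorted(set(good) - set(live)),
        # Same path, different content.
        "modified": sorted(p for p in good if p in live and good[p] != live[p]),
        # Modified files whose mtime was left or reset to the original value.
        "modified_with_original_mtime": [],
    }
    for rel in report["modified"]:
        good_mtime = int(os.stat(Path(known_good, rel)).st_mtime)
        live_mtime = int(os.stat(Path(suspect, rel)).st_mtime)
        if good_mtime == live_mtime:
            report["modified_with_original_mtime"].append(rel)
    return report


def build_demo(base):
    """Constructed fixture: a known-good tree and a tampered server copy."""
    good = Path(base, "local_copy")
    live = Path(base, "server_copy")
    files = {  # constructed sample files, not a real CMS
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; }\n",
        "uploads/2015/photo.jpg": "JPEGDATA",
    }
    for root in (good, live):
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Tamper with one file on the "server" and reset its mtime to the original,
    # the way an attacker without special privileges can (touch -r).
    target = live / "wp-includes/functions.php"
    original = os.stat(good / "wp-includes/functions.php")
    target.write_text(files["wp-includes/functions.php"] + "<?php /* constructed placeholder for injected code */\n")
    os.utime(target, (original.st_atime, original.st_mtime))
    # A file that exists only on the server.
    (live / "uploads/2015/cache.php").write_text("<?php /* constructed placeholder */\n")
    return good, live


def run_demo():
    """Build the fixture in a temporary directory and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = build_demo(tmp)
        return compare_trees(good, live)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}:")
        for rel in paths:
            print(f"  {rel}")
```

Every file in the `added` list deserves a look regardless of its name or extension, and the `modified_with_original_mtime` list shows why a search based on `find -newer` alone would have missed the tampered file. Hashing the whole tree is also cheap enough to rerun after cleanup, which turns the known-good copy into a baseline for spotting a re-infection.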