How To Look For Malicious Code On Your Website Without Scanners

Modern malicious and hacker scripts differ significantly from those of 3-5 years ago. Authors of malicious code now combine obfuscation, encryption, decomposition into several components, external loading of the payload and similar tricks in order to evade scanners and antiviruses. As a result, the detection rate of malicious code by scanners and antiviruses has fallen dramatically.

What should be done to detect viruses and hacker scripts on a site more reliably? Run an automated scan first, and then follow it with a manual analysis.

First, let's look at what exactly to look for after a hack.

1. Hacker scripts. Most often, after a hack, the uploaded files are web shells, backdoors, loaders, scripts for spam mailings, phishing pages with their form handlers, doorways and hack-token files.

2. Injections in existing files. The second most common way of placing malicious and hacker code is injection. Mobile and search redirects can be injected into an existing .htaccess file, backdoors into php / perl scripts, and viral javascript fragments or redirects to third-party resources into .js and .html templates. Injections are also possible in media files, for example .jpg or. Such malicious code often consists of several components: the payload itself is stored in the EXIF header of a jpg file and is executed by a small control script whose code does not look suspicious to a scanner.

3. Injections in the database. The database is the third target for a hacker. Static inserts are possible here, which redirect visitors to third-party resources, "spy" on them, or infect the visitor's computer or mobile device through a drive-by attack (an attack using a hidden download). In addition, in many modern CMS (IPB, vBulletin, modx, etc.) the templating tools allow php code to be executed, and the templates themselves are stored in the database, so the php code of web shells and backdoors can be embedded directly into the database.

4. Injections in caching services. As a result of an incorrect or unsafe configuration of a caching service, for example memcached, injections into cached data are possible "on the fly". In some cases a hacker can inject malicious code into website pages without touching the site's own files at all.

5. Injections in server system components. If a hacker gains root access to the server, he can replace components of the web server or caching server with infected ones. Such a web server will, on the one hand, provide control over the server via control commands and, on the other hand, from time to time inject dynamic redirects and malicious code into website pages. As with an injection into a caching service, the site administrator will most likely not be able to detect the fact that the site is hacked, since all files and the database remain original. This variant is the hardest to clean up.

So, let's say that you have already checked the files on the hosting and the database dump with scanners, but they found nothing, and the viral redirect is still on the page or the mobile redirect still fires when pages are opened. How do you look further?
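The hiding places listed above can be turned into a first-pass triage script to run before the manual search. The following Python script is an added example, not code from the original post: it walks a site's document root and flags files matching a few constructed signatures for each category (obfuscated PHP in scripts, PHP tags inside image bytes, user-agent-conditioned redirects in .htaccess); the sample paths and contents embedded for an offline run are invented.

```python
import os
import re
# Added triage rules for the hiding places named in the post (constructed, not exhaustive):
# obfuscated PHP in scripts, PHP tags inside image bytes, conditional redirects in .htaccess.
RULES = {
    ".php": [
        (re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
         "eval of decoded payload"),
        (re.compile(rb"exif_read_data\s*\("), "reads EXIF data (possible loader stub)"),
    ],
    ".jpg": [(re.compile(rb"<\?php|eval\s*\("), "PHP code inside image bytes")],
    ".htaccess": [
        (re.compile(rb"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(?:android|iphone|mobile)", re.I),
         "user-agent based rewrite condition"),
        (re.compile(rb"RewriteRule\s.*\shttps?://", re.I), "rewrite to external URL"),
    ],
}

def scan_bytes(name, data):
    """Return the labels of every rule that matches this file's raw bytes."""
    base = os.path.basename(name)
    ext = ".htaccess" if base == ".htaccess" else os.path.splitext(base)[1].lower()
    return [label for rx, label in RULES.get(ext.replace(".jpeg", ".jpg"), []) if rx.search(data)]

def scan_tree(root):
    """Walk a site's document root; map each file that has hits to its labels."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                hits = scan_bytes(path, fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed sample files so the script also runs offline; paths and contents are invented.
SAMPLES = {
    "wp-content/uploads/logo.jpg": b"\xff\xd8\xff\xe1\x00\x40Exif\x00\x00<?php /* payload */ ?>",
    "wp-content/uploads/load.php": b"<?php $meta = exif_read_data('logo.jpg');",
    "wp-content/themes/t/functions.php": b"<?php eval(base64_decode('aGk='));",
    ".htaccess": (b"RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
                  b"RewriteRule ^(.*)$ http://example.invalid/ [R=302,L]\n"),
    "index.php": b"<?php require 'wp-blog-header.php';",
}

def scan_samples():
    """Run the rules over the constructed samples; real sites use scan_tree('/path/to/docroot')."""
    return {n: scan_bytes(n, d) for n, d in SAMPLES.items() if scan_bytes(n, d)}
```

Hits are triage leads to inspect by hand, not verdicts; a theme that legitimately calls exif_read_data() will show up too.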

Manual search
