How to check a website for malware and viruses

If your site redirects visitors, shows spam popups, gets blacklisted, or loads suspicious scripts — you need a structured malware check. This guide covers external checks (what visitors and search engines see) and internal checks (files, database, users, logs).

This is especially important for websites on Shared Hosting. If you need more control for server-level scanning and hardening, a Linux VPS or Windows VPS on reliable VPS hosting can simplify security operations.

Common Signs of Infection

  • Redirects to unknown domains (especially from mobile devices).
  • Injected ads, casino/pharma spam pages, or hidden links.
  • Google warnings / browser “Deceptive site” alerts.
  • Unknown admin users in CMS.
  • Sudden traffic spikes or outgoing email spam.
  • New PHP files inside uploads/media directories.

Step 1 — External Check (What the Internet Sees)

External checks confirm whether the problem is visible to visitors and search engines, and whether your domain has been flagged. Use reputable online scanners to check:

  • URL reputation / blacklist status (search engine transparency tools).
  • Injected JavaScript, suspicious iframes, hidden redirects.
  • Loaded third-party resources (unknown domains in page source).

Tip: check your site from an incognito window and also from a mobile network — some infections use conditional redirects.
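One way to do the "page source" part of this step on your own machine, added here as an example and not taken from the original guide: parse the HTML your site returns, list every script, iframe, image and stylesheet host that is not on your allow-list, and flag hidden iframes, meta-refresh redirects and inline scripts with obfuscation markers. The HTML, the allow-list and the hostnames ending in .example are constructed for the demo; feed it the source you saved from an incognito window or a mobile connection (the conditional-redirect case in the tip above).

```python
# Added example: external check of a page's HTML source (stdlib only).
# SAMPLE_HTML, ALLOWED_HOSTS and the *.example hostnames are constructed
# for the demo and are not from the original guide.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load resources from (assumption for the demo).
ALLOWED_HOSTS = {"www.example.com", "example.com", "fonts.googleapis.com"}
# Markers that often appear in injected or obfuscated inline JavaScript.
SUSPICIOUS_JS = ("eval(", "unescape(", "atob(", "fromcharcode(", "document.write(")

class ResourceCollector(HTMLParser):
    """Collects loaded resources, hidden iframes, meta-refresh and inline scripts."""
    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, url) for script/iframe/img/link
        self.hidden_iframes = []
        self.meta_refresh = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img"):
            url = a.get("src")
        elif tag == "link":
            url = a.get("href")
        else:
            url = None
        if url:
            self.resources.append((tag, url))
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.hidden_iframes.append(url or "(no src)")
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
        if tag == "script" and not url:
            self._in_script = True      # inline script body follows

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data.strip())

def external_check(html, site_host, allowed_hosts=ALLOWED_HOSTS):
    """Return third-party hosts, hidden iframes, meta-refresh redirects and
    suspicious inline scripts found in the page source."""
    p = ResourceCollector()
    p.feed(html)
    third_party = set()
    for tag, url in p.resources:
        host = urlparse(url).hostname      # None for relative URLs like /app.js
        if host and host != site_host and host not in allowed_hosts:
            third_party.add((tag, host))
    suspicious_inline = [
        s[:60] for s in p.inline_scripts
        if any(m in s.lower() for m in SUSPICIOUS_JS) or len(s) > 2000
    ]
    return {
        "third_party": sorted(third_party),
        "hidden_iframes": p.hidden_iframes,
        "meta_refresh": p.meta_refresh,
        "suspicious_inline": suspicious_inline,
    }

# Constructed page source with one legitimate CDN, one unknown script host,
# a meta-refresh redirect, an obfuscated inline script and a 0x0 iframe.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/assets/app.js"></script>
<script src="https://cdn.unknown-stats.example/loader.js"></script>
<meta http-equiv="refresh" content="0;url=https://promo.unknown-pharma.example/">
<script>var _0x=eval(unescape('%64%6f'));</script>
</head><body>
<iframe src="https://ads.unknown-pharma.example/f" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for key, value in external_check(SAMPLE_HTML, "www.example.com").items():
        print(f"{key}: {value}")
```

The inline-script markers are deliberately noisy (legitimate minified bundles also call eval or atob), so treat that list as "read this next", not as proof of infection; the unknown hosts and hidden iframes are the stronger signals.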

Step 2 — Do a Safe Snapshot Before Cleaning

Before you delete anything, make a snapshot for rollback/forensics:

  • Download a full copy of site files.
  • Export the database.
  • Save a list of admin accounts and installed plugins/themes/modules.

On Shared Hosting, you can usually do this with the file manager and the database export tool in the control panel. If you have SSH access, use the command-line methods in Step 3 below.

Step 3 — Scan Site Files (Two Practical Paths)

Path A: No SSH (typical shared hosting)

  • Download site files locally and scan the archive with a trusted antivirus.
  • Review recently modified files in hosting file manager (sort by “modified date”).
  • Check .htaccess (or web.config) for suspicious redirects.
  • Inspect uploads/media folders for unexpected .php files.

Path B: With SSH (faster and more reliable)

These commands are typical for Linux-based hosting environments:

# 1) Find recently modified files (last 7 days)
find . -type f -mtime -7 -not -path "./cache/*" -not -path "./tmp/*" | head -n 200

# 2) Look for common obfuscation patterns in PHP
grep -R --line-number --binary-files=without-match -E "base64_decode\(|gzinflate\(|str_rot13\(|eval\(|preg_replace\(.*/e" . | head -n 200

# 3) Suspicious PHP files in uploads (WordPress example)
find ./wp-content/uploads -type f -name "*.php" | head -n 200

What to look for: long unreadable strings, hidden iframes, strange require/include calls to unknown paths, and PHP files in media folders.

Step 4 — Check the Database (Injections Often Live There)

Even if files look clean, injected spam/redirect code can be stored in DB fields (posts/options/settings). Typical targets:

  • CMS “options/settings” tables (site URL overrides, injected JS).
  • Content tables (hidden links inside posts/pages).
  • User tables (new admin users).

Example approach: search for suspicious domains or <script> tags inside content, compare the stored site URL options against the real address, and list every account with administrator rights. Use the database tool in your hosting panel, or run SQL queries directly if you have access.
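The queries behind that approach, added here as an example (not from the original guide) against a WordPress-style schema (wp_posts, wp_options, wp_users, wp_usermeta are the default WordPress table names; the rows, the expected site URL, the known-admin list and the .example hostnames are constructed for the demo). The queries use only LIKE, IN and a JOIN so they can be pasted into phpMyAdmin or the MySQL client with the same table names; the in-memory SQLite database exists only to make the example runnable offline.

```python
# Added example: Step 4 database checks as SQL. The schema and rows are a
# constructed stand-in (SQLite in memory) for a real CMS database.
import sqlite3

EXPECTED_SITE_URL = "https://www.example.com"   # assumption for the demo
KNOWN_ADMINS = {"owner"}                         # admin logins you recognise (demo)

SCHEMA = """
CREATE TABLE wp_options  (option_name TEXT, option_value TEXT);
CREATE TABLE wp_posts    (ID INTEGER, post_title TEXT, post_content TEXT);
CREATE TABLE wp_users    (ID INTEGER, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# Constructed rows: one overridden URL option, one injected script, one hidden
# spam link and one administrator account nobody created on purpose.
SAMPLE_ROWS = [
    ("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://www.example.com"),
        ("home", "https://promo.unknown-pharma.example"),
        ("blogname", "Example Shop"),
    ]),
    ("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello", "<p>Welcome to our shop.</p>"),
        (2, "Specials", "<p>Deals</p><script src='https://cdn.unknown-stats.example/l.js'></script>"),
        (3, "About", "<p>Us</p><a style='display:none' href='https://unknown-pharma.example/buy'>cheap pills</a>"),
    ]),
    ("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "owner", "2021-03-01 10:00:00"),
        (2, "wp-support-tmp", "2024-06-14 03:12:55"),
    ]),
    ("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]),
]

# Portable queries: LIKE is case-insensitive in SQLite and in MySQL's default collation.
QUERIES = {
    "script_or_iframe_in_content":
        "SELECT ID, post_title FROM wp_posts "
        "WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'",
    "hidden_links_in_content":
        "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%display:none%'",
    "url_options":
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')",
    "administrators":
        "SELECT u.ID, u.user_login, u.user_registered FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'",
}

def check_database(conn, expected_url=EXPECTED_SITE_URL, known_admins=KNOWN_ADMINS):
    """Run the queries and derive the two lists that need human review:
    URL options that do not match the real site, and unrecognised admins."""
    cur = conn.cursor()
    out = {name: cur.execute(sql).fetchall() for name, sql in QUERIES.items()}
    out["url_overrides"] = [(n, v) for n, v in out["url_options"]
                            if v.rstrip("/") != expected_url]
    out["unknown_admins"] = [row for row in out["administrators"]
                             if row[1] not in known_admins]
    return out

def demo_db():
    """Load the constructed rows into an in-memory database and check it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return check_database(conn)

if __name__ == "__main__":
    for key, value in demo_db().items():
        print(f"{key}: {value}")
```

The display:none check is only one heuristic for hidden links; a second pass searching post_content for the unknown hosts found in Step 1 is usually the fastest way to find every injected page.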

Step 5 — Identify the Entry Point (So It Doesn’t Come Back)

Cleaning without fixing the root cause often leads to reinfection within hours/days. Most common entry points:

  • Outdated CMS core, plugins/themes/modules.
  • Weak admin passwords or reused credentials.
  • Writable directories + PHP execution where it shouldn’t be allowed.
  • Compromised FTP/hosting panel credentials (often stolen by malware on a local PC).
  • Vulnerable forms/file uploads.

Step 6 — Cleaning Strategy (The Most Reliable Way)

  • Restore from a known clean backup (best option if you have one).
  • Update CMS core + plugins/themes immediately after restore.
  • Reset passwords: hosting panel, FTP/SFTP, DB user, CMS admins.
  • Remove unknown admin users and unused plugins/themes.
  • Harden permissions: files 644, directories 755 (as a typical baseline; hosting specifics may vary).

WordPress note: you can reinstall core files from a clean source while keeping wp-content. Still, you must scan wp-content carefully because that’s where most malware lives.

Step 7 — Hardening Checklist (After Cleanup)

  • Enable 2FA for hosting panel and CMS admin if available.
  • Limit admin access by IP where possible.
  • Disable PHP execution in uploads directories (if your environment allows it).
  • Set up automated backups and periodic malware scanning.
  • Monitor logs and file changes (simple “modified files” checks weekly).
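For the last two items (permission baseline from Step 6 and the weekly "modified files" check), here is an added example that is not part of the original guide: it records a SHA-256 and mode for every file into a JSON baseline right after cleanup, and on each later run reports added, removed and modified files plus anything more permissive than 644 for files or 755 for directories. The site tree and the simulated changes in demo_integrity() are constructed for the demo; on a real site store the baseline outside the web root so an attacker cannot edit it along with the files.

```python
# Added example: file-integrity baseline and permission check for the
# hardening checklist. The demo tree and the "changes" are constructed.
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def build_manifest(root):
    """SHA-256 and permission bits of every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(p.stat().st_mode),
            }
    return manifest

def diff_manifests(old, new):
    """Files that appeared, disappeared or changed content since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys()
                           if old[k]["sha256"] != new[k]["sha256"]),
    }

def loose_permissions(root, file_mode=0o644, dir_mode=0o755):
    """Paths with any permission bit set that the baseline does not allow
    (e.g. group/world-writable uploads directories)."""
    root = Path(root)
    loose = []
    for p in root.rglob("*"):
        mode = stat.S_IMODE(p.stat().st_mode)
        baseline = dir_mode if p.is_dir() else file_mode
        if mode & ~baseline:
            loose.append((p.relative_to(root).as_posix(), oct(mode)))
    return sorted(loose)

def demo_integrity():
    """Take a baseline of a clean constructed site, simulate a reinfection
    (edited index.php, new PHP file in uploads, widened permissions), and report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'clean';")
        (uploads / "a.jpg").write_bytes(b"jpegdata")
        for path, mode in ((root / "index.php", 0o644), (root / "wp-content", 0o755),
                           (uploads, 0o755), (uploads / "a.jpg", 0o644)):
            os.chmod(path, mode)
        baseline = json.dumps(build_manifest(root))   # would be saved outside the web root

        # Constructed changes standing in for a reinfection.
        with open(root / "index.php", "a") as f:
            f.write("\n<?php include 'wp-content/uploads/wp-cache.php';")
        (uploads / "wp-cache.php").write_text("<?php /* constructed dropper */")
        os.chmod(uploads / "wp-cache.php", 0o666)
        os.chmod(uploads, 0o777)

        report = diff_manifests(json.loads(baseline), build_manifest(root))
        report["loose_permissions"] = loose_permissions(root)
        return report

if __name__ == "__main__":
    for key, value in demo_integrity().items():
        print(f"{key}: {value}")
```

Run build_manifest() once after the cleanup in Step 6 and save the JSON; a weekly cron job that runs the diff and the permission check and mails the result is enough to catch the reinfection pattern described in Step 5 within days instead of after the next blacklisting.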

Conclusion

To check a website for malware, start with an external scan, then inspect files, database, users, and logs — and always identify the entry point to prevent reinfection. If you host sites on Shared Hosting, keep updates and credentials tight. For deeper control and server-level tooling, consider moving security-critical projects to a Linux VPS or Windows VPS on stable VPS hosting.
