
How to remove badware from my website?


sashavalentina


My website has recently been attacked by badware and my SSL certificate has been revoked by Sectigo. I already tried the method suggested in https://www.stopbadware.org/badware.
I found out that malicious files had been added to my server, which caused my website to fail to load. On another occasion I noticed that all my files on the server had been deleted.
I removed the malicious code added to my server and also did a review in Google Search Console. No security issues were found on my websites that Google Search Console reviewed. Furthermore, I also used the virus scanner provided on my server to check whether there were any virus files I had overlooked. But no luck: my SSL certificate has been revoked by Sectigo again due to phishing detected on my website.

What other steps could I take to solve this hacking problem that is occurring on my website? It has been bugging me for a long time, and I know an SSL certificate is so important to a website. What can I do about it? Any help will be appreciated. Thanks!


How should I know? It's your website, not mine.

You have to perform some forensic work to find out exactly what happened and when, then track that down to the flaw in your application/webserver/whatever, then address the flaw.

Here, I think the most likely problem is an unvalidated upload of PHP code. So look for files that don't belong on the server.


2 weeks later...

You have to realize that your server has probably been compromised to the point that you need to reinstall the operating system and services and have your application and database restored from a backup/source control. It's not always the case, but at the point that the exploit is installing files on your server, that frequently means that they are able to get enough access to install rootkits, password sniffers, and software that turns your server into a node on a botnet they can use to send spam, host secret FTP servers, and do other things that steal your resources.

We also don't know what you are running. For example, popular CMSs like WordPress or forums routinely have bugs that can be exploited repeatedly until the bugs are patched with the most current version. Many of these applications have plugins, and sometimes the plugins open these security holes. If you have a custom coded website, there might be versions of services you are running which have exploits. There are many different attack vectors, and if you restore everything, it is highly probable you will just be compromised again. You need some real forensics to have even a hope of figuring out what happened and how you might figure that out, and if you are lucky, you might have logs that contain telltale signatures which point out what happened, and/or you might have a database that has had data and configuration information changed when the site was hacked.

You did not tell us what OS you are running, or much else about your site that would help us guide you. So when you state that you "removed" malicious things and did a virus scan, that doesn't tell us much. For example, if we knew that you were running some distro of Linux with a particular package manager, there are some things built into those that might help you determine if files and packages were changed, but you need some pretty good sysadmin skills to attack a problem like that. Again, we don't have anything to go on other than the minimal story of what happened to you.

For what it is worth, it sucks to have this type of thing happen to you, but you are certainly not alone, although I'm sure that doesn't make you feel better. If you have more information you want to provide, we might be able to suggest other things you could do. Unfortunately these types of things are like puzzles, and there often aren't easy fixes where you can run a program to make things good again.

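An added example, not code from the thread or any poster, illustrating the triage the two replies describe: looking for files that "don't belong" (server-side code that has landed in an upload directory), listing what changed recently to line up against logs, and checking the webroot against a hash manifest taken from a known-good state (the same idea as the package-manager verification mentioned above, applied to application files a package manager does not cover). It assumes POSIX sh with GNU coreutils (find, sort, comm, sha256sum); all paths are placeholders and the sample site it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Three defender-side triage checks over a
# webroot: PHP that has landed in an upload directory, files changed recently,
# and files that differ from a hash manifest taken while the site was clean.
# Assumes POSIX sh + GNU coreutils (find, sort, comm, sha256sum); paths are placeholders.

# Server-side code sitting where only uploads belong is the classic sign of an
# unvalidated upload, the flaw suggested in the thread.
find_php_in_uploads() {
    find "$1" -type f \( -path '*/uploads/*' -o -path '*/upload/*' \) \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Everything modified within the last N days: a quick "what changed" view to
# line up against access logs from the same window.
find_recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# Snapshot: sha256 of every file, paths relative to the webroot. Take this from
# a trusted state (fresh install or source control), not from the live server.
build_manifest() {
    ( cd "$1" && find . -type f | sort | xargs sha256sum ) > "$2"
}

# Compare the live tree to the snapshot: "modified" = hash mismatch or missing,
# "new" = present on disk but absent from the manifest.
verify_manifest() {
    webroot="$1"; manifest="$2"; tmp="${TMPDIR:-/tmp}/verify.$$"
    ( cd "$webroot" && sha256sum -c --quiet "$manifest" 2>/dev/null \
        | sed 's/^/modified: /' )
    sed 's/^[0-9a-f]\{64\}  //' "$manifest" | sort > "$tmp.known"
    ( cd "$webroot" && find . -type f | sort ) > "$tmp.now"
    comm -13 "$tmp.known" "$tmp.now" | sed 's/^/new: /'
    rm -f "$tmp.known" "$tmp.now"
}

# Constructed sample: a tiny clean site is snapshotted, then "compromised" with
# an inert placeholder PHP file in uploads/ and an altered index.php.
build_sample_site() {
    site="$1"
    mkdir -p "$site/uploads" "$site/inc"
    echo '<?php echo "hello"; ?>' > "$site/index.php"
    echo '<?php /* config */ ?>' > "$site/inc/config.php"
    printf 'GIF89a\n' > "$site/uploads/avatar.gif"
    build_manifest "$site" "$site.manifest"
    echo '<?php /* placeholder: file that does not belong */ ?>' > "$site/uploads/dropped.php"
    echo '<?php /* altered after snapshot */ ?>' >> "$site/index.php"
}
```

Run `build_sample_site /tmp/site && verify_manifest /tmp/site /tmp/site.manifest` to see the modified and new entries; on a real host the manifest must come from a clean install or source control, since one taken from an already compromised tree would bless the attacker's files.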
