How to Remove Malware from your Web Server

General Information

ID: INFO1269
Version: 6.0
Published: 01/23/2009
Updated: 06/08/2012

Description

Malicious code can be added to your Web pages or embedded in your Web server or database. This article will provide guidelines for removing malware that has been identified by Symantec’s malware scan.

As a Norton Secured Seal customer, you benefit from Symantec malware scans. We scan your Web site daily for malicious code that targets your Web site visitors’ (end users’) personal computers (PCs) with a type of malware called drive-by downloads.
 
If malware is found on any page within your Web site you will receive an email notification that your Norton Secured Seal has been turned off and the details of the malware found will be displayed on the Malware tab of your Symantec Trust Center account. If you have not already done so, sign in to your Symantec Trust Center account to see if malware has been found on your Web site.
 
How does Symantec determine if there is malicious code on my Web site?
 
Symantec’s malware scan follows the malicious code back to its source and identifies pages that are actively delivering malware to your end users’ PCs. This means that if a Web page on your Web site is identified to have malicious code, your Web site visitors are receiving malware on their PCs.
 
How do I remove malicious code from my Web site?
 
The method for removing the malware from your Web site depends on whether the malware is on your Web pages or injected into your database. Below are some general guidelines for removing the malicious code. If you are not familiar with how to edit your Web pages or database, consult an IT professional for further assistance.
 
When your Web site is infected with malware, it is very likely that one of the following has occurred:
  • the password to your Web server has been compromised. You need to change your password immediately to prevent future malware attacks.
  • there is a vulnerability in your database. You should consider having a vulnerability scan done on your database to prevent future injections of malicious code.
  • an advertisement (ad) being served to your site is delivering malicious code. You should contact the ad provider and ask them to validate that the ads they are serving you are free of malware.
 
Replace infected pages with a clean backed-up version: If you back up your Web pages regularly, and you believe you have a clean version of the Web pages, you can always replace your infected Web pages with the clean backed-up version.
 
Remove malicious code from infected Web pages manually: If you do not have a clean backup of your Web pages, then you can remove the malicious code from the infected Web pages. To do this, you will have to get the Web pages from your Web server; typically, you can use FTP software to do this. Open the page in an HTML editor, find the malicious code that was identified in the malware tab of the Symantec Trust Center, and delete the malicious code from your Web page. Then put the Web page back on your Web server. Do this for each page that is shown in the malware tab.
 
Remove malicious code from your database: If the same malicious code appears on multiple pages or you previously removed malicious code from your site and it reappears, then the malicious code most likely is residing in your database. To remove malicious code from your database, you will need to search for the malicious code string in character fields. Once you have found the malicious code string, you must delete it from your database. If you have Web pages that are infected, make sure to remove the malicious code from the pages as well.
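
The database search and cleanup described above, as an added example that is not part of the original article. It assumes SQLite as a stand-in for your site's database (other engines list their columns through their own catalog, such as information_schema.columns), and MARKER is a constructed placeholder for the string shown in the Malware requiring removal section.

```python
import sqlite3

# Constructed placeholder for the string shown under "Malware requiring removal".
MARKER = '<script src="http://malicious.example/x.js"></script>'

def q(name):
    """Quote an SQL identifier (table or column name)."""
    return '"' + name.replace('"', '""') + '"'

def text_columns(conn):
    """Return (table, column) for every character-typed column."""
    cols = []
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'").fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_ in conn.execute(f"PRAGMA table_info({q(table)})").fetchall():
            if any(t in (ctype or "").upper() for t in ("CHAR", "TEXT", "CLOB")):
                cols.append((table, col))
    return cols

def find_marker(conn, marker):
    """Return {(table, column): rows_containing_marker}."""
    hits = {}
    for table, col in text_columns(conn):
        sql = f"SELECT COUNT(*) FROM {q(table)} WHERE instr({q(col)}, ?) > 0"
        count = conn.execute(sql, (marker,)).fetchone()[0]
        if count:
            hits[(table, col)] = count
    return hits

def remove_marker(conn, marker):
    """Strip the marker from every affected field; return rows changed."""
    changed = 0
    for table, col in find_marker(conn, marker):
        sql = (f"UPDATE {q(table)} SET {q(col)} = replace({q(col)}, ?, '') "
               f"WHERE instr({q(col)}, ?) > 0")
        changed += conn.execute(sql, (marker, marker)).rowcount
    conn.commit()
    return changed

def demo():
    """Build a constructed in-memory database, then scan, clean and rescan it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(80), body TEXT);"
                       "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, text TEXT);")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)",
                     [("Welcome", "<p>Hello</p>" + MARKER), ("News", "<p>No news</p>")])
    conn.executemany("INSERT INTO comments (author, text) VALUES (?, ?)",
                     [("alice", "Nice" + MARKER), ("bob", MARKER), ("carol", "Clean")])
    return find_marker(conn, MARKER), remove_marker(conn, MARKER), find_marker(conn, MARKER)
```

Run find_marker on its own first to see which fields are affected, and back up the database before calling remove_marker.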
 
Ensure that all instances of malware are removed from your site: If malicious code is found on your site, there is an increased likelihood that additional hidden instances exist on your Web pages that are not actively delivering malware to your end users’ PCs. As a best practice, we highly recommend that you review your Web pages for any iframes that point to sites that you do not recognize or that appear suspicious to you.
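
One way to carry out the iframe review recommended above (an added example, not part of the original article). KNOWN_HOSTS and SAMPLE_PAGE are constructed assumptions; replace the host list with the third-party hosts you deliberately embed and feed in the pages downloaded from your Web server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site owner recognizes; anything else is reported for review.
KNOWN_HOSTS = {"www.example.com", "player.video-partner.example"}

# Constructed sample page: two legitimate iframes and two that need review.
SAMPLE_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="https://player.video-partner.example/embed/1" width="560" height="315"></iframe>
<iframe src="/widgets/cart.html"></iframe>
<iframe src="http://unrecognized.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<IFRAME SRC="//other-unknown.example/frame" width="300" height="200"></IFRAME>
</body></html>"""

class IframeAudit(HTMLParser):
    """Collect iframes whose src points at a host outside the known list."""

    def __init__(self, known_hosts):
        super().__init__()
        self.known = {h.lower() for h in known_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()
        if not host or host in self.known:
            return  # relative URL (same site) or a recognized host
        style = a.get("style", "").replace(" ", "").lower()
        # Frames sized to 0 or 1 pixel, or hidden by CSS, deserve a closer look.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        line, _col = self.getpos()
        self.findings.append({"line": line, "host": host, "src": src, "hidden": hidden})

def audit_html(html, known_hosts=KNOWN_HOSTS):
    """Return one finding per iframe that points at an unrecognized host."""
    parser = IframeAudit(known_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Each finding carries the line number in the page source, so the tag can be located in an HTML editor and compared with the code shown on the Malware tab.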
 
Where do I see what malicious code was found on my Web site?
 
1.      Sign in to your Symantec Trust Center account.
2.      On the Summary page, click the Show me my malware link to go to the Malware tab, where you can view details about the malware found on your Web site. (For easy reference, copy or print the page.)
3.      Select a page from the Page/Occurrences table to view the malicious code. The page that is infected is displayed in the Malware found on section. The malicious code that you need to remove is displayed in the Malware requiring removal section.
 
I have removed the malicious code from my site, what do I do next?
 
1.      Sign in to your Symantec Trust Center account.
2.      On the Summary page, click the Show me my malware link to go to the Malware tab.
3.      Click the I removed the malware button to initiate a rescan of your Web site. When the scan is complete, the results will be posted to your Symantec Trust Center account. If additional malware is found, you will receive an email notification and the information will be posted to your Symantec Trust Center account.
 
 
  
Other related articles:
iDefense Web Malware 101, section 3.3 Repairing the Damage (see attached file)

Attachment

iDefense_Section3.3.pdf