Removing viruses from a website: How to do it?

Author: halfhope

This article presents a step-by-step algorithm for removing viruses from an OpenCart-based website. This guide is best suited for technically skilled users who have a strong understanding of coding and can effectively utilize various tools to troubleshoot issues. Even if you are using another CMS or platform, the information provided here may still be useful.

From the Author

If you need help cleaning your website or server, contact me via Telegram (halfhope). I will provide you with details about the cost and timeline. The cleaning service includes a 1-year warranty.

Quick Algorithm

1. Create a backup of your website.
2. Download the backup.
3. Clean it on your local machine.
4. Change all possible passwords.
5. Delete the files and database from the server.
6. Upload the cleaned files and database back to the server.

If anything is missed, set up monitoring:

• Enable file change monitoring and logging.
• Any incidents will be recorded in logs for further analysis.

The recommended monitoring period is 3-4 weeks.

Detailed Description

Preparation

To download the site files and database to your local computer, the easiest way is to create a single zip archive. The image folder can be excluded since it contains images and no executable files. However, you should check it later before uploading the cleaned version of the site.

Use OpenServer/WAMP/LAMP/XAMPP or similar tools to create a new database and import the site’s database dump.

Extract the files into a folder that is convenient for your work.

Working with the Database

1. Locate the oc_user table and delete all users except the administrator. It is recommended to change the administrator username to protect the account from password guessing attempts.
2. Update the administrator password. Replace the current password in the oc_user table with the MD5 hash of the new password and clear the salt field.
3. Open the oc_modification table, which stores module modifiers. Check the modifier code for vulnerabilities, as some botnets since 2020 have used OpenCart modifiers for reverse shell connections.

Working with Files

1. Remove unnecessary elements: phpinfo, cache, logs, unused themes (except the default), languages, and modified files (e.g., system/storage/modification).
2. Check the files for malicious code. Use tools such as ai-bolit (Revisium), ShellDetector, LMD, antivirus software, and others.
3. Pay special attention to additional entry points through $_POST, $_GET, $_COOKIE, and hidden scripts.
4. Use tools like GIT, Beyond Compare, or WinMerge to compare current files with the original engine version for faster analysis.
5. Analyze server access logs to identify infected files.

Create a zip archive of the cleaned files.

Working on the Server

1. Add a stub with HTTP status code 503 (Service Unavailable) and restrict access by IP.
2. Change all passwords: control panel, database, FTP, and email accounts.
3. Delete the old database and import the cleaned version.
4. Remove all site files from the hosting server, except for the image folder and the stub. Delete all non-image files from the image folder.
5. Upload the cleaned files to the server and update passwords in the configuration files.
6. Access the admin panel and update the modifiers.
7. Set up additional HTTP authorization to protect the admin panel from brute-force attacks.
8. Enable query logging and set up file change monitoring using a PHP script.

Note that modern botnets can "hide" after file deletion. Extend the monitoring period to detect reinfections promptly.

General Recommendations

• Avoid using pirated software. Check the vendor’s legitimacy here.
• Use strong passwords or password generators.
• Avoid default usernames like "admin".
• Create separate accounts for contractors and disable them after their work is complete.
• Monitor file changes regularly.
• Make regular backups and test their validity.

For OpenCart

For OpenCart, I recommend the FSMonitor module, which tracks new, modified, and deleted files. It can be set up for automatic execution via Cron and send notifications about changes. You can also manually review files altered by contractors. Download the module here.