From time to time your website will become vulnerable, usually because of outdated components.  If a hacker finds this on your site, he may install a 2nd or 3rd backdoor that will persist even after your website is updated and fixed.  This is why keeping your website constantly up to date is so important today.

Two common ways someone will take advantage of your website are:

Ad Placement

Ads will be placed in parts of your sites to generate revenue for the attacker.

The side effect can be google flagging your site as being “Hacked” in search results because you are serving malicious ads.  Potential customers will see Google’s warning and skip on the next site.

Email Marketing

Your server will send out unsolicited emails using your domain name as a way to gain trust. The recipient will see a legitimate looking link something like yourcompany.com/offer.php.

The victim, trusting yourcompany.com, will click the link and may be infected with malware themselves – all the while making it appear that YOU and your website have infected them.


While getting rid of these ads and links ASAP is important so as to not affect your Google Ranking or SEO, we need to make sure that we bock access from the attacker adding the links back in.  The following strategies help.

Look at recently modified files

This can quickly let you see any new or modified files on your system.  From a terminal on your server (SSH / Terminal emulator in WHM) run the following command to see all the modified files in the last week.

find -type f -mtime -7

Broaden your search

Look at the type of method used in those files to broaden your search with those type of terms. Common examples are:

Lines using base64_decode, GLOBALS, eval, etc… or encoded lines that look similar to:


Don’t forget to look in media and image folders

A lot of times you will have backdoor files named the same way as your images, but with a php extension.  You could use search command like this to speed up the work:

find ( -path '/img/' -or -path '/image/' -or -path '/upload/' ) -type f -iname ".php"

An additional search that will find single line malware files can be detected with:

find -type f -iname "*.php" ( -size -1k -and -size +0 ) -exec cat -v {} \; | egrep -i "POST|eval|chr|base64|strto"

Check your server settings

You will also want to check settings, like your .htaccess configuration files for new “mod_rewrite” commands, and generally propagate your search based on what you find.


No one can guarantee protection, but there are many ways to prevent most attacks and, more importantly, minimize the downtime and impact of an attack.

Based on your type of website, there will be a number of solutions. Generally if you are using WordPress or Joomla, a security extension can help prevent and alert you of troubles.

For my clients, the biggest asset is a backup strategy of having all system files stored offline, along with having a component that will email you just the database part of the backup daily.  This will mean that you can generally just restore a site, patch the vulnerability, and be back in action in as little as an hour.  Having a known clean and recent backup can save you the complicated step of trying to find any additional backdoors introduced in the attack.

If you are having trouble with your site, or are looking to minimize potential downtime, call Mike now at 902 593 0246, or send me a request on our contact form.