It has been stated very clearly under Google’s search quality guidelines: "Don’t create pages with malicious behavior, such as phishing or installing viruses, trojans, or other badware." Of course, what really happens today is that it is not you who is responsible for putting malware in your website; it is usually the result of successful hacking activity.
This tutorial will show you the most important ways of detecting the presence of malware in your website as early as possible. If malware is detected very early, it will not cause serious damage to both your websites and your visitors. Also, this tutorial is aimed at online entrepreneurs and website owners who are not technically inclined or do not have wide experience in online security.
Does Google find malware in your website?
Let’s start with the most important as well as the easiest approach. Google has the most effective tools for detecting malware in your website that result from hacking. First, follow these simple steps:
Step 1: Go to http://www.google.com/
Step 2: In the search box, type this (replace "yourdomain.com" with your specific domain name):
If you want Google to provide the maximum result of indexed pages (and you do), do not include "www" or your subdomain name in the query. Always use your domain name only. For example, my website is www.php-developer.org and I have a domain named blogs.php-developer.org as well as other sub-domains like tools.php-developer.org, or even an https version, and so on and so forth. You can check all of the indexed pages with only one command:
Step 3: When you press enter, Google will provide all the indexed pages in your website. However, it will show only 10 results per page (default). If you have thousands of indexed URLs, then this checking process might take a while. So to increase the number of results per page, click the "Advanced search" link besides "search" button. Under "Need more tools," change the "Results per page" from 10 to 100 and then press "Advanced search." Google should now display 100 results per page.
Also, at the bottom of the search results, click "repeat the search with the omitted results included" to display hidden results.
Step 4: Look for a result that is flagged with "This site may harm your computer." Google found malware hosted on that URL. Of course, if you get tired of looking for this phrase in each result separately, you can always select all (Control-A) and then Find (Control-F) the text "This site may harm your computer."
If you find one, then someone did break into your website and plant malware. Here is a sample screen shot of this result:
If you have a Google Webmaster Tools account, it is not necessary to use the previous method of detecting malware in your website. Instead, you can go directly to your Google Webmaster tools account.
Step 1: Sign in to your GWT (Google Webmaster Tools) account.
Step 2: Under Dashboard, click "Labs."
Step 3: Click "Malware details."
If you see the message "Google has not detected any malware on this site," then your website is fine.
One of the methods employed by hackers is to plant links in the site pointing to spammy websites selling Viagra, Cialis, or any malware domains. These spammy links are technically not malware. Since your site is not hosting malware, you can’t detect this kind of hacking with the methods discussed so far.
What you need is some way to scan all of your website’s external links. You can do this using Xenu Sleuth; read some tutorials here to get started. Your objective is to spot mysterious external links in the results. Of course, if you are the web master, you SHOULD know all the external links in your website going outside of your domains.
Using Xenu, you can spot mysterious external links and check them. If you are not the one adding those links, and you do not have an automatic link directory on your website, then a hacker can successfully get in and add links pointing to other domains.
Different hosting companies have similar ways of reporting server logs. A server log is the master list of those requesting information from the server. Usually, these come from a visitor requesting specific pages in your website. But sometimes these are hackers.
In Apache and IIS servers, these are called log files, and you can see which ones are accessing specific URLs in your website. Say for example that wp-admin pages (WordPress admin pages) are only accessible by a certain administrator (like you) at a certain, known IP address.
You can use your server logs to find other IP addresses accessing these restricted pages. If you find one, then someone did break into your admin pages. To do this, follow the simple steps below:
1. Log in to your hosting account.
2. Depending on your hosting control panel (it may differ and is not the same from one hosting company to another), look for "access and logs." If you have trouble finding this, you can read the hosting support FAQ or ask the hosting company.
3. Once you see the log, copy and paste it into an Excel file or OpenOffice Calc, in such a way that it looks like the screen shot below:
Finally, you can use spreadsheet manipulation to do two things. First, you can use it to filter you own IP address (exclude it from the analysis). Second, in the URLs, you can use it to filter for URLs containing the word "admin," since you want to know if there was a successful login from other IP addresses.
It should show a sample result like the one below:
The above log shows that there are hacking attempts detected at the specific IP addresses given in the log. Fortunately, all of them returned either a 404 (not found) or a 301 header status for those hacking attempts.
A successful hacking attempt may be detected if it returns 200 OK status, and you can trace (using server logs) that the hacker has been visiting other restricted pages in your domain.
1. Use the SSH protocol (not FTP) when logging in to your server. Consult your hosting support for details.
2. Enable logs in your server, especially for those admin pages. You can consult your hosting support on how to trace FTP/SSH logs, admin pages logs, etc.
3. Update your web software. Using the latest update will prevent hacking attacks employed previously.
4. Sanitize user input. Do not trust user input (especially on web forms or GET URL). This is an advanced method which requires knowledge of server side script validation using PHP or ASP/ASP.NET.
5. Use captcha. This will decrease the chances of a malware bot accessing sensitive parts of your domain.
6. Disable PHP functions which you do not need. For example, register globals, Fopen, etc. Consult your hosting support to disable these if you are not technically familiar.
7. Use strong passwords and have login/admin pages using SSL (secure http or HTTPS).
8. Do not store your passwords online (for example, in text documents).
9. Regularly scan your website for malware using Google or Xenu Sleuth.
10. Do not grant access to third parties which YOU do not trust.
11. Do not use default passwords generated by Cpanel or other web software. It is recommended that you change passwords every six months, or right away after a default installation.
12. Do not grant root (full) access to non-admin users of your domain. This is especially true for a database or FTP access.
14. Do not configure your web server if you are using dedicated hosting, particularly if you have no idea of how to secure your server. It is much better to consult with the hosting company to set this up.
15. Find a good and reputable web host. I have hosted a site before with a "not popular" free hosting service; their server got hacked (not my website, fortunately) and their website security got compromised. Established and reputable hosts perform much better in security.