
Ask Sucuri: How Do You Find Website Backdoors?

July 11, 2018, by Juliana Lewis


In a previous post, we explained what website backdoors are and what they look like. Today, we want to focus on the ways we identify and remove backdoors to prevent reinfection.

Techniques to Find Backdoors

Finding a website backdoor is not an easy task because a backdoor is built to stay hidden from the website owner. However, at Sucuri we recommend the following techniques:

Whitelisting

We know what good files look like. One of the ways to identify a legitimate file is its checksum – a numerical signature of the file that can be compared to known good files.

For example, we can compare an individual website's files to the official core files of the main content management systems (CMSs), like WordPress, Joomla, Magento, Drupal, and others. We also have the checksums for most plugins, modules, extensions, and themes.

Using this whitelisting technique, we can tell right away if any of the core files were modified or if a new one was added. This way, we can safely ignore the good files, which eliminates a significant part of the work.
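The checksum comparison described above can be sketched as follows. This is an added example, not Sucuri's code: SHA-256 as the checksum, the function names, and the two sample directory trees are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file in a known-good copy."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_manifest(site_root: Path, manifest: dict) -> dict:
    """Classify live files: ok (safe to ignore), modified, added, missing."""
    report = {"ok": [], "modified": [], "added": [], "missing": []}
    seen = set()
    for p in sorted(site_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(site_root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["added"].append(rel)        # not part of the release
        elif sha256_file(p) == manifest[rel]:
            report["ok"].append(rel)           # checksum matches known-good
        else:
            report["modified"].append(rel)     # same path, different content
    report["missing"] = sorted(set(manifest) - seen)
    return report

def demo() -> dict:
    """Constructed sample: a clean 'release' tree and a tampered 'live' tree."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "release"), Path(tmp, "live")
        for root in (good, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'includes/load.php';\n")
            (root / "includes/load.php").write_text("<?php // loader\n")
        # Tampering: one core file altered, one look-alike file dropped in.
        (live / "includes/load.php").write_text("<?php // loader\n// injected\n")
        (live / "includes/laod.php").write_text("<?php // not in the release\n")
        return compare_to_manifest(live, build_manifest(good))

if __name__ == "__main__":
    print(demo())
```

Only the `modified` and `added` entries need further inspection; everything under `ok` can be set aside.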

Blacklisting

Sucuri has always been committed to research and progression. We maintain an evolving list with thousands of backdoors and their variations. If you’re interested, you can even browse the malware entries and malware signatures in our Labs Notes.

Blacklisting these malicious signatures blocks them from executing on client websites and makes sure that they are quickly detected.

Anomaly Checks

When a file is neither in our whitelist of core files nor in our blacklist of malicious signatures, we run our anomaly checks.

We analyze all the functions/variables and manually inspect them to see if they are backdoors. From there, we flag them for investigation if we can’t verify that the file is good. Our professional security analysts can investigate further in the case of a new or very complex backdoor.

When we find a new backdoor, we update our blacklists and correlation engines to catch it in the future. If, after analyzing the functions and variables, we find that they are not harmful, we add them to our whitelist.
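The order of the three techniques (whitelist, then blacklist, then anomaly checks) can be sketched as a small triage function. This is an added example, not Sucuri's engine: the signature, the list of suspicious calls, the thresholds, and the sample files are all constructed for illustration.

```python
import re

# Constructed example signature, not one of Sucuri's: name -> regex over file text.
SIGNATURES = {
    "eval-of-decoded-string": re.compile(
        r"eval\s*\(\s*(?:gzinflate|base64_decode|str_rot13)\s*\(", re.I),
}
# Assumed list of PHP calls that earn an unknown file a closer manual look.
SUSPICIOUS_CALLS = ("eval", "assert", "base64_decode", "gzinflate", "str_rot13",
                    "create_function", "system", "shell_exec")
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long encoded-looking string

def triage(rel_path, text, whitelisted):
    """Return (verdict, reasons): whitelist first, then blacklist, then anomalies."""
    if rel_path in whitelisted:
        return ("whitelisted", [])
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(text))
    if hits:
        return ("blacklisted", hits)
    reasons = []
    calls = sorted(c for c in SUSPICIOUS_CALLS
                   if re.search(r"\b" + c + r"\s*\(", text, re.I))
    if calls:
        reasons.append("calls: " + ", ".join(calls))
    if LONG_BLOB.search(text):
        reasons.append("long encoded string")
    if any(len(line) > 1000 for line in text.splitlines()):
        reasons.append("very long line")
    # Unknown files always go to an analyst; the reasons only set priority.
    return ("review", reasons)

def demo():
    """Constructed sample files; 'whitelisted' holds paths whose checksum matched."""
    files = {
        "index.php": "<?php require 'includes/load.php';",
        "uploads/cache.php": '<?php $p = "' + "QUJD" * 60
                             + '"; eval(gzinflate(base64_decode($p)));',
        "custom/export.php":
            "<?php $data = base64_decode($row['blob']); echo strlen($data);",
        "custom/contact.php": "<?php echo htmlspecialchars($name);",
    }
    return {path: triage(path, text, {"index.php"}) for path, text in files.items()}

if __name__ == "__main__":
    for path, (verdict, reasons) in demo().items():
        print(f"{path:20} {verdict:12} {'; '.join(reasons)}")
```

A `review` verdict with reasons is a lead, not a conclusion: `custom/export.php` may well be legitimate, and once an analyst confirms that, its checksum belongs in the whitelist.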

Prevention

You can take some actions to protect your website from the initial infection:

  • Keep all your software updated.
  • Keep an eye open for any kind of strange files on your server, especially files with typos.
  • Use strong and different passwords.
  • Use a Website Application Firewall that acts as an unseen virtual filter for potential hacks and attacks.
  • If you use WordPress, install the free Sucuri scanner to monitor and audit your site.

Tips for Cleaning a Compromised Website

If you are trying to clean a compromised site by yourself, we have some recommendations. First, replace all the files you can (core files, plugins, etc.) with known good ones. Then manually analyze custom files that cannot be overwritten to ensure your website is clean.

It is critical that all backdoors are closed to successfully clean a hack; otherwise, your site will be reinfected quickly.

We have written a guide to give you more instructions on how to clean a hacked website.

Conclusion

Finding a website backdoor can be very challenging. We combine whitelisting and blacklisting techniques with our own manual analysis to find all the backdoors in a website.

Sucuri is dedicated to providing solutions, whether you want to clean up a website yourself by following our free guides or have us do it for you.


Categories: Security Education, Website Malware Infections, Website Security
Tags: Black Hat Tactics, Hacked Websites, Malware Cleanup, Website Backdoor

About Juliana Lewis

Juliana Laraburu is Sucuri’s Marketing Content Manager who joined the company in 2015. Juliana’s main responsibilities include managing projects, keyword research, and drafting blog posts and landing pages. Her professional experience covers over five years of creating website security content. When Juliana isn’t working on Sucuri’s blog, you might find her traveling around the world or hanging out with her family. Connect with Juliana on Twitter.
