Ask Sucuri: How Do You Find Website Backdoors?

  • July 11, 2018
How to Find Website Backdoors?

In a previous post, we have explained what website backdoors are and what they look like. Today, we want to focus on ways that we identify and remove backdoors to prevent reinfection.

Techniques to Find Backdoors

Finding a website backdoor is not an easy task because the main function of a backdoor is to keep it hidden from the website owner. However, at Sucuri we recommend the following techniques:

Whitelisting

We know what good files look like. One of the ways to identify a legitimate file is its checksum – a numerical signature of the file that can be compared to known good files.

For example, we can compare the individual website to the official core files of main content management systems (CMSs), like WordPress, Joomla, Magento, Drupal, and others. We also have the checksum for most plugins, modules, extensions, and themes.

Using this whitelisting technique, we can tell right away if any of the core files were modified or if a new one was added. This way, we can safely ignore the good files, which eliminates a significant part of the work.

Blacklisting

Sucuri has always been committed to research and progression. We maintain an evolving list with thousands of backdoors and their variations. If you’re interested, you can even browse the malware entries and malware signatures in our Labs Notes.

Blacklisting these malicious signatures blocks them from executing on client websites and makes sure that they are quickly detected.

Anomaly Checks

When a file is not in our whitelist of core files and not in our blacklist signatures of malicious files, we do our anomaly checks.

We analyze all the functions/variables and manually inspect them to see if they are backdoors. From there, we flag them for investigation if we can’t verify that the file is good. Our professional security analysts can investigate further in the case of a new or very complex backdoor.

When we find a new backdoor, we update our blacklists and correlation engines to catch them in the future. If after analyzing the functions and variables we find out that they are not harmful, we add them to our whitelist.

Prevention

You can take some actions to protect your website from the initial infection:

  • Keep all your software updated.
  • Keep an eye open for any kind of strange files on your server, especially files with typos.
  • Use strong and different passwords.
  • Use a Website Application Firewall that acts as an unseen virtual filter for potential hacks and attacks.
  • If you use WordPress, install the free Sucuri scanner to monitor and audit your site.

Tips to Cleaning a Compromised Website

If you are trying to clean a compromised site by yourself, we have some recommendations. First, replace all the files you can (core files, plugins, etc) with known good ones. Then manually analyze custom files that cannot be overwritten to ensure your website is clean.

It is critical that all backdoors are closed to successfully clean a hack, otherwise your site will be reinfected quickly.

We have written a guide to give you more instructions on how to clean a hacked website.

Conclusion

Finding a website backdoor can be very challenging. We combine whitelisting and blacklisting techniques with our own manual analysis to find all the backdoors in a website.

Sucuri is dedicated to providing solutions, whether you want to clean up a website yourself by following our free guides or have us do it for you.

Juliana Laraburu is Sucuri’s Marketing Content Manager who joined the company in 2015. Juliana’s main responsibilities include managing projects, keyword research, and drafting blog posts and landing pages. Her professional experience covers over five years of creating website security content. When Juliana isn’t working on Sucuri’s blog, you might find her traveling around the world or hanging out with her family. Connect with Juliana on Twitter.

Related Tags
Related Categories
You May Also Like