Ask Sucuri: How Do You Find Website Backdoors?

How to Find Website Backdoors?

In a previous post, we have explained what website backdoors are and what they look like. Today, we want to focus on ways that we identify and remove backdoors to prevent reinfection.

Techniques to Find Backdoors

Finding a website backdoor is not an easy task, because a backdoor's main purpose is to stay hidden from the website owner. However, at Sucuri we recommend the following techniques:

Whitelisting

We know what good files look like. One of the ways to identify a legitimate file is its checksum – a hash of the file's contents that can be compared against the checksums of known good files.

For example, we can compare a website's files against the official core files of the main content management systems (CMSs), like WordPress, Joomla, Magento, Drupal, and others. We also have the checksums for most plugins, modules, extensions, and themes.

Using this whitelisting technique, we can tell right away if any of the core files were modified or if a new one was added. This way, we can safely ignore the good files, which eliminates a significant part of the work.
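The whitelisting check described above, as an added example that is not Sucuri's own tooling: it hashes every file under a site root with SHA-256, compares the result against a known-good tree, and reports files that match (safe to skip), core files that were modified, files that are not in the whitelist at all (candidates for anomaly checks), and files that are missing. The "core" file names and contents in `demo()` are constructed stand-ins, not real CMS files.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large uploads stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return digests

def compare_to_whitelist(site, known_good):
    """Sort files into ok / modified / added (not in the whitelist) / missing."""
    report = {"ok": [], "modified": [], "added": [], "missing": []}
    for rel, digest in site.items():
        if rel not in known_good:
            report["added"].append(rel)      # unknown file: candidate for anomaly checks
        elif known_good[rel] != digest:
            report["modified"].append(rel)   # core file changed: inspect or replace
        else:
            report["ok"].append(rel)         # matches known-good: safe to skip
    report["missing"] = [rel for rel in known_good if rel not in site]
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed mini site vs. constructed known-good tree (not real CMS files)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, site = os.path.join(tmp, "good"), os.path.join(tmp, "site")
        core = {"index.php": b"<?php require 'wp-blog-header.php';\n",
                "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n"}
        for root in (good, site):
            os.makedirs(os.path.join(root, "wp-includes"))
            for rel, body in core.items():
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(body)
        with open(os.path.join(site, "index.php"), "ab") as f:
            f.write(b"// constructed modification\n")        # tampered core file
        with open(os.path.join(site, "wp-includes/extra.php"), "wb") as f:
            f.write(b"<?php // constructed unknown file\n")  # file outside the whitelist
        return compare_to_whitelist(hash_tree(site), hash_tree(good))

if __name__ == "__main__":
    print(demo())
```

In practice the known-good tree is the official release archive of the exact CMS, plugin and theme versions the site runs; a digest mismatch on a file the vendor never ships differently is what turns a whitelist miss into something worth inspecting.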

Blacklisting

Sucuri has always been committed to research and progression. We maintain an evolving list with thousands of backdoors and their variations. If you’re interested, you can even browse the malware entries and malware signatures in our Labs Notes.

Blacklisting these malicious signatures blocks them from executing on client websites and makes sure that they are quickly detected.

Anomaly Checks

When a file is not in our whitelist of core files and not in our blacklist signatures of malicious files, we do our anomaly checks.

We analyze all the functions/variables and manually inspect them to see if they are backdoors. From there, we flag them for investigation if we can’t verify that the file is good. Our professional security analysts can investigate further in the case of a new or very complex backdoor.

When we find a new backdoor, we update our blacklists and correlation engines to catch them in the future. If after analyzing the functions and variables we find out that they are not harmful, we add them to our whitelist.

Prevention

You can take some actions to protect your website from the initial infection:

Tips for Cleaning a Compromised Website

If you are trying to clean a compromised site by yourself, we have some recommendations. First, replace all the files you can (core files, plugins, etc.) with known good copies. Then manually analyze the custom files that cannot be overwritten to ensure your website is clean.

It is critical that all backdoors are closed to successfully clean a hack, otherwise your site will be reinfected quickly.

We have written a guide to give you more instructions on how to clean a hacked website.

Conclusion

Finding a website backdoor can be very challenging. We combine whitelisting and blacklisting techniques with our own manual analysis to find all the backdoors in a website.

Sucuri is dedicated to providing solutions, whether you want to clean up a website yourself by following our free guides or have us do it for you.
