How to Find and Remove Website Backdoors

Astra Security
Published Apr 18, 2019 · 5 min read

When a site gets hacked, it is rare that the attacker has not left behind some malware that lets them get back into the website later. Malicious code that is deliberately planted on a website with the intention of further exploitation is known as a "website backdoor". Website backdoors essentially serve as an entry gate through which an attacker can exploit the site again and again.

In practice, a backdoor can also be created by a developer as a legitimate way to get access to the website. However, irrespective of who creates it (a developer or a hacker), a backdoor is always a risk to the website's security.

How to Detect Website Backdoors?

Detecting website backdoors is usually no easy task, as backdoors are very cleverly disguised among the legitimate files and database contents. In fact, detecting a backdoor on a website is a hard nut to crack because most backdoors are easily mistaken for legitimate code, and that is exactly how they escape attention.

Diving deeper, let us look at the kinds of backdoors that are actually out there. Broadly, backdoors can be classified into the following categories:

Complex, Multiple-liner Backdoors

Website backdoors consisting of several lines of code can be termed big and complex. A very apt example of this would be this code snippet, which lets an attacker run

An example of filesman

Simple, One-liner Backdoors

One-line snippets that use only basic commands can be called simple backdoors. An example of this would be this piece of code, with which a hacker runs a command on the website's server.

CMS Specific Backdoor

As we have seen in recent events, PHP-based CMSes are hot targets for cyber attacks and backdoor insertion. For instance, this piece of code is a classic example of how a hacker downloads the contents of a text file and writes it to /wp-includes/class.wp.php.

How to Remove Backdoors From the Website?

After you have cleaned the malware from a website and done the necessary post-hack rituals, the step most often forgotten is finding and removing the website backdoors. Only cleaning your website of malware is not sufficient, as malware infections have a tendency to reinfect. Removing the backdoors ensures that all the possible doors for an attacker are sealed.


Following are a few techniques to remove backdoors from your website:

Whitelisting: Checking with good files

Checking all your files (core, plugin and theme files alike) against the known-good copies in your backup store will serve the purpose. These authentic files have a numerical fingerprint, also known as a checksum, which can be compared against the checksum of the current file.

In addition, every CMS (WordPress, Drupal, Magento, OpenCart, etc.) also ships its own set of core files. You can check your current files against these as well to find out whether there have been any modifications or any unfamiliar additions to your core files.

Blacklisting: Blocking known bad codes

Hundreds of common website backdoors have already been identified. Blacklisting them in advance solves half of the problem, since it blocks attempts to insert those known backdoors on your website. Lists of these known backdoors are easily available online.

Unfamiliar Files: Scan for alien files

If a code snippet or a file has slipped past the above two techniques, the functions and commands in it have to be checked manually. If they are legitimate, they can be approved; if they do not match the originals, they should be removed.
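The checksum comparison described under Whitelisting above, which also surfaces the unfamiliar files this section asks you to review, as an added example that is not part of the original article. It builds a SHA-256 manifest of a known-good copy and of the live site, then reports modified, added and missing files; the directory names and file contents in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Checksum a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256 checksum."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_manifests(baseline, current):
    """Report files whose checksum changed, files not in the clean copy, and files that vanished."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(f for f in current if f not in baseline)      # candidates for manual review
    missing = sorted(f for f in baseline if f not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed sample: a clean backup versus a live copy with one edited core file and one alien file."""
    backup, live = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for d in (backup, live):
        (d / "wp-includes").mkdir()
        (d / "wp-includes" / "functions.php").write_text("<?php // core file\n")
        (d / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    # Simulated tampering in the live copy (sample content only, not real backdoor code).
    (live / "wp-includes" / "functions.php").write_text("<?php // core file\n// unexpected edit\n")
    (live / "wp-includes" / "class.wp.php").write_text("<?php // file absent from the clean copy\n")
    return compare_manifests(build_manifest(backup), build_manifest(live))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In a real clean-up the baseline manifest would come from your backup or from the CMS vendor's pristine release, and every path listed under "added" or "modified" is exactly the set that needs the manual review described above.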

If you run into problems with the manual audit, Astra is happy to help: engineers at Astra will do a thorough audit of the files for you. You can take an Astra demo here!

How to prevent backdoors from coming back?

Phew! You have successfully removed the backdoor from your website. But what can you do to keep it from coming back? Here are some tips that will go a long way in protecting you from reinfection:

  • After the hack removal process, update to the latest versions of plugins, themes, and extensions.
  • Reset your passwords, and make sure to use only strong ones.
  • Add an extra layer of protection to your website by using a Website Firewall.
  • A Malware Scanner is also a great way to have your site checked regularly for any irregularities.
  • Update your software.

Conclusion

Backdoors can be an indication or a symptom of a much bigger problem on your website, such as a hack that redirects visitors to spammy pages. It could also be that your website is being used as a host for these attacks, which is why the attacker wants to retain access.

You now know what a backdoor is, how to find and remove it, and how to prevent it from coming back. Still, you need to make sure that no network of cyber attacks is being promoted through your website. If you are worried about how to remove malware from your website, drop us a message in the chat widget and we will be happy to help.
