How to Remove Virus from Website

Your website has a virus and you are afraid of being banned from the search engines, as usually happens? Do you have access to the website files? It will come in handy if you can download the files from your website via FTP, or access it via SSH, and take a look at what your files look like now.

If you are doing this for the first time, make a backup copy first. This is mandatory, in case you break something while removing the virus from the website.

What is recommended in order to do the virus removal:

  • An FTP client like FileZilla or WinSCP
  • If you have SSH access to the website, you will need an SSH client; we recommend PuTTY
  • An advanced find-and-replace tool, if you decide to clean the files on your own machine and upload the cleaned files afterwards

I would recommend taking a look at the infection vector of the virus first. What exactly does the virus do? There are many types of viruses that infect websites; some just want to infect your visitors, others insert links, create fake pages, send spam, and so on.

The virus creators usually try to hide the code in the PHP files, typically by adding a lot of spaces at the start of the first line and writing the entire payload as one very long string of code. This is fine, because all the files can be found and the virus removed from them if you know what to look for.

If you have access to the website via SSH:

If you can compare two or more infected files and find a common piece of string, you can use the PuTTY SSH console to find that piece of code in all the files. All you need to do is log in to your website (using your credentials), go to where your website files are located and type the following command. Here we assume we have identified 64_decode in two or more infected files:

grep -rlisI '64_decode' .

This command returns the list of infected files on the machine (-r searches recursively, -l prints only file names, -i ignores case, -s hides permission errors and -I skips binary files). If you know what you are doing, you can start modifying those files manually, or build a more complex pipeline that replaces the entire code, the entire line, or even deletes the entire file.

For example, if the virus is hidden on the first line behind a lot of spaces and the whole string is found there, we can replace the entire line where “64_decode” is found using the following shell command:

grep -rlisIZ '64_decode' . | xargs -0 sed -i '1 s/^.*$/<?php/'

This replaces the first line of each file found with a plain <?php tag (-Z and -0 keep file names with spaces intact). Note that it rewrites line 1 of every matching file, so check that the match really is on the first line before running it.

It is also worth watching the most recently accessed files in real time, to see whether infected files are being hit or whether the infection vector can be determined from there. To do that, run the following Linux shell command (this assumes nginx; for Apache, find where your access.log is stored, or use the “locate access.log” command, and replace the path given to tail -f).

tail -f /var/log/nginx/access.log | sed -e '/POST/!d' -e '/" 200/!d'
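The find-and-replace step and the log filter above, as an added example written for this page (not the original post's commands): it only rewrites line 1 in files whose first line actually contains the token, keeps a .bak copy of every file it touches, and reads file names line by line instead of relying on word splitting. It assumes GNU grep and sed; the token "64_decode" and the demo files are constructed.

```shell
# List text files under directory $1 that contain token $2 (case-insensitive).
# Earlier .bak copies are skipped so a second run does not re-flag them.
find_infected() {
    grep -rlisI --exclude='*.bak' -- "$2" "$1"
}

# Replace line 1 with "<?php" in each hit, but only when line 1 itself holds
# the token; other hits are reported on stderr for manual review instead.
clean_first_line() {
    find_infected "$1" "$2" | while IFS= read -r f; do
        if head -n 1 "$f" | grep -qi -- "$2"; then
            cp "$f" "$f.bak"                 # backup before touching the file
            sed -i '1 s/^.*$/<?php/' "$f"
            echo "cleaned: $f"
        else
            echo "review manually (token not on line 1): $f" >&2
        fi
    done
}

# The post's log filter as a reusable function: keep only POST requests that
# were answered with HTTP 200, e.g.  tail -f access.log | post_200
post_200() {
    sed -e '/POST/!d' -e '/" 200/!d'
}

# Build a constructed demo tree and print its path: index.php has the injected
# call padded with spaces on line 1, lib.php uses the token legitimately on
# line 2, clean.php has nothing suspicious.
make_demo() {
    d=$(mktemp -d)
    printf '<?php                    eval(base64_decode("aGVsbG8="));\necho "hi";\n' > "$d/index.php"
    printf '<?php\n$x = base64_decode($y);\n' > "$d/lib.php"
    printf '<?php\necho "clean";\n' > "$d/clean.php"
    echo "$d"
}

# Usage (prints one "cleaned:" line and one "review manually" line):
#   demo=$(make_demo); clean_first_line "$demo" 64_decode
```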

If you don’t have SSH access to the infected server:

Well, the idea is the same: download the entire website with an FTP client, make a backup first, and start searching the downloaded directory with an advanced find-and-replace tool. Please make sure you understand what you are doing before changing any strings. When the files have been cleaned, upload the entire folder back to the server, or just the cleaned files. Take a look at your log files to see how the website got infected in the first place. Change all your access passwords, especially if your FTP password could be found in any configuration file on the website. This is important in order to avoid further infections in the future.

If you want to have your website cleaned by professionals, the price is $99.00 and the turnaround time is usually less than 8 hours. To do that, simply send an email to the following address, giving the website address, infection details and a phone number where you can be reached: