How do I use the free 20i Website Malware Scanner? 

Richard Chambers
Published: 21 May 2018
Share:

Overview

One of the major problems with malware is its persistence. This is why 20i’s free Website Malware Scanner makes daily scans of all the sites within your hosting account. It uses a combination of commercial and in-house tools and provides reports detailing identified malicious content and its location within your site files.

When malware is located on a site, PHP mail is automatically disabled. We do this to preserve sender reputation across the platform and ensure that any sites that are compromised do not send large volumes of spam emails.

A malware scan will only be triggered if a change is detected to the site files. If no change has been detected we won't run a new malware scan. 

As a reseller, you can offer this service to your customers free of charge by simply adding it to your Package Types, so they can use this feature in StackCP.

Note: when we refer to “signatures” in this guide, this is referring to the names given to each item of malicious code detected in a file.

 

Best practices when dealing with malware and infected files

  • Check the Malware Report produced by the malware scanner to identify if there are any infected files
  • Clean and remove the infected files from your webspace
  • Identify any vulnerabilities within the site and secure them

Taking regular backups means that you'll always have a restore point if you do find your site with compromised files. You can do this in My20i or automate the process with Timeline Backups

Checking the Malware Report

The Malware Scanner shows you a full list of sites that are currently infected within your account. To access this list: 

  • Login to My20i.
  • Select Malware Report.
  • If any of your sites are currently infected they will show up here.

It shows the package where the infection has been found, the time of the last scan and the number of infected files. To show a more detailed report, select View Report. You will now see the full list of infected files on the site. 

Note: Infections found marked in red indicate that the file could be a risk to the site.

We also have a yellow ‘warning’ state which shows that the signatures found are unlikely to pose a high risk to the site. For example log files, SQL files and .zip backups files. Essentially a yellow warning state is for ‘information only and won’t impact the sending of mail.

You can ensure that you're notified of any newly-discovered malware by checking the Receive Daily Email Alerts? box. An email will be sent to your primary 20i email address when brand new malware is found - you can also add additional email accounts to receive malware alerts through your Account Preferences, you may wish to create a dedicated mailbox to receive malware alerts.

Cleaning and removing infected files

In most cases, the best way to resolve an issue with malicious content is to remove the compromised files and replace them with versions from a known clean download. That is, download the software again and replace just the files that have been infected from the initial install.

If the files are not needed, then you could also just delete the files completely.

Sometimes an infected file will just have the attackers script 'injected' in the first or last line within a specific file. Sometimes this can be very obvious, in which case you could look to simply remove the malicious script. 

You’ll want to do this for all the files that have been found by the Malware Scanner.

Further actions you can take

Remove unnecessary or unused plugins and applications from the site. Doing this will not only reduce the number of potential vulnerabilities but also make general site 'housekeeping' simpler.

You should also make sure that any plugins you're using are always kept fully updated. Outdated software versions are much more likely to have security vulnerabilities - leading to compromised sites. 

Change passwords such as your database password and FTP password.

Note: Don’t forget to update any configuration files such as wp-config.php after making the changes. 

Rescanning the site

You can re-scan the site on demand. Once you believe you’ve removed the malware, head back to the Malware Scanner and select ‘Scan Again’.

If all infected files are removed, then PHP mail will automatically be re-enabled and there will be no infected files displayed. The scanner will continue to take daily scans of all your sites to ensure you’re always aware of any sites that have been compromised.