What is ImunifyAV+ and what should you do if your hosting is infected by malicious files?

ImunifyAV+ is antivirus software that scans your hosting and helps clean your websites of any malicious files that may appear.

ImunifyAV+ works with any HTML-based or PHP-based (WordPress, Joomla, Drupal) website and notifies you of every potential problem that occurs on the hosting.

Your website will be constantly scanned, and you will get an email notification if any malicious file is found. If you have a technical expert who takes care of your website, report the issue to them immediately. If not, you can contact our web team to get a detailed offer from us.

 

What should you do in case malicious files appear on your hosting?

If you get an email notification that your hosting is infected by malicious files, you need to clean them up. To start this process, log in to your cPanel and go to Security > ImunifyAV.

After you click on ImunifyAV, you will see a list of files which are detected as malicious. Then, check if ImunifyAV+ has automatically cleaned these files up.

 

Files with the status ‘Infected’ or ‘Detected as malicious’ have not been removed, so select ‘Clean up file’ in the ‘Actions’ column to remove them. To finish faster, you can clean all the files with one click by choosing the option ‘Clean up All’.

If this action is successful, you will soon get ‘Cleaned’ status for those files.

 

What is next if ImunifyAV+ does not clean the malicious files?

Most of the time, with the option ‘Clean up file’, ImunifyAV+ will manage to remove the malicious code. However, sometimes it can happen that the malicious code stays intact. If that happens, you can contact our web team, or you can try to clean those files up yourself.

You can go to File Manager in cPanel, open the file which could not be cleaned, inspect the code, and remove the part which is malicious. Usually, the malicious code is easy to detect, because it is obfuscated (encoded), unlike the regular code on the website.

An example of what malicious code looks like:


The most common way hackers obfuscate malicious code is: eval(base64_decode('...[seemingly random string]...')). However, there are other variants, such as:

eval(gzinflate(base64_decode('...')));
eval(gzuncompress(base64_decode('...')));
eval(gzinflate(str_rot13(base64_decode('...'))));

Check whether the file contains any of these patterns. If you find any of them, you can be sure that this is malicious code, which should be removed immediately.
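
To run the check above across a whole site instead of opening files one by one, the Python script below (an added example, not part of the original article or of ImunifyAV+) flags eval() wrapped around any chain of the four decoder functions listed above, including variants with different letter case or extra spaces. The function names, the sample text and the scanned path are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Decoder functions from the patterns listed above.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")

# eval( followed by one or more nested decoder calls and then a string literal.
# PHP function names are case-insensitive and whitespace is allowed before "(".
CHAIN_RE = re.compile(
    r"\beval\s*\(\s*((?:(?:%s)\s*\(\s*)+)['\"]" % "|".join(DECODERS),
    re.IGNORECASE,
)

def find_obfuscated_eval(source):
    """Return a list of (line_number, [decoder, ...]) for each match in source."""
    hits = []
    for match in CHAIN_RE.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        chain = [name.lower() for name in re.findall(r"\w+", match.group(1))]
        hits.append((line_no, chain))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        hits = find_obfuscated_eval(text)
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample input (the encoded strings are harmless placeholders).
SAMPLE = """<?php
echo base64_decode($row['avatar']);   // ordinary use, no eval: not flagged
eval(base64_decode('AAAA'));
EVAL ( gzinflate( str_rot13( base64_decode("BBBB"))));
"""

if __name__ == "__main__":
    # Usage (the path is an assumption): python3 scan.py ~/public_html
    demo = {"SAMPLE": find_obfuscated_eval(SAMPLE)}
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo
    for name, hits in results.items():
        for line_no, chain in hits:
            print(f"{name}:{line_no}: eval({'('.join(chain)}(...")
```

The script only reports the file and line of each match; removing the code is still done by hand in File Manager as described above.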

 

How can you prevent the appearance of malicious files?

 

  • Install a Web Application Firewall (WAF) and avoid changing the firewall configuration

A Web Application Firewall (WAF) helps protect your website or web application by filtering and monitoring the traffic between your website and the network. A WAF usually prevents attacks like cross-site request forgery, cross-site scripting (XSS), SQL injection, etc.

Depending on which technology is used (Laravel, Symfony, or a CMS like WordPress, Joomla, Drupal, etc.), there are different packages and plugins available which have the same role as a WAF and can increase the security of your website. After installing a WAF, avoid changing the default configuration settings unless you have advanced technical knowledge.

 

  • Install an SSL certificate and use the HTTPS protocol

SSL certificates are used to create an encrypted channel between the visitor and the server. Private data transmission through the internet, like credit card info, login credentials, as well as other sensitive data, should be encrypted, so a potential data breach can be prevented.

With SSL in use, all communication and data transmission on your website happens safely and securely. SSL protects the website from phishing attacks, data breaches, and other threats.

MKhost provides a free Let’s Encrypt SSL certificate for all of its hosting users. Additionally, if you have an ecommerce website, or another type of website that handles sensitive data, advanced SSL certificates are also required. You can read more about them on our website.

 

  • Update your software regularly

Most attacks occur because hackers have identified a vulnerability in obsolete themes, plugins or other extensions of the CMS used by the website (WordPress, Joomla, Drupal, etc.).

Like any software, websites can also have bugs in their code. Some of them are relatively harmless, but others can make the code vulnerable.

When vulnerabilities are discovered, the developers of those applications fix them and then release a new version. Update your CMS to the new version as soon as possible, because otherwise the vulnerable code from the older version can cause harm.

 

  • Limit login attempts

One of the most common attacks is brute force. This happens when an unknown person tries to log in to your website by entering different combinations of usernames and passwords. By default, people can continuously try to log in to your site, with no restrictions on attempts.

However, most legitimate users don’t need more than a few tries. Therefore, you can limit the number of unsuccessful login attempts made from a specific IP address in a set amount of time. Any user who goes over the limit can be temporarily or permanently locked out, as a safety precaution. This can be done through a WordPress plugin, or directly through the website code if you use another CMS platform or framework.
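
One way to implement the limit described above directly in website code, as an added example that is not part of the original article: failed attempts are counted per IP address inside a sliding time window, and reaching the limit locks that address out temporarily. The class and function names and the default thresholds (5 failures in 300 seconds, 900-second lockout) are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class LoginLimiter:
    """Count failed logins per IP in a sliding window and lock out offenders."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures   # assumed threshold
        self.window = window               # seconds in which failures are counted
        self.lockout = lockout             # seconds a locked IP stays blocked
        self.clock = clock                 # injectable so the logic can be tested
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lock ends

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]     # temporary lockout has expired
            return False
        return True

    def record_failure(self, ip):
        """Record one failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()               # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

def attempt_login(limiter, ip, password_ok):
    """Gate one login attempt; the lock is checked before the credentials."""
    if limiter.is_locked(ip):
        return "locked"                    # rejected even if the password is right
    if password_ok:
        # Failures are not reset on success; they simply age out of the window,
        # so one valid account cannot be used to reset the counter.
        return "ok"
    limiter.record_failure(ip)
    return "failed"
```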

 

  • Use strong passwords

A lot of websites are hacked just because of a weak password. Always make sure that the passwords for cPanel and the admin panel of your website are strong enough, made up of a combination of uppercase and lowercase letters, numbers and symbols. If you have a weak password, you should change it immediately.

One type of attack on websites with weak passwords is the ‘dictionary attack’, where hackers try a list of weak and commonly used combinations against the website.

Additionally, check if you have unknown user accounts on your website, and immediately delete them if you find one.