
Website Malware | NOC.org

What Is Website Malware?

Website malware is any malicious code that has been placed on a web server, injected into website files, or embedded in a site's database. Unlike desktop malware that targets individual computers, website malware operates on the server side and can affect every visitor who loads the compromised page. It can steal user data, redirect traffic, mine cryptocurrency using visitor browsers, serve as a launch point for further attacks, or simply vandalize the site.

Website malware infections have grown significantly as attackers automate the process of scanning for and exploiting vulnerable sites. A compromised site can be weaponized within minutes of the initial breach, and many site owners remain unaware of the infection for weeks or months.

Types of Website Malware

Backdoors

A backdoor is a piece of code that gives an attacker persistent, unauthorized access to a website even after the original vulnerability has been patched. Backdoors are typically the first thing an attacker installs after compromising a site, ensuring they can return at will. They are usually disguised as legitimate-looking PHP files, hidden in directories that administrators rarely inspect (such as upload folders, cache directories, or within core CMS files).

Common backdoor techniques include standalone PHP scripts that accept and execute commands via HTTP parameters, modified legitimate files with a few lines of malicious code inserted, and database-stored code that gets executed by the CMS during normal page rendering. Backdoors often use obfuscation such as base64 encoding, PHP variable variables ($$name), and string manipulation to avoid detection.

Webshells

A webshell is a more sophisticated backdoor that provides a full web-based interface for controlling the compromised server. Through a webshell, an attacker can browse the file system, upload and download files, execute system commands, interact with databases, and even pivot to other sites on the same server. Well-known webshell families include C99, R57, WSO, and China Chopper.

Webshells are particularly dangerous because they give attackers the same level of control as SSH access, all through a web browser. Some webshells include built-in password protection so that only the attacker who planted them can use them, and file managers that make it easy to modify any file on the server.

Website Defacements

Defacement is the modification of a website's visual appearance, typically replacing the homepage with a message from the attacker. Defacements are often motivated by hacktivism, political messaging, or simply bragging rights within hacking communities. While defacements are the most visible type of website malware, they are often the least harmful in terms of data loss. However, they indicate a serious security breach and usually mean the attacker has enough access to cause far more damage.

Cryptominers

Cryptomining malware, also called cryptojacking, injects JavaScript into web pages that uses visitors' browsers to mine cryptocurrency (typically Monero). When a user visits the infected page, their CPU usage spikes as the mining script runs in the background. The mined cryptocurrency is sent to the attacker's wallet. While each individual visitor generates a negligible amount, a high-traffic site can produce meaningful revenue for the attacker.

Cryptomining scripts are often injected through compromised JavaScript files, inline script tags added to templates, or third-party script includes that have been tampered with. The most well-known cryptomining service was Coinhive (now defunct), but numerous alternatives have emerged.

Redirect Malware

Redirect malware silently sends visitors to attacker-controlled sites. The redirects are often conditional, targeting only visitors arriving from search engines, mobile devices, or specific geographic locations. This means the site owner, who typically visits directly rather than through search, never sees the redirect. Destinations include phishing pages, exploit kit landing pages, tech support scam sites, and affiliate fraud schemes.

Redirects can be implemented through modified .htaccess files, injected JavaScript, PHP header() calls in template files, or database modifications that alter the site's URL settings.
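Because a conditional redirect never fires for the owner browsing directly, the .htaccess file itself is worth checking statically rather than by observation. The script below is an added example, not NOC's tooling: it walks RewriteCond/RewriteRule pairs and Redirect directives, flags any rule whose target is a host other than the site's own, and records whether the rule is conditioned on the visitor's referrer, user agent or address. The site hostname and the sample .htaccess text are assumptions / constructed fixtures.

```python
"""Flag conditional off-site redirects in an .htaccess file.

Added example (not NOC's tooling): a static check for the .htaccess-based
redirect malware described above. The site hostname, the sample .htaccess
text and the finding format are assumptions / constructed fixtures.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Request variables that visitor-conditional redirects commonly key on:
# referrer (search engines), user agent (mobile), client address (geography).
VISITOR_CONDITION_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT",
                          "HTTP_ACCEPT_LANGUAGE", "REMOTE_ADDR"}

# Constructed sample: a legitimate HTTPS redirect followed by a rule that
# only fires for mobile visitors arriving from a search engine.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://redirect.invalid/go.php?u=$1 [R=302,L]
"""


def _target_host(target: str) -> Optional[str]:
    """Hostname of an absolute http(s) target, or None for a relative target."""
    if not re.match(r"^https?://", target, re.I):
        return None
    return (urlsplit(target).hostname or "").lower()


def find_offsite_redirects(htaccess_text: str, site_host: str) -> List[Dict]:
    """Return one finding per RewriteRule/Redirect whose target is off-site.

    A RewriteRule applies only when the RewriteCond lines directly above it
    match, so those conditions are collected until the next rule consumes them.
    """
    site_host = site_host.lower()
    findings: List[Dict] = []
    pending_conds: List[str] = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 2:
            pending_conds.append(parts[1])  # the TestString, e.g. %{HTTP_REFERER}
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            conds, pending_conds = pending_conds, []  # conditions bind to this rule only
        elif directive in ("redirect", "redirectmatch") and len(parts) >= 3:
            target = parts[-1]  # mod_alias redirects are unconditional
            conds = []
        else:
            continue
        host = _target_host(target)
        if host is None or host == site_host or host.endswith("." + site_host):
            continue  # relative or same-site target: an ordinary rewrite
        cond_vars = {v for c in conds for v in re.findall(r"%\{([A-Z_]+)\}", c)}
        findings.append({
            "line": lineno,
            "target_host": host,
            "conditions": sorted(cond_vars),
            "conditional_on_visitor": bool(cond_vars & VISITOR_CONDITION_VARS),
        })
    return findings


if __name__ == "__main__":
    for finding in find_offsite_redirects(SAMPLE_HTACCESS, "example.com"):
        print(finding)
```

Run against the sample, only the second rule is reported, with HTTP_REFERER and HTTP_USER_AGENT listed as its conditions. Any off-site target is worth a look, but a rule that is both off-site and conditioned on who the visitor is matches the cloaking behaviour described above and deserves immediate attention.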

Drive-by Downloads

Some malware injections turn your website into a distribution point for desktop malware. Visitors who load the page are served malicious iframes, exploit kit scripts, or social engineering prompts that attempt to install trojans, ransomware, or other desktop malware. This type of infection quickly triggers browser warnings and search engine blacklisting, making it one of the faster types to detect but also one of the most damaging to your reputation.

How Websites Get Infected

Website malware infections almost always trace back to one of these root causes:

  • Vulnerable software: Outdated CMS platforms, plugins, and themes with known vulnerabilities are the primary attack vector. Attackers use automated scanners to find sites running vulnerable versions and exploit them in bulk.
  • Stolen credentials: Compromised FTP, SSH, CMS admin, or hosting panel passwords allow direct access. Credentials are often stolen through brute force attacks, phishing, malware on the administrator's computer, or credential stuffing from data breaches.
  • SQL injection: SQL injection vulnerabilities allow attackers to read and modify database content, potentially inserting malicious code into stored page content, configuration values, or user records.
  • Cross-site scripting: Stored XSS vulnerabilities allow attackers to inject persistent scripts that execute for every subsequent visitor.
  • Supply chain compromise: Third-party scripts loaded from external CDNs or services can be compromised at the source, infecting every site that uses them.
  • Insecure file permissions: World-writable directories and files allow any process on a shared server to modify your site's content.

Detection Methods

Detecting website malware requires a combination of server-side and external monitoring:

Server-Side Scanning

File integrity monitoring compares your current files against a known-clean baseline, flagging any additions, deletions, or modifications. Malware-specific scanners look for known malicious code patterns, suspicious PHP functions (eval, base64_decode, gzinflate, and preg_replace with the /e modifier, which evaluates the replacement string as PHP code), and obfuscation techniques. Regular scans should cover all files, not just PHP files, since malware can hide in image files, .htaccess, and configuration files.
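Both checks in one small script, as an added example that is not NOC's scanner: hash every file under the document root to build a baseline, diff a later snapshot against it, and run only the added or modified files through the pattern list above. The site tree, the tampered files and the pattern list are constructed fixtures / assumptions, and the tree is built in a temporary directory so the script runs offline.

```python
"""File integrity baseline plus a pattern scan for suspicious PHP constructs.

Added example, not NOC's scanner. The site tree, the tampered files and the
pattern list are constructed fixtures / assumptions; the tree is built in a
temporary directory so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# The constructs the section names, plus a long base64 run as an obfuscation
# heuristic. Each entry is a regex so the /e modifier can be matched exactly.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    # preg_replace whose first argument is a pattern literal with an e modifier
    "preg_replace_e": re.compile(r"""\bpreg_replace\s*\(\s*(['"])[^'"]*/[a-zA-Z]*e[a-zA-Z]*\1"""),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Additions, deletions and modifications relative to the known-clean baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_file(path: str) -> List[str]:
    """Names of suspicious patterns found in the file, whatever its extension."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # lossless for any byte sequence
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def audit(root: str, baseline: Dict[str, str]) -> Dict[str, object]:
    """What changed since the baseline, and which of the changed files look malicious."""
    diff = compare_to_baseline(baseline, hash_tree(root))
    suspicious = {}
    for rel in diff["added"] + diff["modified"]:
        hits = scan_file(os.path.join(root, rel))
        if hits:
            suspicious[rel] = hits
    return {"diff": diff, "suspicious": suspicious}


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, object]:
    """Build a constructed site tree, baseline it, tamper with it, audit it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php echo 'hello'; ?>\n")
        _write(root, "wp-content/uploads/photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        baseline = hash_tree(root)
        # Simulated compromise (constructed fixtures): a dropper appears in the
        # uploads folder and a line is appended to a legitimate file.
        _write(root, "wp-content/uploads/.cache.php",
               b"<?php /* fixture */ eval(base64_decode($cfg)); ?>\n")
        _write(root, "index.php",
               b"<?php echo 'hello'; ?>\n"
               b"<?php /* fixture */ preg_replace('/.*/e', $cfg, ''); ?>\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is saved off-server (a JSON dump of hash_tree is enough) right after a clean install or update, and regenerated after every legitimate change; a baseline stored on the compromised host can be rewritten by the same attacker who modified the files. The pattern scan is deliberately run on every changed file, not only .php, which is what catches PHP appended to an image.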

External Scanning

External scanners visit your site the way a browser does and analyze the rendered output for malicious scripts, iframes, redirects, and known malware signatures. Tools like Sucuri SiteCheck, VirusTotal, and Google Safe Browsing check your site against known malware databases. These catch client-side infections that server-side scanners might miss.
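What an external scanner does with the rendered page, as an added example that is not Sucuri SiteCheck, VirusTotal or any other product named above: parse the HTML a visitor actually receives and flag script and iframe sources on hosts outside an allowlist, hidden iframes, meta-refresh and JavaScript redirects to off-site URLs, and inline scripts carrying a miner signature. The site host, the allowlist, the signature list and the sample page are assumptions / constructed fixtures; in real use the HTML would come from fetching the live page.

```python
"""Inspect a rendered page the way an external scanner would.

Added example; it is not Sucuri SiteCheck, VirusTotal or Google Safe
Browsing. It parses the HTML a visitor receives and flags script and iframe
sources on hosts outside an allowlist, hidden iframes, meta-refresh and
JavaScript redirects to off-site URLs, and inline scripts carrying a known
miner signature. The site host, the allowlist, the signature list and the
sample page are assumptions / constructed fixtures.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SITE_HOST = "example.com"                                   # assumed site
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}  # assumed allowlist
# Substrings associated with in-browser mining libraries (starter list).
MINER_SIGNATURES = ("coinhive", "cryptonight", "miner.start(")
JS_REDIRECT_RE = re.compile(
    r"""(?:window|document|top)\.location(?:\.href)?\s*=\s*['"](https?://[^'"]+)['"]""")

# Constructed page: one legitimate CDN script plus the injections listed above.
SAMPLE_HTML = """\
<html><head>
<meta http-equiv="refresh" content="0;url=http://landing.invalid/">
<script src="https://cdn.example.com/app.js"></script>
<script src="https://static.invalid/m.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://ads.invalid/frame.html" width="0" height="0"></iframe>
<script>
if (document.referrer.indexOf("google") > -1) {
  window.location.href = "http://landing.invalid/go";
}
</script>
<script>/* fixture */ startMining({algo: "cryptonight", throttle: 0.5});</script>
</body></html>
"""


def _host(url: str) -> Optional[str]:
    """Hostname of an absolute URL, or None when the URL is relative (same origin)."""
    if url.startswith("//"):
        url = "https:" + url
    if not re.match(r"^https?://", url, re.I):
        return None
    return (urlsplit(url).hostname or "").lower()


def _same_site(url: str) -> bool:
    host = _host(url)
    return host is None or host == SITE_HOST or host.endswith("." + SITE_HOST)


def _looks_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


class PageInspector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []
        self._in_script = False
        self._script_text = ""

    def _add(self, kind: str, value: str) -> None:
        self.findings.append({"kind": kind, "value": value})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._script_text = True, ""
            src = a.get("src")
            if src and _host(src) not in (None, *ALLOWED_SCRIPT_HOSTS):
                self._add("external script", src)
        elif tag == "iframe":
            src = a.get("src") or ""
            if src and not _same_site(src):
                self._add("hidden iframe" if _looks_hidden(a) else "off-site iframe", src)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content") or "", re.I)
            if m and not _same_site(m.group(1)):
                self._add("meta refresh redirect", m.group(1))

    def handle_data(self, data):
        if self._in_script:
            self._script_text += data  # inline script bodies arrive as data

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            js = self._script_text
            for m in JS_REDIRECT_RE.finditer(js):
                if not _same_site(m.group(1)):
                    self._add("javascript redirect", m.group(1))
            hit = next((s for s in MINER_SIGNATURES if s in js.lower()), None)
            if hit:
                self._add("cryptominer signature", hit)


def inspect_page(html: str) -> List[Dict[str, str]]:
    """Findings an external scan of this HTML would raise, in page order."""
    parser = PageInspector()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in inspect_page(SAMPLE_HTML):
        print(f"{f['kind']:24} {f['value']}")
```

The allowlist of script hosts is the part that needs the most care: a site legitimately loads analytics, fonts and widgets from third parties, so the list should be built from a known-clean crawl and reviewed whenever a new finding is actually a new vendor. Because redirect malware is often conditional, a real scan should fetch the page several times with different Referer and User-Agent headers and compare results, as the redirect section above explains.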

Log Analysis

Server access logs can reveal the initial compromise. Look for POST requests to unexpected URLs, requests to files in unusual directories, and user-agent strings associated with known attack tools. Error logs may show failed exploitation attempts that preceded the successful one.
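The log checks above run over a constructed access-log excerpt, as an added example that is not NOC's analysis. It assumes the Apache/nginx "combined" log format; the allowlist of paths that legitimately receive POSTs, the directories that should never serve PHP, and the attack-tool User-Agent substrings are assumptions to adapt per site.

```python
"""Triage web server access logs for signs of an initial compromise.

Added example, not NOC's log analysis. It assumes the Apache/nginx
"combined" log format; the allowlist of paths that legitimately receive
POSTs, the directories that should never serve PHP, and the attack-tool
user-agent substrings are assumptions to adapt per site. The log lines
are constructed.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed per-site allowlist: the only paths that normally receive POSTs.
EXPECTED_POST_PATHS = {"/wp-login.php", "/wp-comments-post.php",
                       "/wp-admin/admin-ajax.php", "/xmlrpc.php"}
# Assumed: upload and cache directories should never execute PHP.
NO_EXEC_DIRS = ("/wp-content/uploads/", "/wp-content/cache/")
# User-Agent substrings of common scanning tools (starter list).
ATTACK_TOOL_UA = ("sqlmap", "nikto", "wpscan", "masscan")

# Constructed log excerpt: normal browsing, a scan, a POST to an outdated
# plugin's upload script, then a request to a file in the uploads folder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:02:14:07 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:09 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 900 "https://example.com/" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2024:02:20:31 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "sqlmap/1.7"
198.51.100.77 - - [10/Mar/2024:02:21:02 +0000] "POST /wp-content/plugins/old-gallery/upload.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2024:02:21:05 +0000] "POST /wp-content/uploads/2024/03/.cache.php?c=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:03:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/post/" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # compare paths without query strings
    entry["when"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry: Dict) -> List[str]:
    """Reasons this request deserves a look; empty for ordinary traffic."""
    reasons = []
    if entry["method"] == "POST" and entry["path"] not in EXPECTED_POST_PATHS:
        reasons.append("unexpected POST")
    if entry["path"].endswith(".php") and entry["path"].startswith(NO_EXEC_DIRS):
        reasons.append("PHP in upload/cache directory")
    if any(tool in entry["ua"].lower() for tool in ATTACK_TOOL_UA):
        reasons.append("attack-tool user agent")
    return reasons


def analyze(log_text: str) -> List[Dict]:
    """Every suspicious request with its line number, source and reasons."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"line": lineno, "ip": entry["ip"], "when": entry["when"],
                             "request": f'{entry["method"]} {entry["path"]} -> {entry["status"]}',
                             "reasons": reasons})
    return findings


def earliest_suspicious(findings: List[Dict]) -> Optional[Dict]:
    """The first suspicious request in time: the best lead on the initial breach."""
    return min(findings, key=lambda f: f["when"]) if findings else None


def count_by_ip(findings: List[Dict]) -> Dict[str, int]:
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["line"], h["ip"], h["request"], ", ".join(h["reasons"]))
    print("earliest:", earliest_suspicious(hits)["request"])
```

On the sample, the three flagged lines all come from one address, and the earliest of them is the scanner request, which is where a timeline of the incident should start. Once a suspicious file is known from a server-side scan, grepping the log for its path shows the first request to it, which is usually seconds after the request that created it.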

Web Application Firewall

A web application firewall can detect malicious requests in real time, blocking exploitation attempts before they succeed. WAFs also log blocked attacks, providing visibility into the threats targeting your site. A cloud-based WAF adds this protection without any server-side software installation.

Prevention Best Practices

  • Update aggressively: Apply CMS, plugin, and theme updates as soon as they are released. Most website malware exploits known vulnerabilities with publicly available exploit code.
  • Minimize your attack surface: Remove unused plugins, themes, and test installations. Every piece of software is a potential entry point.
  • Use strong authentication: Enforce strong passwords, enable two-factor authentication, and limit login attempts on all admin interfaces.
  • Deploy a WAF: Block exploitation attempts at the network edge before they reach your application.
  • Implement least privilege: Run your web server with minimal permissions. Use separate database users for read and write operations where possible.
  • Maintain backups: Keep regular, off-site backups so you can restore to a clean state if compromised. Test your restore process periodically.
  • Monitor continuously: Use file integrity monitoring, external scanning, and log analysis to detect infections early.

Summary

Website malware takes many forms, from stealthy backdoors and webshells to visible defacements and cryptominers. Regardless of the payload, all website malware infections share common root causes: vulnerable software, weak credentials, and insufficient monitoring. A defense-in-depth approach that combines regular updates, strong authentication, a web application firewall, and continuous monitoring is the most effective strategy for keeping your site clean.

NOC provides website security monitoring and protection to help keep your site free from malware. View our pricing to get started with a plan that fits your needs.
