Alert ID : INFO1316

Last Modified : 05/03/2018

How to Find Unidentified Malicious Code

Description

You received a notification from your Norton Secured Seal that a malware scan of your domain found malware on one or more pages of your Web site. However, when you sign in to your Symantec Trust Center account and go to the Malware tab, the "Malware requiring removal" section doesn't show exactly what the malicious code looks like. The question that you ask yourself now is, "How am I going to find the malware and get rid of it?"

The malware code may look similar to one of the examples below. Review the source code of the Web page and the contents of the database for any code that seems out of place or is of unknown origin.

Malware code could look like this:

  • <script src=http://unknown-third-party-host.com/load.js ></script>
  • <iframe src=http://unknown-third-party-host.com/loader.php ></iframe>

…or have JavaScript that begins like this:

  • <script>eval(xyz);……</script>

The majority of malware identified by the Norton Secured Seal service will display in the "Malware requiring removal" section of the Malware tab in your Symantec Trust Center account. However, there are some instances when it may not be possible to display the specific location of the malware. This will require you to pay special attention to the identified Web pages and analyze them carefully. When analyzing your Web site for malware, pay attention to the following key identifiers:

  • Any code that opens third-party URLs
  • Uncommon or obscure JavaScript
  • Iframes that are set to "hidden" with dimensions set to zero
  • Iframes with a display status set to "none"
    • Note: Inline Frames (iframes) are windows cut into your Web page that allow your visitor to view another page on your site or off your site without reloading the entire page.
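The indicators above can be checked mechanically before reading a page by hand. The following scanner is an added example, not part of this Symantec article or the Norton Secured Seal service: it parses one page's HTML with the Python standard library and flags third-party script sources, hidden or third-party iframes, and inline JavaScript that uses eval/unescape/fromCharCode. The sample page and the OWN_HOSTS set are constructed placeholders; replace OWN_HOSTS with the hostnames your site legitimately loads from.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (placeholder hosts, not real indicators): a legitimate
# script and iframe plus the three injection patterns the article describes.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src=http://unknown-third-party-host.example/load.js ></script>
<script>eval(xyz);var q=unescape('%3c');</script></head><body>
<iframe src=http://unknown-third-party-host.example/loader.php width=0 height=0 style="display:none"></iframe>
<iframe src="/help/widget.html" width="300" height="200"></iframe></body></html>"""

OWN_HOSTS = {"www.example-site.test"}  # assumed: hostnames that belong to your site

class InjectionFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.findings, self._script = own_hosts, [], None

    def _third_party(self, src):
        host = urlparse(src or "").hostname
        return bool(host) and host.lower() not in self.own_hosts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = "" if a.get("src") is None else None  # buffer inline JS only
            if self._third_party(a.get("src")):
                self.findings.append(("third-party script", a["src"]))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("0" in (a.get("width"), a.get("height"))
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden or self._third_party(a.get("src")):
                self.findings.append(("hidden/third-party iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._script is not None:
            self._script += data
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            # eval/unescape/fromCharCode in inline JS is the "eval(xyz);..." pattern
            if re.search(r"\b(eval|unescape)\s*\(|fromCharCode", self._script):
                self.findings.append(("obfuscated inline script", self._script.strip()[:40]))
            self._script = None

def scan_html(html, own_hosts=OWN_HOSTS):
    finder = InjectionFinder(own_hosts)  # returns a list of (kind, detail) findings
    finder.feed(html)
    finder.close()
    return finder.findings
```

Run scan_html() over every page listed under "Malware found on"; a finding is a candidate, so confirm each one against a known-good copy of the page before deleting it.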

Procedure

If the Norton Secured Seal service detects suspicious content on a page within your Web site:

  1. Note the identified page listed in the "Malware found on" section.
  2. Examine your Web page source code and database for code that seems out of place or is of unknown origin.
  3. Open the page in your development environment. Find and delete the malware code. Save your changes.
  4. Repeat this process for all identified occurrences.
  5. Sign in to your Symantec Trust Center account.
  6. In the Malware tab, click the "I removed the malware" button to initiate a rescan of your Web site.

When the scan is complete, the results will be posted to your Symantec Trust Center account. If additional malware is found, you will receive an email notification.

Tips

  • Identify the malware by comparing the current Web page to an earlier version or a baseline image.
  • If your domain is a dynamic Web application that is supported by a backend database, it may not be possible to find the malware in the Web application code itself. Instead, check the database or examine the HTTP logs for signs of unfamiliar SQL.
  • If neither the Web code nor the database exhibits signs of uncommon code, then it may be necessary to look for signs of spoofing.