Locked files on webspace after virus infestation

Article translated by machine

This text is a machine translation. A revised version is planned.

The 1&1 IONOS security team has sent you a security notice by email informing you that your web space has been misused.

What is the problem?

Your web space contains files with malicious code. These corrupted files have been locked by revoking their read permissions, so visitors to your website are not put at risk.

How did we find out?

Our security mechanisms have detected that malicious files have been uploaded to your web space or existing files have been infected.

What countermeasures must be taken?

To clean up your web space, please follow the steps below:

1. Identify the files

The email from the 1&1 IONOS security team contains information about the malicious files detected by our security mechanism. We send this email immediately after detection so that you learn of the incident without delay and can initiate countermeasures. If the scan is still running, the email does not contain a complete list of all corrupted and infected files.

Connect to your web space using an FTP client such as FileZilla or WinSCP and navigate to the "./logs/forensic/" folder. There you will find the log file with a list of the affected files. If there is no file there, please call us.

Tip: Open the file with a text editor such as Wordpad or TextEdit to keep the formatting.

2. Check the file contents

You can often tell from the file name or time stamp that you have not uploaded the file.

Step 1

Right-click the file you want to check, then click Permissions.

Step 2

Now change the permissions from 200 to 400.

Step 3

Now you can download the file and check its contents.

Tip: If you are using anti-virus software that detects the malware, use your anti-virus program to clean the file.

3. Clean the files

Please check whether the insecure scripts identified above serve a purpose for your website. If you no longer need them, simply delete them.

If you cannot find the malicious code in a file, replace the file with an older backup.

4. Adjust the file permissions

To make your website accessible again, change the permissions of the cleaned files from 200 to 604.

Please note: If malicious code is still present in a file, its file permissions are automatically reset to 200.
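
The permission changes in steps 2 and 4 can also be scripted. The following Python script is an added example, not part of the original article and not IONOS tooling: it finds every file locked at mode 200, sets it to 400, and records its modification time and SHA-256 hash for review. It assumes shell (SSH) access to the web space, which the article does not describe, and the function names are hypothetical.

```python
# Assumption (not from the article): run over SSH on the web space itself.
import hashlib
import os
import stat
import time

LOCKED = 0o200      # mode of files locked by the provider (from the article)
READABLE = 0o400    # owner read-only, enough to inspect or download the file
PUBLIC = 0o604      # mode the article gives for cleaned files


def find_locked(root):
    """Return paths of regular files under root whose mode is exactly 200."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == LOCKED:
                hits.append(path)
    return sorted(hits)


def triage(root):
    """Set each locked file to 400 and collect facts for manual review."""
    report = []
    for path in find_locked(root):
        os.chmod(path, READABLE)          # step 2: 200 -> 400 so the owner can read it
        digest = hashlib.sha256()
        with open(path, "rb") as fh:      # the file is hashed, never executed
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        st = os.stat(path)
        report.append({
            "path": path, "size": st.st_size,
            "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
            "sha256": digest.hexdigest(),
        })
    return report


def release(path):
    """Step 4: make a cleaned file reachable again by setting mode 604."""
    os.chmod(path, PUBLIC)


if __name__ == "__main__":
    for entry in triage("."):
        print(entry["modified"], entry["sha256"][:16], entry["size"], entry["path"])
```

Comparing a reported SHA-256 hash with the hash of the same file in a known-good backup shows whether the file on the web space was modified.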