If you have determined that your website is in fact infected, it is best to take it down and restore it from a known clean backup. Yes, I am assuming a lot here, namely that you have a backup, but in Part I of this post I spoke at length about the value and importance of doing so, and I will say it again: backup, backup, BACKUP your website so that if any issue occurs you can recover. As was said in the previous post, back up both your database and your files. (Note: in this case I’m assuming you have shared or managed hosting (VPS or cloud), which means you don’t need to worry about backing up the server itself. If you have your own physical server or an unmanaged server (cloud or otherwise), you should work with a qualified provider to develop a DR (Disaster Recovery) plan that also addresses the server OS and web server configuration. For the sake of this post I assume you have shared hosting and a single hosting account with no redundancy.)
Take Down Your Infected Site
Taking down your site is an important step in recovering it. Remember that having an infected site up and online can damage your brand and hurt your SEO/SEM (Search Engine Optimization/Search Engine Marketing) efforts, so it is imperative that you remove the site and rebuild.
Change All Your Passwords
Your passwords may have been compromised in the breach, so it is important to change ALL of them. This includes your web control panel (cPanel or similar), FTP, SSH, MySQL, etc. I recommend you move to stronger authentication mechanisms such as 2-factor authentication (where applicable/possible) or, at the very least, stronger passwords that change frequently, together with the use of a password manager.
Move to More Secure Protocols
Some protocols, such as FTP and vanilla HTTP (for managing your CMS), have inherent weaknesses and should be avoided: both send your credentials and content across the network unencrypted. Choosing to continue to use them puts your web efforts at risk, so you should move toward more secure alternatives such as SFTP and HTTPS.
How you restore your database depends on the database technology involved. Again, I’m assuming you have tested and validated that the contents of this database backup are clean and you are good to go.
All CMSs have files that will need to be restored to their previous state. This usually means using SFTP to restore those files from backup.
Reinstall & Patch Your CMS (if applicable)
If you are restoring to an older version of your CMS, then you should upgrade it immediately after you have restored the database and these files. Alternatively, you can reinstall from scratch and then patch.
Test & Scan
Now that your site is back up and running, you should remotely scan it for malware. Check the source and validate that you are in fact back in a clean state. Several online services will scan your site for malware and vulnerabilities; a few of them worth investigating are:
Most hosting providers now offer this as a service as well, so check with your web hosting or cloud services provider to find out your options.
See Google’s Cleaning your site guidelines, which detail all the steps to get your site cleaned and back in its search results. Bing details the same process in its online documentation, “The merciless malignancy of malware Part 1”.
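Beyond a remote malware scan, you can check the restored files yourself against the known-clean backup you restored from. The following is an added example (not from the original post): it hashes every file under both trees and reports what was modified, is missing, or was never part of the backup at all. The directory layout and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_backup(backup_root, live_root):
    """Diff the live document root against the known-clean backup.

    'unexpected' entries deserve the first look: a restore from a clean backup
    should not leave behind files that were never in that backup.
    """
    backup = build_manifest(backup_root)
    live = build_manifest(live_root)
    return {
        "modified": sorted(k for k in backup if k in live and backup[k] != live[k]),
        "missing": sorted(k for k in backup if k not in live),
        "unexpected": sorted(k for k in live if k not in backup),
    }


def demo():
    """Constructed sample trees (not a real site): a clean backup and a restored
    copy where one file drifted and a stray file was left behind."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    for root in (backup, live):
        (root / "wp-content").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
    # Drift in the restored copy: index.php changed, extra file under wp-content.
    (live / "index.php").write_text("<?php require 'wp-blog-header.php';\n// edited\n")
    (live / "wp-content" / "stray.php").write_text("<?php // not in the backup\n")
    return compare_to_backup(backup, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Legitimately changing paths (upload folders, caches) will show up as modified or unexpected, so keep a short list of those and treat everything else on the report as something to explain before you call the site clean.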
Plan for the Future
Looking forward, it may make sense to work with a professional to improve security (better design, pen testing, backups), availability (added redundancy and fail-over) and your disaster recovery process.
There is no rocket science to keeping your site safe – just simple planning and procedures. So start these today and enjoy the peace of mind of knowing you can restore should disaster or malware strike. Backup, have a clear DR plan