![\"picture](\"https:\/\/i0.wp.com\/www.stopbadware.org\/images\/obfuscated_script.png?w=640\" "\\"picture")
<\/p>\nWhat to look for<\/p>\n
The three most common forms of badware that StopBadware sees on compromised sites are:<\/p>\n
1. Malicious scripts
\n2. .htaccess redirects
\n3. Hidden iframes<\/p>\n
Malicious scripts<\/p>\n
Malicious scripts are often used to redirect site visitors to a different website and\/or load badware from another source. These scripts will often be injected by an attacker into the content of your web pages, or sometimes into other files on your server, such as images and PDFs. Sometimes, instead of injecting the entire script into your web pages, the attacker will only inject a pointer to a .js or other file that the attacker saves in a directory on your web server.<\/p>\n
Many malicious scripts use obfuscation to make them more difficult for anti-virus scanners to detect:<\/p>\n
Many malicious scripts use obfuscation to make them more difficult for anti-virus scanners to detect:<\/p>\n
<\/p>\n
Some malicious scripts use names that look like they\u2019re coming from legitimate sites (note the misspelling of \u201canalytics\u201d):<\/p>\n
![\"picture](\"https:\/\/i0.wp.com\/www.stopbadware.org\/images\/deceptive_script.png?w=640\" "\\"picture")
<\/p>\n
The Apache web server, which is used by many hosting providers, uses a hidden server file called .htaccess to configure certain access settings for directories on the website. Attackers will sometimes modify an existing .htaccess file on your web server or upload new .htaccess files to your web server containing instructions to redirect users to other websites, often ones that lead to badware downloads or fraudulent product sales.<\/p>\n
![\"picture](\"https:\/\/i0.wp.com\/www.stopbadware.org\/images\/htaccess_redirect.png?w=640\" "\\"picture")
<\/p>\n
An iframe is a section of a web page that loads content from another page or site. Attackers will often inject malicious iframes into a web page or other file on your server. Often, these iframes will be configured so they don\u2019t show up on the web page when someone visits the page, but the malicious content they are loading will still load, hidden from the visitor\u2019s view.<\/p>\n
![\"picture](\"https:\/\/i0.wp.com\/www.stopbadware.org\/images\/iframe.png?w=640\" "\\"picture")
<\/p>\n
How to look for it<\/p>\n
If your site was reported as a badware site by Google, you can use Google\u2019s Webmaster Tools to get more information about what was detected. This includes a sampling of pages on which the badware was detected and, using a Labs feature, possibly even a sample of the bad code that was found on your site. Certain information can also be found on the Google Diagnostics page, which can be found by replacing example.com in the following URL with your own site\u2019s URL: www.google.com\/safebrowsing\/diagnostic?site=example.com<\/p>\n
There exist several free and paid website scanning services on the Internet that can help you zero in on specific badware on your site. There are also tools that you can use on your web server and\/or on a downloaded copy of the files from your website to search for specific text. StopBadware does not list or recommend such services, but the volunteers in our online community will be glad to point you to their favorites.
\nRemoving the badware behavior<\/p>\n
Once you have located the code that is causing the badware behavior, removing it is often as simple as deleting the offending code from all files in which it appears. Sometimes, it is easier, if you have a clean backup of your site\u2019s contents, to re-upload all of the site\u2019s files, though be careful about overwriting files that may have changed since your last backup. In some cases, the bad content may be stored in one or more database records, in which case restoring a recent backup of the database or manually editing the relevant records may be necessary.
\nPreventing future infection<\/p>\n
Preventing badware on your website requires protecting three things: your site itself, the password(s) used to upload content to the site, and the computer(s) used to upload content to the site. The site itself must be protected because attackers often look for vulnerable software to exploit so they can modify your site\u2019s contents. The passwords are critical because, if they are guessed or stolen, they can be used to modify the site. Finally, computers are important because badware on your computer can steal your password and\/or modify the contents that you are uploading.
\nProtect your site<\/p>\n
* Ensure that any software you use (e.g., blogging software like WordPress, third party scripts, etc.) is kept up to date with the latest security fixes, either by you (if you installed the software) or by your hosting provider.
\n* Remove any scripts, services, or other software that you are no longer using.
\n* Change any default passwords that come with the software you are using.
\n* Use appropriate file permissions on your web server.<\/p>\n
Protect your password<\/p>\n
Use a strong password and change it occasionally, especially if you have reason to think it has been compromised.<\/p>\n
If we Hosting Marketers contacted you because your site has been hacked we request you to take the following security measures: 1) Scan your computer with a good anti virus for virus, Trojans and key-loggers, don’t type passwords, copy and paste<\/span>. You can also add the below lines to your .htaccess file to protect a site against some of the most common vulnerabilities:<\/p>\n What to look for The three most common forms of badware that StopBadware sees on compromised sites are: 1. Malicious scripts 2. .htaccess redirects 3. Hidden iframes Malicious scripts Malicious scripts are often used to redirect site visitors to a different website and\/or load badware from another source. These scripts will often be injected by […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[49],"tags":[51,142],"class_list":["post-184","post","type-post","status-publish","format-standard","hentry","category-reported-attack-page","tag-hacked-site","tag-reported-attack-page"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p9Yxzd-2Y","jetpack-related-posts":[{"id":3,"url":"https:\/\/hosting-marketers.com\/news\/2006\/08\/13\/shared-or-dedicated-hosting\/","url_meta":{"origin":184,"position":0},"title":"Shared or dedicated Hosting","author":"Admin","date":"August 13, 2006","format":false,"excerpt":"When looking for a hosting solution for your web site you'll discover you have the choice of shared or dedicated hosting. This article will breifly explain the difference between them. Shared hosting is what it says it is. Your web site shares a server with other web sites. You don't\u2026","rel":"","context":"In "Hosting Marketers News"","block_context":{"text":"Hosting Marketers News","link":"https:\/\/hosting-marketers.com\/news\/category\/hosting-marketers-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":426,"url":"https:\/\/hosting-marketers.com\/news\/2013\/11\/15\/suphp-and-server-error\/","url_meta":{"origin":184,"position":1},"title":"suPHP and “Server Error”","author":"Admin","date":"November 15, 2013","format":false,"excerpt":"why you may get 500 Server Error on your site?","rel":"","context":"In "security"","block_context":{"text":"security","link":"https:\/\/hosting-marketers.com\/news\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6,"url":"https:\/\/hosting-marketers.com\/news\/2006\/09\/08\/what-is-the-difference-between-windows-and-unix-web-hosting\/","url_meta":{"origin":184,"position":2},"title":"What is the difference between Windows and UNIX web hosting?","author":"Admin","date":"September 8, 2006","format":false,"excerpt":"Windows and UNIX are in fact two different systems and of course we are referring to computer systems. A web host uses computers, (we shall refer to them as servers, just computers, but sometimes larger) to host websites, and all computers need a operating system, so Windows and UNIX are\u2026","rel":"","context":"In "Hosting Marketers News"","block_context":{"text":"Hosting Marketers News","link":"https:\/\/hosting-marketers.com\/news\/category\/hosting-marketers-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1353,"url":"https:\/\/hosting-marketers.com\/news\/2025\/02\/24\/how-to-secure-your-wordpress-and-laravel-sites-on-a-hosting-marketers-shared-accounts\/","url_meta":{"origin":184,"position":3},"title":"How to Secure Your WordPress and Laravel Sites on a Hosting Marketers Shared Accounts","author":"Admin","date":"February 24, 2025","format":false,"excerpt":"Website security is critical for protecting your data, preventing hacks, and ensuring your site runs smoothly. While your hosting provider has CSF Firewall to protect the server from external threats, securing your WordPress or Laravel site is your responsibility. Many hacks happen because of poor security practices\u2014such as outdated plugins,\u2026","rel":"","context":"In "security"","block_context":{"text":"security","link":"https:\/\/hosting-marketers.com\/news\/category\/security\/"},"img":{"alt_text":"How to Secure Your WordPress and Laravel Sites on a Hosting Server with CSF Firewall","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1244,"url":"https:\/\/hosting-marketers.com\/news\/2023\/11\/09\/protect-your-site-from-phishing-attacks-by-removing-social-engineering-content\/","url_meta":{"origin":184,"position":4},"title":"Protect Your Site from Phishing Attacks by Removing Social Engineering Content","author":"Admin","date":"November 9, 2023","format":false,"excerpt":"[et_pb_section fb_built=\"1\" theme_builder_area=\"post_content\" _builder_version=\"4.23\" _module_preset=\"default\"][et_pb_row _builder_version=\"4.23\" _module_preset=\"default\" theme_builder_area=\"post_content\"][et_pb_column _builder_version=\"4.23\" _module_preset=\"default\" type=\"4_4\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.23\" _module_preset=\"default\" theme_builder_area=\"post_content\" hover_enabled=\"0\" sticky_enabled=\"0\"]Social engineering content is any type of content that is designed to trick users into performing a specific action, such as revealing confidential information, clicking on a malicious link, or downloading malware. Social engineering\u2026","rel":"","context":"In "Hosting Marketers News"","block_context":{"text":"Hosting Marketers News","link":"https:\/\/hosting-marketers.com\/news\/category\/hosting-marketers-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1323,"url":"https:\/\/hosting-marketers.com\/news\/2024\/05\/28\/effortlessly-separate-web-and-email-hosting-a-step-by-step-guide-to-setting-up-a-dedicated-mail-server-with-whm-cpanel\/","url_meta":{"origin":184,"position":5},"title":"Effortlessly Separate Web and Email Hosting: A Step-by-Step Guide to Setting Up a Dedicated Mail Server with WHM\/cPanel","author":"Admin","date":"May 28, 2024","format":false,"excerpt":"[et_pb_section fb_built=\"1\" _builder_version=\"4.23\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.23\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.23\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.24.2\" _module_preset=\"default\" global_colors_info=\"{}\"]In today\u2019s digital landscape, efficiently managing your web and email hosting can significantly enhance your server performance and security. If you\u2019re using WHM\/cPanel and looking to streamline your hosting setup, separating your web and email hosting\u2026","rel":"","context":"In "email"","block_context":{"text":"email","link":"https:\/\/hosting-marketers.com\/news\/category\/email\/"},"img":{"alt_text":"EmailServer","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2024\/05\/DALL%C2%B7E-2024-05-28-07.48.22-A-sleek-modern-data-center-with-two-distinct-server-racks-labeled-Web-Hosting-and-Email-Hosting.-The-Web-Hosting-rack-is-connected-to-a-cPanel-.webp?fit=1200%2C686&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2024\/05\/DALL%C2%B7E-2024-05-28-07.48.22-A-sleek-modern-data-center-with-two-distinct-server-racks-labeled-Web-Hosting-and-Email-Hosting.-The-Web-Hosting-rack-is-connected-to-a-cPanel-.webp?fit=1200%2C686&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2024\/05\/DALL%C2%B7E-2024-05-28-07.48.22-A-sleek-modern-data-center-with-two-distinct-server-racks-labeled-Web-Hosting-and-Email-Hosting.-The-Web-Hosting-rack-is-connected-to-a-cPanel-.webp?fit=1200%2C686&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2024\/05\/DALL%C2%B7E-2024-05-28-07.48.22-A-sleek-modern-data-center-with-two-distinct-server-racks-labeled-Web-Hosting-and-Email-Hosting.-The-Web-Hosting-rack-is-connected-to-a-cPanel-.webp?fit=1200%2C686&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2024\/05\/DALL%C2%B7E-2024-05-28-07.48.22-A-sleek-modern-data-center-with-two-distinct-server-racks-labeled-Web-Hosting-and-Email-Hosting.-The-Web-Hosting-rack-is-connected-to-a-cPanel-.webp?fit=1200%2C686&ssl=1&resize=1050%2C600 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/comments?post=184"}],"version-history":[{"count":5,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/184\/revisions"}],"predecessor-version":[{"id":189,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/184\/revisions\/189"}],"wp:attachment":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/media?parent=184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/categories?post=184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/tags?post=184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nUpdate your script to the latest version!<\/span><\/strong><\/p>\n
\n2) Change the password for you control panel and ftp accounts, if possible change the password for your database as well.
\n3) Check for the file\/folder permission in your control panel. File permissions should be set to 644 and folder permissions should be set to 755.
\n4) You can scan you Mail, Entire Home Directory, Public Web Space, Public FTP Space using Virus Scanner present in your control panel under Advanced section.<\/p>\n# prevent access from santy webworm a-e\r\nRewriteCond %{QUERY_STRING} ^(.*)highlight=\\%2527 [OR]\r\nRewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]\r\nRewriteCond %{QUERY_STRING}% s:(.*)252echr [OR]\r\nRewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]\r\nRewriteCond %{QUERY_STRING} ^(.*)rush=\\%65\\%63\\%68 [OR]\r\nRewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]\r\nRewriteCond %{QUERY_STRING} ^(.*)wget\\%20 [OR]\r\nRewriteCond %{QUERY_STRING}% s:(.*)wget\r\nRewriteRule ^.*$ http:\/\/127.0.0.1\/ [R,L] \r\n\r\n# prevent pre php 4.3.10 bug\r\nRewriteCond %{HTTP_COOKIE}% s:(.*):\\%22test1\\%22\\%3b\r\nRewriteRule ^.*$ http:\/\/127.0.0.1\/ [R,L] \r\n\r\n# this ruleset is to \"stop\" stupid attempts to use MS IIS Web Server expolits on us\r\n# NIMDA\r\nRewriteCond %{REQUEST_URI} \/(admin|cmd|httpodbc|nsiislog|root|shell)\\.(dll|exe) [NC]\r\nRewriteRule .* - [F,L]\r\n\r\n# CODERED\r\nRewriteCond %{REQUEST_URI} \/default\\.(ida|idq)$ [NC,OR]\r\nRewriteCond %{REQUEST_URI} \/.*\\.printer$ [NC]\r\nRewriteRule .* - [F,L]\r\n\r\n# IE's \"make available offline\" mode\r\nRewriteCond %{HTTP_USER_AGENT} MSIECrawler [OR]\r\n\r\n# unknown bot\r\nRewriteCond %{HTTP_USER_AGENT} ^NG [OR]\r\n\r\n# You may want to enable these lines below to disallow php and perl scripts to access your site\r\n RewriteCond %{HTTP_USER_AGENT} ^.*PHP.*$ [OR]\r\n RewriteCond %{HTTP_USER_AGENT} ^.*libwww-perl [NC,OR]\r\n\r\n# Ignorant user trying to edit my site\r\nRewriteCond %{HTTP_USER_AGENT} FrontPage [OR]\r\n#this one will ban everything microsoft. Use with caution.\r\nRewriteCond %{HTTP_USER_AGENT} ^(Microsoft|MFC).(Data|URL|WebDAV|Foundation).(Access|Control|MiniRedir|Class) [NC,OR]\r\n\r\n# MSOffice\r\nRewriteCond %{REQUEST_URI} ^\/(MSOffice|_vti) [NC,OR]\r\n\r\n# Various\r\nRewriteCond %{REQUEST_URI} ^\/(bin\/|cgi\/|cgi\\-local\/|cgi\\-bin\/|sumthin) [NC,OR]\r\nRewriteCond %{THE_REQUEST} ^GET\\ http [NC,OR]\r\nRewriteCond %{REQUEST_URI} \/sensepost\\.exe [NC,OR]\r\nRewriteCond %{REQUEST_METHOD}!^(GET|HEAD|POST) [NC,OR]\r\n\r\n# Cyveillance is a spybot that scours the web for copyright violations and ?damaging information? on\r\n# behalf of clients such as the RIAA and MPAA. Their robot spoofs its User-Agent to look like Internet\r\n# Explorer, and it completely ignores robots.txt. I have\r\n# banned it by IP address.\r\nRewriteCond %{REMOTE_ADDR} ^63\\.148\\.99\\.2(2[4-9]|[34][0-9]|5[0-5])$ [OR]\r\nRewriteCond %{REMOTE_ADDR} ^63\\.226\\.3[34]\\. [OR]\r\nRewriteCond %{REMOTE_ADDR} ^63\\.212\\.171\\.161$ [OR]\r\nRewriteCond %{REMOTE_ADDR} ^65\\.118\\.41\\.(19[2-9]|2[01][0-9]|22[0-3])$ [OR]\r\n\r\n# NameProtect peddles their ?online brand monitoring? to unsuspecting and gullible companies\r\n# looking for people to sue. Despite the claims on their robot information page, they do not\r\n# respect robots.txt; in fact, they spoof their User-Agent in multiple ways to avoid detection.\r\n# I have banned them by User-Agent and IP address.\r\nRewriteCond %{REMOTE_ADDR} ^12\\.148\\.196\\.(12[8-9]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])$ [OR]\r\nRewriteCond %{REMOTE_ADDR} ^12\\.148\\.209\\.(19[2-9]|2[0-4][0-9]|25[0-5])$ [OR]\r\nRewriteCond %{HTTP_USER_AGENT} ^NPBot\t[NC,OR]\r\n\r\n# Web Content International\r\nRewriteCond %{REMOTE_ADDR} ^65\\.102\\.12\\.2(2[4-9]|3[01])$ [OR]\r\nRewriteCond %{REMOTE_ADDR} ^65\\.102\\.17\\.(3[2-9]|[4-6][0-9]|7[01]|8[89]|9[0-5]|10[4-9]|11[01])$ [OR]\r\nRewriteCond %{REMOTE_ADDR} ^65\\.102\\.23\\.1(5[2-9]|6[0-7])$ [OR]\r\n\r\n# dumb bot\r\nRewriteCond %{HTTP_USER_AGENT} \"^Mozilla\/4.0$\" [OR]\r\n\r\n# Wordtracker\r\nRewriteCond %{REMOTE_ADDR} ^128\\.242\\.197\\.101$ [OR]\r\n\r\n# Unknown\r\n# unknown.Level3.net\r\nRewriteCond %{REMOTE_ADDR} ^64\\.156\\.198\\.(6[89]|7[0-9]|80)$ [OR]\r\n\r\n# host25x.keebler.com\r\nRewriteCond %{REMOTE_ADDR} ^65\\.223\\.250\\.25[0-3]$ [OR]\r\n\r\n# Turnitin spybot\r\nRewriteCond %{REMOTE_ADDR} ^64\\.140\\.49\\.6([6-9])$ [OR]\r\nRewriteCond %{HTTP_USER_AGENT} TurnitinBot [OR]\r\n\r\n# this ruleset is for formmail script abusers...\r\n# we don't use Perl for Postnuke so this is not really needed.\r\nRewriteCond %{REQUEST_URI} (mail.?form|form|form.?mail|mail|mailto)\\.(cgi|exe|pl)$ [NC,OR]\r\nRewriteCond %{HTTP_USER_AGENT} ^.*FileHound.*$\r\nRewriteRule .* - [F,L]\r\n\r\n# dumb bot\r\nRewriteCond %{HTTP_USER_AGENT} \"^Mozilla\/3.0$\"\r\nRewriteRule .* - [F,L]\r\n\r\n<FILES .htaccess>\r\norder allow,deny\r\ndeny from all\r\n<\/FILES><\/pre>\n","protected":false},"excerpt":{"rendered":"