
MDS: An Intelligent Malware Database Scanner for Websites

Oct 16, 2020 2:50:01 PM / by Vitalii Rudnykh

 


What if we told you that around 15% of infection sources are database infections? If you have ever tried to clean malicious injections (usually thousands of them) out of a database table, you know how much time and pain it takes. There is a lack of professional solutions that detect and clean up malware in the database automatically. We want to save your time and provide another top-notch tool for detecting threats in databases, complementing our Imunify file scanner. We call it the Malware Database Scanner (MDS).

When might you face a database infection? Attackers use it when they intend to execute malicious code client-side, i.e., in the visitor's browser, rather than server-side. Injected malicious JavaScript or HTML is the most common form. Such injections often damage domain reputation: once a website is blacklisted by search engines or antivirus services, traffic drops drastically (up to 90%).
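The kind of injection described above is easy to triage by hand once you know where to look, and seeing the raw rows makes it clear what a database scanner has to recognise. The following queries are an added example written for this page, not part of MDS or of the original post; they assume a MySQL/MariaDB server and the default wp_ table prefix. They go slightly beyond the text by also surfacing the "one payload, thousands of rows" pattern that mass injections leave behind.

```sql
-- Added example (not part of the original post or of MDS): manual triage
-- queries for client-side injections (script/iframe markup) in wp_posts.
-- Assumptions: MySQL/MariaDB, default wp_ table prefix.

-- 1. How many posts carry inline script or frame markup at all?
--    Legitimate embeds exist, so this is a triage list, not a verdict.
SELECT post_type, post_status, COUNT(*) AS hits
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
GROUP BY post_type, post_status;

-- 2. Show the suspicious fragment itself, newest modifications first.
--    Injections are usually appended or prepended to otherwise normal content,
--    so the 200 characters starting at the first <script tag are enough to
--    recognise a payload (obfuscation hints: eval(, String.fromCharCode, atob().
SELECT ID,
       post_modified,
       SUBSTRING(post_content, LOCATE('<script', post_content), 200) AS fragment
FROM wp_posts
WHERE post_content LIKE '%<script%'
ORDER BY post_modified DESC
LIMIT 20;

-- 3. Mass injections write an identical payload into many rows in a short
--    window. Grouping by the fragment separates one campaign repeated across
--    hundreds of posts from a handful of hand-made embeds.
SELECT SUBSTRING(post_content, LOCATE('<script', post_content), 120) AS payload,
       COUNT(*)            AS occurrences,
       MIN(post_modified)  AS first_seen,
       MAX(post_modified)  AS last_seen
FROM wp_posts
WHERE post_content LIKE '%<script%'
GROUP BY payload
HAVING occurrences > 5
ORDER BY occurrences DESC;
```

Run these read-only against a replica or during a quiet period; on a large wp_posts table the LIKE scans are full table scans. A single payload with hundreds of occurrences clustered in a few minutes of post_modified time is the shape of an automated injection, which is exactly the case a tool like MDS is built to clean up at scale.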

To address this type of infection, Imunify360 version 5.1 introduces the Malware Database Scanner (MDS): a CLI tool backed by a proprietary malware signature database and designed for safe, automatic database cleanup (integration with the Imunify360 UI will follow).

MDS performs scan, cleanup, and restore operations and accepts the following arguments from the command line:

    • --scan - only scan the database; no changes are applied.
    • --clean - scan the database and clean up malicious content. Includes the scan.
    • --restore - restore the data affected by a cleanup from the backup CSV file.

Note: the “clean” operation includes “scan”, so you don't need to run a scan before the cleanup; “scan” on its own is for non-disruptive checks of the database.

Note: cleanup mode creates a backup file that can be used to roll back all changes. This is what makes MDS safe to use and protects websites from breakage and data loss.

Run --help to see all available options. The easiest way to use MDS is to run it with the --search-configs argument: MDS will try to locate the CMS config files and print out the database credentials that should later be passed to the scan. Since this prints live database credentials to stdout, avoid capturing the output in shell history or shared logs.

The --creds-from-xargs argument lets MDS take those credentials from its command-line arguments instead of having them typed in manually, so credential discovery and the scan can be chained in one pipeline.

Example:

# /opt/alt/php74-imunify/usr/bin/php /opt/ai-bolit/imunify_dbscan.php --search-configs . | xargs -n1

Scan

If there is a malicious injection in the database, MDS detects it and can clean it up.

Here is a typical scan command:

# /opt/alt/php74-imunify/usr/bin/php /opt/ai-bolit/imunify_dbscan.php \
     --search-configs /var/www/vhosts/wp_shop/httpdocs \
     | xargs -n1 /opt/alt/php74-imunify/usr/bin/php -n \
     -d extension=json.so -d extension=pdo.so \
     -d extension=mysqlnd.so -d extension=nd_mysqli.so \
     /opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
     --report-file=`pwd`/report.json --log-level=ALL \
     --log-file=`pwd`/log.txt \
     --avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
     --scan

 

In the example above, logging is enabled (--log-level=ALL together with --log-file), which gives more detail about the scanning progress.

The scan can take a while. After it completes, the report details and the log are in report.json and log.txt respectively.

In this run, malicious injections were detected in the wp_posts table. Running MDS with --scan prevents it from making any data changes, so it is safe to run against a live database; it still has to read every row, so expect the corresponding read load.

Cleanup

The cleanup procedure is fully automated and as simple as the scan. Here is a real-world cleanup scenario:

# /opt/alt/php74-imunify/usr/bin/php /opt/ai-bolit/imunify_dbscan.php \
     --search-configs /var/www/vhosts/wp_shop/httpdocs \
     | xargs -n1 /opt/alt/php74-imunify/usr/bin/php -n \
     -d extension=json.so -d extension=pdo.so \
     -d extension=mysqlnd.so -d extension=nd_mysqli.so \
     /opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
     --report-file=`pwd`/report.json --log-level=ALL \
     --log-file=`pwd`/log.txt \
     --avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
     --procudb=/var/imunify360/files/sigs/v1/aibolit/mds-procu2.db \
     --clean

Cleanup results are stored in report.json. A backup of the affected data is also created, with a filename similar to mds_backup_1597223818.csv, where the digits are the Unix timestamp of the run. Keep this file: it is the only way to roll the cleanup back.

Information about the affected records can be found in report.json and log.txt.

 

Restore

At the moment MDS is an experimental feature, so it was designed to minimise the impact of any issue. To undo the changes made by a cleanup, run MDS with --restore pointing at the backup file that the cleanup produced:

# /opt/alt/php74-imunify/usr/bin/php /opt/ai-bolit/imunify_dbscan.php \
     --search-configs /var/www/vhosts/wp_shop/httpdocs \
     | xargs -n1 /opt/alt/php74-imunify/usr/bin/php -n \
     -d extension=json.so -d extension=pdo.so \
     -d extension=mysqlnd.so -d extension=nd_mysqli.so \
     /opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
     --report-file=`pwd`/report.json --log-level=ALL \
     --log-file=`pwd`/log.txt \
     --avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
     --procudb=/var/imunify360/files/sigs/v1/aibolit/mds-procu2.db \
     --restore=mds_backup_1597223818.csv

Please report any issue you face to our support team. Your feedback will help us improve the scanner.

More detailed information is available in our documentation: How to use Malware Database Scanner (MDS)

 

Testing MDS

MDS contains the signature SMW-INJ-16483-eicar.tst.mds for testing purposes. It is similar to the EICAR test-file signature but designed to trigger on specially crafted database content. To place the test content in a WordPress database, the following SQL query can be used:

UPDATE wp_posts
SET post_content = '<script>X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-MDS-ANTIVIRUS-TEST-FILE!$H+H*'
WHERE id = <YOURTESTPOSTID>;

where <YOURTESTPOSTID> is the ID of the post in the wp_posts table that you want to use for testing. The UPDATE overwrites that post's content, so pick a throwaway post; it can be unpublished, which is fine for testing purposes.

MDS is expected to find and clean the malware in the post's content.
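Rather than overwriting a real post, it is cleaner to seed a dedicated draft, confirm it is present, run the cleanup, and then check the table again. The script below is an added example for this page, not from the original post or from MDS; it assumes MySQL/MariaDB, the default wp_ table prefix, and an existing WordPress user with ID 1 to serve as the author. The test string itself is copied verbatim from the UPDATE above.

```sql
-- Added example (not part of the original post or of MDS): seed a throwaway
-- draft post carrying the MDS test string, check it before the scan, and
-- verify the result after MDS has run with --clean.
-- Assumptions: MySQL/MariaDB, default wp_ prefix, user ID 1 exists.

-- 1. Seed. post_status = 'draft' so the content is never served to visitors.
--    The test string is the one from the post above; MySQL reads '\\' inside
--    a quoted literal as a single backslash, matching the EICAR layout.
INSERT INTO wp_posts
  (post_author, post_date, post_date_gmt, post_content, post_title, post_excerpt,
   post_status, comment_status, ping_status, post_name, to_ping, pinged,
   post_modified, post_modified_gmt, post_content_filtered, guid, post_type)
VALUES
  (1, NOW(), UTC_TIMESTAMP(),
   '<script>X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-MDS-ANTIVIRUS-TEST-FILE!$H+H*',
   'MDS test post', '', 'draft', 'closed', 'closed', 'mds-test-post', '', '',
   NOW(), UTC_TIMESTAMP(), '', '', 'post');

-- 2. Pre-check: exactly one row should carry the marker before the scan.
--    Match on the marker word, not the whole string, because the full test
--    string contains '%' which LIKE would treat as a wildcard.
SELECT ID, post_status, LENGTH(post_content) AS content_len
FROM wp_posts
WHERE post_content LIKE '%EICAR-MDS-ANTIVIRUS-TEST-FILE%';

-- 3. Run MDS with --clean (see the Cleanup section), then re-run the check.
--    It should return no rows once the injection has been removed, and the
--    ID reported in report.json / mds_backup_*.csv should be the one from step 2.
SELECT ID, post_content
FROM wp_posts
WHERE post_content LIKE '%EICAR-MDS-ANTIVIRUS-TEST-FILE%';

-- 4. Teardown after you have also exercised --restore. Restrict by slug,
--    status and type so nothing but the seeded draft can match.
DELETE FROM wp_posts
WHERE post_name = 'mds-test-post'
  AND post_status = 'draft'
  AND post_type = 'post';
```

Running --restore with the backup from step 3 and repeating the step 2 query is a cheap way to confirm the rollback path works on your installation before you rely on it during a real incident.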


An archive containing files for MDS testing is available here.

 

Limitations

The initial MDS version contains the CLI tool only, and it is designed to work with WordPress databases. A GUI and support for other CMSs are planned for future versions. Stay tuned.

 

Support

Please let us know what you find in your databases. Do not hesitate to submit a ticket to the Imunify360 support team at cloudlinux.zendesk.com so that we can help you with the analysis.

 

Topics: Imunify360, MDS, Developer Blog, Advice, Malware Scanner


Written by Vitalii Rudnykh

Senior Malware Analyst / Security Researcher
