
MDS An Intelligent Malware Database Scanner for Websites

MDS: Malware database scanner for websites based on ai bolit

What if we told you that ~15% of infection sources are database infections? If you have ever tried to clean up malicious injections (usually, thousands of them) from the database table, you know how much time and pain it would take. There's a lack of professional solutions to detect and clean up malware in the database automatically. We want to save your time and provide you with another top-notch solution to detect threats in the databases (in addition to our trailblazing Imunify file scanner). We call the solution “Malware Database Scanner” (MDS).

Please note that the information in this article is no longer current.
If you are using Imunify360 6.0 or later, you can control the MDS feature from the UI.

When may you face a database infection? It is typically used when an attacker intends to execute malicious code client-side, i.e., in the visitor’s browser, rather than server-side. Injected malicious JavaScript or HTML is the most common case. Such injections often damage domain reputation: the website gets blacklisted by search engines or antivirus services, which causes a drastic traffic drop (up to 90%).

To address this type of infection, Imunify360 version 5.1 introduces the Malware Database Scanner (MDS) - a CLI tool with a proprietary malware database designed for safe and automatic database cleanup (we will integrate it with the UI of Imunify360 soon).

MDS can perform scan, cleanup, and restore operations and accepts the following arguments from the command line:

    • --scan - only scan the database; no changes will be applied.
    • --clean - scan the database and clean up malicious content. Includes the scan as well.
    • --restore - restore data affected by the cleanup from the backup CSV file.

Note: the “clean” operation includes “scan”, so you don’t need to run a scan before the cleanup, whereas “scan” alone can be used for non-disruptive checks of the database.

Note: cleanup mode creates a backup file that can be used to roll back all changes. This makes MDS safe to use and prevents websites from breaking and data loss.

You can run --help to see the help text. The easiest way to use MDS is to run it with the --search-configs argument: MDS will try to find the CMS config files and print out the database credentials that should later be specified for scanning.

The --creds-from-xargs argument can be used to run MDS without the need to enter credentials manually. It allows automating both credential discovery and the scan process.

Example:

# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php --search-configs . | xargs -n1

Scan

If there is a malicious injection in the database, MDS helps to detect and clean it up.

(Screenshot: malicious injection example)

Here is a typical scan command:

# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php \
  --search-configs /var/www/vhosts/wp_shop/httpdocs \
  | xargs -n1 /opt/ai-bolit/wrapper \
  /opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
  --report-file=`pwd`/report.json --log-level=ALL \
  --log-file=`pwd`/log.txt \
  --avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
  --scan

In the example above, logging was enabled; it helps to get more details about the scanning progress.

The scan can take a while to finish. After it completes, you can find the report details and logs in report.json and log.txt respectively.

(Screenshot: another malicious injection that AI-Bolit could clean)

As you can see, malicious injections were detected in the database in the table wp_posts. Note that running MDS with the --scan argument prevents MDS from making any data changes, so it is absolutely safe.

Cleanup

The cleanup procedure is fully automated and is as simple as the scan procedure. Here is a real-world cleanup scenario:

# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php \
  --search-configs /var/www/vhosts/wp_shop/httpdocs \
  | xargs -n1 /opt/ai-bolit/wrapper \
  /opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
  --report-file=`pwd`/report.json --log-level=ALL \
  --log-file=`pwd`/log.txt \
  --avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
  --procudb=/var/imunify360/files/sigs/v1/aibolit/mds-procu2.db \
  --backup-file=<filename.csv> \
  --clean

Cleanup results will be stored in report.json. A backup of the affected data will also be created with the filename given in the --backup-file=<filename.csv> argument.

Information about the affected records can be found in report.json and log.txt.

(Screenshot: malicious code cleanup by AI-Bolit)

(Screenshot: malware cleanup)

Restore

At the moment MDS is an experimental feature, and it was designed to minimize the possible impact in case of issues. To undo changes, MDS can be run with the --restore option:

# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php \
  --search-configs /var/www/vhosts/wp_shop/httpdocs \
  | xargs -n1 /opt/ai-bolit/wrapper \
  /opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
  --report-file=`pwd`/report.json --log-level=ALL \
  --log-file=`pwd`/log.txt \
  --avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
  --procudb=/var/imunify360/files/sigs/v1/aibolit/mds-procu2.db \
  --restore=mds_backup_1597223818.csv
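The three invocations above (scan, clean, restore) differ only in their trailing options, and the one mistake that cannot be undone is running --clean without a --backup-file. The following POSIX sh wrapper is an added example, not code from the original post or from the Imunify360 project: it composes the same --search-configs | xargs pipeline shown on this page and refuses a cleanup without a backup file or a restore from a missing or empty one. The tool path and signature-database paths are the ones shown on this page; the function names mds_args and mds_run, the WORKDIR argument for report.json and log.txt, and the backup-file rule are the example's own assumptions.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not part of Imunify360/MDS).
# Tool and signature-database paths are the ones shown on this page.
MDS_WRAPPER=/opt/ai-bolit/wrapper
MDS_SCRIPT=/opt/ai-bolit/imunify_dbscan.php
AVDB=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db
PROCUDB=/var/imunify360/files/sigs/v1/aibolit/mds-procu2.db

# mds_args MODE WORKDIR [BACKUP_CSV]
# Prints the MDS options for MODE (scan | clean | restore) on one line.
# Returns 1 and prints nothing for an unsafe invocation:
#   - clean without a backup file (nothing to --restore from later)
#   - restore from a missing or empty backup file
# WORKDIR must be an absolute path without spaces (the options are
# word-split when passed to xargs in mds_run).
mds_args() {
    mode=$1
    workdir=$2
    file=$3
    common="--creds-from-xargs --report-file=$workdir/report.json --log-level=ALL --log-file=$workdir/log.txt --avdb=$AVDB"
    case $mode in
        scan)
            printf '%s --scan\n' "$common"
            ;;
        clean)
            if [ -z "$file" ]; then
                echo "mds_args: clean refused without --backup-file" >&2
                return 1
            fi
            printf '%s --procudb=%s --backup-file=%s --clean\n' "$common" "$PROCUDB" "$file"
            ;;
        restore)
            if [ -z "$file" ] || [ ! -s "$file" ]; then
                echo "mds_args: restore refused, backup file missing or empty: '$file'" >&2
                return 1
            fi
            printf '%s --procudb=%s --restore=%s\n' "$common" "$PROCUDB" "$file"
            ;;
        *)
            echo "mds_args: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
}

# mds_run MODE DOCROOT WORKDIR [BACKUP_CSV]
# Same pipeline as on this page: discover credentials under DOCROOT, then
# run MDS once per discovered database with the options from mds_args.
# The credential argument appended by xargs lands after the options,
# exactly as in the page's commands.
mds_run() {
    args=$(mds_args "$1" "$3" "$4") || return 1
    # shellcheck disable=SC2086  # $args is intentionally word-split
    "$MDS_WRAPPER" "$MDS_SCRIPT" --search-configs "$2" \
        | xargs -n1 "$MDS_WRAPPER" "$MDS_SCRIPT" $args
}

# Typical usage on a host with MDS installed (uncomment to run):
# mds_run scan    /var/www/vhosts/wp_shop/httpdocs /root/mds
# mds_run clean   /var/www/vhosts/wp_shop/httpdocs /root/mds /root/mds/mds_backup.csv
# mds_run restore /var/www/vhosts/wp_shop/httpdocs /root/mds /root/mds/mds_backup.csv
```

Keeping the backup CSV outside the web root (here a hypothetical /root/mds) matters: it contains the original, still-infected content of every cleaned row, so it should not be served or left readable to the website user.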

Please report any issue you face to our support team. Your feedback will help us improve the scanner.

You can find more detailed information in our documentation: How to use Malware Database Scanner (MDS).

Testing MDS

MDS contains the SMW-INJ-16483-eicar.tst.mds signature for testing purposes. It is similar to the EICAR test file signature but designed to trigger on specially crafted database content. To place test content in the WordPress database, the following SQL query can be used:

UPDATE wp_posts
SET post_content = '<script>X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-MDS-ANTIVIRUS-TEST-FILE!$H+H*'
WHERE id = <YOURTESTPOSTID>;

where <YOURTESTPOSTID> is the ID of a post in the wp_posts table that you wish to use for testing. Note that the post can be unpublished; that is fine for testing purposes.

MDS is expected to find and clean the malware in the post's content.

https://trial4.imunify360.com/

An archive containing files for MDS testing is available here.

Limitations

The initial MDS version contains the CLI tool only, and it is designed to work with WordPress databases. An MDS GUI and support for other CMSs are planned for future versions. Stay tuned.

Support

Please let us know what you’ve found in the database: do not hesitate to submit a ticket to the Imunify360 support team at cloudlinux.zendesk.com so we can help you with the analysis.


MDS is part of the Imunify360 security suite. Imunify360 combines Antivirus, Firewall, WAF, PHP Security Layer, Patch Management, and Domain Reputation, all with an easy UI and advanced automation. Try Imunify360 free, and you will be able to see the results of this Linux malware scanner in just one week.

Make your servers secure now!