What if we told you that ~15% of infection sources are database infections? If you have ever tried to clean up malicious injections (usually, thousands of them) from the database table, you know how much time and pain it would take. There's a lack of professional solutions to detect and clean up malware in the database automatically. We want to save your time and provide you with another top-notch solution to detect threats in the databases (in addition to our trailblazing Imunify file scanner). We call the solution “Malware Database Scanner” (MDS).
Please note that the information in this article is out of date.
If you are using the Imunify360 6.0 or later, you can control the MDS feature from the UI.
When might you face a database infection? Attackers inject into the database when they intend to execute malicious code client-side, in the visitor’s browser, rather than server-side. Injected malicious JavaScript or HTML is the most common case. Such injections often damage domain reputation: the website gets blacklisted by search engines or antivirus services, which causes a drastic traffic drop (up to 90%).
To address this type of infection, Imunify360 version 5.1 introduces the Malware Database Scanner (MDS), a CLI tool with a proprietary malware signature database designed for safe and automatic database cleanup (we will integrate it with the UI of Imunify360 soon).
MDS can run scan, cleanup, and restore operations and is controlled by command-line arguments; run it with --help to see the full list.
The easiest way to start is to run MDS with the --search-configs argument: MDS will try to find the CMS config files and print out the database credentials that should later be specified for scanning.
The --creds-from-xargs argument lets MDS take those credentials from xargs instead of you entering them manually, which allows automating both the credential discovery and the scan itself.
Example:
# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php --search-configs . | xargs -n1
If there is a malicious injection in the database, MDS helps to detect and clean it up.
Here is a typical scan command:
# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php \
--search-configs /var/www/vhosts/wp_shop/httpdocs \
| xargs -n1 /opt/ai-bolit/wrapper \
/opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
--report-file=`pwd`/report.json --log-level=ALL \
--log-file=`pwd`/log.txt \
--avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
--scan
In the example above, logging is enabled, which gives more details about the scanning progress.
The scan can take a while. After it completes, you can find the report details and the logs in report.json and log.txt respectively.
In the report for this example, malicious injections were detected in the database table wp_posts. Note that running MDS with the --scan argument is read-only: MDS makes no changes to the data, so a scan is safe to run on a production database.
The cleanup procedure is fully automated and as simple as the scan. Here is a real-world cleanup scenario:
# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php \
--search-configs /var/www/vhosts/wp_shop/httpdocs \
| xargs -n1 /opt/ai-bolit/wrapper \
/opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
--report-file=`pwd`/report.json --log-level=ALL \
--log-file=`pwd`/log.txt \
--avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
--procudb=/var/imunify360/files/sigs/v1/aibolit/mds-procu2.db \
--backup-file=<filename.csv> \
--clean
Cleanup results are stored in report.json. A backup of the affected data is written to the file named in --backup-file=<filename.csv>; keep it until the site has been verified, because it is the input for --restore.
Information about the affected records can be found in report.json and log.txt.
MDS is currently an experimental feature and was designed to minimize the possible impact of any issues. To undo the changes, run MDS with the --restore option, passing the backup file that was written during cleanup:
# /opt/ai-bolit/wrapper /opt/ai-bolit/imunify_dbscan.php \
--search-configs /var/www/vhosts/wp_shop/httpdocs \
| xargs -n1 /opt/ai-bolit/wrapper \
/opt/ai-bolit/imunify_dbscan.php --creds-from-xargs \
--report-file=`pwd`/report.json --log-level=ALL \
--log-file=`pwd`/log.txt \
--avdb=/var/imunify360/files/sigs/v1/aibolit/mds-ai-bolit-hoster.db \
--procudb=/var/imunify360/files/sigs/v1/aibolit/mds-procu2.db \
--restore=mds_backup_1597223818.csv
Please report any issue you face to our support team. Your feedback will help to improve the scanner.
You can find more detailed information in our documentation here How to use Malware Database Scanner (MDS)
MDS contains the SMW-INJ-16483-eicar.tst.mds signature for testing purposes. It is similar to the EICAR test-file signature but designed to trigger on specially crafted DB content. To place test content in a WordPress database, the following SQL query can be used:
UPDATE wp_posts
SET post_content = '<script>X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-MDS-ANTIVIRUS-TEST-FILE!$H+H*'
WHERE id = <YOURTESTPOSTID>;
where <YOURTESTPOSTID> is the ID of a post in the wp_posts table that you wish to use for testing. The post can be unpublished; that is fine for testing purposes. Note the doubled backslash in the string literal: MySQL treats a single backslash as an escape character, so \\ stores one literal backslash, which is what the signature expects.
MDS is expected to find and clean the malware in the post’s content.
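To make the scan / clean / restore workflow described above concrete, here is an added, illustrative example that is not Imunify360 or MDS code. It implements a tiny database scanner in Python over an in-memory SQLite table standing in for MySQL wp_posts: the scan pass is read-only, cleanup writes every affected row to a CSV backup before changing it, and restore replays that CSV. The signature set is an assumption: the MDS test string from this article plus a hypothetical inline-<script> pattern; the sample rows are constructed.

```python
"""Toy database malware scanner: scan / clean / restore over a wp_posts table.

Illustrative example only, not Imunify360 MDS code. SQLite stands in for
MySQL; the signature set and the sample rows are assumptions.
"""
import csv
import io
import re
import sqlite3

# The MDS test string from the article (one literal backslash after "[4").
EICAR_MDS = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-MDS-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed signatures: the real MDS signature database is proprietary.
SIGNATURES = {
    # matches the test string, with the optional <script> prefix used in the article's UPDATE
    "SMW-INJ-16483-eicar.tst.mds": re.compile(r"(<script>)?" + re.escape(EICAR_MDS)),
    # hypothetical signature: any inline <script>...</script> block in post content
    "SMW-INJ-example-inline-script": re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S),
}


def scan(conn):
    """Read-only pass (like --scan): {post_id: [signature names]} for infected rows."""
    report = {}
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts"):
        names = [name for name, rx in SIGNATURES.items() if rx.search(content)]
        if names:
            report[post_id] = names
    return report


def clean(conn, backup):
    """Like --clean: back up each affected row to CSV *before* stripping the matched fragments."""
    writer = csv.writer(backup)
    writer.writerow(["ID", "post_content"])
    cleaned = 0
    for post_id, names in scan(conn).items():
        (original,) = conn.execute(
            "SELECT post_content FROM wp_posts WHERE ID = ?", (post_id,)).fetchone()
        writer.writerow([post_id, original])  # original content goes to the backup first
        new_content = original
        for name in names:
            new_content = SIGNATURES[name].sub("", new_content)
        conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?", (new_content, post_id))
        cleaned += 1
    conn.commit()
    return cleaned


def restore(conn, backup):
    """Like --restore: put the backed-up content back, row by row, from the CSV."""
    restored = 0
    for row in csv.DictReader(backup):
        conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?",
                     (row["post_content"], int(row["ID"])))
        restored += 1
    conn.commit()
    return restored


def demo():
    """Run the full workflow on constructed rows and return the intermediate results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    # constructed sample rows: one clean, one carrying the article's test content,
    # one with an injected external <script> tag
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "<p>Hello world</p>"),
        (2, "<script>" + EICAR_MDS),
        (3, '<p>Offer</p><script src="https://example.invalid/x.js"></script>'),
    ])
    before = scan(conn)                     # rows 2 and 3 are flagged
    backup = io.StringIO()                  # stands in for --backup-file=<filename.csv>
    cleaned = clean(conn, backup)
    after_clean = scan(conn)                # nothing left to flag
    (row3,) = conn.execute("SELECT post_content FROM wp_posts WHERE ID = 3").fetchone()
    backup.seek(0)
    restored = restore(conn, backup)
    after_restore = scan(conn)              # identical to the first scan
    return {"before": before, "cleaned": cleaned, "after_clean": after_clean,
            "row3_after_clean": row3, "restored": restored, "after_restore": after_restore}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The order of operations is the point: the backup row is written before the UPDATE, so a crash or a bad signature match can always be undone with the same CSV, which is what the --backup-file and --restore pair in the MDS commands above gives you.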
Archive containing files for MDS testing is here.
The initial MDS version contains the CLI tool only, and it is designed to work with WordPress databases. MDS GUI and support of other CMS are planned for further versions. Stay tuned.
Please let us know what you’ve found in the database, do not hesitate to submit a ticket to the Imunify360 support team at cloudlinux.zendesk.com so we could help you with the analysis.
MDS is a part of the Imunify360 security suite. Imunify360 combines Antivirus, Firewall, WAF, PHP Security Layer, Patch Management, and Domain Reputation with an easy UI and advanced automation. Try Imunify360 free, and you will be able to see the results of this Linux malware scanner in just one week.