AI-Bolit is a new-generation scanner for viruses and malicious code that has already been used by tens of thousands of webmasters and server administrators.

It looks for viruses, hacker scripts, phishing pages, doorways and other types of malicious scripts that hackers upload when compromising websites.

If your site has problems, for example:

  • antiviruses block access to the pages of the site,
  • links have appeared on the pages,
  • there is a mobile redirect when entering from a smartphone or tablet,
  • attendance has dropped sharply,
  • visitors complain about viruses,
  • the hosting provider has blocked mail for sending spam,
  • the website is suspected of being hacked,
check the site with the AI-Bolit scanner. It will help you find the files that host a hacker backdoor or web shell, link-selling code, or a spam mailer.

The AI-Bolit scanner is free for non-commercial use: any webmaster can upload the scanner to their site and check the resource for viruses and signs of hacking.

AI-Bolit is recommended by many Russian hosting providers; some of them have already built the scanner into the virtual hosting control panel, which allows the account owner to perform a one-click anti-virus scan.

The scanner is developed by information security experts at the company Revizium, which specializes in cleaning up sites and protecting them against hacking.

Every day, while disinfecting and restoring sites, Revizium specialists discover new malicious scripts and more sophisticated ways of hiding malicious code. This information is used to refine the scanner's algorithm and extend its rule base, which makes the AI-Bolit scanner more effective with each new version.

What is unique about the AI-Bolit scanner?

The weak side of modern server-side malware scanners is their approach to malware detection and to the anti-virus database. Server antiviruses look for virus and hacker code using fixed parameters (file checksum, hash, string fragments). Meanwhile, the developers of modern malicious scripts have learned to trick scanners with code encryption, making each new copy unlike the previous one: they use variable obfuscation, encryption of the executable code, indirect calls and other approaches. Therefore the old methods of searching for viruses stop working. Whereas earlier it was enough for a system administrator to execute commands such as

find -type f -name "*.php" -print0 | xargs -0 fgrep -l 'base64_decode($_POST'
find -type f -name "*.php" -print0 | xargs -0 fgrep -l 'if (count($_POST)< 2) { die(PHP_OS.chr('
find -type f -size -1000c -name "*.php" -print0 | xargs -0 grep -il "if(isset(\$_REQUEST\[.*eval(.*)"
find -type f -name "*.php" -print0 | xargs -0 fgrep -l 'base64_decode($_REQUEST'
find -type f -size -1000c -name "*.php" -print0 | xargs -0 fgrep -l 'eval(stripslashes($_REQUEST'
find ~/domains/ -type f -name "*.php" -print0 | xargs -0 fgrep -l 'eval($___($__)'
find \( -regex ".*\.php$" -o -regex ".*\.cgi$" \) -print0 | xargs -0 egrep -il "r0nin|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|filesman"
find -type f -name "*.php" -print0 | xargs -0 fgrep -l "Euc

now this is no longer enough to find all hacker shells, since a modern hacker web shell looks like this:

And it changes its structure and string representation.

We need a more efficient mechanism for finding malicious code. Therefore, AI-Bolit takes a slightly different approach.

When searching for malicious code, the scanner uses source code pre-normalization, a regular-expression search engine and heuristics. Together these allow it to detect encoded modifications of web shells and backdoors, as well as new, still unknown viruses and hacker scripts, identifying them by alternative parameters (for example, the source code uses calls typical of hacker scripts, the files have randomly generated names or non-standard file attributes, etc.). The advanced detection algorithm allows the AI-Bolit scanner to find encrypted fragments of a polymorphic nature. For example, these:

In experiments, AI-Bolit showed many times higher detection of hacker scripts than ClamAV and MalDet, which many hosting providers use as free antivirus solutions.

How the AI-Bolit Scanner Works

To check the site, it is enough to upload the scanner to the site directory (on the hosting or on the local computer with the site backup) and run it. The scanner can be opened in a browser or run in command line mode via SSH. In addition, AI-Bolit can check the site backup locally on your computer.

The result of the site check is a detailed report in HTML or text format, which the scanner can automatically send by email.

The site has detailed video instructions and a guide for beginners.

Are you sure your site is not hacked?

Most site owners are unaware that their sites have been hacked and loaded with hacker scripts. Therefore, we recommend that you check your sites with the AI-Bolit scanner right now. If you have any questions about the scanner report, send it to us at Revizium at [email protected] (as a .zip archive) and we will help you figure it out.

Scanner updates are announced on our Twitter.

The fullest functionality is available when running the AI-BOLIT scanner in command line mode. This can be done under Windows/Unix/Mac OS X, or directly on the hosting if you have SSH access and the hosting does not severely limit the processor resources you may consume.

Please note that the console (CLI) version of PHP 7.1 or higher is required to run the scanner. Earlier versions are not officially supported. Check the current version with the php -v command.

AI-BOLIT Scanner Command Line Parameter Reference

Show help

php ai-bolit.php --help

Skip files with the listed extensions

php ai-bolit.php --skip=jpg,png,gif,jpeg,JPG,PNG,GIF,bmp,xml,zip,rar,css,avi,mov

Scan only specific extensions

php ai-bolit.php --scan=php,php5,pht,phtml,pl,cgi,htaccess,suspected,tpl

Prepare a quarantine file for sending to security specialists. A password-protected archive AI-QUARANTINE-XXXX.zip will be created.

php ai-bolit.php --quarantine

Run the scanner in "paranoid" mode (recommended for getting the most detailed report)

php ai-bolit.php --mode=2

Run the scanner in "expert" mode

php ai-bolit.php --mode=1

Check one "pms.db" file for malicious code

php ai-bolit.php -jpms.db

Run the scanner with a 512 MB memory limit

php ai-bolit.php --memory=512M

Set the maximum size of a scanned file to 900 KB

php ai-bolit.php --size=900K

Pause 500ms between files when scanning (to reduce load)

php ai-bolit.php --delay=500

Send scan report by email [email protected]

php ai-bolit.php [email protected]

Create a report in /home/scanned/report_site1.html

php ai-bolit.php --report=/home/scanned/report_site1.html

Scan the directory /home/s/site1/public_html/ (the report will be created in this directory by default if the --report=report_file option is not set)

php ai-bolit.php --path=/home/s/site1/public_html/

Execute a command when the scan is complete

php ai-bolit.php --cmd="~/postprocess.sh"

Get a plain-text report named site1.txt

php ai-bolit.php -lsite1.txt

You can combine options, for example:

php ai-bolit.php --size=300K --path=/home/s/site1/public_html/ --mode=2 --scan=php,phtml,pht,php5,pl,cgi,suspected

By combining the AI-BOLIT scanner call with other Unix commands, you can, for example, perform a batch check of all sites hosted within an account. If the sites are located inside the /var/www/user1/data/www directory, the command to launch the scanner will be

find /var/www/user1/data/www -maxdepth 1 -type d -exec php ai-bolit.php --path={} --mode=2 \;

By adding the --report option, you can control the directory in which scan reports will be generated.
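The find one-liner above writes each site's report into that site's own directory and also passes the www root itself to the scanner, because -maxdepth 1 -type d matches the starting directory. As an added example, not code from the AI-Bolit project, here is a small Python wrapper that builds one scanner invocation per site using only the flags documented in this section (--path, --mode, --report, and --eng last) and gives each site its own report file under a chosen report directory. The account layout created in demo() is constructed for the demonstration.

```python
import subprocess
import tempfile
from pathlib import Path


def site_dirs(root):
    """One entry per hosted site: the immediate subdirectories of root.
    Unlike `find -maxdepth 1 -type d`, root itself and plain files are skipped."""
    return sorted(p for p in Path(root).iterdir() if p.is_dir())


def build_command(site, report_dir, mode=2):
    """argv for scanning one site; the report goes to report_dir, named after the site."""
    site = Path(site)
    report = Path(report_dir) / f"report_{site.name}.html"
    # --eng must be the last parameter (see the parameter reference above)
    return ["php", "ai-bolit.php", f"--path={site}", f"--mode={mode}", f"--report={report}", "--eng"]


def scan_all(root, report_dir, dry_run=True):
    """Build, and unless dry_run, execute, one scanner run per site; returns the argv lists."""
    Path(report_dir).mkdir(parents=True, exist_ok=True)
    commands = [build_command(site, report_dir) for site in site_dirs(root)]
    if not dry_run:
        for argv in commands:
            # argv list, no shell: unusual characters in a directory name cannot alter the command
            subprocess.run(argv, check=False)
    return commands


def demo():
    """Constructed account layout (two sites plus a stray file); dry run, nothing is executed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        for name in ("site1.example", "site2.example"):
            (root / name).mkdir(parents=True)
            (root / name / "index.php").write_text("<?php echo 'hi'; ?>\n")
        (root / "notes.txt").write_text("not a site\n")  # a file at top level is not a site
        commands = scan_all(root, Path(tmp) / "reports")
        # (site directory name, report file name) for each planned run
        return [(Path(c[2][len("--path="):]).name, Path(c[4][len("--report="):]).name) for c in commands]


if __name__ == "__main__":
    for site, report in demo():
        print(f"{site} -> {report}")
```

Passing dry_run=False runs the scanner from the current directory, so ai-bolit.php must be present there or given with its full path.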

php ai-bolit.php parameter list ... --eng

Switch the report interface to English. This parameter must come last.

Integration with other services and hosting panel

php ai-bolit.php --json_report=/path/file.json

Generate the report in JSON format

php ai-bolit.php --progress=/path/progress.json

Save the status of the check to a file in JSON format. The file contains structured data: the file currently being scanned, how many files have been scanned, how many remain, the percentage completed, and the time until the scan finishes. This mechanism can be used to show a progress bar and information about the files being checked in a hosting panel. When the scan is completed, the file is deleted automatically.

php ai-bolit.php --handler=/path/handler.php

External event handler. You can add your own handlers for scan start, scan stop, scan progress and scan errors. An example file can be found in the scanner archive at tools/handler.php. For example, upon completion of the scan you can do something with the report file (send it by mail, pack it into an archive, etc.).

I was looking on the Internet for a free "paid" theme for the site. Fortunately, there are enough such sites. True, they copy each other =) From experience working with such templates, I knew that sometimes you have to pay in full for such a freebie, because very bad people insert all sorts of nasty things into such templates, which can cause very big trouble for decent programmers. I remember that my ESET antivirus used to find base64 and complain about it. Now it doesn't complain either. What I mean is that checking with an antivirus will not help.

Before AI-Bolit, I checked files with Total Commander for the presence of certain words and, depending on what I found, checked and corrected them. But this is a very tedious task, so I set out to find a more optimal and faster search solution. And I found one: AI-Bolit, a unique free script for detecting viruses, trojans, backdoors and hacker activity on hosting.

So, here is what this script can do:

  • look for viruses, all sorts of malicious and hacker scripts on the hosting: shells based on signatures, shells based on simple heuristics - everything that ordinary antiviruses simply cannot find.
  • work with all the most popular CMSs without exception, including Joomla, WordPress, Drupal, Bitrix...
  • look for redirects in .htaccess to malicious sites
  • look for sape/trustlink/linkfeed code in .php files
  • identify doorways
  • show directories open for writing
  • look for invisible links in templates

Why is this script needed?

An experienced hacker can hack almost any site, and your site may be no exception. Why is a hacked site dangerous? Having gained access to the site, an attacker can:

  • siphon your traffic off to their own projects
  • download the contents of the server and database for sale to third parties
  • change contact or payment information on the site
  • download users' personal data
  • place doorways with spam links on your site
  • inject viruses, trojans or exploits into the pages of the site, infecting visitors
  • send spam from your server
  • sell access to the hacked site to other attackers for subsequent unauthorized penetration
  • and so on... Sad, isn't it?

AI-Bolit allows you to detect a lot of malware and suspicious changes on the hosting in time, reducing the risk of being banned by search engines for viruses and doorways. It also lets you find out in time about possible information leaks and other troubles concerning your site. COOL!!!

How to use the script

There is a VERY clear instruction in the script archive. By default, the "doctor" scans in normal mode with a minimum number of signatures and a minimum number of false positives.

There are two scanning options. Both are described in the instructions. I will give only the first, simplified one.

Browser launch option (not recommended, as it only performs an express scan)

  • Download the archive with the script (see attached files)
  • Unpack the .zip
  • Change the password in the line define("PASS", "put_any_strong_password_here_8_symbols_min");
  • Enable "expert" mode in the line define("AI_EXPERT", 0); // replace 0 with 1
  • Copy the files from the /ai-bolit/ folder to the root directory on the server
  • Copy from the know_files folder the files that match your CMS
  • Open http://sitename.com/ai-bolit.php?p=My456Pass123 in the browser and wait for the report
  • !!! After the report is displayed, delete the AI-Bolit files and the script itself from the site !!!

That's all. A report will then appear in front of you, and it remains for you to go through the findings and fix the vulnerabilities.

Feedback

The author is a very kind person and always answers. If you have any wishes or questions, please write to:
web: http://www.revision.com/ai/
e-mail: [email protected]
Skype: greg_zemskov

AI-Bolit - an effective scanner for viruses and other malicious code on hosting

We are often asked what makes the AI-Bolit scanner unique and how it differs from other malware detection tools like maldet, clamav or even desktop antiviruses. The short answer is that it is better at detecting malicious code written in PHP and Perl. Why? The answer is below.

Every day, malicious code (hacker web shells, backdoors, etc.) becomes more sophisticated and complex. In addition to obfuscation of identifiers and code encryption, implicit function calls are now used everywhere: through methods with callable arguments, handlers and indirect function calls.

There are fewer and fewer malicious scripts with a linear structure and fixed identifiers. Their authors try to disguise the code and make it as volatile as possible ("polymorphic"), or, conversely, make it as simple as possible so that it looks like a regular script.

Sometimes, when analyzing a malicious script, it is impossible to isolate a fixed fragment by which it would be possible to uniquely identify the “malware”. Obviously, such malicious code cannot be found using a simple signature database (antivirus database), which is used in the vast majority of web antiviruses and hosted scanners. To effectively search for modern “malware”, it is necessary to use more sophisticated methods for determining virus patterns, and in some cases, heuristics. This is the approach we use in the AI-BOLIT malware scanner.
The use of a large database of constantly improving flexible patterns based on regular expressions, the use of additional heuristic analysis, developed on the basis of scanning a large number of infected sites, made the AI-Bolit scanner the most effective and actively used tool for administrators and web developers.

AI-Bolit is also widely known for its simple interface and the possibility of free use for non-commercial purposes. Any webmaster can download AI-Bolit absolutely free from the official website http://revisium.com/ai/ and check their resource for hacker shells, backdoors, doorways, viruses, spam mailers, hidden links and other malicious fragments and inserts. The scanner is also actively used by commercial companies (web studios, hosting companies and Internet agencies) to check and clean client sites. Hosters integrate AI-Bolit into the control panel; web developers use it to search for malicious code and in their own site monitoring services.

Below is just a small list of the features of the Ai-Bolit scanner:

  • run from console and browser
  • three scan modes ("simple", "expert", "paranoid") and two modes of operation ("express" and "full scan")
  • search for hacker php and perl scripts (shells, backdoors), viral inserts, doorways, spam mailers, link selling scripts, cloaking scripts and other types of malicious scripts. Pattern and regular expression search, and use of heuristics to identify potentially malicious code
  • searching for signatures in encrypted, fragmented text blocks and encoded hex/oct/dec sequences
  • search for suspicious files with constructs used in malicious scripts
  • search for hidden links in files
  • looking for symbolic links
  • search for search-engine and mobile redirect code, and much more.

By the way, AI-Bolit has received a copyright certificate from RosPatent. The scanner is also actively covered on third-party sites, in specialized magazines, at conferences and in webinars.

Official script page

Unpleasant situations take us by surprise. Sometimes, some users install software on their sites that has vulnerabilities. Or attackers find "holes" in software that is freely distributed. After discovering such "holes", hackers begin to exploit the victim's account and inject harmful program code, all kinds of hacker shells, backdoors, spam mailers and other malicious scripts onto the site.

Alas, some users do not update the software on their sites on time and become victims of such intruders.

The essence of the problem

In most cases our server software identifies the malicious load and automatically stops the "bad" activity.

What exactly does malware do? Very different things: it sends spam, participates in attacks on other resources, etc. One of the most striking examples of such viruses is "MAYHEM - a multipurpose bot for *NIX servers". This virus, for example, is explained in accessible terms by Yandex specialists in their blog or

Hostland constantly pleases its customers with new anti-virus tools!

We present a very convenient and free tool for finding viruses, malicious and hacker scripts on your account: shells found by signatures and flexible patterns, shells found by simple heuristics, everything that conventional antiviruses and scanners cannot find.

We present to our users "AI-Bolit" from the company Revizium.

AI-Bolit scanner features:

  • Search for hacker php and perl scripts (shells, backdoors), viral inserts, doorways, spam mailers, link selling scripts, cloaking scripts and other types of malicious scripts. Search by patterns and regular expressions, as well as the use of simple heuristics to identify potentially malicious code
  • Search for scripts with critical vulnerabilities (timthumb.php, uploadify, fckeditor, phpmyadmin, and others)
  • Search for scripts that are not typical for sites in php (.sh, .pl, .so, etc.)
  • Search for signatures in encrypted, fragmented text blocks and encoded hex/oct/dec sequences
  • Search for suspicious files with constructs used in malicious scripts
  • Search for hidden links in files
  • Search for symbolic links
  • Search for search-engine and mobile redirect code
  • Search for auto_prepend_file/auto_append_file and AddHandler directives
  • Search for iframe inserts
  • Determining the CMS type and version
  • Search for hidden files
  • Search for .php files with double extensions, .php files uploaded as GIF image
  • Search for doorways and directories containing a suspiciously large number of php/html files
  • Search for executable binaries
  • Convenient filtering and sorting of file lists in the report
  • Interface in Russian
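Several of the checks in the list above (auto_prepend_file/auto_append_file and AddHandler directives, mobile redirect code, .php files with double extensions, PHP uploaded as an image) together with the randomly generated file names mentioned earlier on this page can be illustrated with a few lines of Python. This is an added example written for this page, not AI-Bolit's code; the .htaccess text, file names and file contents are constructed for the demonstration, and the finding names are assumed.

```python
import re

# Constructed .htaccess written for this example (not from a real site): two harmless
# directives, then the kinds of lines the checks listed above are meant to flag.
HTACCESS_SAMPLE = """\
RewriteEngine On
RewriteBase /
php_value auto_prepend_file /home/s/site1/public_html/images/.cache.php
AddHandler application/x-httpd-php .gif
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipad) [NC]
RewriteRule ^(.*)$ http://example.invalid/mobile [R=302,L]
"""

# Constructed file names and (truncated) contents for the file-level checks.
FILES = {
    "index.php": b"<?php require 'wp-blog-header.php'; ?>",
    "logo.gif": b"GIF89a\x01\x00\x01\x00",
    "photo.php.jpg": b"GIF89a<?php echo 'x'; ?>",
    "a9f3c27e1b.php": b"<?php echo 1; ?>",
}

PHP_EXT = re.compile(r"^\.(php\d?|phtml|phps)$", re.I)
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png", "bmp", "ico"}
MOBILE_UA = re.compile(r"android|iphone|ipad|mobile", re.I)


def check_htaccess(text: str) -> list:
    """Return (line number, finding) pairs for .htaccess directives worth a second look."""
    findings = []
    mobile_cond_pending = False  # a RewriteCond on a mobile User-Agent precedes its RewriteRule
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        directive = tokens[0].lower()
        if re.search(r"auto_(prepend|append)_file", stripped, re.I):
            findings.append((n, "auto_prepend_or_append_file"))
        elif directive in ("addhandler", "addtype") and "php" in stripped.lower():
            # PHP handler bound to an extension that is not a PHP one (e.g. .gif)
            exts = [t for t in tokens[2:] if t.startswith(".")]
            if any(not PHP_EXT.match(e) for e in exts):
                findings.append((n, "php_handler_on_non_php_extension"))
        elif directive == "rewritecond":
            mobile_cond_pending = "http_user_agent" in stripped.lower() and bool(MOBILE_UA.search(stripped))
        elif directive == "rewriterule":
            if len(tokens) >= 3 and re.match(r"https?://", tokens[2], re.I):
                kind = "mobile_redirect_to_external_host" if mobile_cond_pending else "redirect_to_external_host"
                findings.append((n, kind))
            mobile_cond_pending = False
    return findings


def check_file(name: str, data: bytes) -> list:
    """File-level checks: double extension, PHP inside an image, random-looking name."""
    findings = []
    parts = name.lower().split(".")
    if len(parts) > 2 and any(PHP_EXT.match("." + p) for p in parts[1:-1]):
        findings.append("double_extension_with_php")
    if parts[-1] in IMAGE_EXTS and (b"<?php" in data or b"<?=" in data):
        findings.append("php_code_inside_image")
    if re.match(r"^[0-9a-f]{8,}\.php$", name.lower()):
        findings.append("random_looking_name")
    return findings


def scan_files(files: dict) -> dict:
    """Only files with at least one finding are reported."""
    result = {}
    for name, data in files.items():
        found = check_file(name, data)
        if found:
            result[name] = found
    return result


if __name__ == "__main__":
    for line_no, finding in check_htaccess(HTACCESS_SAMPLE):
        print(f".htaccess line {line_no}: {finding}")
    for name, found in scan_files(FILES).items():
        print(f"{name}: {', '.join(found)}")
```

A redirect rule that only sends visitors to another path on the same site is not reported, and an external redirect without a preceding mobile User-Agent condition is reported under a separate, less specific finding so that the two cases can be triaged differently.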

What else is important to know?

If malicious software was found on your account using AI-Bolit, simply deleting those files will not fix the vulnerability of your site.

You need to find out how the hacker was able to inject the "bad" script into your site, that is, find the "hole" in its software. Sometimes this requires changing the FTP access passwords and updating the "site engine"; sometimes the server log files must be studied (if logging is turned off, turn it on); sometimes a third-party security specialist must be involved.

The whole set of measures above, taken together, is the best help in solving the security problem of your site!

It is not possible to guarantee the detection of all malicious scripts. Therefore, the scanner developer and hosting provider is not responsible for the possible consequences of false positives during the operation of the AI-Bolit scanner or unjustified user expectations regarding functionality and capabilities.

You can send comments and suggestions on the operation of the script, as well as malicious scripts not detected to [email protected]