Backdoors on customers' websites

[DennisMidjord]

During the past year or so, we've seen a critical rise in infected Wordpress websites on our servers. Most of the time it's caused by backdoors that have been uploaded through a slider-plugin (which most of our customers somehow knew could be abused but still chose to use). Through these backdoors, a ton of randomly-named .php files are uploaded.
This causes spam to be sent from the client's account.

I was wondering if there's anything we could do to prevent this? I've thought about disabling file_uploads, but I'm not sure that would really work, or if it would be too much of an inconvenience. We're daily running maldet, but this tool surprisingly hasn't detected a single one of these backdoors yet. It seems to only find malware encoded with base64.

 

[fuzzylogic]

Most uploaded malware will have been sent to your server with a http POST requests, so a WAF like modsecurity is a great place to start. cPanel's OWASP3 modsecurity rule set does a good job at blocking a lot of these requests.
A good next level of protection is Configserver's CXS (it is not free).
It uses the ClamAV database as well as other malware signatures and patterns to identify bad stuff.
It adds a modsecurity rule so that all http POST uploads are passed through to the CXS scrutinizing scripts.
It also uses file-watchers to watch the filesystem for new files which it scans and quarantines if suspicious or malware signature match.
Making sure all web applications and their plugins are up to date is also good practice, but may be hard to enforce.
CXS can do a nightly scan which sends an email report to the server admin of out of date web applications.

 

[DennisMidjord]

Thank you for your input! Definately worth looking into all of this. I wasn't aware of the OWASP3 rulesets - thanks!

How are you using ClamAV?

 

[fuzzylogic]

The most important ways I use it as by the 2 methods CXS uses it as I described in the other post.
These use an immediate or pro-active type of blocking/quarantine action.

I also have the ClamAV plugin enabled (available through WHM >> cPanel >> Plugins), but that only provides scanning of email attachments, files uploaded through file manager and scheduled scans (as far as I'm aware)

 

[cPanelMichael]

Hello,

You may also find the discussion on the following thread helpful if you choose to enable the OWASP ruleset:

Issues with modsecurity OWASP and false positives.

Thank you.