Backdoors on customers' websites

DennisMidjord (Well-Known Member, Sep 27, 2016, Denmark, cPanel Access Level: Root Administrator)
During the past year or so, we've seen a critical rise in infected WordPress websites on our servers. Most of the time it's caused by backdoors that have been uploaded through a slider plugin (which most of our customers somehow knew could be abused but still chose to use). Through these backdoors, a ton of randomly named .php files are uploaded.
This causes spam to be sent from the client's account.

I was wondering if there's anything we could do to prevent this? I've thought about disabling file_uploads, but I'm not sure that would really work, or if it would be too much of an inconvenience. We run maldet daily, but this tool surprisingly hasn't detected a single one of these backdoors yet. It seems to only find malware encoded with base64.
 

fuzzylogic (Well-Known Member, Nov 8, 2014, cPanel Access Level: Root Administrator)
Most uploaded malware will have been sent to your server with HTTP POST requests, so a WAF like ModSecurity is a great place to start. cPanel's OWASP3 ModSecurity rule set does a good job at blocking a lot of these requests.
A good next level of protection is Configserver's CXS (it is not free).
It uses the ClamAV database as well as other malware signatures and patterns to identify bad stuff.
It adds a ModSecurity rule so that all HTTP POST uploads are passed through to the CXS scrutinizing scripts.
It also uses file watchers to watch the filesystem for new files, which it scans and quarantines if they are suspicious or match a malware signature.
Making sure all web applications and their plugins are up to date is also good practice, but may be hard to enforce.
CXS can do a nightly scan which sends an email report to the server admin of out-of-date web applications.
 
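The two posts above describe the gap and the fix from different ends: the first post finds that maldet only catches backdoors encoded with base64, and the reply describes CXS hooking HTTP POST uploads through ModSecurity and watching the filesystem for new files. The following Python is an added example for this page (it is not code from maldet, CXS, ModSecurity or cPanel) that shows what such checks look like in practice: a small scanner keyed on dangerous sinks, request input and the non-base64 obfuscation tricks (str_rot13, chr() concatenation, \x escapes, gzinflate), applied once to a multipart POST body before anything is written and once to files already on disk. The sample PHP strings, filenames and upload body are constructed for the example; the "randomly named file" rule and the list of PHP extensions are assumptions, not something the thread states.

```python
"""Heuristic PHP backdoor checks for the two enforcement points in the thread:
inspect a multipart POST before the upload hits disk, and scan a web root for
dropped files. Added example for this page, not maldet, CXS or cPanel code."""
import base64
import codecs
import os
import re
from email.parser import BytesParser

PHP_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}  # assumption
# A webshell needs a dangerous sink plus request input; droppers usually hide
# both behind cheap obfuscation that base64-only signatures never look at.
SINKS = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"create_function)\s*\(|"
    r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e['\"]|"      # /e modifier
    r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)  # $f($_POST[...])
SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|php://input", re.I)
OBFUSC = re.compile(
    r"\b(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev|"
    r"hex2bin)\s*\(|"
    r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}|"  # chr(1).chr(2).chr(3).chr(4).
    r"(?:\\x[0-9a-f]{2}){8,}", re.I)         # "\x65\x76\x61\x6c..."
B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ROT13 = re.compile(r"str_rot13\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
CHRSEQ = re.compile(r"chr\s*\(\s*(\d+)\s*\)", re.I)
RANDOM_NAME = re.compile(r"[a-z0-9]{8,32}")

# Constructed samples, not files from the thread: a dropper with no base64 in it,
# one whose $_POST use only appears after decoding, and a benign plugin-style file.
SAMPLE_ROT13 = "<?php $f = str_rot13('nffreg'); $f($_REQUEST['q']); ?>"
SAMPLE_B64 = ("<?php $p=base64_decode('" + base64.b64encode(
    b'$p=$_POST["p"];if(strlen($p)>0){eval($p);}').decode() + "'); eval($p); ?>")
SAMPLE_BENIGN = ("<?php\nfunction my_plugin_init() { add_action('init', 'my_plugin_init'); }\n"
                 "$title = sanitize_text_field($_POST['title'] ?? '');\n")

def deobfuscate(src: str) -> str:
    """One pass of the cheap decodings dropped shells rely on."""
    out = []
    for blob in (b.rstrip("=") for b in B64.findall(src)):
        try:
            out.append(base64.b64decode(blob + "=" * (-len(blob) % 4),
                                        validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            pass
    out += [codecs.decode(s, "rot_13") for s in ROT13.findall(src)]
    nums = [int(n) for n in CHRSEQ.findall(src)]
    if len(nums) >= 4:
        out.append("".join(chr(n) for n in nums if n < 256))
    return "\n".join(out)

def has_php_extension(name: str) -> bool:
    # Assumption: a php-ish extension anywhere after the first dot counts, so
    # shell.php.jpg is treated as PHP too (AddHandler-style setups execute it).
    return any(p.lower() in PHP_EXT for p in os.path.basename(name).split(".")[1:])

def score_source(src: str, filename: str = "") -> dict:
    """Hit counts and a verdict for one PHP source string."""
    text = src + "\n" + deobfuscate(src)
    hits = {"sinks": len(SINKS.findall(text)), "sources": len(SOURCES.findall(text)),
            "obfuscation": len(OBFUSC.findall(text)), "random_name": 0}
    stem = os.path.basename(filename).split(".")[0]
    # Assumption: the thread's "randomly named" files look like k3j9x2q8w1.php
    # (lowercase alnum stem mixing letters and digits, no separators).
    if has_php_extension(filename) and RANDOM_NAME.fullmatch(stem) \
            and re.search(r"\d", stem) and re.search("[a-z]", stem):
        hits["random_name"] = 1
    hits["suspicious"] = bool((hits["sinks"] and (hits["sources"] or hits["obfuscation"]))
                              or hits["obfuscation"] >= 2
                              or (hits["random_name"] and (hits["sinks"] or hits["obfuscation"])))
    return hits

def multipart_body(boundary: str, files) -> bytes:
    """Build a multipart/form-data body from (field, filename, bytes) tuples."""
    body = b""
    for field, filename, data in files:
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
                 ).encode() + data + b"\r\n"
    return body + f"--{boundary}--\r\n".encode()

def check_multipart_upload(content_type: str, body: bytes) -> list:
    """Verdict per file part of a multipart/form-data POST, taken before the
    file reaches disk (the hook point a WAF upload rule gives you)."""
    msg = BytesParser().parsebytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    verdicts = []
    for part in (msg.get_payload() if msg.is_multipart() else []):
        name = part.get_filename()
        if not name:
            continue                      # ordinary form field, not a file
        data = part.get_payload(decode=True) or b""
        if has_php_extension(name):
            verdicts.append((name, "php extension in upload filename"))
        elif b"<?php" in data or score_source(data.decode("utf-8", "ignore"), name)["suspicious"]:
            verdicts.append((name, "php code inside a non-php upload"))
        else:
            verdicts.append((name, None))
    return verdicts

def scan_tree(root: str) -> list:
    """What a file watcher would run on each new file under a web root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if has_php_extension(f)):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                hits = score_source(fh.read().decode("utf-8", "ignore"), fn)
            if hits["suspicious"]:
                findings.append((os.path.join(dirpath, fn), hits))
    return findings
```

A heuristic like this complements, rather than replaces, the signature databases CXS and ClamAV use: a legitimate plugin that calls exec() somewhere and reads $_GET somewhere else will score as suspicious, so quarantine and report rather than delete, and keep the upload-time check (which needs no heuristics at all for a .php filename) as the first line, since it stops the dropper before the file watcher ever has to catch up.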

fuzzylogic (Well-Known Member, Nov 8, 2014, cPanel Access Level: Root Administrator)
The most important ways I use it are the two methods CXS uses, as I described in the other post.
These use an immediate or proactive type of blocking/quarantine action.

I also have the ClamAV plugin enabled (available through WHM >> cPanel >> Plugins), but that only provides scanning of email attachments, files uploaded through File Manager, and scheduled scans (as far as I'm aware).