

Backdoors on customers' websites

Discussion in 'Security' started by DennisMidjord, Sep 1, 2017.

  1. DennisMidjord

    DennisMidjord Well-Known Member

    Joined:
    Sep 27, 2016
    Messages:
    95
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Denmark
    cPanel Access Level:
    Root Administrator
    During the past year or so, we've seen a critical rise in infected WordPress websites on our servers. Most of the time it's caused by backdoors that have been uploaded through a slider plugin (which most of our customers somehow knew could be abused but still chose to use). Through these backdoors, a ton of randomly named .php files are uploaded.
    This causes spam to be sent from the client's account.

    I was wondering if there's anything we could do to prevent this? I've thought about disabling file_uploads, but I'm not sure that would really work, or if it would be too much of an inconvenience. We run maldet daily, but this tool surprisingly hasn't detected a single one of these backdoors yet. It seems to only find malware encoded with base64.
     
  2. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    49
    Likes Received:
    22
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Most uploaded malware will have been sent to your server with HTTP POST requests, so a WAF like modsecurity is a great place to start. cPanel's OWASP3 modsecurity rule set does a good job at blocking a lot of these requests.
    A good next level of protection is Configserver's CXS (it is not free).
    It uses the ClamAV database as well as other malware signatures and patterns to identify bad stuff.
    It adds a modsecurity rule so that all http POST uploads are passed through to the CXS scrutinizing scripts.
    It also uses file-watchers to watch the filesystem for new files, which it scans and quarantines if they are suspicious or match a malware signature.
    Making sure all web applications and their plugins are up to date is also good practice, but may be hard to enforce.
    CXS can do a nightly scan which sends an email report of out-of-date web applications to the server admin.
     
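    A small file-sweeper in the spirit of the file-watcher-and-quarantine approach described above, added here as an example (it is not CXS, maldet or cPanel code): it finds recently changed PHP files under a web root, flags patterns other than plain base64 (which the OP notes maldet already catches), and moves hits into a quarantine directory with all permissions stripped. The rules, thresholds, file extensions and directory layout are constructed assumptions, not a vendor signature set.

```python
import os
import re
import shutil
import time

# Constructed heuristics (added example, not a CXS/maldet signature set).
# Each targets something other than plain base64, which the thread says maldet already catches.
SRC = r'\$_(POST|GET|REQUEST|COOKIE)\b'
RULES = [
    ("eval/assert on request input", re.compile(r'\b(eval|assert)\s*\(\s*' + SRC, re.I)),
    ("shell execution of request input",
     re.compile(r'\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*' + SRC, re.I)),
    ("decode-then-eval chain",
     re.compile(r'\beval\s*\(\s*(gzinflate|gzuncompress|str_rot13|strrev|base64_decode)\s*\(', re.I)),
    ("variable function called on request input", re.compile(r'\$\w+\s*\(\s*' + SRC)),
    ("file drop from upload array", re.compile(r'\bmove_uploaded_file\s*\(\s*\$_FILES\b', re.I)),
    ("preg_replace with /e modifier", re.compile(r"preg_replace\s*\(\s*(['\"])[^'\"]*/[a-zA-Z]*e[a-zA-Z]*\1", re.I)),
]

def scan_php_source(source: str) -> list[str]:
    """Return the label of every heuristic that fires on the given PHP source text."""
    hits = [label for label, rx in RULES if rx.search(source)]
    if len(re.findall(r'\\x[0-9a-fA-F]{2}', source)) >= 8:   # hex-escaped blobs, e.g. "\x65\x76..."
        hits.append("long hex-escaped string")
    if len(re.findall(r'\bchr\s*\(\s*\d+\s*\)', source, re.I)) >= 6:  # chr(101).chr(118)... strings
        hits.append("chr() concatenation")
    return hits

def quarantine(path: str, qdir: str) -> str:
    """Move a flagged file out of the web root and strip its permissions; return the new path."""
    os.makedirs(qdir, mode=0o700, exist_ok=True)
    dest = os.path.join(qdir, f"{int(time.time())}_{os.path.basename(path)}")
    shutil.move(path, dest)
    os.chmod(dest, 0)
    return dest

def sweep(root: str, qdir: str, max_age_s: int = 3600) -> dict[str, list[str]]:
    """Scan PHP files under root changed in the last max_age_s seconds; quarantine any that trip a rule."""
    cutoff, report = time.time() - max_age_s, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith((".php", ".phtml")) or os.path.getmtime(path) < cutoff:
                continue
            with open(path, errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                report[quarantine(path, qdir)] = hits
    return report
```

    Run `sweep("/home/<account>/public_html", "/var/quarantine/<account>")` from cron or an inotify trigger; the returned dict maps each quarantined path to the rules it tripped, which is what you would put in the admin report.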
  3. DennisMidjord

    DennisMidjord Well-Known Member

    Joined:
    Sep 27, 2016
    Messages:
    95
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Denmark
    cPanel Access Level:
    Root Administrator
    Thank you for your input! Definitely worth looking into all of this. I wasn't aware of the OWASP3 rulesets - thanks!

    How are you using ClamAV?
     
  4. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    49
    Likes Received:
    22
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    The most important ways I use it are the 2 methods CXS uses it, as I described in the other post.
    These use an immediate or pro-active type of blocking/quarantine action.

    I also have the ClamAV plugin enabled (available through WHM >> cPanel >> Plugins), but that only provides scanning of email attachments, files uploaded through File Manager, and scheduled scans (as far as I'm aware).
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,080
    Likes Received:
    1,364
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
