Top

Author Archive | admin

PHP File upload vulnerabilities

Why PHP File Upload vulnerabilities is a Major Security problem ? There are lots of Web sites, which using some kind Content Management Systems (CMS), like WordPress, Joomla and etc., where an ability upload content like text, images and so on. There is no nothing bad for this, but there are also a lot of […]

Continue Reading

Decode signatures with Sigtool

When you are scanning malware example ClamAV or Maldet from files in server and get positive hit, you may difficult find where has injected code in the file. For decoding signature you can use ClamAV sigtool command line tool. This will help you find the right position from infected file and remove malware code. Positive […]

Continue Reading

scan FTP uploaded files on cPanel Servers with ClamAV

First we need install ClamAV, it has been now been included in cPanel/WHM. ClamAV is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner. You can also install it from your […]

Continue Reading

Whitelist rule with LocationMatch

Sometimes you need disable ModSecurity rules in specific url or program, because it causes false positives. This tutorial we show how you can whitelist rule or rules with apache LocationMatch directive. LocationMatch examples WordPress admin <locationmatch “/wp-(admin|login)/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> phpmyadmin <locationmatch “/phpmyadmin/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> Depend your server configuration, like […]

Continue Reading

styles.php malware

Again, we found interesting malware (styles.php), which try to add more backdoor files to the web server. This file is just copied from the original file: load-styles.php. If you look fast this file, it’s look normal PHP file, but there is a modification of the begin (comments not finished line 6): It self hidden malware […]

Continue Reading

Pure-FTPd with ClamAV at Directadmin Custombuild

This tutorial we integrate ClamAV into Pure-FTPd for virus scanning in Directadmin server with Custombuild. Whenever a file gets uploaded through Pure-FTPd, ClamAV will check the file and delete it if it is malware. Installing Pure-FTPd & ClamAV First we need change custom build options.conf setting Check options.conf #ClamAV-related Settings clamav=yes pureftpd_uploadscan=yes Building software Building […]

Continue Reading

ModSecurity Rules for Formidable Forms / Shortcodes Ultimate vulnerability

Sucuri reported Formidable Forms / Shortcodes Ultimate Exploits In The Wild On Monday, November 20th. – Formidable Forms vulnerability – read more – Shortcodes Ultimate vulnerability – read more We have not yet seen exploitation of the vulnerability, but we also decided to make the modsecurity rule for this vulnerability. If you server have certain […]

Continue Reading

WordPress Hidden Include

Today we found undetected malware, which keep it hidden and try loading again if it deleted. We generated Signatures to Detect these hidden includes: /index.php: {HEX}Malware.Expert.wordpress.hidden.include.0.UNOFFICIAL FOUND /wp-load.php: {HEX}Malware.Expert.wordpress.hidden.include.1.UNOFFICIAL FOUND /wp-includes/template.php: {HEX}Malware.Expert.malware.url.7od.info.0.UNOFFICIAL FOUND /wp-includes/Requests/IPconfig.ini: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND /wp-includes/js/utilities.js: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND WordPress index.php wp-load.php End of file: template.php IPconfig.ini Remove file utilities.js Remove file Final Words Use […]

Continue Reading

Log POST data with ModSecurity

Sometimes you may need to log all POST requests to debug or make ModSecurity rules to protect Web Server. For this you need that you have ModSecurity installed on server. Log POST data This simple rule logging all POST request data to ModSecurity AuditLog. SecRule REQUEST_METHOD “POST” \ “id:800000,phase:2,t:none,pass,nolog,auditlog,msg:’Malware.Expert – Log POST data'” This cause […]

Continue Reading

cPGuard – Essential Security Suite for cPanel Servers

cPGuard is an essential security addon for web hosting servers to help administrators to fight against malware threats and injections. As it exclusively works based on File System changes ( no more mod_security or FTP hooks dependency alone ), we can detect and scan any real-time changes on the server. In addition to malware/virus scanning, […]

Continue Reading