admin This is very old malware, Timestamp December 2015 and in Joomla /cache/cache-db.php or /libraries/simplepie/simplepie.lib.php file. This is very cleverly made, and hide assert PHP execution inside the code. First time look source code, it looks like normal file. But when look better and trace first extra code Second hidden code added Third hidden code added … Read more
ssh If possible, don’t allow user login ssh to the server. Also disable root user login and use sudo to gain root access. Change: Restart ssh server! Note: Make sure you installed sudo and sudoers to your user! Filesystem You can prevent and hide access certain folders and files. php.ini There are certain functions in … Read more
Prerequisite If you dont have custombuild or version is 1.x, you need first upgrade to custombuild 2.x. Upgrade instruction https://help.directadmin.com/item.php?id=555 Update Custombuild Update custombuild: Configuration Edit options.conf file and change these lines to below: Build ClamAV scanner Optional can use Malware Expert ClamAV Signatures and Linux Malware Detect Build ModSecurity Mod_Security Rules In options.conf possible … Read more
During analysis of our logs we noticed that an automated attack against PHP is going on, using a vulnerability in PHP. Attacker is trying to make use of CVE-2012-1823, this only applies if your PHP is used in CGI mode (mod_php is not vulnerable to this). POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E Decoding the URL gives: Using -d parameter … Read more
When you scan server files with Clamdscan or Maldet your scanner give postitive result and Extra ClamAV signatures to better ratio detect malware. We using clamdscan scanner to scan files. Example user www files: Now we open content-none.php file to look better: The first looks, there is no anything, but if you look better first … Read more
Login to cPanel server via SSH as the root user. Execute the below commands: Output install.sh script Remove unused gzipped tar file You can run a Linux Malware Detect scan now, it would run with no problem. However, it would not include ClamAV’s definitions, if you not before installed ClamAV scanner. Maldet without installed ClamAV … Read more
In ModSecurity auditlog we found magento webforms upload vulnerability. Looking better POST payload, found this image.phtml script, which first uploaded to customer website. If index.php / image.phtml file success uploaded, it can access from www and executed! image.phtml First it send email to fileputcontent@gmail.com notify details like Hostname, URL, IP: Then it try … Read more
Installing ClamAV cPanel server via WHM grahpical Login to WHM (Control Panel) as the root user Navigate to: Home » cPanel » Manage Plugins Select ClamAV tick the Install and keep updated box Click on Save Installing ClamAV via Command Line (SSH) This command tells the system that we want ClamAV to be listed as … Read more
php.ini Securing cpanel php.ini in controlpanel or manually. Login cpanel control panel and goto: Home » Software » MultiPHP INI Editor Find disable_functions: Change “disabled_functions =” to: Or manually change files below: Install ClamAV Scanner To install or uninstall ClamAV Scanner, use WHM’s Manage Plugins interface (Home » cPanel » Manage Plugins). Offical Ducumentation Install … Read more
Setting up a good firewall is an essential step to take in securing any modern operating system. Most Linux distributions ship with a few different firewall tools that we can use to configure our firewalls. In this guide, we’ll be covering the iptables firewall. A good starting point is check the current rules that are … Read more