Backdoors on customers' websites

Comments

4 comments

  • fuzzylogic
    Most uploaded malware will have been sent to your server with an HTTP POST request, so a WAF like modsecurity is a great place to start. cPanel's OWASP3 modsecurity rule set does a good job at blocking a lot of these requests. A good next level of protection is Configserver's CXS (it is not free). It uses the ClamAV database as well as other malware signatures and patterns to identify bad stuff. It adds a modsecurity rule so that all HTTP POST uploads are passed through to the CXS scrutinizing scripts. It also uses file-watchers to watch the filesystem for new files, which it scans and quarantines if they look suspicious or match a malware signature. Making sure all web applications and their plugins are up to date is also good practice, but may be hard to enforce. CXS can do a nightly scan which sends an email report to the server admin of out-of-date web applications.
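The file-watcher part of the setup described above (scan files that appear under the web root, quarantine any that match a signature, and keep a record of where they came from) as an added example, not CXS or cPanel code. The signature patterns and the sample web root are constructed for illustration; a real deployment would use the ClamAV database or a maintained signature set.

```python
# Added example: one file-watcher pass with signature scan and quarantine (constructed data).
import json
import re
import shutil
import tempfile
from pathlib import Path

# Constructed patterns for two common PHP webshell constructs (illustrative only).
SIGNATURES = {
    "php-eval-b64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "php-exec-from-request": re.compile(rb"(shell_exec|system|passthru)\s*\(\s*\$_(GET|POST|REQUEST)"),
}

def match_signatures(data: bytes) -> list[str]:
    """Return the names of every signature that matches the file content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]

def quarantine(path: Path, qdir: Path) -> Path:
    """Move a file out of the web root, strip its permissions, and log where it came from."""
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / str(path).strip("/").replace("/", "__")
    shutil.move(str(path), dest)
    dest.chmod(0o000)  # nothing on the server can read or execute it by accident
    with (qdir / "manifest.jsonl").open("a") as log:
        log.write(json.dumps({"original": str(path), "quarantined": str(dest)}) + "\n")
    return dest

def scan_new_files(root: Path, qdir: Path, seen: set[Path]) -> dict[str, list[str]]:
    """Inspect files not seen on an earlier pass; quarantine any that match a signature."""
    hits: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path in seen:
            continue
        seen.add(path)
        names = match_signatures(path.read_bytes())
        if names:
            hits[str(path)] = names
            quarantine(path, qdir)
    return hits

def demo() -> dict[str, list[str]]:
    """Constructed web root: one clean script and one suspicious upload (hypothetical paths)."""
    base = Path(tempfile.mkdtemp())
    root, qdir = base / "public_html", base / "quarantine"
    (root / "uploads").mkdir(parents=True)
    (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    (root / "uploads" / "avatar.php").write_bytes(b"<?php eval(base64_decode($c)); ?>")
    return scan_new_files(root, qdir, set())
```

Calling `demo()` returns the hits from one pass; a second pass with the same `seen` set skips files already inspected, which is what makes the watcher cheap to run continuously.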
  • DennisMidjord
    Thank you for your input! Definitely worth looking into all of this. I wasn't aware of the OWASP3 rulesets - thanks! How are you using ClamAV?
  • fuzzylogic
    The most important ways I use it are the two methods CXS uses it in, as I described in the other post. These use an immediate or pro-active type of blocking/quarantine action. I also have the ClamAV plugin enabled (available through WHM >> cPanel >> Plugins), but that only provides scanning of email attachments, files uploaded through file manager and scheduled scans (as far as I'm aware).
  • cPanelMichael
    Hello, you may also find the discussion on the following thread helpful if you choose to enable the OWASP ruleset: Issues with modsecurity OWASP and false positives. Thank you.