What are the recent changes in IPDB?

What is IPDB Firewall?

In cPGuard, we have multiple modules that work at different layers to stop various attacks. The IPDB firewall module is a system-level firewall that can block many attacks before they reach your application servers.

The main components of the IPDB firewall are:

1. The Cloud Advisor:- a server cluster containing multiple servers dedicated to collecting, building and distributing a list of unsafe IPs. We have a huge list of bad IPs built on data collected from attacks we have blocked (WAF, brute-force, CSF and access logs), from our partners like Malware.Expert, and from other third-party sources. Our algorithms, after whitelisting major providers like Cloudflare, Google, etc. to avoid false positives, dynamically score IPs based on various parameters to build a refined list containing only the latest and relevant threats.

2. The Server Agent:- the cPGuard server application downloads the list of bad IPs from the Cloud Advisor and creates a blocklist using ipset and iptables to effectively block requests from these IPs. The blocklist is periodically reloaded to fetch the latest IPs and drop old IPs from the list.

What are the recent updates in IPDB?

Over the versions since the initial release of IPDB, we have been continuously working to enhance the performance of the IPDB module. As a result, we were able to bring in many updates that block more attacks with fewer false positives. A few of the major changes include:

  • Refined blacklist logic:- We now have a better algorithm to mark an IP address as bad and put it into the global blacklist. This helps to eliminate a significant share of false positives from the total blacklist.
  • Enhanced whitelist:- Based on feedback from our clients, we have added many more major players, including search engines, CDN providers, monitoring agents, etc., into the whitelist, which helped to refine the central list.
  • Better CLI tools:- For a Linux geek, it is always handier to work from the CLI than to do tasks from a GUI, so we have added more CLI tools to handle IPDB using commands.
  • Network whitelist:- Now you can whitelist a network in the format shown below. This helps to whitelist a range of your IP addresses and makes the tool handier. You can add a whitelist entry from cPGuard settings or via our command-line utility:

    $ /etc/cpguard/scripts/cpgbin allowip <ip address/range>

    $ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx
    $ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx/24

  • New IPDB stats UI:- You can now view requests being blocked in realtime from the new IPDB section in cPGuard UI. We will be rolling out more reports and stats on IPDB in coming versions.
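As an added example (not cPGuard's own code), the following Python script shows how the Server Agent's job and the network whitelist fit together: it parses a bad-IP feed, carves every whitelisted network out of it, and emits an `ipset restore` script that fills a temporary set and swaps it into place, so the live blocklist is never empty while a reload runs. The feed format, the whitelist, the set name `cpg_ipdb` and all sample addresses are constructed assumptions for this example; the iptables rule at the end is the standard way to match a set.

```python
import ipaddress
import shutil
import subprocess

# Constructed sample feed in the format this example assumes: one IPv4 address
# or CIDR per line, '#' starts a comment.  Not a real cPGuard feed.
SAMPLE_FEED = """\
# constructed bad-IP feed
203.0.113.7
198.51.100.0/24        # whole range seen in brute-force logs
192.0.2.44
192.0.2.9
203.0.113.96/27
not-an-ip              # junk line, must be skipped
"""

# Constructed whitelist: own ranges and providers that must never be blocked.
WHITELIST = ["192.0.2.0/28", "203.0.113.100/32"]

SET_NAME = "cpg_ipdb"  # assumed ipset name; the real agent's set name is not on the page


def parse_feed(text):
    """Return the valid IPv4 networks in the feed; junk lines are dropped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets


def apply_whitelist(nets, whitelist):
    """Drop whitelisted networks.  A feed range that merely contains a
    whitelisted address is split so only its non-whitelisted parts remain."""
    allow = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    kept, pending = [], list(nets)
    while pending:
        net = pending.pop()
        hit = next((a for a in allow if net.overlaps(a)), None)
        if hit is None:
            kept.append(net)
        elif net.subnet_of(hit):
            continue  # entirely whitelisted
        else:
            pending.extend(net.address_exclude(hit))  # carve the allowed part out
    return sorted(set(kept))


def ipset_restore_script(nets, set_name=SET_NAME):
    """Build input for `ipset restore`: fill a temporary set, then swap it
    in atomically so the live set is never empty during a reload."""
    tmp = set_name + "_new"
    lines = [
        f"create {set_name} hash:net family inet",
        f"create {tmp} hash:net family inet",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


# Rule that makes the kernel drop packets from any address in the set.
IPTABLES_RULE = ["iptables", "-I", "INPUT", "-m", "set",
                 "--match-set", SET_NAME, "src", "-j", "DROP"]


def is_blocked(ip, nets):
    """True if `ip` falls inside any network of the final blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def build_blocklist(feed_text, whitelist=WHITELIST):
    """Parse, whitelist and render; returns (networks, restore script)."""
    nets = apply_whitelist(parse_feed(feed_text), whitelist)
    return nets, ipset_restore_script(nets)


def load_into_kernel(script):
    """Feed the script to ipset (root required).  -exist keeps the 'create'
    lines idempotent when the sets already exist from an earlier reload."""
    if not shutil.which("ipset"):
        raise RuntimeError("ipset is not installed")
    subprocess.run(["ipset", "-exist", "restore"], input=script.encode(), check=True)


if __name__ == "__main__":
    networks, restore_script = build_blocklist(SAMPLE_FEED)
    print(restore_script)
    print(" ".join(IPTABLES_RULE))
```

Run as root on a server, the printed script is what you would pipe into `ipset -exist restore`, followed by the iptables rule once; later reloads only need the script again, since the swap replaces the set contents in place.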

Wait…I have some complaints or suggestions

We would love to hear from you and our team can work based on your feedback. Kindly reach our support team with your feedback and we will process it accordingly.

Contact Form 7 Unrestricted File Upload Vulnerability – How does cPGuard protect your websites?

About the vulnerability

Contact Form 7 is a famous WordPress plugin that helps users create different contact forms on a website. The plugin has a very big user base, with over 5 million active installations. So, any vulnerability in such a popular plugin causes serious security issues for a large number of websites.

Recently there was a report related to this plugin where security researchers were able to exploit a vulnerability that allowed them to upload files of any type, bypassing all restrictions set on the website to limit the uploadable file types. It also allows web shell injection, which makes it more dangerous and threatening to website security.

How does cPGuard handle the problem?

Immediately after the vulnerability was announced, our WAF team started investigating it and released a WAF update to protect our users' websites from the vulnerability. So far, cPGuard WAF has the following set of protections against this particular vulnerability:

  • We have an explicit WAF rule which prevents exploitation of this particular vulnerability
  • Our existing WAF rules prevent uploading PHP files
  • Our existing WAF rules prevent accessing PHP files in the target location
  • Our scanner engine can report the file uploads/injections
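The rule set itself is not on this page, but the checks behind the two upload-side protections listed above can be illustrated. The following Python function is an added example, not cPGuard's WAF: it refuses a file whose name carries an interpreted extension in any position (so `photo.php.jpg` is refused, not only `photo.php`), refuses anything not on a small allow-list, and refuses content that contains PHP open tags regardless of its name. The extension lists, the sample files and the `.htaccess` fragment for the uploads directory are assumptions chosen for the example.

```python
import re

# Extensions a web server may hand to an interpreter.  Assumed list for this
# example; the page's WAF rules are not reproduced here.
INTERPRETED_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}

# Byte patterns that mark PHP code regardless of the file name.
PHP_MARKERS = [
    re.compile(rb"<\?php", re.IGNORECASE),
    re.compile(rb"<\?="),
    re.compile(rb"<script[^>]+language\s*=\s*['\"]?php", re.IGNORECASE),
]


def upload_verdict(filename, content, allowed_ext=("jpg", "jpeg", "png", "gif", "pdf")):
    """Return (allowed, reason).  The name is normalised first, every dotted
    segment is checked, and the content is inspected independently of the name."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # ignore any path part
    if "\x00" in name:
        return False, "null byte in file name"
    segments = [s.lower() for s in name.split(".")[1:]]
    if not segments:
        return False, "no extension"
    if any(s in INTERPRETED_EXT for s in segments):
        return False, "interpreted extension in name"
    if segments[-1] not in allowed_ext:
        return False, "extension not on allow-list"
    head = content[:64 * 1024]  # script markers sit near the start of a file
    if any(rx.search(head) for rx in PHP_MARKERS):
        return False, "php code in content"
    return True, "ok"


# Defence in depth for the uploads directory (Apache 2.4 syntax, assumed for
# the example): even if a script slips past the upload check, the server
# refuses to serve it, which is the effect of the third protection above.
UPLOADS_HTACCESS = """\
<FilesMatch "\\.(?:php[0-9]?|phtml|phar|pht|phps)$">
    Require all denied
</FilesMatch>
"""

# Constructed sample uploads: (file name, first bytes of content).
SAMPLES = [
    ("resume.pdf", b"%PDF-1.4 constructed"),
    ("shell.php", b"<?php system($_GET['c']);"),
    ("photo.php.jpg", b"\xff\xd8\xff"),
    ("banner.gif", b"GIF89a<?php echo 1;"),
    (".htaccess", b"AddHandler application/x-httpd-php .jpg"),
]


def review_samples(samples=SAMPLES):
    """Map each sample name to its verdict reason, for a quick overview."""
    return {name: upload_verdict(name, data)[1] for name, data in samples}


if __name__ == "__main__":
    for name, reason in review_samples().items():
        print(f"{name:15s} -> {reason}")
```

The two checks are deliberately independent: a name check alone is defeated by a harmless-looking extension, and a content check alone is defeated by a script that hides its open tag past the inspected prefix, so a server-side deny rule for the uploads directory stays in place as the last line.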

Do I still need to worry?

Our WAF and scanner engine are powerful enough to block both such targeted exploits and generic web exploits. Even though cPGuard provides security measures for this problem, we still encourage you to advise your users to upgrade the Contact Form 7 plugin to the latest version, 5.3.2.

If you need any additional details, please contact our support team.

cPanel Scanner Layers – Incremental File Scanning

One of the frequent questions we have been receiving recently is how efficient the scanner is, and whether there is an option similar to the Rapid Scan offered by another solution. To answer this, we have to explain how the whole scanning system works, automatically or manually, and why the total workflow is much faster and more efficient than any competing solution.

The scanner levels

In cPGuard, we scan each new/updated file at multiple levels, which lets us process the files in various ways, multiple times with the most recent virus signatures, and with very little load. Each of the layers is explained below.

1. HTTP Upload Scanner:- If you have WAF integration enabled, this is the first level of scanning when a file is uploaded/updated via the web. This scanner immediately denies the file upload if it contains malicious code and notifies the customer. You can find the related log in the web server ModSec log or under WAF logs in cPGuard WAF.

2. Automatic Scanner:- If you have the Virus Scanner enabled under Settings >> Scanner, this will trigger. This is the background scanner that keeps track of all uploaded/modified files and scans them.

3. Daily Scanner:- If you have Daily Scanning enabled from Settings >> Additional Settings, daily file scanning will trigger every day. This option scans all files uploaded/updated in the last 24 hours.

4. Weekly Scanner:- If you have Weekly Scanning enabled from Settings >> Additional Settings, weekly file scanning will trigger every Sunday. This option scans all files uploaded/updated in the last 7 days.

So how does the incremental scanning work?

As the scanner levels explained above show, each layer works differently. So once you have cPGuard installed and configured on your server:

  • Run an ALL manual scan, which will scan all web files on your server and take action on them
  • Enable Daily Scan
  • Enable Weekly Scan
  • Make sure that WAF integration is enabled and works fine

The above steps make sure that your server is free from all known virus files. In addition to the scanner layers, our WAF rules are powerful enough to stop the uploading/exploiting of vulnerable files and add an extra layer of security.
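To make the layering concrete, here is an added Python example (not cPGuard's scanner) of the incremental part of the procedure above: each scheduled pass only looks at web files whose modification time falls inside its window (24 hours for daily, 7 days for weekly, no limit for the manual ALL scan) and matches them against signatures in batches. The signatures, the file-type list and the sample site tree built in a temporary directory are constructed for the example.

```python
import os
import re
import tempfile
import time

# File types worth scanning; everything else (images, archives) is skipped so a
# daily pass stays cheap.  Assumed list, not cPGuard's.
WEB_EXT = {".php", ".phtml", ".js", ".html", ".htm"}

# Constructed signatures for the example only: obfuscated-loader patterns that
# commonly appear in injected PHP.  A real engine uses a full definition set.
SIGNATURES = [
    ("php.eval_base64", re.compile(rb"eval\s*\(\s*base64_decode\s*\(")),
    ("php.eval_gzinflate", re.compile(rb"eval\s*\(\s*gzinflate\s*\(")),
]


def changed_files(root, window_seconds, now=None):
    """Yield web files under `root` whose mtime falls inside the window.
    `window_seconds=None` means a full (manual ALL) scan."""
    now = time.time() if now is None else now
    cutoff = None if window_seconds is None else now - window_seconds
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WEB_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished between listing and stat
            if cutoff is None or mtime >= cutoff:
                yield path


def scan(paths, batch_size=50, head_bytes=512 * 1024):
    """Match signatures against the head of each file, in batches, so a huge
    change list never turns into one long-running process."""
    hits = []
    paths = list(paths)
    for start in range(0, len(paths), batch_size):
        for path in paths[start:start + batch_size]:
            with open(path, "rb") as fh:
                data = fh.read(head_bytes)
            for sig_name, rx in SIGNATURES:
                if rx.search(data):
                    hits.append((path, sig_name))
                    break
    return hits


# Constructed sample site: (relative path, content, age in hours).
SAMPLE_SITE = [
    ("public_html/index.php", b"<?php echo 'hello';", 1),
    ("public_html/wp-content/uploads/cache.php",
     b"<?php eval(base64_decode('aGVsbG8='));", 3),
    ("public_html/wp-content/themes/t/functions.php", b"<?php /* clean */", 72),
    ("public_html/old-backdoor.php",
     b"<?php eval(gzinflate(base64_decode('x')));", 240),
    ("public_html/logo.png", b"\x89PNG", 1),
]


def build_sample_site(root, now):
    """Write the sample files and back-date their mtimes."""
    for rel, content, age_hours in SAMPLE_SITE:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        stamp = now - age_hours * 3600
        os.utime(path, (stamp, stamp))


def demo():
    """Run daily, weekly and full passes over the sample site and report what
    each pass looked at and what it flagged."""
    now = time.time()
    report = {}
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, now)
        for label, window in (("daily", 24 * 3600), ("weekly", 7 * 24 * 3600), ("full", None)):
            files = list(changed_files(root, window, now))
            hits = scan(files)
            report[label] = {
                "scanned": len(files),
                "flagged": sorted(os.path.relpath(p, root) for p, _ in hits),
            }
    return report


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The point the sample makes is the one the post makes: the old backdoor is only found by the full scan, which is why the procedure starts with one ALL manual scan; after that, the daily and weekly windows catch everything new at a fraction of the cost.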

Is the incremental scan really fast?

Yes, it really works faster and more efficiently than any other competing solution. Based on analysis from multiple servers, it took less than a few minutes to complete daily scanning of 200GB of web data, and that too without any high load on the server. You can see how many files it scanned and how much time it took for each scan.

Is it possible to schedule Daily and Weekly Scans?

Yes, if you prefer to run the scheduled scans at a particular time, you can do it easily. To do it:

  • Disable Daily and Weekly scanners from Additional Settings
  • Use the cpgbin CLI utility to schedule Daily and Weekly scans at your preferred time.

More questions?

We are always happy to hear from you…if you need any more clarification, please reach our Support desk.


How cPGuard protects your websites?

This is one of the first questions that arises when someone decides to try cPGuard on their servers. The answer is not simple, and it needs to be explained from top to bottom, as the protection is offered at multiple levels.

So let us check all the protection that cPGuard offers:

  • Malicious file uploads/updates
  • Web attacks/exploits
  • Incoming Spam Emails and IP/Domain Reputation Checks
  • Extensive Reports

1. Malicious File uploads/updates

This is one of the common problems that every website owner faces, and it affects website reliability and integrity. It happens most commonly because of an exploitable flaw in the website, a compromised user account or login, or possibly a compromised account hosted in the same shared environment. So, to detect malicious file contents, cPGuard has multiple layers of file scanning to make sure that every file passes through our scanner engine.

  • Layer 1 HTTP Upload Scanner:- This is the first level of file scanning when a file is uploaded/updated via the web. So whenever a file is uploaded using your website, it passes through the scanner engine. We carefully manage this step to scan only relevant files, and in case we detect a suspicious pattern for which we do not yet have a definition, we scan it through our central system and take the necessary actions.
  • Layer 2 Automatic Scanner:- This is the second level of scanning, which catches any file updated/uploaded regardless of how it was done. We monitor file operations to build the list of files to check and pass them through the scan engine. Since we monitor only website files and process them in batches, this consumes a very small amount of server resources and takes very little time to complete compared to the competition.
  • Layer 3 Weekly automatic scan:- We run a weekly scanner that scans all files updated/uploaded in the last 7 days. This helps to ensure that all recent files are analyzed against our constantly updated virus database, and thus catches new types of attacks even if they bypassed the earlier layers.
  • Layer 4 manual scan:- This is the last scanner layer, and it needs manual intervention to start the scan against a defined target. It can help to find all new/old malicious files under the targeted path and to create custom reports.

So the multi-layer file scanning, which you can flexibly enable on your server (you can customize each layer from cPGuard Settings), can scan all types of file changes on your server and take action on them. There is also a file auto-clean option, with which you can attempt to clean files automatically and restore them to their original location; it can prevent website outages due to core file infections.


2. Web attacks/exploits

This is the WAF layer, which helps to mitigate most attacks before they reach your web applications. Our WAF is powered by Malware.Expert's commercial WAF rules and cPGuard ModSec rules. This layer has multiple components to mitigate a variety of web attacks.

  • The WAF Integration:- This is the core WAF rule set that you can enable from settings; it loads the core rules into your web server. The ruleset contains mitigation rules for generic attacks, some recently reported CVEs, and targeted CMS attacks (WordPress, Joomla, etc.). We always recommend enabling this, as it can protect your websites from many web attacks.
  • Brute-force protection:- This module protects your websites from brute-force attacks against the defined URLs. It effectively monitors the real IPs and blocks them if they cross the access threshold.
  • Scanner Rules under WAF:- When you enable this rule set, it protects your websites from common abusive botnets. It can save server resources and avoid unnecessary processing of requests.
  • Webshell Rules under WAF:- These rules stop the processing of any web shells that are already uploaded to your websites. This is a highly sensitive rule set, and we do not recommend it unless you have complete control over all the websites on the server.
  • Captcha Protection under WAF:- This module protects your websites from brute-force attacks against the defined URLs. It can greatly reduce your server load and protect your websites from abusive access.
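As an added example (not cPGuard's brute-force module), the following Python code shows the threshold logic described above run over constructed access-log lines: POST requests to a protected login URL are counted per client IP in a sliding window, and an IP is reported for blocking the moment it reaches the threshold. The protected URLs, the threshold of 5 attempts in 60 seconds and the log lines are assumptions; the example also assumes the web server already records the real client IP in the first log field.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields of the Apache/nginx combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PROTECTED = {"/wp-login.php", "/xmlrpc.php"}  # assumed protected URLs


def _line(ip, ts, method, path):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 2100 "-" "Mozilla/5.0"'


# Constructed excerpt: 203.0.113.5 hammers wp-login.php (plus one stale attempt
# an hour earlier), 198.51.100.9 makes a few attempts, 192.0.2.1 only browses.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "12/Mar/2024:09:00:00 +0000", "POST", "/wp-login.php")]
    + [_line("203.0.113.5", f"12/Mar/2024:10:00:0{i} +0000", "POST", "/wp-login.php")
       for i in range(1, 7)]
    + [_line("198.51.100.9", f"12/Mar/2024:10:00:1{i} +0000", "POST", "/wp-login.php")
       for i in range(3)]
    + [_line("192.0.2.1", f"12/Mar/2024:10:00:2{i} +0000", "GET", "/index.php")
       for i in range(6)]
    + ["garbage line that does not parse"]
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window counter: an IP is blocked the moment it reaches
    `threshold` POSTs to a protected URL within `window_seconds`.
    Returns {ip: timestamp of the request that tripped the threshold}."""
    attempts = defaultdict(deque)
    blocked = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        if m["method"] != "POST" or m["path"].split("?", 1)[0] not in PROTECTED:
            continue  # only login-style requests count
        ip = m["ip"]
        if ip in blocked:
            continue  # already decided; a firewall rule would stop further hits
        t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = attempts[ip]
        q.append(t)
        while t - q[0] > window_seconds:
            q.popleft()  # forget attempts older than the window
        if len(q) >= threshold:
            blocked[ip] = m["ts"]
    return blocked


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when})")
```

The stale attempt from 09:00 is dropped from the window before the burst at 10:00 is counted, so the decision is driven only by recent behaviour; the returned timestamp tells you which request tripped the rule, which is what you would want in the WAF log.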

The multiple protection layers at the HTTP level can protect your websites from the most generic and common attacks and sources. We constantly monitor the web abuses reported by the WAF through our centralized system and make adjustments accordingly to increase the protection level.

3. Incoming Spam Emails and IP/Domain Reputation Checks

cPGuard helps to reduce incoming spam emails using the SRBL system, which uses an intelligent algorithm to check all incoming email sources, determine whether they are abusive, and take action accordingly. This stops emails from known abusive IPs and thus reduces the incoming spam email count.

Additionally, the system helps to keep track of the IPs/domains on the server and check whether they are listed in major blacklists. It alerts you promptly when a blacklisting is detected and helps you keep note of the overall server reputation. You can even choose to suspend an account when a domain is blacklisted, which can save your IPs from being blocked in SEO and search engines.

4. Extensive Reports and Notifications

cPGuard produces many reports and notifications that give an overview of the total attacks against your server and the security issues for particular accounts. There are graphical representations of the web/virus attacks per day or for a certain period, and the notifications are instant, alerting you about recent attacks. You can flexibly turn certain notifications on/off and define the email addresses at which you want to receive alerts.

The protection is not limited to the above points…

Yes, the software offers more protection, like automated rootkit scanning, CSF integration, wp-cron.php job management, etc., to ensure smooth management and security on your server. We constantly add more features, enhance the existing features and do everything we can to deliver the best service to our customers.

If you really think that cPGuard can improve on any particular point by adding or enhancing a feature, please feel free to reach us and we will do everything possible to meet the requirements.


Tips to find malware in WordPress websites

WordPress is always the hot choice of website hackers, and thus it is one of the web applications that receive the most attacks. Especially on a shared web hosting server, it is very interesting to check and compare the logs of WordPress websites against the other websites on the same server. The result is pretty self-explanatory in most cases: you can see a ton of brute-force attempts, generic attacks, and targeted attacks to exploit the WordPress websites. The rate of attack attempts is much higher for WordPress websites compared to other web apps.

Where you can find the infections

There are many methods to exploit WordPress websites, and new types of attacks/vulnerabilities are reported as time goes on. You can often find the infected code in a WordPress website in:

1. The File System where you physically store the Website Files
2. The database associated with the website

In both of the above cases, the hackers add some external code to execute their logic and thus exploit the compromised website.

1. How to find hacked WordPress files

The hacker targets the files and tries to update/upload file contents with malicious code. Many times they target the plugins, themes, or the uploads directory, but it is not limited to those directories. When you do a manual lookup, you can start with the following steps:


  • Check the DocumentRoot of the website and ensure that there are no unknown files/folders there. Especially if you find any unknown folders or files (with gibberish names), you should check them specifically.
  • Check the wp-content/plugins directory and make sure that no plugin directory exists that was not installed by you. Also, search for the most recently updated PHP files under the plugins folder and verify the list.
  • Check the wp-content/themes directory and make sure that no theme directory exists that was not installed by you. Also, search for the most recently updated PHP files under the themes folder and verify the list.
  • Ensure that no PHP or other interpreted files are uploaded to the wp-content/uploads folder. This folder is specifically for storing media files and thus is not supposed to execute any code.
  • Use the wp-cli tool to check the integrity of the core and plugin files. You can refer to this link to learn how to use it.
  • You can use any WordPress security plugin like Wordfence to scan and find any other hidden hacked files under the website.

2. How to find hacked WordPress database contents

This is trickier than finding compromised files, as it needs more manual effort to track the injected code in the database. It is advised to take a backup of the present database before making any changes to your website database. To start the investigation, you can do the following:


  • Check WordPress admin user list and make sure that the list does not contain unknown users
  • Take a dump of the database and search for suspicious content (i.e., spammy keywords, links) that you found abusive in your website
  • Check the post contents and take note of any kind of JS injections
  • Take a look into the wp_options table and ensure that there are no unexpected entries there.

As I mentioned already, this needs some expertise; if you do not know how to do this, please look for an expert to do it for you.
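The database checks in the list above, as an added example that is not from the post and is not cPGuard code: it uses an in-memory SQLite stand-in with constructed rows, because a WordPress MySQL database is not available offline, but the queries are the ones you would run against wp_users, wp_usermeta, wp_posts and wp_options (the default `wp_` table prefix is assumed). The `known_admins` set and `expected_url` are the values you supply for your own site.

```python
import sqlite3

# Minimal stand-in for the four WordPress tables the checks touch.
SCHEMA = """
CREATE TABLE wp_users   (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta(umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts   (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT, autoload TEXT);
"""

# Constructed rows: a legitimate admin, a subscriber, an injected admin, one post
# with an injected script tag, a tampered 'home' URL and a script in an option.
ROWS = {
    "wp_users": [
        (1, "admin", "admin@example.com", "2022-01-01 00:00:00"),
        (3, "jane", "jane@example.com", "2023-05-01 00:00:00"),
        (7, "wp_supp0rt", "x@mail.invalid", "2024-03-12 03:14:00"),
    ],
    "wp_usermeta": [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
        (3, 7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ],
    "wp_posts": [
        (10, "Hello", "<p>Welcome to the site.</p>", "publish"),
        (11, "About", '<p>About us.</p><script src="//203.0.113.9/t.js"></script>', "publish"),
    ],
    "wp_options": [
        (1, "siteurl", "https://example.com", "yes"),
        (2, "home", "http://203.0.113.9/", "yes"),
        (3, "blogname", "Example", "yes"),
        (4, "_transient_cache_x", "<script src='//203.0.113.9/r.js'></script>", "yes"),
    ],
}


def build_sample_db():
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def unexpected_admins(conn, known_admins):
    """Accounts holding the administrator role that you did not create."""
    rows = conn.execute(
        "SELECT u.user_login, u.user_email, u.user_registered "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'"
    )
    return [r for r in rows if r[0] not in known_admins]


def injected_posts(conn):
    """Posts whose content carries script/iframe tags (typical JS injection)."""
    return conn.execute(
        "SELECT ID, post_title FROM wp_posts "
        "WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'"
    ).fetchall()


def option_findings(conn, expected_url):
    """siteurl/home pointing elsewhere, plus any option carrying script markup."""
    findings = []
    for name, value in conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')"
    ):
        if value.rstrip("/") != expected_url.rstrip("/"):
            findings.append((name, value))
    findings += conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'"
    ).fetchall()
    return findings


def audit(conn, known_admins, expected_url):
    """Run all three checks and collect what needs a human look."""
    return {
        "unexpected_admins": [r[0] for r in unexpected_admins(conn, known_admins)],
        "injected_posts": injected_posts(conn),
        "option_findings": option_findings(conn, expected_url),
    }


if __name__ == "__main__":
    for key, value in audit(build_sample_db(), {"admin"}, "https://example.com").items():
        print(key, value)
```

Against a real site, point the same queries at a copy of the database (the backup the post tells you to take first), and treat every finding as a lead to verify by hand rather than something to delete automatically.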

How to automate these checks for your website?

Searching for malicious code in your files and database is not an easy task, and doing it regularly is even harder. If you own a single website, you can depend on a security plugin or a cloud solution to scan your website regularly and report any bad files. You can also choose a hosting platform that has automatic virus checks enabled (cPGuard does this, along with WAF protection specifically for WordPress websites), which can protect your website without any additional installation or cost. If you are a server owner, it is essential to install an anti-virus to protect your customers' websites from such attacks and save your server reputation.

cPGuard contains built-in tools to protect your WordPress websites, and the WAF module has explicit rules to stop attacks against WordPress websites/components. Our distributed network helps us to detect the latest attack attempts, keep the software up to date, and defend against the latest WordPress attacks.