cPanel Scanner Layers – Incremental File Scanning

One of the questions we receive most often is how efficient the scanner is, and whether there is an option comparable to the Rapid scan offered by another solution. To answer it we have to explain how the whole scanning system works, both automatically and manually, and why the overall workflow is faster and more efficient than competing solutions.

The scanner levels

In cPGuard, each new or updated file is scanned at multiple levels. This lets us process the files in different ways, more than once and always with the most recent virus signatures, while keeping the load on the server low. Each of the layers is explained below.

1. HTTP Upload Scanner:- If WAF integration is enabled, this is the first level of scanning for files uploaded or updated via the web. The scanner immediately denies the upload if the file contains malicious code and notifies the customer. The related log entry is in the web server's ModSecurity log, or under WAF logs in cPGuard WAF.

2. Automatic Scanner:- If the Virus Scanner is enabled under Settings >> Scanner, this layer is triggered. It is the background scanner that keeps track of every uploaded or modified file and scans it.

3. Daily Scanner:- If Daily Scanning is enabled under Settings >> Additional Settings, the daily file scan runs every day and scans all files uploaded or updated in the last 24 hours.

4. Weekly Scanner:- If Weekly Scanning is enabled under Settings >> Additional Settings, the weekly file scan runs every Sunday and scans all files uploaded or updated in the last 7 days.

So how does the incremental scanning work?

As explained above, each scanner layer works differently. So once cPGuard is installed and configured on your server:

  • Run a manual scan of ALL web files on the server and take action on the results
  • Enable Daily Scan
  • Enable Weekly Scan
  • Make sure that WAF integration is enabled and working

The above steps ensure that your server is free from all known virus files. In addition to the scanner layers, our WAF rules are strong enough to stop vulnerable files from being uploaded or exploited, which adds an extra layer of security.

Is the incremental scan really fast?

Yes, it is fast and efficient compared to competing solutions. In our analysis across multiple servers, the daily scan of 200GB of web data completed within a few minutes, and without any high load on the server. The scan log shows how many files were scanned and how long each scan took.

Is it possible to schedule Daily and Weekly Scans?

Yes, if you prefer to run the scheduled scans at a particular time you can do that easily:

  • Disable the Daily and Weekly scanners under Additional Settings
  • Use the cpgbin CLI utility to schedule the Daily and Weekly scans at your preferred time

More questions?

We are always happy to hear from you. If you need any further clarification, please contact our Support desk.

 

How cPGuard protects your websites?

This is one of the first questions raised when someone decides to try cPGuard on their servers. The answer is not simple, and it needs to be explained from top to bottom because protection is offered at multiple levels.

So let us look at the protection cPGuard offers:

  • Malicious file uploads/updates
  • Web attacks/exploits
  • Incoming Spam Emails and IP/Domain Reputation Checks
  • Extensive Reports

1. Malicious File uploads/updates

This is one of the most common problems website owners face, and it affects website reliability and integrity. It most often happens because of an exploitable vulnerability in the website, a compromised user account or login, or possibly a compromised account hosted in the same shared environment. To detect malicious file contents, cPGuard has multiple layers of file scanning to make sure that every file passes through our scanner engine.

  • Layer 1 HTTP Upload Scanner:- This is the first level of file scanning for files uploaded or updated via the web. Whenever a file is uploaded through your website, it passes through the scanner engine. We carefully manage this step to scan only relevant files, and if we detect a malicious pattern for which we have no definition yet, we scan it through our central system and take the necessary action.
  • Layer 2 Automatic Scanner:- This is the second level of scanning, which catches any file updated or uploaded regardless of how it got there. We monitor file operations to build the list of files to check and pass them through the scan engine. Since we monitor only website files and process them in batches, this consumes a very small amount of server resources and finishes much faster than competing scanners.
  • Layer 3 Weekly automatic scan:- A weekly scanner rescans all files updated or uploaded in the last 7 days. This ensures that every recent file is analysed again against our constantly updated virus database, catching new types of attacks even if they bypassed the earlier layers.
  • Layer 4 Manual scan:- This is the last layer, which needs manual intervention to start a scan against a defined target. It can find all new or old malicious files under the targeted path and is useful for producing custom reports.

The multi-layer file scanning, which you can enable flexibly on your server (each layer can be customized from cPGuard Settings), can scan every type of file change on your server and act on it. There is also a file auto-clean option that attempts to clean infected files automatically and restore them to their original location, which can prevent website outages caused by infected core files.

 

2. Web attacks/exploits

This is the WAF layer, which mitigates most attacks before they reach your web applications. Our WAF is powered by Malware.Experts commercial WAF rules and cPGuard ModSec rules. This layer has multiple components to mitigate a variety of web attacks.

  • The WAF Integration:- This enables the core WAF rules from Settings and loads them into your web server. The ruleset contains mitigation rules for generic attacks, some recently reported CVEs, and targeted CMS attacks (WordPress, Joomla, etc.). We always recommend enabling it; it protects your websites from many web attacks.
  • Brute-force protection:- This module protects your websites from brute-force attacks against the defined URLs. It monitors the real client IPs and blocks them once they cross the access threshold.
  • Scanner Rules under WAF:- When this rule set is enabled, it protects your websites from common abusive botnets. It saves server resources and avoids unnecessary processing of such requests.
  • Webshell Rules under WAF:- These rules stop web shells from executing if they have already been uploaded to your websites. This is a highly sensitive rule set and we do not recommend it unless you have complete control over all the websites on the server.
  • Captcha Protection under WAF:- This module protects the defined URLs from brute-force attacks by challenging clients with a Captcha. This can greatly reduce server load and protect your websites from abusive access.

The multiple protection layers at the HTTP level protect your websites from most generic and common attacks and sources. We constantly monitor the web abuse reported by the WAF through our centralized system and adjust the rules accordingly to increase the protection level.

3. Incoming Spam Emails and IP/Domain Reputation Checks

cPGuard helps to reduce incoming spam email using the SRBL system, which uses an intelligent algorithm to check every incoming email source, decide whether it is abusive, and act accordingly. This stops email from known abusive IPs and thus reduces the incoming spam count.

Additionally, the system keeps track of the IPs and domains on the server and checks whether they are listed in major blacklists. It alerts you promptly when a blacklisting is detected and helps you keep an eye on the overall server reputation. You can even choose to suspend an account when its domain is blacklisted, which can save your IPs from being blocked in search engines and damaging your SEO.

4. Extensive Reports and Notifications

cPGuard produces many reports and notifications that give an overview of the total attacks against your server and the security issues of particular accounts. Web and virus attacks are shown graphically per day or for a chosen period, and notifications are sent instantly to alert you about recent attacks. You can flexibly turn specific notifications on or off and define the email addresses that should receive the alerts.

The protection is not limited to the above points.

Yes, the software offers more protection, such as automated rootkit scanning, CSF integration, wp-cron.php job management, etc., to ensure smooth management and security of your server. We constantly add features, enhance the existing ones and do everything we can to deliver the best service to our customers.

If you think cPGuard could be improved by adding or enhancing a feature, please feel free to reach out and we will do everything possible to meet the requirement.

 

Tips to find malware in WordPress websites

WordPress is always a hot target for website hackers and thus one of the web applications that receives the most attacks. On a shared web hosting server it is particularly interesting to compare the logs of the WordPress websites with those of the other websites on the same server. The result is self-explanatory in most cases: a ton of brute-force attempts, generic attacks, and targeted attacks to exploit the WordPress sites. The rate of attack attempts is much higher for WordPress websites than for other web apps.

Where you can find the infections 

There are many methods to exploit WordPress websites, and new types of attacks and vulnerabilities are reported all the time. You will usually find the injected code in a WordPress website in:

1. The File System where you physically store the Website Files
2. The database associated with the website

In both cases, the hackers add external code to execute their logic and thus abuse the compromised website.

1. How to find hacked WordPress Files

The hacker targets files and tries to update or upload file contents with malicious code. Most often they target the plugins, themes, or uploads directories, but it is not limited to those. When you do a manual lookup, you can start with the following steps:

 

  • Check the DocumentRoot of the website and ensure there are no unknown files or folders there. If you find unknown folders or files (especially with gibberish names), check them specifically
  • Check the wp-content/plugins directory and make sure there is no plugin directory you did not install. Also list the most recently updated PHP files under the plugins folder and verify the list
  • Check the wp-content/themes directory and make sure there is no theme directory you did not install. Also list the most recently updated PHP files under the themes folder and verify the list
  • Ensure that no PHP or other interpreted files are present in the wp-content/uploads folder. This folder is meant to store media files only and is not supposed to execute any code
  • Use the wp-cli tool to check the integrity of the core and plugin files. You can refer to this link to learn how to use it
  • You can use a WordPress security plugin like Wordfence to scan for any other hidden hacked files in the website
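The checks in the list above, written out as shell helpers. This is an added example and not code from the original post or from cPGuard; every function takes the site's DocumentRoot as its first argument, and the file-name patterns, the 7-day window and the "gibberish name" regular expression are assumptions chosen for illustration. The wp-cli subcommands shown are real, but they are only run when wp-cli is installed.

```shell
#!/bin/sh
# Added example (not from the original post, not cPGuard code): manual
# file-system triage helpers for a WordPress DocumentRoot, passed as $1.
# Patterns, thresholds and regexes below are assumptions for illustration.

# Interpreted files under wp-content/uploads. That directory should hold
# media only, so any hit deserves a look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3-7]' -o -name '*.phar' \) \
        2>/dev/null
}

# PHP files under plugins and themes modified within the last N days
# (default 7), to compare against your own change history.
recent_php() {
    days="${2:-7}"
    find "$1/wp-content/plugins" "$1/wp-content/themes" -type f -name '*.php' \
        -mtime "-$days" 2>/dev/null | sort
}

# Plugin and theme directory names present on disk, to diff against the
# list of what you actually installed.
installed_dirs() {
    for d in plugins themes; do
        find "$1/wp-content/$d" -mindepth 1 -maxdepth 1 -type d 2>/dev/null |
            sed "s#.*/#$d/#"
    done | sort
}

# PHP files whose base name is a long lowercase hex/alphanumeric string
# (e.g. a9f3c2e1b7d4.php): the "gibberish names" mentioned above.
gibberish_php() {
    find "$1" -type f -name '*.php' 2>/dev/null | grep -E '/[a-z0-9]{12,}\.php$'
}

# Core and plugin integrity via wp-cli, when it is installed. These two
# subcommands exist in wp-cli; they are skipped here only so the helpers
# can run offline.
wp_integrity() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not installed; skipping" >&2; return 0; }
    wp --path="$1" core verify-checksums
    wp --path="$1" plugin verify-checksums --all
}

# Run every check when a DocumentRoot is given on the command line.
if [ -n "$1" ]; then
    for fn in php_in_uploads recent_php installed_dirs gibberish_php; do
        echo "== $fn"; "$fn" "$1"
    done
    wp_integrity "$1"
fi
```

Run it as `sh triage.sh /home/user/public_html` and review each section: a non-empty `php_in_uploads` list is almost always a web shell, and every entry in `installed_dirs` should be one you recognise.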

2. How to find hacked WordPress Database contents

This is trickier than finding compromised files, as tracking injected code in the database needs more manual effort. Take a backup of the current database before making any changes to it. To start the investigation, you can do the following:

 

  • Check the WordPress admin user list and make sure it contains no unknown users
  • Take a dump of the database and search for the suspicious content (spammy keywords, links) you have seen on the website
  • Check the post contents and note any kind of JS injection
  • Look into the wp_options table and ensure there are no unexpected entries
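The database checks above can be run against a SQL dump with plain shell tools. The following is an added example, not code from the original post or from cPGuard: it writes a small constructed dump (sample rows with the wp_ table prefix, made up for this illustration) and then pulls out user logins, script/iframe injections in posts, external script hosts, spam keyword hits, option names and base64-looking option values. On a real site, export the database first with `wp db export site.sql` or mysqldump and point the functions at that file; the spam keyword list is an assumption you should adapt.

```shell
#!/bin/sh
# Added example (not from the original post, not cPGuard code): grep a SQL
# dump of a WordPress database for the indicators listed above. The dump is
# constructed inline so the script runs offline; the table prefix (wp_),
# the spam keyword list and the host names are assumptions.

# Write a small constructed dump to the path given as $1.
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bhash','admin','admin@example.com','','2020-01-01 00:00:00','',0,'admin');
INSERT INTO `wp_users` VALUES (7,'wp_backup','$P$Bhash','wp_backup','x@example.net','','2021-03-03 00:00:00','',0,'wp_backup');
INSERT INTO `wp_posts` VALUES (10,1,'2021-01-01 00:00:00','2021-01-01 00:00:00','<p>Hello</p><script src="https://cdn.example.org/a.js"></script>','Hello','','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2021-01-02 00:00:00','2021-01-02 00:00:00','<p>Buy cheap pills here</p>','Spam','','publish');
INSERT INTO `wp_options` VALUES (100,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (101,'footer_injected_js','PHNjcmlwdD5ldmlsPC9zY3JpcHQ+','yes');
EOF
}

# Login names from wp_users; compare against the admins you know about
# (on a live site `wp user list --role=administrator` shows the same).
user_logins() {
    sed -n "s/^INSERT INTO \`wp_users\` VALUES ([0-9]*,'\([^']*\)'.*/\1/p" "$1"
}

# Post rows carrying <script> or <iframe> tags in post_content.
script_injections() {
    grep -iE '^INSERT INTO `wp_posts`.*<(script|iframe)' "$1"
}

# Hosts referenced by src= attributes anywhere in the dump; anything that is
# not your own site or CDN is worth checking.
external_script_hosts() {
    grep -oiE 'src="https?://[^/"]+' "$1" | sed 's#.*://##' | sort -u
}

# Posts containing spam keywords (the list is a constructed assumption).
spam_posts() {
    grep -iE '^INSERT INTO `wp_posts`.*(cheap pills|casino|payday loan)' "$1"
}

# Option names from wp_options; unexpected entries are a classic backdoor
# hiding place, especially autoloaded ones.
option_names() {
    sed -n "s/^INSERT INTO \`wp_options\` VALUES ([0-9]*,'\([^']*\)'.*/\1/p" "$1"
}

# Option rows whose value looks like a base64 blob of 20+ characters.
base64_options() {
    grep -E "^INSERT INTO \`wp_options\`.*,'[A-Za-z0-9+/]{20,}={0,2}'," "$1"
}
```

With a real dump, `user_logins` and `option_names` are the two lists to diff against what you expect; `base64_options` and `script_injections` usually point straight at the injected payload.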

As mentioned already, this needs some expertise; if you do not know how to do this, get an expert to do it for you.

How to automate these checks for your website?

Searching your files and database for malicious code is not easy, and doing it regularly is even harder. If you own a single website, you can rely on a security plugin or a cloud solution to scan your website regularly and report bad files. You can also choose a hosting platform with automatic virus checks enabled (cPGuard does this, along with WAF protection specifically for WordPress websites), which protects your website without additional installation or cost. If you are a server owner, it is essential to install an anti-virus to protect your customers' websites from such attacks and preserve your server's reputation.

cPGuard contains built-in tools to protect your WordPress websites, and the WAF module has explicit rules to stop attacks against WordPress sites and components. Our distributed network helps us to detect the latest attack attempts, keep the software up to date and defend against the latest WordPress attacks.

How nulled WordPress Plugins can damage your website

It is well known that WordPress is one of the web applications that receives the majority of web attacks once installed on a domain. Beyond the conventional attack vectors, plenty of other methods are used to attack WordPress websites and applications. So every WordPress website owner should add a security layer to protect their site from common attacks like brute-force, SQL injection and cross-site attacks, as well as less conventional ones.

Nulled Plugins and Themes

Among these other types of attack, one of the trickiest is the installation of "nulled" plugins and themes. We recently had a customer who came to us to clean up his websites, which had nulled plugins installed. The odd part is that the client knew they were nulled but installed them anyway because they were free, never suspecting they would open a backdoor into his websites.

So how can it damage your websites?

The severity of the damage depends on the source of the nulled plugin or theme. In the case we are using as an example here, the plugins were downloaded from thewordpressclub [.] org and the websites suffered the following issues.

  1. Repeated JS injections into the database, which caused redirects to malicious websites when the site was visited
  2. Junk records added to the wp_options table for the backdoor
  3. The admin user password kept being reset without the website owner's knowledge
  4. Unwanted posts created on the websites

and many more…..

Interestingly, the terms and conditions at thewordpressclub [.] org have a "Remote Access" section stating that by downloading and installing these plugins/themes you allow TheWordpressClub to remotely control your website.

What kind of injection was added to the nulled plugins?

We found the following files added to the plugin packages; they contain the core malicious code.

rms-script-ini.php
rms-script-mu-plugin.php

For example, here are some sample paths from actual plugin installations:

wp-content/mu-plugins/rms_unique_wp_mu_pl_flnm.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/rms-script-mu-plugin.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/plugin-fw/templates/panel/rms-script-mu-plugin.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/plugin-fw/templates/panel/rms-script-ini.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/rms-script-ini.php
wp-content/plugins/WP Smush Pro 3.6.3/rms-script-mu-plugin.php
wp-content/plugins/WP Smush Pro 3.6.3/core/external/dash-notice/rms-script-mu-plugin.php
wp-content/plugins/WP Smush Pro 3.6.3/core/external/dash-notice/rms-script-ini.php
wp-content/plugins/WP Smush Pro 3.6.3/rms-script-ini.php

In addition, they added the following lines to other files to call the malicious function and activate the remote handler.

require_once('rms-script-ini.php');
rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);
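A quick way to sweep a server for exactly these indicators, as an added example that is not part of the original post and not cPGuard's own scanner: it looks for the dropped file names quoted above (rms-script-ini.php, rms-script-mu-plugin.php and the mu-plugins file name from the path list), greps every PHP file for the `require_once`/`rms_remote_manager_init(` lines, and lists everything under wp-content/mu-plugins, because mu-plugins load automatically and never appear in the plugin list. The DocumentRoot argument and the exit-code convention are assumptions; the file and function names come from the post.

```shell
#!/bin/sh
# Added example (not from the original post, not cPGuard code): scan a
# WordPress DocumentRoot ($1) for the nulled-plugin backdoor indicators
# described above. File/function names are those quoted in the post;
# everything else is an assumption for illustration.

# Files whose name matches the dropped loader/handler pair or the mu-plugin.
rms_files() {
    find "$1/wp-content" -type f \
        \( -name 'rms-script-ini.php' -o -name 'rms-script-mu-plugin.php' \
           -o -name 'rms_unique_wp_mu_pl_flnm.php' \) 2>/dev/null | sort
}

# PHP files that were patched to load the handler, with line numbers.
rms_callers() {
    grep -rnE "rms_remote_manager_init\(|require_once\(['\"]rms-script-ini\.php['\"]\)" \
        --include='*.php' "$1/wp-content" 2>/dev/null
}

# Everything in mu-plugins: each file there must be one you placed yourself.
mu_plugins() {
    find "$1/wp-content/mu-plugins" -type f 2>/dev/null | sort
}

# Summary: returns 1 (and prints the hits) if any indicator is present,
# 0 when the tree is clean, so it can gate a cron job or a deploy.
rms_scan() {
    hits=$( { rms_files "$1"; rms_callers "$1"; } | wc -l | tr -d ' ')
    if [ "$hits" -gt 0 ]; then
        echo "rms backdoor indicators under $1: $hits hit(s)"
        rms_files "$1"
        rms_callers "$1"
        return 1
    fi
    echo "no rms indicators under $1"
    return 0
}

# Command-line use: sh rms-scan.sh /home/user/public_html
if [ -n "$1" ]; then
    echo "== mu-plugins"; mu_plugins "$1"
    rms_scan "$1"
fi
```

Deleting the files found by `rms_files` is not enough on its own: the `require_once` lines reported by `rms_callers` would then fatally error the plugin, so the patched plugin files must also be replaced with clean copies from the vendor, and the database changes listed earlier (injected options, reset admin passwords, unwanted posts) cleaned separately.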

How to get rid of such issues?

The answer is straightforward: do not install plugins or themes from untrusted sources. If you want a plugin or theme, search and install it from the official WordPress repository or download the package from the provider's official website. If you try to get the premium features of a paid product for free through such shortcuts, you will end up in serious trouble, including loss of your data.

Though cPGuard can detect and clean the majority of these malicious injections, we strongly recommend staying away from such plugin providers and using only genuine software.

Recent changes and features in cPGuard

What are the new features in recent cPGuard versions?

At OpsShield, our engineers are always keen to hear feedback from our customers; we read each message carefully and amend the software to make it more useful and user-friendly. In each version we try to add at least one requested feature along with the other updates and bug fixes. So recent cPGuard versions have gained a few options that you might not have noticed yet.

1. User-defined Captcha protected URLs

We introduced our new Captcha protection a couple of months back; it handles the Captcha requests in our cloud. This is one of the most effective mechanisms available, and it takes the load of handling attackers off your server. It stops the majority of attacks against your server and greatly reduces server load. We used to protect a set of predefined URLs, such as the WordPress and Joomla login pages, which receive most of the attacks. To make it flexible and protect other web apps and URLs, the list is now user-defined, so you decide which URLs are protected with Captcha. Simply add the new URL from Settings >> WAF in the cPGuard UI.

2. Weekly Scanner

We recently added a weekly scanner, which scans all files updated in the past 7 days. This ensures that all recent files are scanned again with the updated rule set, which eliminates many bad files from the server. The scanner is designed to consume very few resources and finish in a short time. It is optional and can be disabled from the Additional Settings page, though we recommend keeping it enabled.

3. Revamped License Checking

One frequent complaint from our clients concerned the license status. License detection sometimes failed because the license system was located in central Europe and some clients had connection issues reaching it. To fix this, we migrated our licensing system to AWS and distributed the checks through their worldwide network, so the license check now works from any location without failure.

4. Command Line Utility

This is another feature request we received in the past: a clean and simple tool to manage settings from the command line. It is now available; refer to our KB for details about the tool and its command-line options. It is very useful for people who want to change settings quickly, or across multiple servers using automation.

5. Enhanced daily reports

We have modernised the daily report format and style so that users get all activities with a graphical representation. It is enough to understand the overall attack statistics for the server.

The features are not limited to the above; you can find all the details about each version update in our changelog. If you would like a specific feature added to cPGuard, please feel free to contact us and we will see what we can do.