Can IP's that access suspicious files/urls be black/grey listed?
Phil
Wednesday, 18 July 2018
A spam hacker got into a site today and created dozens of php files with names like albertus.php, alphonso.php and amada.php in various folders. Now I'm trialing Imunify360 to see what it can do.
I don't know if these files would have been picked up by the Malware Scanner (I hope/assume so) because I had deleted them all before we installed Imunify360.

Assuming the scanner does identify the files, is there any way to set something up so that if any IP address tries to access one of these quarantined files then that IP is grey or black listed?
And can a file be manually flagged as malicious and then quarantined?
There is a 100% chance that anyone trying to access one of these files needs to be blocked and if that could be done by the firewall this would have kept the attacked website operational today. The website got so many requests for these deleted files that any legit users got a resource not available message or no response at all.

Thanks,
Phil
#1, 20.07.2018 13:07:13
Posts: 187
Joined: 31.01.2017
Hi Phil,

First, you may want to enable the Proactive Defense module, which detects and terminates (in Kill Mode) PHP scripts that do harmful things.

> Assuming the scanner does identify the files, is there any way to set something up so that if any IP address tries to access one of these quarantined files then that IP is grey or black listed?
> And can a file be manually flagged as malicious and then quarantined?

I'd suggest the following course of action:
1) perform an on-demand scan on the sub-directory with the uploaded webshells. If the scanner detects them, you'll get notifications in the Malware tab of the Imunify360 UI. A default action will be automatically performed (one of Warn/Quarantine/Delete).
2) if some file is not detected, although you believe it is harmful:
- submit a false negative to us as described in http://docs.imunify360.com/command_line_interface.htm
- chmod 000 that file (that's essentially what Quarantine does to all files detected as malware)

> There is a 100% chance that anyone trying to access one of these files needs to be blocked and if that could be done by the firewall this would have kept the attacked website operational today. The website got so many requests for these deleted files that any legit users got a resource not available message or no response at all.

A task with internal id DEFA-538 has been created to research a feature of blocking IPs that request quarantined files.
#2, 26.07.2018 06:07:00
Nick Texidor (Accepted Answer)
Posts: 0
Joined: 20.11.2019
We experienced the same last weekend; nearly 500 php files were added to or edited in one account, according to the Maldet program report.

Imunify360 didn't pick anything up. I initiated an On-demand scan on Monday, and 230+ files were listed and quarantined. We are running proactive monitor, in report mode, and that didn't detect anything all weekend.

One thing to note is we are running Imunify360 over Litespeed, and we know that Litespeed and modsecurity do not play nice together with the Maldet hookscan script. And we have had no luck with Imunify360 detecting exploited uploaded files. It does, however, detect uploads when used with Apache.

We are currently trialling Apache with mod_lsapi to get the benefits of fast PHP with the security of modsecurity, Apache and imunify360.

Sadly, I still have to go and manually edit 150 files that had code added to them as Imunify360 (and the litespeed/modsecurity combination) didn't pick those up as being a problem, or block people from running the uploaded scripts.
#3, 26.07.2018 07:07:41
Nick Texidor (Accepted Answer)
Posts: 0
Joined: 20.11.2019
> There is a 100% chance that anyone trying to access one of these files needs to be blocked and if that could be done by the firewall this would have kept the attacked website operational today. The website got so many requests for these deleted files that any legit users got a resource not available message or no response at all.
>
> A task with internal id DEFA-538 has been created to research a feature of blocking IPs that request quarantined files.

Further to this, pre-Imunify360 we used OSSEC in server/agent mode across all our servers. We created rules that would block IP addresses based on them accessing known WordPress or Joomla exploits. It would be good if Imunify360 could maybe follow this approach too. Not just quarantined files, but maybe maintain a list of exploits that hackers continually try, and block them immediately.
#4, 26.07.2018 12:07:40
Posts: 187
Joined: 31.01.2017
> Further to this, pre-Imunify360 we used OSSEC in server/agent mode across all our servers. We created rules that would block IP addresses based on them accessing known WordPress or Joomla exploits. It would be good if Imunify360 could maybe follow this approach too. Not just quarantined files, but maybe maintain a list of exploits that hackers continually try, and block them immediately.

We already have this present at the WAF level (ModSecurity). Most popular CMSes are covered by their specific rules if the Imunify360 full ModSecurity ruleset is installed.
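Neither the DEFA-538 research item in #1 (block IPs that request quarantined files) nor the OSSEC-style rule Nick describes in #3 (block IPs that request known exploit paths) comes with an implementation on this page. As an added example, not Imunify360 code and not anything the thread's authors posted, the Python script below does the log-side half of both: it sweeps a combined-format web server access log for requests to a watch list of quarantined or deleted file paths, counts them per client IP, and renders the blacklist commands an operator would then run. The log lines, IPs and directories are constructed (the file names are the ones Phil reported); the `imunify360-agent blacklist ip add <IP> --comment` syntax follows the Imunify360 CLI documentation and should be checked against the installed version before it is scripted.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample of combined-format access log lines (the Apache and
# LiteSpeed default). IPs are from documentation ranges. A deleted webshell
# answers 404 and a file quarantined with chmod 000 answers 403, so the
# status code is deliberately ignored: any request for these paths counts.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2018:10:01:02 +0000] "GET /wp-content/uploads/albertus.php?cmd=id HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2018:10:01:03 +0000] "POST /images/alphonso.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2018:10:01:05 +0000] "GET /blog/old//albertus.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.22 - - [18/Jul/2018:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [18/Jul/2018:10:02:12 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.99 - - [18/Jul/2018:10:03:40 +0000] "GET /cache/%61mada.php HTTP/1.1" 404 196 "-" "python-requests/2.19"
this line is deliberately malformed and must be skipped
192.0.2.99 - - [18/Jul/2018:10:03:41 +0000] "GET /cache/amada.php HTTP/1.1" 403 199 "-" "python-requests/2.19"
"""

# Watch list (constructed). Absolute entries match the exact path; bare file
# names match in any directory, which suits webshells dropped "in various
# folders" under the same names. The same function takes a list of known
# exploit probe paths instead, which is the OSSEC-style use from post #3.
QUARANTINED_PATHS = {
    "/images/alphonso.php",
    "/cache/amada.php",
    "albertus.php",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalise_path(target):
    """Drop the query string, percent-decode and collapse '//' so trivial
    evasions (%61mada.php, old//albertus.php) still hit the watch list."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/{2,}", "/", path)


def path_is_watched(path, watched):
    return path in watched or posixpath.basename(path) in watched


def offending_ips(log_text, watched, threshold=1):
    """Return {ip: hits} for clients that requested a watched path at least
    `threshold` times. Lines that are not combined format are skipped rather
    than aborting the sweep."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if path_is_watched(normalise_path(m["target"]), watched):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def blacklist_commands(ips, comment="requested quarantined webshell"):
    """One imunify360-agent call per IP. Subcommand and --comment flag are as
    documented for the Imunify360 CLI; verify against your installed version."""
    return [
        f'imunify360-agent blacklist ip add {ip} --comment "{comment}"'
        for ip in sorted(ips)
    ]


if __name__ == "__main__":
    bad = offending_ips(SAMPLE_LOG, QUARANTINED_PATHS)
    for ip, n in sorted(bad.items()):
        print(f"{ip}\t{n} request(s) for quarantined files")
    print("\n".join(blacklist_commands(bad)))
```

Against a live server, feed the real log instead of the sample, e.g. `offending_ips(open("/path/to/access_log").read(), QUARANTINED_PATHS)`. For a watch list built from the scanner's quarantine results, Phil's reasoning holds and `threshold=1` is right: nobody legitimate asks for those files. For a broader list of CMS exploit probes, as Nick suggests, a higher threshold avoids blocking a scanner that happens to share a NAT address with real visitors. Note that this only produces the list; the reply above points out that path-based blocking for popular CMS exploits already exists in the ModSecurity ruleset, so this fills the gap for site-specific quarantined files rather than replacing the WAF.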
#5, 26.07.2018 12:07:25
Posts: 187
Joined: 31.01.2017
> We experienced the same last weekend; nearly 500 php files were added to or edited in one account, according to the Maldet program report.
>
> Imunify360 didn't pick anything up. I initiated an On-demand scan on Monday, and 230+ files were listed and quarantined. We are running proactive monitor, in report mode, and that didn't detect anything all weekend.
>
> One thing to note is we are running Imunify360 over Litespeed, and we know that Litespeed and modsecurity do not play nice together with the Maldet hookscan script. And we have had no luck with Imunify360 detecting exploited uploaded files. It does, however, detect uploads when used with Apache.

Nick,

Can you please submit a ticket at https://cloudlinux.zendesk.com (Imunify360 department) so our support team can have a closer look at your LiteSpeed system with Imunify360?

Thanks