Imunify360 and Imunify Sensor forum
Posted by ImanGM, Saturday, 08 December 2018
Hello there,

I've installed Imunify360 on Plesk (CentOS). I set the Proactive Defense mode to Kill Mode, but it seems that Proactive Defense is not working. To test it, I made a PHP file with the following content:


<?php system('wget -V');?>


and ran it. It ran without a problem for a while (actually I've disabled the system function in PHP, so it shows only a white screen). There aren't any logs on the Proactive Defense page. But after some retries (a few minutes later) the file gets quarantined, I guess via the Imunify360 Malware Scanner and inotify (permissions are set to 000).

I've checked whether the i360 extension is installed on all PHP versions by running the following command for each PHP handler:


/opt/plesk/php/{PHP Version}/bin/php -m


and in all of them I see i360 as an active module. Any help on how I can make Proactive Defense work and stop shells and malware immediately, before they are detected by the Malware Detector?

Thanks
Iman
#1 Greg Zemskov (Posts: 28, Joined: 16.11.2018), 10.12.2018 09:12:23
Hi Iman,
Would you please check the <?php phpinfo(); ?> output and post a list of the loaded extensions here? We need to check whether the im360 extension is installed.
#2 ImanGM (Posts: 10, Joined: 08.12.2018), 10.12.2018 10:12:18
Hello Greg,

Thank you for your reply. Actually, I wanted to submit a ticket at first, but since I didn't find many resources regarding issues with Imunify360 on the internet, I decided to ask for help here so that other users who have similar problems can find a solution faster.

The answer to your question is yes; as I said before, the extension is active in PHP. In phpinfo I have /opt/plesk/php/5.6/etc/php.d/i360.ini, and in the i360 section I have this:


i360 state activated
i360 action enabled
i360 path to log data sock:/var/run/imunify360_user/proactive.sock
i360 log type 2
i360 list of functions base64_decode,str_rot13,str_replace,gzinflate,pcntl_exec,symlink,socket_connect,register_shutdown_function,register_tick_function,mail,fopen,fwrite,file_get_contents,file_put_contents,include,include_once,require,require_once,curl_init,mysql_query,assert,exec,passthru,gzdeflate,system,shell_exec,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,eval,rawurldecode,preg_replace,trim
i360 send on shtdwn 0
i360 danger func danger: file_put_contents,curl_exec,fopen,fwrite,symlink,socket_connect,exec,system,passthru,shell_exec,proc_open,popen,eval


But for some reason it's not working. When I upload a PHP shell file or something that contains the PHP system function, the file can be loaded without any problems for a few minutes, but after a few minutes its permissions change to 000, and it seems that the file is quarantined by the Imunify360 Malware Detector, not by the Proactive Defense system.

I believe that if Proactive Defense were working fine, the attack would be stopped immediately. Is there anything else I need to check?

Thank you.
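The two checks discussed above (is i360 listed by `php -m` for every Plesk PHP handler, and does its phpinfo section report `state activated` / `action enabled`) can be scripted so that a server with several handlers is verified in one pass. The script below is an added example, not code from the thread or from Imunify360; it assumes the Plesk layout /opt/plesk/php/<version>/bin/php and the `i360 state` / `i360 action` lines in the form shown in the poster's phpinfo output (CLI `php -i` prints them as `i360 state => activated`, which the parser also accepts). It reports a handler as healthy only when the module is both loaded and active, which is the precondition the thread establishes before looking at the Proactive Defense rule set itself.

```shell
#!/bin/sh
# Added example (not from the forum thread or Imunify360): report, for every
# Plesk PHP handler, whether the i360 extension is loaded and whether its
# phpinfo section says the module is activated and its action is enabled.
# Assumption: handlers live at /opt/plesk/php/<version>/bin/php and the
# module's ini is the matching /opt/plesk/php/<version>/etc/php.d/i360.ini.

# Exit 0 when `php -m` output on stdin lists the i360 module (whole-line match,
# so a module such as "i360foo" would not count).
i360_loaded() {
    grep -qx 'i360'
}

# Print the value of one "i360 <key> <value>" line from `php -i` text on stdin,
# accepting both "i360 state => activated" and "i360 state activated".
# Prints "missing" when the key is absent, so callers never see an empty string.
i360_value() {
    val=$(awk -v k="$1" '
        $1 == "i360" && $2 == k {
            for (i = 3; i <= NF; i++) if ($i != "=>") { print $i; exit }
        }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'missing\n'; fi
}

# Read `php -i` text on stdin, print "state=... action=...", and exit 0 only
# when the module reports state "activated" and action "enabled".
i360_active() {
    info=$(cat)
    state=$(printf '%s\n' "$info" | i360_value state)
    action=$(printf '%s\n' "$info" | i360_value action)
    printf 'state=%s action=%s\n' "$state" "$action"
    [ "$state" = "activated" ] && [ "$action" = "enabled" ]
}

# Check one handler binary; exit non-zero when it is missing the module or
# the module is present but not active.
check_handler() {
    php="$1"
    if ! "$php" -m 2>/dev/null | i360_loaded; then
        printf '%s: i360 NOT loaded (look for etc/php.d/i360.ini next to it)\n' "$php"
        return 1
    fi
    printf '%s: i360 loaded, ' "$php"
    "$php" -i 2>/dev/null | i360_active
}

# Walk every Plesk handler; exit non-zero if any one of them fails the check.
check_all_handlers() {
    rc=0
    for php in /opt/plesk/php/*/bin/php; do
        [ -x "$php" ] || continue
        check_handler "$php" || rc=1
    done
    return $rc
}

if [ -d /opt/plesk/php ]; then
    check_all_handlers
else
    echo "no /opt/plesk/php directory on this host; nothing to check" >&2
fi
```

Run it as root on the Plesk host; a non-zero exit means at least one handler either lacks the module or has it loaded but not activated, which is worth confirming before concluding that the Proactive Defense rules themselves are at fault.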
#3 Greg Zemskov (Posts: 28, Joined: 16.11.2018), 10.12.2018 14:12:06
Thank you. Taking into account that it's not a common issue, I'd recommend submitting a ticket regarding it here: https://cloudlinux.zendesk.com/hc/en-us/requests/new (Imunify360 product). The support team will help you with it and may request some more details that will help resolve the issue quicker.
#4 ImanGM (Posts: 10, Joined: 08.12.2018), 10.12.2018 14:12:54
Hello Greg,

Thank you. I've opened a ticket. I'll update it here if the reason turns out to be something that could be a common issue.

Cheers,
Iman
#5 Greg Zemskov (Posts: 28, Joined: 16.11.2018), 10.12.2018 15:12:21
Iman,
I've just spoken with our dev team: we're going to release lots of improvements for the Proactive Defense module, but so far some of the rules have been disabled, including the one that should detect those particular "system" invocations. I believe the 3.9 beta will contain the whole set of rules. I'd recommend enabling "beta" to get those capabilities ASAP.
#6 ImanGM (Posts: 10, Joined: 08.12.2018), 10.12.2018 16:12:38
Good to hear that the dev team is working on it. Sure, I'm up for beta programs. Is there any specific way to turn on beta mode in Plesk, or should I enable it by reinstalling Imunify360 from the CentOS CLI?

Thanks,
Iman
#7 Greg Zemskov (Posts: 28, Joined: 16.11.2018), 10.12.2018 16:12:20
Iman,
Each release's notes include the CLI command for upgrading to a beta. So it doesn't require any special settings in the Plesk panel, just an extra argument for the CLI command.
#8 ImanGM (Posts: 10, Joined: 08.12.2018), 18.12.2018 08:12:40
Hello Greg,

It seems that this issue is fixed in Imunify360 v3.8.6, which was released today.

Thank you.
Iman
#9 Greg Zemskov (Posts: 28, Joined: 16.11.2018), 18.12.2018 16:12:01
Yes, the 3.8.6 prod version includes fixes for it.
Thank you for choosing Imunify360.