Can IPs that access suspicious files/urls be black/grey listed?


A spam hacker got into a site today and created dozens of PHP files with names like albertus.php, alphonso.php and amada.php in various folders. Now I'm trialing Imunify360 to see what it can do.
I don't know if these files would have been picked up by the Malware Scanner (I hope/assume so) because I had deleted them all before we installed Imunify360.

Assuming the scanner does identify the files, is there any way to set something up so that if any IP address tries to access one of these quarantined files then that IP is grey or black listed?
And can a file be manually flagged as malicious and then quarantined?
There is a 100% chance that anyone trying to access one of these files needs to be blocked, and if that could be done by the firewall this would have kept the attacked website operational today. The website got so many requests for these deleted files that any legit users got a "resource not available" message or no response at all.

Thanks,
Phil

#2
Hi Phil,

First, you may want to enable the Proactive Defense module that detects and terminates (in Kill Mode) PHP scripts that do harmful things.

> Assuming the scanner does identify the files, is there any way to set something up so that if any IP address tries to access one of these quarantined files then that IP is grey or black listed?
> And can a file be manually flagged as malicious and then quarantined?

I'd suggest the following course of action:
1) Perform an on-demand scan on the sub-directory with the uploaded webshells. If the scanner detects them, you'll get notifications in the Malware tab of the Imunify360 UI. A default action will be performed automatically (one of Warn/Quarantine/Delete).
2) If some file is not detected, although you believe it is harmful:
   - submit a false negative to us as described in http://docs.imunify360.com/command_line_interface.htm
   - chmod 000 that file (that's essentially what Quarantine does to all files detected as malware)

> There is a 100% chance that anyone trying to access one of these files needs to be blocked and if that could be done by the firewall this would have kept the attacked website operational today. The website got so many requests for these deleted files that any legit users got a resource not available message or no response at all.

A task with internal id DEFA-538 has been created to research a feature of blocking IPs that request quarantined files.



#3
We experienced the same last weekend: nearly 500 PHP files were added or edited on one account, according to the Maldet program report.

Imunify360 didn't pick anything up. I initiated an on-demand scan on Monday, and 230+ files were listed and quarantined. We are running Proactive Defense in report mode, and that didn't detect anything all weekend.

One thing to note is we are running Imunify360 over LiteSpeed, and we know that LiteSpeed and ModSecurity do not play nicely together with the Maldet hookscan script. And we have had no luck with Imunify360 detecting exploited uploaded files. It does, however, detect uploads when used with Apache.

We are currently trialling Apache with mod_lsapi to get the benefits of fast PHP with the security of ModSecurity, Apache and Imunify360.

Sadly, I still have to go and manually edit 150 files that had code added to them, as Imunify360 (and the LiteSpeed/ModSecurity combination) didn't pick those up as being a problem, or block people from running the uploaded scripts.



#4
>> There is a 100% chance that anyone trying to access one of these files needs to be blocked and if that could be done by the firewall this would have kept the attacked website operational today. The website got so many requests for these deleted files that any legit users got a resource not available message or no response at all.
>
> A task with internal id DEFA-538 has been created to research a feature of blocking IPs that request quarantined files.

Further to this, pre-Imunify360 we used OSSEC in server/agent mode across all our servers. We created rules that would block IP addresses based on them accessing known WordPress or Joomla exploits. It would be good if Imunify360 could maybe follow this approach too. Not just quarantined files, but maybe maintain a list of exploits that hackers continually try, and block them immediately.

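One way to implement the access-log rule described in the post above (and the first post's wish to grey/black list any IP that requests a quarantined file), as an added example written for this thread; it is not Imunify360's DEFA-538 feature, not the poster's OSSEC rules, and not code from either project. It assumes Apache "combined" log format, matches on the basename of the request path (the webshells were spread across folders), ignores the HTTP status (a deleted file returns 404 and a chmod 000 file returns 403, and both still identify the requester), and uses a hypothetical repeat-offender threshold to separate a greylist from a blacklist. The log lines and IP addresses are constructed from documentation ranges; the quarantined filenames are the ones named in the first post.

```python
"""Find client IPs that request quarantined files in a web server access log
and bucket them for grey/black listing. Illustrative code, not Imunify360's."""
import posixpath
import re
from collections import Counter
from ipaddress import ip_address

# Basenames of the files the scanner quarantined (names from the first post).
QUARANTINED = {"albertus.php", "alphonso.php", "amada.php"}

# Constructed sample lines in Apache "combined" format; the IPs come from
# documentation ranges and nothing here is a real client.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2019:13:55:36 +0000] "GET /wp-content/uploads/albertus.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2019:13:55:37 +0000] "POST /images/ALPHONSO.php?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:02 +0000] "GET /amada.php HTTP/1.1" 404 512 "-" "curl/7.64.0"
192.0.2.44 - - [10/Oct/2019:13:57:15 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

# client ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, method, path, status), or None when the line does not parse
    or the client field is not a valid IP address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    try:
        ip_address(ip)
    except ValueError:
        return None
    return ip, method, path, int(status)


def is_quarantined(path, quarantined=QUARANTINED):
    """True if the request path names a quarantined file, ignoring the
    directory, any query string and letter case."""
    name = posixpath.basename(path.split("?", 1)[0])
    return name.lower() in quarantined


def hits_per_ip(log_text, quarantined=QUARANTINED):
    """Count requests for quarantined files per client IP. The HTTP status is
    deliberately ignored: 404 after deletion and 403 after chmod 000 both
    still mark the requester."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_quarantined(rec[2], quarantined):
            hits[rec[0]] += 1
    return hits


def classify(hits, blacklist_threshold=2):
    """Split IPs into a greylist (any hit) and a blacklist (repeat offenders).
    The threshold is a tunable assumption of this example, not a product setting."""
    greylist = sorted(ip for ip, n in hits.items() if 0 < n < blacklist_threshold)
    blacklist = sorted(ip for ip, n in hits.items() if n >= blacklist_threshold)
    return greylist, blacklist


if __name__ == "__main__":
    grey, black = classify(hits_per_ip(SAMPLE_LOG))
    print("greylist:", grey)    # ['198.51.100.7']
    print("blacklist:", black)  # ['203.0.113.10']
```

To run it against a real server, read the access log file into `hits_per_ip` instead of `SAMPLE_LOG` and keep `QUARANTINED` in sync with what the scanner has actually quarantined; how the resulting lists are pushed into the firewall's grey/black lists depends on the tooling in use and is left out here.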


#5
> Further to this, pre-Imunify360 we used ossec in server/agent mode across all our servers. We created rules that would block IP addresses based on them accessing known wordpress or joomla exploits. It would be good if Imunify360 could maybe follow this approach too. Not just quarantined files, but maybe maintain a list of exploits that hackers continually try, and block them immediately.

We already have this present at the WAF level (ModSecurity). Most popular CMSes are covered by their specific rules if the full Imunify360 ModSecurity ruleset is installed.



#6
> We experienced the same last weekend, nearly 500 php files were added or edited to one account, according to the Maldet program report.
>
> Imunify360 didn't pick anything up. I initiated an On-demand scan on Monday, and 230+ files were listed and quarantined. We are running proactive monitor, in report mode, and that didn't detect anything all weekend.
>
> One thing to note is we are running Imunify360 over Litespeed, and we know that Litespeed and modsecurity do not play nice together with the Maldet hookscan script. And we have had no luck with Imunify360 detecting exploited uploaded files. It does, however, detect uploads when used with Apache.

Nick,

Can you please submit a ticket at https://cloudlinux.zendesk.com (Imunify360 department) so our support team can have a closer look at your LiteSpeed system with Imunify360?

Thanks
