Dmitry Belomestnykh

PHP malware obfuscation using goto

Imunify’s Malware Intelligence Team has been witnessing an increase in malware samples using the goto programming construct. Here’s a chart showing the recent surge of malware using goto as an obfuscating mechanism.

Continue reading
  173 Hits
  0 Comments
Naveen Velusamy

Malware Masquerading as a Web Server Image Processor

Introduction

Your web server's image processor could be malware hiding in plain sight.

I'm going to describe an interesting type of malware the Malware Intelligence Team recently uncovered during a recent research operation.

At the time of writing, there were 11,320 cases of it detected and neutralized on 265 websites across 183 servers.

It is a particularly ingenious and potentially destructive type of malware: it is designed to appear as a legitimate image processor, and can act as a backdoor to your web server.

A backdoor is malicious software that lets a hacker get back into your server even after you detect and remove their access credentials. When a hacker gets into your site, the first thing they do is upload a backdoor.

Continue reading
  597 Hits
  1 Comment
Greg Zemskov

An Introduction to Imunify Hooks

In Imunify360 v4.2 beta, we introduced “Hooks”, a new way to handle asynchronous events coming from the Imunify agent. It works like a simple event handler. For example, you can create a script that will run when malware is detected (right after the on-demand or background scan is finished).

The script is put on the server and registered via the Imunify360 command-line interface. In the script, you can specify a set of actions based on the scanning report received from Imunify360: for example, suspend a user account infected with malware, send out an email notification, or submit a ticket for the client. Hooks are just executables, so they can be written in any language (bash, php, python, etc.).

We’ve had a lot of questions regarding the practical use of hooks. So, we’ve created this article to show you an example of a hook that runs when malware is detected, and suspends the cPanel user account when the number of infected files exceeds three.

Here are the steps to create the hook:

Create a file (e.g. /root/hooks/hook.php) with the following content:

Continue reading
  469 Hits
  0 Comments
Andrey Kucherov

HiddenWasp: How to detect malware hidden on Linux & IoT

There’s a dangerous new malware affecting Linux and IoT devices known as HiddenWasp. In this article, I’ll dissect it to show you how it works and how you can stop it infecting your Linux server or IoT device.

Continue reading
  1169 Hits
  0 Comments
Paul Jacobs

Beta: Imunify360 4.2.2 updated

We are pleased to announce that the new updated Imunify360 version 4.2.2 beta is now available.

Fixes[DEF–8687] - Imunify360 is scanning php session files too[DEF–8731] - Imunify360 service in cPanel service manager should be updated[DEF–8757] - Sentry tags are missingHow to install

To install the new Imunify360 version 4.2.2 beta

Please follow the instructions in the documentation.

To upgrade Imunify360 on CentOS/CloudLinux systems

Run the command:

Continue reading
  581 Hits
  0 Comments
Paul Jacobs

Imunify360 Live Webinar – April 23 – “We Know How You Were Hacked”

Detecting a website infection isn't enough. To stop it happening again, you need to know how it got there.  50 to 70 percent of shared hosting websites have infections. Finding and removing malware and viruses is easy. But they'll come back unless you know how they got there and where they came from. Imunify360 knows, and we're holding a webinar to explain everything. Join  on Tuesday, April 23, 2019, at 10 AM (PST) / 1PM (EST). In the webinar, CloudLinux CEO Igor Seletskiy reprises this year's successful CloudFest presentation. Jamie Charleston , Senior Sales Engineer, will follow up with a live demo of Imunify360. A question and answer session will wrap up the webinar.  Regi...
Continue reading
  905 Hits
  0 Comments
Oleg Boytsev

[Threat Intelligence Report] Remote Code Execution in Drupal 8 (CVE-2019-6340)

The Imunify360 Threat Intelligence Group are monitoring a remote code execution vulnerability targeting installations of the Drupal CMS. This vulnerability has the identifier CVE-2019-6340 . It affects these versions of Drupal: All 8.5.x versions, up to and including 8.5.11 All 8.6.x versions, up to and including 8.6.10 Attack Method Remote code execution vulnerabilities allow attackers to execute arbitrary code on a platform, in this case, the Drupal CMS. The code can install other software, gather data for exporting, or permanently delete or modify data without the site owner's knowledge or consent. Attackers deliver malicious PHP payloads using automated scripts. It is this payload we hav...
Continue reading
  1133 Hits
  0 Comments
Andrey Kucherov

When Linux antivirus lets you down: How to remove malware from a website manually

By Andrey Kucherov, Malware Analyst at Imunify360 The detection rates of anti-malware and antivirus scanners varies considerably. Knowing how to manually scan for and remove malware is an important and useful skill with which to confirm a scanner's effectiveness or compensate for its failings. In this article, Andrey Kucherov, Malware Analyst at Imunify360, describes some essential manual website malware detection and cleanup techniques.   Introduction The reality of modern security creates new challenges for web hosts every day. It is well known that there is no absolute protection that guarantees a 0% chance of your website being hacked. Even major players in online markets suffer fro...
Continue reading
  2738 Hits
  0 Comments
Oleg Boytsev

How our InfoSec Professionals stay one step ahead

Stay in the light; be aware of the dark. Anonymous 'Know your enemy' is an overused cliche in the cybersecurity industry. We take a broader view: Know your world, and your place in it.  Our team knows the hacking world. We've recruited ethical hackers, OSCP-certified engineers, and seasoned IT professionals, all of whom are watching the dark web and its subversive operatives, watching how threats evolve and how attacks are planned. We routinely monitor zero-day exploits, examining use-cases thoroughly and responding with robust mitigation strategies. The fruits of intensive research and development are augmented by both human experience and machine learning. This sharpens our ability to...
Continue reading
  2339 Hits
  0 Comments
Andrey Kucherov

Host your website safely and avoid website cross-contamination issues

By Andrey Kucherov, Malware Analyst at Imunify360.  This article discusses the hidden pitfalls of hosting multiple websites on one hosting account, and how you can remediate the consequences of website cross-contamination. The structure of virtual hosting (also known as shared hosting) can be illustrated by a bee hive: each website (bee) has its own folder (cell). At the same time, all bees share the same hive (hosting account resources, such as disk space, database, RAM, CPU, etc.). In most cases, hosting companies do not provide resource isolation for shared hosting accounts (plans that let you host multiple websites on one account). In practice, that means that all website files are ...
Continue reading
  2600 Hits
  0 Comments
Greg Zemskov

New ISPmanager Lite panel with ImunifyAV

​For ISPmanager panel users, Revisium Antivirus changes its name to ImunifyAV , keeping its reputation as a popular and effective malware and virus scanner. Today, ISPsystem release a new version of their ISPmanager Lite hosting panel. This version comes pre-installed with ImunifyAV , the new name for Revisium Antivirus. With it, you can scan an unlimited number of websites and users per server, do automatic malware cleanup and create schedules for scanning. You can also get email alerts about any website infections. You can find ImunifyAV in the Tools menu: ​ If a user doesn't have an antivirus solution already configured, ImunifyAV becomes the default for that panel. Otherwise, a system ad...
Continue reading
  1590 Hits
  0 Comments
Greg Zemskov

Why do small sites get hacked?

If you think your site won't be hacked because it's too small to matter, think again. I'll show why that is a false and dangerous assumption. Many site owners and webmasters think that hackers only care about popular, highly-ranked websites. They are wrong. High traffic volume helps boost earnings on partner programs by redirecting visitors to other sites, gets more views of unauthorized advertisements and attracts more clicks on rogue links. But that is not the only way hackers make money. Unprotected sites with low traffic volume are equally attractive to hackers. It is the way they are used that differs from how hackers monetize more popular websites. Any normal site, with an audience of ...
Continue reading
  1543 Hits
  0 Comments
Greg Zemskov

Opsani VCTR is now Imunify QuickPatch, the free, vulnerability evaluator for Plesk

If you use Plesk, you'll know it's one of the leading control panels for web hosters and resellers, and one that supports Opsani VCTR, or, to give its new name, Imunify QuickPatch . Here's an introduction to what it does and why you need it if you care about the security of hosted websites. Making sure your system and its packages are up to date is a fundamental strategy for keeping systems secure. The problem is in the management overhead this creates. The packages and configurations of each system must be regularly checked and updated*. Imunify QuickPatch does this for you. Imunify QuickPatch is free. It scans and analyzes your system for security issues. Imunify QuickPatch analyzes server...
Continue reading
  1438 Hits
  0 Comments
Greg Zemskov

Revisium Antivirus becomes ImunifyAV in Plesk

Plesk panel users will soon notice a change in their panels. For Plesk panel users, Revisium Antivirus changes its name to ImunifyAV , keeping its reputation as a popular and effective malware and virus scanner, and joining the Imunify360 security solution for complete protection of Linux Web servers. As with its previous version, ImunifyAV comes in free and paid versions. The free ImunifyAV efficiently scans websites and detects all kinds of malware. Use it for an unlimited number of scans on all websites on a server. ImunifyAV+ is the paid upgrade that does this and more, with a one-click automated cleanup option for full sanitization of entire servers, effortlessly. Both versions have an ...
Continue reading
  1451 Hits
  0 Comments
Andrey Kucherov

What to do if your Website is Hacked: A Disaster Recovery Plan

Thousands of websites get hacked on a daily basis. Actually, thousands out of the many billions of websites on the Internet is quite a low percentage, but if you got unlucky and your website is among those, you need to take it seriously, and respond to the threat quickly and wisely. Unfortunately, very often, website owners are 100% sure that they won't ever be a victim, and do not have a valid disaster recovery plan for such cases. Or, if they do, the plan consists of just one bullet point: I was unlucky and the plan is to shut down my business. In this article, I cover that gap and offer you a solid disaster recovery plan if your website got hacked. Once Upon a Time, a Website Got Hacked… ...
Continue reading
  1707 Hits
  0 Comments
Oleg Boytsev

Imunify360 protects against a critical vulnerability in Van Ons WP GDPR Compliance WordPress plugin (CVE–2018–19207)

The popular Van Ons WordPress plugin for GDPR compliance, with more than 100,000 active installations, was patched on November 7th due to a privilege escalation vulnerability ( CVE–2018–19207 ) found in version 1.4.2. The WP GDPR Compliance plugin helps website owners meet the recent GDPR European data privacy regulation. This came into effect in May of this year, boosting the plugin's popularity. Starting on 10th November, our Threat Intelligence Group noticed a surge in attacks targeting this exploit vector.   Imunify360 customers were already protected by a WAF rule issued several days earlier. This rule detects and blocks malicious payloads attempting to exploit this attack vector. ...
Continue reading
Recent comment in this post
Branko Veljkovic
comment test
Tuesday, 07 May 2019 11:48
  1517 Hits
  1 Comment
Greg Zemskov

ImunifyAV: The Free, Powerful, Malware Scanner (now in Beta for cPanel and DirectAdmin)

Keeping watchful is the first step towards effective security; keeping malicious code out of your websites is essential to protect them. I'm excited to let you know about ImunifyAV, our powerful new malware scanner. It's currently available in beta for cPanel and DirectAdmin panels. I'm also happy to tell you it's free and will always be free (as in forever). Here's more about it. ​ ImunifyAV detects all kinds of malware in all types of files —it doesn't matter whether your websites are based on PHP (like WordPress, Joomla and Drupal), or built with classic, static HTML. Our advanced de-obfuscation techniques let it detect malicious code hidden in files using encryption or encoding. ImunifyA...
Continue reading
Recent Comments
Greg Zemskov
Hi Eric, Imunify360 is a superior product to AV. Imunify360 includes AV. AV cannot protect websites and server from attacks and ha... Read More
Monday, 12 November 2018 08:19
  2301 Hits
  2 Comments
Greg Zemskov

How Spammers Spam

Twenty years on and spam is still a problem. I'll look at why that is and what we can do to reduce or prevent it. Contrary to popular belief, hacking a site and uploading malicious scripts onto it is not the only way spamming gets a foothold. There are other ways. For example, it could be because of a compromised account, the use of script vulnerabilities, or an incorrectly configured mail server. The diagram below shows an overview of the methods. ​ In this article, I'll look at the different ways unsolicited email (spam) can emanate from a web server, and some of the ways you can stop it. Spamming by hacking A hacked site or server is the most common reason behind an outbreak of spamming a...
Continue reading
  2724 Hits
  0 Comments
Greg Zemskov

Why Does Site or Server Load Increase?

There's only one good reason why the load on your hosting server starts increasing–the rest are bad. I'll look at how and why they all happen. I was often contacted by site owners who had a problem with high server load. This common condition is first noticed when an owner gets a warning message from their hosting company. Such messages can be precursors to the blocking of the site, and it can happen to almost any site owner or webmaster. This article covers the different reasons why the load on a site or server might be increasing, and what can be done about it. Webmasters usually find out about excess load from their hosters. Hosting companies regulate and control resource usage for each h...
Continue reading
  2457 Hits
  0 Comments
Greg Zemskov

Patterns of thought: the psychology of weak passwords

In this article, I look at why webmasters, site administrators and their users choose and use weak passwords. Later, I recommend ways to create passwords that are reliable and resistant to brute-force attacks. Warnings that the internet is increasingly an unsafe environment appear with alarming regularity in studies commissioned by companies specializing in information security. The growing number of web attacks and the increasing activity of the hacker community require a new discipline and focus on security. But while cybersecurity experts are talking about high technology and advanced protection, it seems a rudimentary rule has been forgotten: the use of strong passwords. Unreliable passw...
Continue reading
  1858 Hits
  0 Comments