To keep servers safe, you must make sure your Imunify360 malware database is always up to date. We're striving to make Imunify360 the easiest way to keep Linux web servers secure. So we're announcing that, as of July 10, 2019, the Imunify360 and ImunifyAV malware and black hash databases get updates every business day.
Your web server's image processor could be malware hiding in plain sight.
I'm going to describe an interesting type of malware the Malware Intelligence Team recently uncovered during a recent research operation.
At the time of writing, there were 11,320 cases of it detected and neutralized on 265 websites across 183 servers.
It is a particularly ingenious and potentially destructive type of malware: it is designed to appear as a legitimate image processor, and can act as a backdoor to your web server.
A backdoor is malicious software that lets a hacker get back into your server even after you detect and remove their access credentials. When a hacker gets into your site, the first thing they do is upload a backdoor.
In Imunify360 v4.2 beta, we introduced “Hooks”, a new way to handle asynchronous events coming from the Imunify agent. It works like a simple event handler. For example, you can create a script that will run when malware is detected (right after the on-demand or background scan is finished).
The script is put on the server and registered via the Imunify360 command-line interface. In the script, you can specify a set of actions based on the scanning report received from Imunify360: for example, suspend a user account infected with malware, send out an email notification, or submit a ticket for the client. Hooks are just executables, so they can be written in any language (bash, php, python, etc.).
We’ve had a lot of questions regarding the practical use of hooks. So, we’ve created this article to show you an example of a hook that runs when malware is detected, and suspends the cPanel user account when the number of infected files exceeds three.
Here are the steps to create the hook:
Create a file (e.g. /root/hooks/hook.php) with the following content: