kenneth-vkd
Basic Pleskian
Hi
We have some issues regarding our hosting environment, where a few domains keep getting infected.
All domains in the entire server run on PHP 5.5.31 and a few on PHP 5.6.x. The installed CMS applications and 3rd party modules are fully updated.
We are using the dr.web antivirus application that comes preinstalled and we have also installed Linux Malware Detect and this runs a cron-task to scan the entire system 4 times a day. Also mod_security is enabled, but we are using the core ruleset and not owasp.
It seems as the websites have compromised user accounts in the CMS, where the user has got some kind of infection in their local computer and these users have permission to upload files in certain folders.
The intruders have managed to construct an html-form which posts a file upload to correct endpoint in the CMS and can therefore upload a html-file, whcich is not caught by our tools. This form allows the intruders to upload a malicious php-script into other modules folders, so that code-execution is allowed.
We have tried to track down the intruders, but have been unsuccesful. Currently the only thing we can do is to run with a very low hourly outgoing mail limit and each time we get a notification we can look in the mail queue and in the maillog and then check and delete malicious files. However only a few hours after either an automated scan has removed the file or we manually remove it, then another file shows up in the same or a different location and everything starts over again.
Is there a tool, extension, third party application, or advice that someone can recommend to us so that it will be easier for us to prevent these issues in the future.
We have some issues regarding our hosting environment, where a few domains keep getting infected.
All domains in the entire server run on PHP 5.5.31 and a few on PHP 5.6.x. The installed CMS applications and 3rd party modules are fully updated.
We are using the dr.web antivirus application that comes preinstalled and we have also installed Linux Malware Detect and this runs a cron-task to scan the entire system 4 times a day. Also mod_security is enabled, but we are using the core ruleset and not owasp.
It seems as the websites have compromised user accounts in the CMS, where the user has got some kind of infection in their local computer and these users have permission to upload files in certain folders.
The intruders have managed to construct an html-form which posts a file upload to correct endpoint in the CMS and can therefore upload a html-file, whcich is not caught by our tools. This form allows the intruders to upload a malicious php-script into other modules folders, so that code-execution is allowed.
We have tried to track down the intruders, but have been unsuccesful. Currently the only thing we can do is to run with a very low hourly outgoing mail limit and each time we get a notification we can look in the mail queue and in the maillog and then check and delete malicious files. However only a few hours after either an automated scan has removed the file or we manually remove it, then another file shows up in the same or a different location and everything starts over again.
Is there a tool, extension, third party application, or advice that someone can recommend to us so that it will be easier for us to prevent these issues in the future.