prevent outgoing attacks from infected .php files uploaded

donkodonko Member

Any advice about how I can prevent outgoing attacks from "customers" who upload something weird to their hosting account?
I found that what mostly causes problems are nulled scripts which occasionally someone uploads, but I delete them as soon as I receive the alert from the AV.

Currently my best choice is perma-blocking outgoing traffic to TCP ports 80-443, but I guess that will break many things, or not? What can be broken if I block that?

I have DirectAdmin, CloudLinux and ImunifyAV premium, but I want to prevent the script from running even for 5 min, because if it scans something I will get an abuse report from Hetzner and they're not friendly handling that.

Get free € 20 Credits to spend in Hetzner Cloud by signing up from my aff link

Comments

  • t0mt0m Member

    If you disable 80/443 outgoing traffic you will not be able to check/download updates for DirectAdmin, WordPress and so on. You can work with a whitelist to allow certain destinations, but it sounds time consuming.
    Maybe it's better to block/disable some PHP functions like file_get_contents in php.ini.

    Thanked by 2donko raindog308

    load average: 0.00, 0.00, 0.00

  • TheLinuxBug Member
    edited September 3

    Get CXS, set up cxswatch to run regularly/on upload on the system to detect malware and exploited PHP code in the sites you're hosting. It has an automated quarantine function you can set up which will then quarantine any abusive or infected code from the site content, preventing the abuse you are seeing. This isn't guaranteed per se to resolve all of your issue(s); however, it will help you detect such abusive code a bit more quickly. The best part is it is a one-time $60 license fee and that's it. If you are doing any type of shared hosting it's almost a must-have in my opinion.

    my 2 cents.

    Cheers!

    Thanked by 1donko

    Have an Allwinner H3 device? Android? Check out H3Droid! | Lichee Pi Zero - The 6$ SBC | #SYSarm - Get It! | Atomic Pi - $35 x86 SBC
    21+ Years IT Experience in Linux/Windows Hosting, Administration and Development Services

  • Doesn’t ImunifyAV offer real-time scanning? You can set DirectAdmin to use ModSec on upload, check in Custombuild options.

  • Mod_security and maldet. It should suffice. No paid options really needed.

    Thanked by 1donko

    hostWP.net -- Free Wordpress Hosting!

  • @LeonDynamic said:
    Doesn’t ImunifyAV offer real-time scanning? You can set DirectAdmin to use ModSec on upload, check in Custombuild options.

    I think that is Imunify360; I have only ImunifyAV+.

    Thanks for all the suggestions. Also I discovered I'm an idiot and didn't have the PHP secure option for DirectAdmin enabled to set disable_functions; I guess that helped allow people to run shells :neutral:

    Get free € 20 Credits to spend in Hetzner Cloud by signing up from my aff link

  • @donko that will prevent certain PHP functions from running, but I would look at using maldet with Malware Expert rules for real-time scanning of files being uploaded, etc.

    Thanked by 1donko
  • @donko said:

    @LeonDynamic said:
    Doesn’t ImunifyAV offer real-time scanning? You can set DirectAdmin to use ModSec on upload, check in Custombuild options.

    I think that is Imunify360; I have only ImunifyAV+.

    Thanks for all the suggestions. Also I discovered I'm an idiot and didn't have the PHP secure option for DirectAdmin enabled to set disable_functions; I guess that helped allow people to run shells :neutral:

    Disabling file_get_contents can break many applications, especially those relying on external APIs. If you don't want that, get CXS + OSM + manual reviews of processes and scans.

    Thanked by 1donko

    ^-^!
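The thread ends on two points: disable_functions in php.ini is what stops an uploaded script from spawning a shell, while blanket-disabling fetch functions like file_get_contents breaks legitimate apps. The following is an added example, not code from the thread or from any poster, DirectAdmin or CloudLinux: a small audit that parses the disable_functions directive out of php.ini text and reports which process-execution functions are still allowed (the thing to fix) separately from which outbound-network functions are still allowed (reported for information only, because of the breakage caveat). The two php.ini samples and the function lists are this example's own constructed choices.

```python
import re

# Functions that let an uploaded PHP file run OS commands. Leaving any of these
# enabled on a shared host is what the thread calls "allowing people to run
# shells". The list is this example's choice, not a DirectAdmin/CloudLinux default.
EXEC_FUNCTIONS = {"exec", "passthru", "shell_exec", "system",
                  "proc_open", "popen", "pcntl_exec"}

# Functions that let a script open outbound connections. Disabling these (or
# file_get_contents via allow_url_fopen) can break apps that call external
# APIs, so the audit only reports them rather than treating them as findings.
NETWORK_FUNCTIONS = {"fsockopen", "pfsockopen", "curl_exec",
                     "curl_multi_exec", "stream_socket_client"}

# Constructed sample: a stock php.ini where nothing is disabled.
WEAK_INI = """
; php.ini (constructed sample)
disable_functions =
allow_url_fopen = On
"""

# Constructed sample: execution functions disabled, fetch functions left alone.
HARDENED_INI = """
; php.ini (constructed sample)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
allow_url_fopen = On
"""

_DIRECTIVE = re.compile(r"disable_functions\s*=\s*(.*)$", re.IGNORECASE)


def parse_disable_functions(ini_text: str) -> set:
    """Return the set of names in the last disable_functions= line of php.ini text.

    Lines starting with ';' are comments. Quotes around the value are stripped.
    As in PHP, a later occurrence of the directive overrides an earlier one.
    A missing or empty directive yields an empty set.
    """
    names = set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(1).strip().strip('"').strip("'")
            names = {n.strip() for n in value.split(",") if n.strip()}
    return names


def audit(ini_text: str) -> dict:
    """Compare the disabled set against the two tiers above.

    'exec_allowed' is the actionable finding; 'network_allowed' is informational,
    since disabling those may break applications that rely on external APIs.
    """
    disabled = parse_disable_functions(ini_text)
    return {
        "disabled": sorted(disabled),
        "exec_allowed": sorted(EXEC_FUNCTIONS - disabled),
        "network_allowed": sorted(NETWORK_FUNCTIONS - disabled),
    }


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        result = audit(ini)
        print(f"[{label}] exec functions still allowed: {result['exec_allowed']}")
        print(f"[{label}] network functions still allowed (info): "
              f"{result['network_allowed']}")
```

disable_functions is a PHP_INI_SYSTEM setting, so once it is set in the main php.ini a customer cannot undo it from a .user.ini, .htaccess or ini_set() call; that is why the thread's "PHP secure option" matters more than per-account tweaks. Running the audit on the weak sample lists all seven execution functions as still allowed; on the hardened sample it lists none, while still noting that the network-capable functions remain enabled.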
