prevent outgoing attacks from infected .php files uploaded

Any advice on how I can prevent outgoing attacks from "customers" who upload something weird to their hosting account?
I found that what mostly causes problems are nulled scripts which occasionally someone uploads, but I delete them as soon as I receive the alert from the AV.

Currently my best choice is perma-blocking outgoing traffic to TCP ports 80-443, but I guess that will break many things, or not? What can be broken if I block that?

I have DirectAdmin, CloudLinux and ImunifyAV premium, but I want to prevent the script from running even if it is only for 5 min, because if it scans something I will get an abuse report from Hetzner, and they're not friendly handling that.

Comments

  • If you disable 80/443 outgoing traffic you will not be able to check/download updates for DirectAdmin, WordPress and so on. You can work with a whitelist to allow certain destinations, but it sounds time-consuming.
    Maybe it's better to block/disable some PHP functions like file_get_contents in php.ini.

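The whitelist approach in the comment above does not have to block outbound 80/443 for the whole box: with the iptables owner match you can reject only packets generated by customer UIDs, so root, DirectAdmin and the panel's update checks keep working while a dropped web shell running as a customer cannot reach out. The script below is an added example, not code from the thread or from any of the products named in it. It assumes (not stated on the page) that customer PHP runs under the customer's own UID (as with per-user PHP on CloudLinux), that customers have UIDs of 1000 and above, and that the whitelist hosts are hypothetical placeholders. Rules are printed for review; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules that block
# outbound HTTP/HTTPS for hosting-customer UIDs only, leaving root and the
# control panel free to fetch updates, and allows a short destination whitelist.
# Assumptions (not from the page): customer PHP runs under the customer's own
# UID (per-user PHP on CloudLinux), customers have UIDs >= 1000, and the
# whitelist hosts below are hypothetical placeholders.
set -eu

CUSTOMER_UID_MIN=1000                                        # assumption
WHITELIST_HOSTS="api.wordpress.org downloads.wordpress.org"  # hypothetical

# Print customer UIDs from a passwd file (default /etc/passwd), skipping nobody.
customer_uids() {
    awk -F: -v min="$CUSTOMER_UID_MIN" \
        '$3 >= min && $3 != 65534 { print $3 }' "${1:-/etc/passwd}"
}

# Rules for one UID: whitelisted destinations first, then REJECT the rest of
# 80/443 with a TCP reset so a malicious script fails immediately instead of
# hanging until its socket timeout (which keeps the process alive longer).
rules_for_uid() {
    uid="$1"
    for host in $WHITELIST_HOSTS; do
        echo "iptables -A CUSTOMER_OUT -m owner --uid-owner $uid -p tcp -d $host -m multiport --dports 80,443 -j ACCEPT"
    done
    echo "iptables -A CUSTOMER_OUT -m owner --uid-owner $uid -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
}

# Full rule set: a dedicated chain hooked into OUTPUT, so it can be flushed and
# regenerated when accounts are added without touching other firewall rules.
generate_rules() {
    passwd_file="${1:-/etc/passwd}"
    echo "iptables -N CUSTOMER_OUT 2>/dev/null || iptables -F CUSTOMER_OUT"
    echo "iptables -C OUTPUT -j CUSTOMER_OUT 2>/dev/null || iptables -I OUTPUT 1 -j CUSTOMER_OUT"
    for uid in $(customer_uids "$passwd_file"); do
        rules_for_uid "$uid"
    done
}

# Demo on a constructed passwd file; set APPLY=1 to execute the rules for real.
demo_passwd=$(mktemp)
printf 'root:x:0:0::/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\ncust1:x:1001:1001::/home/cust1:/bin/sh\nnobody:x:65534:65534::/:/sbin/nologin\n' > "$demo_passwd"
if [ "${APPLY:-0}" = "1" ]; then
    generate_rules /etc/passwd | sh
else
    generate_rules "$demo_passwd"
fi
rm -f "$demo_passwd"
```

Two caveats a practitioner should keep in mind: `-d hostname` is resolved once when the rule is inserted, so a whitelist host whose IP changes silently stops matching until the rules are regenerated (an ipset refreshed by cron is the usual fix), and `-m owner` only works on locally generated traffic, which is exactly the case here. Anything the customer account runs, not just PHP, is covered, so cron jobs and SSH users under that UID are restricted too.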
  • TheLinuxBug, Member
    edited September 2020

    Get CXS, set up cxswatch to run regularly / on upload on the system to detect malware and exploited PHP code in the sites you're hosting. It has an automated quarantine function you can set up which will then quarantine any abusive or infected code from the site content, preventing the abuse you are seeing. This isn't guaranteed per se to resolve all of your issue(s); however, it will help you in detecting such abusive code a bit more quickly. The best part is it is a one-time $60 license fee and that's it. If you are doing any type of shared hosting it's almost a must-have in my opinion.

    my 2 cents.

    Cheers!

  • Doesn’t ImunifyAV offer real-time scanning? You can set DirectAdmin to use ModSec on upload, check in Custombuild options.

  • Mod_security and maldet. It should suffice. No paid options really needed.

  • @LeonDynamic said:
    Doesn’t ImunifyAV offer real-time scanning? You can set DirectAdmin to use ModSec on upload, check in Custombuild options.

    I think that is Imunify360; I have only ImunifyAV+.

    Thanks for all the suggestions. Also I discovered I'm an idiot and didn't have the secure PHP option for DirectAdmin enabled to set disable_functions; I guess that helped allow people to run shells :neutral:
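After turning on disable_functions it is worth checking what each account actually gets, because per-user PHP selectors and custom php.ini overrides can leave a customer with a weaker list than the server default. The script below is an added example, not code from the thread, DirectAdmin or CloudLinux. It assumes (not stated on the page) that `php` is on the customer's PATH and that the CLI honours the same per-user php.ini overrides as the web SAPI; if you are unsure, confirm with a phpinfo() page served from that account. It checks only the process-spawning functions a dropped web shell needs, and deliberately leaves file_get_contents and curl alone, since disabling those breaks applications that call external APIs.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the effective PHP disable_functions
# per customer account and reports which shell-execution functions remain
# callable. Assumptions (not from the page): php is on each account's PATH and
# the CLI sees the same per-user php.ini overrides as the web SAPI.
set -eu

# Functions that let a dropped web shell spawn processes or load native code.
REQUIRED_DISABLED="exec passthru shell_exec system proc_open popen pcntl_exec dl"

# Given a disable_functions value such as "exec,system, popen", print the
# required functions that are NOT listed, one per line. Prints nothing if
# everything is covered.
missing_disabled() {
    listed=$(printf '%s' "$1" | tr ',' ' ')
    for fn in $REQUIRED_DISABLED; do
        found=0
        for l in $listed; do
            [ "$l" = "$fn" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$fn"
    done
}

# Effective disable_functions as seen by one account (runs php as that user,
# so per-user php.ini and selector settings are applied).
effective_disable_functions() {
    su -s /bin/sh -c 'php -r "echo ini_get(\"disable_functions\");"' "$1"
}

# Audit every customer (UID >= 1000, excluding nobody) and print the gaps.
audit_accounts() {
    awk -F: '$3 >= 1000 && $3 != 65534 { print $1 }' /etc/passwd | while read -r user; do
        val=$(effective_disable_functions "$user" 2>/dev/null || echo "")
        gaps=$(missing_disabled "$val" | tr '\n' ' ')
        [ -z "$gaps" ] || echo "$user: still callable: $gaps"
    done
}

# Demo on constructed values (no php needed): a weak list that only blocks
# file_get_contents, and a list that covers the whole exec family.
echo "weak -> $(missing_disabled 'file_get_contents' | tr '\n' ' ')"
echo "good -> $(missing_disabled 'exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl' | tr '\n' ' ')"
```

Run `audit_accounts` as root on the hosting box; an empty report means every account has the exec family disabled. A non-empty line for an account usually points at a per-user php.ini or a PHP Selector profile that overrides the server-wide list.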

  • @donko that will prevent certain PHP functions from running, but I would look at using maldet with Malware Expert rules for real-time scanning of files being uploaded, etc.

  • @donko said:

    @LeonDynamic said:
    Doesn’t ImunifyAV offer real-time scanning? You can set DirectAdmin to use ModSec on upload, check in Custombuild options.

    I think that is Imunify360; I have only ImunifyAV+.

    Thanks for all the suggestions. Also I discovered I'm an idiot and didn't have the secure PHP option for DirectAdmin enabled to set disable_functions; I guess that helped allow people to run shells :neutral:

    Disabling file_get_contents can break many applications, especially those relying on external APIs. If you don't want that, get CXS + OSM + manual review of processes and scans.
