Case study : How we help cPanel server owners prevent frequent malware infections
Google blacklists about 8,000 to 11,000 websites per day for hosting malware or phishing content. Up to 98% of these are classified as “compromised” websites, meaning they belong to legitimate businesses but were infected with malicious code without the knowledge of the website owners.
Search engine blacklisting like this can end up being very costly to businesses. It leads to a loss of website traffic and SEO ranking, and building the site traffic back can take several weeks, if not months.
Another severe consequence of malware infection is IP spam blacklisting. Website malware is widely used in spam campaigns, which causes server IPs to be blacklisted. Critical business correspondence then fails to get through, which can even lead to lost business opportunities.
Through our Server Management Services, Bobcares helps server owners recover from website security issues, and prevent the sites from getting hacked again. Today we’ll take a look at the popular ways cPanel/WHM servers get infected, and how we prevent such attacks.
How malware infections happen in cPanel servers
In our cPanel server management services, we’ve seen five different ways in which cPanel servers get infected by malware:
- By exploiting web application vulnerabilities
- By exploiting vulnerabilities in web app plugins or add-ons
- By uploading malicious code through stolen login credentials
- By cross-site contamination due to an insecure hosting environment
- By exploiting server application vulnerabilities
Of these, the most commonly used methods are web application exploits and malware uploads using login credentials.
An important part of our hack recovery service is server hardening, to prevent further hacks. As part of this, we investigate how the server was compromised in the first place. We’ve found that almost 85% of malware infections in cPanel servers used web app exploits, and the rest were uploaded using stolen FTP, Control Panel or web application login details. So, our server hardening focuses primarily on securing these two channels.
Member of Executive Group, Bobcares
1. Web application vulnerability
Studies show that close to 90% of all websites are vulnerable. Some applications like WordPress respond very quickly by releasing security patches for reported vulnerabilities, but there are others which do not release a patch for weeks on end. Our experience shows that even when a vendor releases a security patch, the webmaster often won’t know about it until a hack actually happens.
Malware authors scan for vulnerable versions of web applications, and use specially crafted exploit code to inject malware into the websites. Visitors to these sites unknowingly download this malware onto their PCs, exposing sensitive information like banking records, login details, identity information, etc.
2. Vulnerabilities in plugins, themes or add-ons
Almost all web applications these days use third party plugins. We’ve seen that close to 93% of all exploits are carried out through vulnerable plugins. For example, a quick search of WordPress vulnerabilities in the US National Vulnerability Database shows that 92.14% of all reported vulnerabilities of WordPress sites are related to plugins and themes.
Many of these vulnerabilities remain open for weeks on end, exposing the site to attackers. Fortunately, these vulnerabilities are usually exploited through known methods of attack (such as Cross Site Scripting, SQL injection, CSRF, etc.), which can be blocked through specially configured firewalls.
3. Stolen logins to website and FTP accounts
Attackers use a variety of ways to make people install malware on their computers. Some of these include phishing mails that ask you to open an attachment, and antivirus ads which say your PC is infected and you need to click on the ad to start a scan. Many webmasters fall for these, and attackers gain access to critical information like server login details, bank details, etc.
With the login details, the next task of the attackers is to inject malicious code into the website, which will install malware on the computers of all visitors. Search engines like Google detect this behavior in websites, and prevent visitors from navigating to your site. Since the malware is uploaded through authentic login details, the defense against this is to scan the files while they are being uploaded.
4. Malware infection from other sites
It is common for webmasters to install multiple web applications and maintain multiple websites on the same server. Some of these sites are no longer maintained, and are left there as relics of old projects. However, these un-maintained sites pose a serious security risk. An attacker who gains access to one of these old sites can easily infect all the others. This is called Website Cross Contamination.
This primarily happens due to poor hosting environment security. For example, in cPanel servers, Apache’s ability to follow symbolic links (aka soft links) can be used by an attacker to navigate to other websites on the server. So, even if you have kept all your current websites updated, your site could be vulnerable to website cross contamination if the server is not secured.
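The symlink traversal described above can be audited from the defender's side: walk one account's document root and flag every symlink whose final target resolves outside that account's home, since those are exactly the links Apache would serve as that account's content with FollowSymLinks enabled. This is an added example, not Bobcares' tooling; the two-account directory layout it builds in a temp dir is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

def find_escaping_symlinks(docroot, allowed_root):
    """Audit one account's document root for symlinks that resolve outside
    allowed_root (normally the account's own home directory).

    This is the cross-contamination pattern: with Apache's FollowSymLinks on,
    a link planted in account A's public_html that points at account B's files
    is served as if it were A's own content. The whole link chain is followed,
    so a link to a link is judged by its final target.
    """
    allowed = Path(allowed_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):  # does not descend into symlinked dirs
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()          # dangling links resolve as far as possible
            try:
                target.relative_to(allowed)  # raises ValueError when outside allowed_root
            except ValueError:
                findings.append((str(link), str(target)))
    return findings

def build_demo():
    """Constructed two-account layout in a temp dir; returns the audit of user_a."""
    base = Path(tempfile.mkdtemp())
    a_home = base / "home" / "user_a"
    b_home = base / "home" / "user_b"
    (a_home / "public_html").mkdir(parents=True)
    (a_home / "shared").mkdir()
    (b_home / "public_html").mkdir(parents=True)
    (b_home / "public_html" / "wp-config.php").write_text("<?php // constructed placeholder\n")
    # Legitimate: a link that stays inside user_a's own home.
    os.symlink(a_home / "shared", a_home / "public_html" / "assets")
    # Cross-account: a link from user_a's docroot into user_b's files.
    os.symlink(b_home / "public_html" / "wp-config.php", a_home / "public_html" / "x.txt")
    return find_escaping_symlinks(a_home / "public_html", a_home)

if __name__ == "__main__":
    for link, target in build_demo():
        print(f"{link} -> {target}")
```

Only the cross-account link is reported; the in-account `assets` link is legitimate and passes.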
5. Server application vulnerability
Even if all your web applications are up-to-date, your website can still be infected if the server software is vulnerable. For instance, a vulnerability was recently discovered in a server-side image manipulation tool called ImageMagick. It allowed attackers to execute arbitrary commands on the server, enabling easy upload of malware.
A patch for such vulnerabilities may not be readily available. So, it is important to find other ways to prevent attackers from exploiting these vulnerabilities. For example, in the case of the ImageMagick vulnerability, we blocked the upload of file formats that allowed embedding links or commands within them.
How we block malware infection in cPanel servers
At Bobcares, we use a security approach called “Defense in depth” or “Layered security”. It means that we do not rely on just one piece of software or one technique to secure a server. Instead we use a series of server hardening steps that include hardened kernels, zero-day vulnerability patching, web application firewalls, process monitoring, and more.
Almost all attacks on websites are carried out using automated exploit scripts. These scripts search for a vulnerable web application, and try to exploit it in a few pre-programmed ways. With Defense in Depth, we put in so many layers of security that any attack attempt will hit a wall in one of these layers – most often it’ll be the outer-most connection layer.
Sr. Systems Engineer, Bobcares
1. Web application firewall
Web applications are exploited in various ways. These include Cross Site Scripting (XSS), SQL injection, Cross Site Request Forgery (CSRF), and more. These modes of attack leave certain signatures that can be detected by specialized firewalls. We use open source web application firewalls (WAF) like ModSecurity and NAXSI to detect and block web application exploit attempts.
For example, during the recent GuruIncSite malware attacks on Magento websites, Bobcares blocked exploit attempts on customer websites using custom signatures in the NAXSI WAF.
cPanel provides built-in integration with the ModSecurity WAF. But the default installation in itself is not enough for security. Additional rules need to be applied and maintained to make sure the firewall blocks all new exploits, and that it doesn’t lead to performance issues.
2. Blocking malware upload through FTP, Control Panel and Web Applications
Compromised FTP and Control Panel accounts are another major source of malware uploads. Desktops, laptops and mobile devices get infected with trojans all the time, and webmasters losing their FTP login details is a common cause of malware uploads. We put a block on this channel by deploying file upload scanners.
We configure the cPanel system to monitor file system changes, FTP traffic, and web traffic to look for malware signatures. We integrate virus and malware databases from various sources like LMD, ClamAV, SaneSecurity, and more to make sure no malicious code gets past these filters into the website.
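An upload gate that combines the two ideas above (section 5's refusal of image formats that can embed links or commands, and the signature scanning of uploaded files described here) looks roughly like this. It is an added example, not Bobcares' scanner or a real LMD/ClamAV signature set: the magic-byte allow-list, the MVG/SVG markers and the two webshell regexes are constructed for the demo, as are the sample uploads.

```python
import re

# Constructed allow-list: raster formats accepted, keyed by leading magic bytes.
RASTER_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
                b"GIF87a": "gif", b"GIF89a": "gif"}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# Text-based image formats (ImageMagick's MVG script, SVG/XML) can reference external
# resources, so they are refused before anything is handed to an image library.
TEXT_IMAGE_MARKERS = (b"push graphic-context", b"<svg", b"<?xml")

# Constructed content signatures for common webshell idioms, applied to every upload so
# a valid-looking image with PHP appended after the pixel data is still caught.
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"<\?php[^\n]{0,200}\b(system|passthru|shell_exec)\s*\("),
]

def check_upload(filename, data):
    """Return (accepted, detail). Signatures first, then text-format refusal, then the
    extension's type must match the magic bytes actually present."""
    for pat in SHELL_PATTERNS:
        if pat.search(data):
            return False, "webshell signature"
    head = data[:64].lstrip(b"\xef\xbb\xbf \t\r\n").lower()  # skip BOM / whitespace
    if head.startswith(TEXT_IMAGE_MARKERS):
        return False, "text-based image format"
    declared = EXT_TO_TYPE.get(filename.rsplit(".", 1)[-1].lower())
    if declared is None:
        return False, "extension not allowed"
    detected = next((t for magic, t in RASTER_MAGIC.items() if data.startswith(magic)), None)
    if detected is None:
        return False, "no recognised raster header"
    if detected != declared:
        return False, f"extension says {declared}, content is {detected}"
    return True, detected

# Constructed sample uploads: a PNG, an MVG script named .png, a GIF with PHP appended
# (the base64 here decodes to the harmless string "hello"), and a JPEG named .png.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.png": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
    "pic.gif": b"GIF89a" + b"\x00" * 8 + b"<?php eval(base64_decode('aGVsbG8=')); ?>",
    "shot.png": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

def run_samples():
    return {name: check_upload(name, data) for name, data in SAMPLES.items()}
```

Only `logo.png` is accepted; the other three are refused for different reasons, which is the point of layering the checks rather than trusting the file extension.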
3. Periodic security audit and server hardening
The default settings of cPanel are optimized for feature richness, not security. They leave attackers a lot of options to run their exploits. An example is the infamous Symlink Race Condition vulnerability, which allows an attacker to spread malware from one account to another. We prevent such issues by:
- Implementing bullet-proof server security – We analyze each server setting, ranging from the Linux kernel to individual account settings, to make sure all loose ends are tied up. Some of the steps include Sysctl hardening, root login limits, file system hardening, password policy enforcement, symlink traversal prevention, PHP hardening, and more.
- Periodic security audit and hardening – New threats and new methods of attack come out all the time. We periodically audit the server to find out if it is vulnerable to new methods of attack. During our sweeps we find out if any web application is outdated, and work with the webmaster to update the site.
4. 24/7 security monitoring and emergency reaction
We live in a world where even CIA and NSA sites get hacked. So, even the best laid defenses are susceptible to a well-planned attack. But even such attacks can be defeated if someone detects and blocks them in time.
Our security experts monitor server processes, network connections, and file system changes to detect anything out of the normal. If we find anything resembling a brute force, DDoS or hack attempt, we block the connecting IP, and further harden the services the attack was directed against.
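The brute-force case above reduces to a sliding-window count of failed logins per source IP across every service on the box, since an attacker rotating between FTP, SSH and cPanel logins should still add up to one offender. This is an added example, not Bobcares' monitoring; the log line format, the service names and the IPs (RFC 5737 test ranges) are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "<ISO-8601 time> <service> FAILED <user> from <ip>".
# Real sources (sshd, pure-ftpd, cpaneld) each need their own regex; the windowing is the same.
LINE_RE = re.compile(r"^(\S+) (\S+) FAILED (\S+) from (\S+)$")

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (first_failure, count)} for every source IP with at least
    `threshold` failed logins inside any `window`, counted across all services.
    Lines must be in chronological order, as they are when tailing a log."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # unrelated line (successful login, noise)
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(4)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # slide: drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (q[0], len(q))
    return flagged

def block_rules(flagged):
    """Render one firewall drop rule per flagged IP (iptables syntax) for review;
    nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

# Constructed sample: 203.0.113.7 hammers three services inside 20 seconds,
# 198.51.100.9 fails once, 192.0.2.5 fails five times but half an hour apart.
SAMPLE_LOG = [
    "2016-05-10T10:00:00 sshd FAILED root from 203.0.113.7",
    "2016-05-10T10:00:00 sshd FAILED root from 192.0.2.5",
    "2016-05-10T10:00:05 cpaneld FAILED admin from 203.0.113.7",
    "2016-05-10T10:00:09 ftpd FAILED user_a from 203.0.113.7",
    "2016-05-10T10:00:14 sshd FAILED root from 203.0.113.7",
    "2016-05-10T10:00:20 cpaneld FAILED user_a from 203.0.113.7",
    "2016-05-10T10:01:00 sshd FAILED root from 198.51.100.9",
    "2016-05-10T10:30:00 sshd FAILED root from 192.0.2.5",
    "2016-05-10T11:00:00 sshd FAILED root from 192.0.2.5",
    "2016-05-10T11:30:00 sshd FAILED root from 192.0.2.5",
    "2016-05-10T12:00:00 sshd FAILED root from 192.0.2.5",
]
```

The slow attacker at 192.0.2.5 never holds five failures inside one ten-minute window, which is why a fixed per-window count (rather than a lifetime total) needs the threshold and window tuned together.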
5. Active vulnerability monitoring and mitigation
Our security experts keep a close eye on new vulnerability disclosures. As soon as a new vulnerability or exploit is reported, all servers under our care are patched to block all exploits.
For example, when the ShellShock vulnerability was disclosed, Bobcares security team patched all vulnerable Bash packages within hours of the issue being reported.
Malware infections can be very costly for online businesses. Bobcares helps cPanel/WHM server owners prevent malware infections by implementing bullet-proof security, 24/7 monitoring, active vulnerability patching and periodic server hardening. If you have any questions on how we can help you in improving your server security, we’d be happy to talk to you! 🙂