Admin-tools Detection in Imunify360
Admin tools like Adminer and TinyFileManager are invaluable for sysadmins, offering a simple web interface to manage databases and files. Their simplicity, often encapsulated in a single PHP file, makes them popular.
However, this simplicity can also be a vulnerability. Attackers can exploit compromised accounts by uploading modified versions of these tools with hardcoded credentials. Once these tampered versions are on your server, they can be used to upload malware, install webshells, and navigate the system undetected, effectively creating a backdoor that bypasses standard security measures.
Because attackers alter only the username/password credentials, the rest of the file is byte-for-byte the legitimate release, which lets it evade current malware scanners. These scanners are tuned to minimize false positives, and with the functional code unchanged they have no reliable way to tell a legitimate copy from a tampered one. For reference, here are the legitimate projects:
Once uploaded, these tools can escalate attacks and maintain persistent access to compromised systems. To enhance security, detecting and blocking such tools by default is crucial, significantly reducing the attack surface. In the security community, this type of software is classified as dual-use: both legitimate and potentially malicious.
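To make the dual-use problem concrete, here is an added, illustrative detector (not Imunify360's or ai-bolit's code, and not their real signatures). It recognises a file as an admin tool from a few assumed marker strings, and, for TinyFileManager, parses the `$auth_users` array so an administrator can see which hardcoded accounts a copy ships with and whether a password is stored in plaintext. The marker strings, file paths and PHP fragments are all constructed for the example.

```python
"""Illustrative dual-use admin-tool detector (added example, not Imunify360 code)."""
import re
from dataclasses import dataclass, field

# Constructed fingerprints for this example: a file is classified as a tool
# when every marker appears in it. These are NOT the signatures the real
# scanner uses; a production detector would use hashes of known releases.
TOOL_MARKERS = {
    "TinyFileManager": ("Tiny File Manager", "$auth_users"),
    "Adminer": ("Adminer", "adminer_object"),
}

# TinyFileManager keeps its login table in a PHP array literal:
#   $auth_users = array('admin' => '<bcrypt hash>', ...);
AUTH_USERS_RE = re.compile(r"\$auth_users\s*=\s*array\((.*?)\);", re.S)
PAIR_RE = re.compile(r"['\"](\w+)['\"]\s*=>\s*['\"]([^'\"]*)['\"]")


@dataclass
class Finding:
    path: str
    tool: str
    # (username, password_is_bcrypt) for every hardcoded account found
    users: list = field(default_factory=list)

    def plaintext_users(self) -> list:
        """Accounts whose password is not a bcrypt hash (a tampering signal)."""
        return [user for user, hashed in self.users if not hashed]


def classify(path: str, source: str):
    """Return a Finding if the PHP source looks like a known admin tool."""
    for tool, markers in TOOL_MARKERS.items():
        if not all(marker in source for marker in markers):
            continue
        finding = Finding(path=path, tool=tool)
        if tool == "TinyFileManager":
            match = AUTH_USERS_RE.search(source)
            if match:
                for user, secret in PAIR_RE.findall(match.group(1)):
                    finding.users.append((user, secret.startswith("$2y$")))
        return finding
    return None


def scan(files: dict) -> list:
    """Classify every (path -> source) pair; keep only the admin-tool hits."""
    return [f for f in (classify(p, s) for p, s in files.items()) if f]


# Constructed sample files standing in for a web root listing.
SAMPLE_FILES = {
    "public_html/uploads/fm.php": """<?php
// Tiny File Manager (constructed fragment for the example)
$use_auth = true;
$auth_users = array(
    'admin' => '$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345',
    'helper' => 'letmein',
);
""",
    "public_html/wp-content/adm.php":
        "<?php /* Adminer (constructed) */ function adminer_object() { return new Adminer; }",
    "public_html/index.php": "<?php echo 'hello';",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(f"{finding.path}: dual-use tool {finding.tool}, "
              f"hardcoded users={[u for u, _ in finding.users]}, "
              f"plaintext={finding.plaintext_users()}")
```

The detection decision here is "this is an admin tool at all", which is exactly the dual-use judgement the article describes: the tool is reported whether or not its credentials have been changed, and the credential parse is extra context for the administrator, not the trigger.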
How Imunify360 Addresses This Challenge
To assist server administrators in safeguarding their websites, we have developed a new feature that allows the detection of these dual-use admin tools. This feature is available starting from the following Imunify versions:
- Imunify-antivirus-8.5.2
- ai-bolit-32.5.1
Checking Your Version
To verify your current version, use the following commands:
# yum info imunify-antivirus
# yum info ai-bolit
Or, on Debian-based systems:
# dpkg -l | grep imunify-antivirus
# dpkg -l | grep ai-bolit
Feature Activation
This feature is enabled by default, significantly enhancing server protection and preventing further reinfections.
How to Enable/Disable the Feature
To enable the feature via CLI, use:
# imunify360-agent config update '{"MALWARE_SCANNING": {"admin_tools_detection": true}}'
To disable the feature via CLI, use:
# imunify360-agent config update '{"MALWARE_SCANNING": {"admin_tools_detection": false}}'
Please note that the UI implementation for this feature is planned for future updates. In the meantime, you can submit a support ticket to express your interest and add weight to its development.
Feel free to reach out if you have any questions or need further assistance!