MDS - AN INTELLIGENT MALWARE DATABASE SCANNER FOR WEBSITES

Imunify360 team decided to work on some security shortages and eliminate them. It was a supported practice for web hosting clients, to manage their own security settings such as Proactive Defense.

Today websites are essential for business and operations. To make web design more efficient with added website functionality, web designers use various Plugins. Plugins are the building blocks of a website - they are the little programs that perform a definitive task - based on the needs and personalized requirements of the website owner. It is a lot like providing additional add-ons to the website.

As of writing this article, there are more than 52,000 plugins on the market. There are free to use and commercial plugins available from third-party companies and developers. There are also Nulled Plugins which are pirated copies of legitimate versions of different premium plugins, nulled plugins act as a backdoor for many harmful activities. In this article, Krithika Rajendran, malware analyst at Imunify Security will go over the behavior of wp-sleeps and will tell more how to keep your servers protected.

What if we told you that ~15% of infection sources are database infections? If you have ever tried to clean up malicious injections (usually, thousands of them) from the database table, you know how much time and pain it would take. There's a lack of professional solutions to detect and clean up malware in the database automatically. We want to save your time and provide you with another top-notch solution to detect threats in the databases (in addition to our trailblazing Imunify file scanner). We call the solution “Malware Database Scanner” (MDS).

The new week started with a new campaign trying to widely use the Arbitrary File Upload vulnerability in the Simple File List plugin for WordPress.

The high severity vulnerability in Post Grid WordPress plugin that appeared in public resources is suspected to be the cause of attackers’ interest to exploit the affected systems.

The discovered vulnerability allows an attacker to forge the template with further inclusion of its code to the application's backend with the ability to perform malicious actions involving privileged users. This could end up with a stolen administrator session or malware injection.

Frequently during an investigation of malicious activity, we face infections that spread through the attack vector that could not be covered by plain WAF rule. For instance, it is possible when

• • a user uploads the “nulled” theme or plugin from an untrusted source which already has malware and could append injection to the application’s core files after installation, or
  • the attacker gains access to the server with a stolen FTP, SSH, cPanel, WHM password. Read our new article with best practices on how to stay on top of cpanel security.

On Wednesday, 2 September, the Imunify360 Web Protection Team detected a significant rise in blocked malware that day. Most of the malware was located in the /wp-file-manager/lib/files/ directory path.

When we investigated, we determined that there was a critical vulnerability in the File Manager plugin for WordPress, and that this vulnerability affected a variety of applications.

The Imunify security team recently detected a vulnerable plugin in the WordPress plugin directory. It’s called PressForward, and it’s used to manage editorial workflow. This free plugin included an iframe that could be used to send visitors to a malicious web page. 

The Imunify team identified the vulnerability in this plugin on the first of July, 2020. At the time it was discovered, the plugin was installed on 800+ websites, where it could be used to send visitors to phishing sites and conduct black SEO campaigns. The plugin’s change log indicates that it has been there for almost a year:

 

What are the issues?   

In rare cases, users of Imunify360, versions 4.9.2 and up, may experience issues with Webshield stability.

These issues are related to peculiarities of ip utility output, so servers having bondings with VLANs will not generate upstreams.conf. After the upgrade, attempting to restart Webshield leads to undetected interfaces, and Webshield refuses to start.

bbPress, a popular WordPress plugin, was recently found to contain a serious vulnerability. 

How should bbPress users address it? The best way is to update the plugin and install the latest version. But if they can’t or don’t do this, Imunify has them covered. Read below to find out how.