Tag: malware

How to remove malware from a website manually & malware injection removal


The detection rates of anti-malware and antivirus scanners vary considerably. Knowing how to manually scan for and remove malware is an important and useful skill for confirming a scanner's effectiveness or compensating for its failings. In this article, Andrey Kucherov, Malware Analyst at Imunify360, describes some essential manual techniques for detecting and cleaning up website malware.

Critical unauthenticated command injection in Chamilo LMS exploited in the wild

Imunify360 researchers have recently found a wave of attacks exploiting a known vulnerability in Chamilo LMS (CVE-2023-34960) to execute arbitrary commands. Chamilo is an e-learning platform, also called a Learning Management System (LMS), widely used by universities and NGOs, with a total of ~85k installations.

Hidden footprints in a database, JS, & picture cloaking injection


Imunify360 has a robust set of mitigations that act proactively against advanced attacks. Its layers work at L7 (the HTTP request) against known vulnerabilities and at runtime through our innovative Proactive Defense module, and behind the scenes a team of malware experts researches 24x7 to understand malware behavior in depth.

Say Goodbye to Crontab Malware with Imunify360

Cron is a time-based job scheduler in Unix-like operating systems, including Linux, that allows users to schedule and automate repetitive tasks (cron jobs). The name "cron" comes from the Greek word "chronos," which means time.

Infection of cron files is a serious threat to any Linux system that uses task automation. Hackers can use these files to regularly launch malicious programs and scripts.

The deceptive Cloudflare block page that signals WordPress infection

Infection description

On Sep 15, we detected a malicious campaign in which the attackers used phishing techniques to trick users into downloading a malicious binary file. They placed a fake message on websites stating that the user had been blocked by Cloudflare. The infected websites displaying the message did not necessarily use Cloudflare services at all.

Notification about the malware found


Hi ImunifyAV(+) user!

We care about your security first and foremost, so there will be times when you may receive a message like this:

Dear Client,

You are receiving this message because our system, which is designed to keep you informed of security threats, detected malicious files on server abcd.atm.cloudlinux.com (123.45.67.89) on the account "johndoe."

...

Please review the scan details and take the appropriate actions to remove malware as soon as possible to mitigate security risks.

Why Malware on Your Website Should Never Be Ignored


For website owners unfamiliar with common malware, malware on a site that doesn't cause any obvious issues can seem harmless. How bad can malware be if it just injects links? If site owners do not understand the repercussions of malware, they will not take it seriously, which often means they don't have the necessary monitoring and malware protection in place to defend their sites. For shared hosting providers, this issue can have severe consequences and long-term effects on the server's reputation and potential profitability. Additionally, read our website hosting security article and learn how to keep your website secure in 2021.

Why Malware on a Server is Always a Bad Thing


In 2020, approximately one million websites hosted on WordPress were actively targeted by cyber-criminals. Large-scale campaigns are common and your server could easily be compromised without you noticing it. Even when malware is silent and undetectable, it can cause long-term side effects that damage your business reputation, customer retention, revenue, and lead generation from search engines. It’s imperative to business continuity that you detect attacks, mitigate ongoing attacks, and remediate them quickly after they are found.

Malware: Why is it hard to remove?


Have you ever wondered why malware is so hard to get rid of, and why, no matter how many times you run your malware scanner, infected files keep reappearing, as if by magic?

In this article, I’m going to show the inner workings of such persistent malware, by dissecting and unraveling some malware samples recently discovered by the Imunify360 cybersecurity product.

You'll see how this particular strain of malware propagates and evades detection, and what you can do to stop it from infecting your system.

An Analysis of WordPress Malware

When it comes to building and managing professional-quality websites, content management systems have become the default way to do it. WordPress is by far the most popular CMS: it's used to build and manage around six out of every ten sites.

The popularity of WordPress makes it a prime target for hackers. In one of our regular investigations, we recently encountered a particular strain of malware that targeted it. Here’s an analysis of that malware that we’d like to pass on to sysadmins.
