Hello all, have a good day.
I noticed a few days ago that in my website folders there are web shells. I am trying to remove them and will change passwords.
Can someone please advise some scanner maybe or extra actions I can perform to find and close the ‘hole’
- containment: use a different user for every subdomain.
- containment: use apache2 + nginx
- prevention: use 7g firewall or 8g firewall
- update your CMS
- update plugins, etc
- don’t download nulled plugins or themes
- avoid massive plugins such as elementor since many hackers specialize in those.
- don’t accept connections from Africa, Nigeria, china, Russia… If you don’t need to.
- set daily backups
- pro: change files to read-only
- pro: change database to read-only if you can
- pro: prevent creation of new files
thanks for the answer!
- i do not use subdomains
- already in use (btw how can it prevent?)
- do i need to additionally install it on my vps?
- almost 90% of my websites are simple html, i use a CMS only to build the website, then i convert it to html
- understood
- never!
- yes. i use elementor =(
- will do!
- got it
- will try
- also will try
- how can i do it?
by the way. do you know maybe how can i identify where and when i was hacked? i tried to read web server logs with no luck.
Check the filesystem. The dates of the infected files.
I mean domain and or subdomain.
One user one web.
So if a client needs 2 websites, create two users. One for each.
Nothing else to do. The process will run under the user.
Yes!
If you want to prevent the file creation change the directory permissions to 444 or 440
well i have more than 150 domains already
having separated user will be an adventure)
i saw date was 29 of March 1:07 AM
what can i do with this information?
can changing permissions prevent Wordpress working correctly by the way?
For scanning malware and vulnerabilities, I used the free Wordfence CLI. The latest version also scans the database. I’ve created a cron job to run the scan automatically every day.
sudo freshclam
sudo clamscan -ri /home/user
yes, like @masernel says, I recommend that with a little variation…
This is for updating the database
freshclam
if you have some error here, stop it with this
ps aux | grep freshclam
and then start it again
freshclam
and this is for only seeing infected files. The root folder is good for searching outside a website (if you have other problems). Run this when the server is resting or with few visits (just in case)
clamscan -r --bell -i /
also other recommendation…
/home/user
must be changed to the correct user account created in hestiacp
It’s a simple thing but maybe in the future someone who doesn’t know it will run that command and get a “0 virus found” for the simple fact that there was nothing to scan, and clamav doesn’t warn about that error.
That’s why I think it’s better to scan /home/ or just /
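Two of the points above, checking the dates of the infected files to pin down when the compromise happened and refusing to "scan" a path that has nothing in it, can be scripted. This is an added example, not code from anyone in the thread; it assumes GNU coreutils/findutils (date -d, touch -d, find -newermt, find -printf), and the timestamp and paths in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers for the triage described above.

# Refuse a scan target that does not exist or is an empty directory, so a
# "0 infected files" result cannot come from scanning nothing at all.
# Usage: check_scan_path /home/user/web   (constructed path, adjust to your hestiacp user)
check_scan_path() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "scan path does not exist: $path" >&2
        return 1
    fi
    if [ -d "$path" ] && [ -z "$(find "$path" -mindepth 1 -print -quit 2>/dev/null)" ]; then
        echo "scan path is an empty directory: $path" >&2
        return 1
    fi
    return 0
}

# List files under $1 modified within +/- $3 hours (default 12) of timestamp $2,
# e.g. the mtime seen on the web shell. Working from epoch seconds avoids
# GNU date's relative-offset parsing ambiguities. Output: "YYYY-MM-DD HH:MM path".
# Usage: files_modified_near /home/user/web '2024-03-29 01:07' 6   (constructed date)
files_modified_near() {
    dir="$1"; when="$2"; hours="${3:-12}"
    base=$(date -d "$when" +%s) || return 1
    start=$(date -d "@$((base - hours * 3600))" '+%Y-%m-%d %H:%M:%S')
    end=$(date -d "@$((base + hours * 3600))" '+%Y-%m-%d %H:%M:%S')
    # -newermt START and not -newermt END selects START < mtime <= END
    find "$dir" -type f -newermt "$start" ! -newermt "$end" \
        -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort
}
```

Run check_scan_path before clamscan in the cron job, and feed the mtime from the first web shell you find into files_modified_near to see what else was written in the same window.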
thank you very much everyone