Release note for cPGuard version 3.69

We released cPGuard version 3.69 on January 26, 2022, and the update is rolled out to all servers automatically. We encourage our customers to always run the latest version: we follow sequential updates, and each update applies only to the latest version of the software.

What is up with version 3.69?

We release regular updates to the software, scanner rules, WAF rules and so on to keep detection current against the latest threats. For anyone who follows the cPGuard release notes, the new version may not look exciting at first!

But this build took almost two months to complete, because it carries a completely revamped scanner engine. Our developers have rewritten the whole scanner code from scratch to make it more efficient and better organized. For a project that has been running for over four years and started as a plugin for one specific control panel, we believe this is the right time to begin a project-wide revamp and move into new areas.

The major changes

Our team is working on a set of cPGuard enhancements that we internally call cPGuard V4. Version 3.69 is the first step towards the V4 release, and further updates will follow in upcoming versions. In 3.69, the major changes include:

  • Revamped scanner engine code
  • Eliminated the dependency with system ClamAV
  • Enhanced file checks and improved scanner speed
  • etc

What is next?

As mentioned above, 3.69 is just the first step towards a milestone. Our team is working hard to make cPGuard more productive and to reduce admin overhead. We will have some major updates this year, and we believe they will help our customers manage cPGuard and their servers more easily.

What are the recent changes in IPDB?

What is IPDB Firewall?

In cPGuard, we have multiple modules that work at different layers to stop various attacks. The IPDB firewall module is a system-level firewall that can block many attacks before they reach your application servers.

The main components of the IPDB firewall are:

1. The Cloud Advisor: a server cluster dedicated to collecting, building and distributing a list of unsafe IPs. We maintain a large list of bad IPs built from attacks we have blocked (WAF, brute-force, CSF and access logs), from partners such as Malware.Expert and from other third-party sources. After whitelisting major providers such as Cloudflare and Google to avoid false positives, our algorithms dynamically score IPs on several parameters to produce a refined list containing only the latest and relevant threats.

2. The Server Agent: the cPGuard server application downloads the bad-IP list from the Cloud Advisor and creates a blocklist using ipset and iptables to block requests from those IPs. The blocklist is reloaded periodically to fetch the latest IPs and drop stale ones.

What are the recent updates in IPDB?

Since the initial release of IPDB we have kept improving the module over the past few versions, and those updates let it block more attacks with fewer false positives. A few of the major changes:

  • Refined blacklist logic:- We now have a better algorithm for marking an IP address as bad and adding it to the global blacklist, which eliminates a significant share of false positives from the total list.
  • Enhanced whitelist:- Based on feedback from our clients, we have added many more major players, including search engines, CDN providers and monitoring agents, to the whitelist, which helped to refine the central list.
  • Better CLI tools:- For a Linux geek it is always handier to work from the CLI than from the GUI, so we have added more CLI tools to manage IPDB with commands.
  • Network whitelist:- You can now whitelist a network in CIDR notation, which lets you whitelist a whole range of your own IP addresses and makes the tool handier. You can add whitelist entries from the cPGuard settings or via our command line utility:

$ /etc/cpguard/scripts/cpgbin allowip <ip address/range>

$ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx
$ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx/24

  • New IPDB stats UI:- You can now view requests being blocked in real time from the new IPDB section of the cPGuard UI. We will roll out more IPDB reports and stats in coming versions.
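The two pieces described above, the Server Agent that turns a downloaded bad-IP feed into an ipset/iptables blocklist and the network whitelist that keeps your own ranges out of it, can be sketched in a few dozen lines. The following is an added example written for this page, not cPGuard's own agent code: it assumes the feed and the whitelist are plain text with one IP or CIDR per line, and the set names (cpg_block, cpg_allow) and the single INPUT-chain layout are made up for illustration. The sample feed and whitelist are constructed.

```python
"""Build an IPDB-style ipset/iptables blocklist from a bad-IP feed.

Added example, not cPGuard's own agent code. Assumptions: the feed and the
whitelist are plain text with one IP or CIDR per line; the set names
(cpg_block, cpg_allow) and the chain layout are made up for illustration.
"""
import ipaddress

# Constructed sample feed, standing in for what a cloud advisor distributes.
SAMPLE_FEED = """\
# bad ips (constructed sample)
203.0.113.7
198.51.100.0/24
192.0.2.55
not-an-ip
203.0.113.7
2001:db8:bad::1
"""

# Constructed whitelist: the operator's own range plus one single address.
SAMPLE_WHITELIST = """\
198.51.100.0/25
192.0.2.55
"""


def parse_networks(text):
    """One IP or CIDR per line -> list of ip_network; comments and junk are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a malformed feed line must never abort the reload
    return nets


def build_blocklist(feed_text, whitelist_text):
    """Feed entries not fully inside a whitelisted network, de-duplicated and sorted."""
    allow = parse_networks(whitelist_text)
    keep = set()
    for net in parse_networks(feed_text):
        if any(a.version == net.version and net.subnet_of(a) for a in allow):
            continue  # fully whitelisted: treat as a known false positive
        keep.add(net)
    return sorted(keep, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def _entry(net):
    """ipset member syntax: bare address for a host, CIDR for a range."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen


def ipset_restore_script(blocked, allowed, name="cpg"):
    """Text for `ipset restore -!` that rebuilds the sets atomically.

    Each set is filled under a temporary name and then swapped in, so a
    periodic reload never leaves a window with an empty blocklist.
    """
    lines = []
    for family, ver in (("inet", 4), ("inet6", 6)):
        suffix = "" if ver == 4 else "6"
        for role, nets in (("allow", allowed), ("block", blocked)):
            live, tmp = f"{name}_{role}{suffix}", f"{name}_{role}{suffix}_new"
            lines.append(f"create {live} hash:net family {family} -exist")
            lines.append(f"create {tmp} hash:net family {family} -exist")
            lines.append(f"flush {tmp}")
            lines.extend(f"add {tmp} {_entry(n)}" for n in nets if n.version == ver)
            lines.append(f"swap {tmp} {live}")
            lines.append(f"destroy {tmp}")
    return "\n".join(lines) + "\n"


def iptables_rules(name="cpg"):
    """Rules to install once: ACCEPT the whitelist set before DROP-ing the block set.

    Inserting both at position 1, DROP first, leaves ACCEPT above DROP; that
    ordering is what lets a whitelisted /25 inside a blocked /24 keep working.
    """
    return [
        f"iptables -I INPUT 1 -m set --match-set {name}_block src -j DROP",
        f"iptables -I INPUT 1 -m set --match-set {name}_allow src -j ACCEPT",
        f"ip6tables -I INPUT 1 -m set --match-set {name}_block6 src -j DROP",
        f"ip6tables -I INPUT 1 -m set --match-set {name}_allow6 src -j ACCEPT",
    ]


if __name__ == "__main__":
    blocked = build_blocklist(SAMPLE_FEED, SAMPLE_WHITELIST)
    allowed = parse_networks(SAMPLE_WHITELIST)
    print(ipset_restore_script(blocked, allowed), end="")
    print("\n".join(iptables_rules()))
```

Two design points carry over to any agent of this kind: a feed entry that lies entirely inside a whitelisted network is dropped before it ever reaches the kernel, while the opposite overlap (a whitelisted /25 inside a blocked /24) is handled by rule order, with the allow set matched before the block set. The swap/destroy sequence is what makes the periodic reload safe; piping the script into `ipset restore -!` replaces the live set in one step instead of flushing it and refilling it entry by entry.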

Wait…I have some complaints or suggestions

We would love to hear from you, and our team can act on your feedback. Kindly reach out to our support team with your feedback and we will process it accordingly.

How cPGuard protects your websites?

This is one of the first questions that comes up when someone decides to try cPGuard on their servers. The answer is not simple, and it needs to be explained from top to bottom because protection is offered at multiple levels.

So let us look at the protection cPGuard offers:

  • Malicious file uploads/updates
  • Web attacks/exploits
  • Incoming Spam Emails and IP/Domain Reputation Checks
  • Extensive Reports

1. Malicious File uploads/updates

This is one of the most common problems website owners face, and it affects website reliability and integrity. It most commonly happens because of an exploitable vulnerability in the website, a compromised user account or login, or a compromised account hosted in the same shared environment. To detect malicious file contents, cPGuard has multiple layers of file scanning to make sure that every file passes through our scanner engine.

  • Layer 1 HTTP Upload Scanner:- This is the first level of file scanning, applied when a file is uploaded or updated via the web. Whenever a file is uploaded through your website, it passes through the scanner engine. We carefully manage this step to scan only relevant files, and if we detect a malicious pattern for which we do not yet have a definition, we scan it through our central system and take the necessary actions.
  • Layer 2 Automatic Scanner:- This is the second level of scanning, which catches files updated or uploaded regardless of how it is done. We monitor file operations to build the list of files to check and pass them through the scan engine. Since we monitor only website files and process them in batches, this consumes very few server resources and completes the scan in very little time compared to the competition.
  • Layer 3 Weekly automatic scan:- We run a weekly scan over all files updated or uploaded in the last 7 days. This ensures that all recent files are re-analyzed against our constantly updated virus database, so new types of attacks are caught even if they initially bypassed detection.
  • Layer 4 Manual scan:- This is the last layer of scanning and needs manual intervention to start a scan against a defined target. It can find all new and old malicious files under the targeted path and helps to create custom reports.

So the multi-layer file scanning, which you can flexibly enable on your server (each layer can be customized to your preference from cPGuard Settings), can scan all types of file changes on your server and act on them. There is also a file auto-clean option with which you can attempt to clean files automatically and restore them to their original location; this can prevent website outages caused by infected core files.

2. Web attacks/exploits

This is the WAF layer, which mitigates most attacks before they reach your web applications. Our WAF is powered by Malware.Expert's commercial WAF rules and cPGuard ModSec rules. This layer has multiple components to mitigate a variety of web attacks.

  • The WAF Integration:- This is the core WAF rule set, which you can enable from settings; it loads the core rules into your web server. The ruleset contains mitigation rules for generic attacks, some of the latest reported CVEs and targeted CMS attacks (WordPress, Joomla, etc.). We always recommend enabling it, as it can protect your websites from many web attacks.
  • Brute-force protection:- This module protects your websites from brute-force attacks against the defined URLs. It monitors the real client IPs and blocks them if they cross the access threshold.
  • Scanner Rules under WAF:- When you enable this rule set, it protects your websites from common abusive botnets. It saves server resources by cutting out unnecessary processing of those requests.
  • Webshell Rules under WAF:- These rules stop the execution of web shells that have already been uploaded to your websites. This is a highly sensitive rule set, and we do not recommend it unless you have complete control over all the websites on the server.
  • Captcha Protection under WAF:- This module protects your websites from brute-force attacks against the defined URLs. It can greatly reduce your server load and protect your websites from abusive access.

The multiple protection layers at the HTTP level protect your websites from the most generic and common attacks and sources. We constantly monitor the web abuse reported by the WAF through our centralized system and make adjustments accordingly to increase the protection level.

3. Incoming Spam Emails and IP/Domain Reputation Checks

cPGuard helps to reduce incoming spam email using the SRBL system, which uses an intelligent algorithm to check every incoming email source, decide whether it is abusive and act accordingly. This stops email from known abusive IPs and thus reduces the incoming spam count.

Additionally, the system keeps track of the IPs and domains on the server and checks whether they are listed in major blacklists. It alerts you promptly when a blacklisting is detected and helps you keep an eye on the server's overall reputation. You can even choose to suspend an account when its domain is blacklisted, which can save your IPs from being blocked by search engines.

4. Extensive Reports and Notifications

cPGuard produces many reports and notifications that give an overview of the total attacks against your server and of security issues for particular accounts. Web and virus attacks are shown graphically per day or for a chosen period, and notifications are sent instantly to alert you about recent attacks. You can flexibly turn individual notifications on or off and define the email addresses at which you want to receive alerts.

The protection is not limited to the points above.

Yes, the software offers more protection, such as automated rootkit scanning, CSF integration, wp-cron.php job management and more, to ensure smooth management and security on your server. We constantly add features, enhance the existing ones and do everything we can to deliver the best service to our customers.

If you think cPGuard could improve on any particular point by adding or enhancing a feature, please feel free to reach out to us and we will do everything possible to meet the requirement.

How nulled WordPress Plugins can damage your website

It is a well-known fact that WordPress is one of the web applications that receives the majority of web attacks once installed on a domain. In addition to the conventional attack vectors, plenty of other attack methods are used against WordPress websites and applications. So all WordPress website owners should protect their websites with an additional security layer against common attacks like brute-force, SQL injection and cross-site attacks, as well as the less conventional ones.

Nulled Plugins and Themes

When we talk about other types of attacks, one of the trickiest is the installation of "nulled" plugins and themes. We recently had a customer who came to us to clean up his websites, which had nulled plugins installed. The ironic part is that the client knew they were nulled but decided to install them because they were free, never realizing that they would open a backdoor into his websites.

So how can they damage your websites?

The severity of the damage depends on the source of the nulled plugin or theme. In the specific case we are using as an example here, the plugins were downloaded from thewordpressclub [.] org, and the websites faced the following issues.

  1. Repeated JS injections into the database which resulted in redirects to malicious websites upon website visit.
  2. Added junk records to the wp_options table for the backdoor
  3. The admin user password kept resetting without the knowledge of website owner
  4. Unwanted posts created under the websites

and many more.

Interestingly, the terms and conditions at thewordpressclub [.] org have a "Remote Access" section stating that by downloading and installing these plugins/themes you are allowing TheWordpressClub to remotely control your website.

What kind of injections were added to the nulled plugins?

We noted the following files added to the plugin packages; these contain the core of the injected code.

rms-script-ini.php
rms-script-mu-plugin.php

For example, the following are sample paths from actual plugin installations:

wp-content/mu-plugins/rms_unique_wp_mu_pl_flnm.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/rms-script-mu-plugin.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/plugin-fw/templates/panel/rms-script-mu-plugin.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/plugin-fw/templates/panel/rms-script-ini.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/rms-script-ini.php
wp-content/plugins/WP Smush Pro 3.6.3/rms-script-mu-plugin.php
wp-content/plugins/WP Smush Pro 3.6.3/core/external/dash-notice/rms-script-mu-plugin.php
wp-content/plugins/WP Smush Pro 3.6.3/core/external/dash-notice/rms-script-ini.php
wp-content/plugins/WP Smush Pro 3.6.3/rms-script-ini.php

In addition, the following lines were added to other files in the package to load the malicious function and activate the remote handler:

require_once('rms-script-ini.php');
rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);
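The file names and the loader call quoted above are good enough indicators to sweep a WordPress tree for the same injection. The script below is an added example written for this page, not cPGuard's scanner: it reports any file carrying one of the dropped file names listed in this post and any PHP file whose head calls rms_remote_manager_init(). The sample wp-content tree it scans is constructed in a temporary directory (the plugin folder names in it are made up), so it runs offline; point scan_tree() at a real document root to use it.

```python
"""Sweep a WordPress tree for the nulled-plugin indicators described above.

Added example, not cPGuard's scanner. Indicators are the dropped file names
named in the post and the rms_remote_manager_init() loader call; the sample
tree is constructed in a temp dir so the script runs offline.
"""
import os
import re
import shutil
import tempfile

# File names the post reports as dropped into plugin packages / mu-plugins.
SUSPECT_NAMES = {
    "rms-script-ini.php",
    "rms-script-mu-plugin.php",
    "rms_unique_wp_mu_pl_flnm.php",
}
# The loader line quoted in the post; the function name is the indicator.
LOADER_RE = re.compile(r"\brms_remote_manager_init\s*\(")


def scan_tree(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if fn in SUSPECT_NAMES:
                findings.append((rel, "dropped file name"))
                continue
            if not fn.endswith(".php"):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(64 * 1024)  # the loader sits near the top of the file
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if LOADER_RE.search(head):
                findings.append((rel, "calls rms_remote_manager_init"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one clean plugin, one trojanised plugin, one mu-plugin dropper."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/plugins/clean-plugin/clean-plugin.php":
            "<?php\n/* Plugin Name: Clean (constructed) */\n",
        "wp-content/plugins/Some Premium Plugin 1.0/some-plugin.php": (
            "<?php\nrequire_once('rms-script-ini.php');\n"
            "rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);\n"
        ),
        "wp-content/plugins/Some Premium Plugin 1.0/rms-script-ini.php":
            "<?php // constructed placeholder\n",
        "wp-content/plugins/Some Premium Plugin 1.0/rms-script-mu-plugin.php":
            "<?php // constructed placeholder\n",
        "wp-content/mu-plugins/rms_unique_wp_mu_pl_flnm.php":
            "<?php // constructed placeholder\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for rel, reason in scan_tree(sample):
            print(f"{reason:32} {rel}")
    finally:
        shutil.rmtree(sample)
```

Matching on the function name rather than on a file hash is deliberate: the dropped files are edited per package, but every copy needs the same loader call in a legitimate plugin file, which is why that call is the reliable indicator. A hit in wp-content/mu-plugins deserves the most attention, since must-use plugins load on every request without appearing in the normal plugin list.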

How to get rid of such issues?

The answer is straightforward: do not install plugins or themes from untrusted sources. If you want to install a plugin or theme, search for and install it from the official WordPress repository, or download the package from the provider's official website. If you try to enjoy the premium features of a paid product for free through such shortcuts, you will end up in serious trouble, including data loss.

Though cPGuard can detect and clean the majority of these malicious injections, we strongly recommend staying away from such plugin providers and using only genuine software.

cPanel Version 88 and ClamAV

cPanel recently announced its latest version, v88, with a handful of features including MySQL 8 support. It is nice to see the much-awaited MySQL 8 support in the test version, but they have also updated their internal ClamAV package, and it has started to conflict with the ClamAV package installed in the operating system.

The change is because they have started offering a solution by default that needs ClamAV to function. We do not have more details, but the update to v88 will be blocked if ClamAV is installed in your operating system. This is going to affect many scripts and software products built on ClamAV integration that depend on the default ClamAV installation. Below is the error you can expect during the v88 update.

Error: cpanel-clamav conflicts with clamav-0.102.2-4.el7.x86_64
Error: cpanel-clamav conflicts with clamav-lib-0.102.2-4.el7.x86_64
Error: cpanel-clamav conflicts with clamav-update-0.102.2-4.el7.x86_64
Error: cpanel-clamav conflicts with clamav-filesystem-0.102.2-4.el7.noarch

cPGuard is integrated with libclamav and therefore needs the ClamAV packages to function. Since this change is inevitable, we are updating our code, and from cPGuard version 3.20 we will use a different approach that complies with it.

So if you have cPGuard version 3.20 installed on your server, you can safely uninstall ClamAV and it will not affect cPGuard's functioning, as we handle it internally during the health check. Please note that it takes a while for the health check to run and fix it automatically.

If you need any clarification or have any questions, please contact support.