frankvh

CPanel virus scanner

This question may be a little disjointed, so please bear with me, because I'm not 100% sure what I'm talking about... :D

I've been thinking of installing Joomla and so I was reading the Joomla forums, specifically their security forum. There are a lot of posts there along the lines of, "My site's been hacked, please help!". Reading those posts, it seems that "evil hacker code" is being added to their PHP and/or HTML files, along with iframes.

Several folks talked about their experiences with detecting & repairing such attacks. Several talked about running a virus scanner from cPanel on their website, which helped identify the modified files. Like in this post:

http://forum.joomla.org/viewtopic.php?f=432&t=408928

Does the HH cPanel have this kind of ability?

Thanks.


We do not give users the ability to scan their files as we've had a ton of abuse of this feature in the past. It uses a lot of CPU and when someone tries to scan an account with thousands of files it can really slow down a server.

These hacks being described are very easy to see as they'll have replaced all files. We also have R1Soft to go and overwrite all those files and you can do that. So we see no reason to have this virus scanner system enabled.


Hmm, that makes sense. I know that when I run the AVG scanner on my PC, it certainly bogs it down, so I can only imagine if you had multiple people doing something similar on one of your servers simultaneously.

"Hmm, that makes sense. I know that when I run the AVG scanner on my PC, it certainly bogs it down, so I can only imagine if you had multiple people doing something similar on one of your servers simultaneously."

Yeah, and I cannot see the gain. On a computer you're looking for viruses that are within memory. On a hosting account all you'd even want to scan for is maybe the JS exploit. It's not like an uploaded HTML file poses any risk to the server.

That's my thoughts on it though, and which is why we do not offer it anymore. With R1Soft it makes it even easier: who cares about what files it's in, just use the last day's backup and set it to overwrite all files in the public_html folder :) Let's just hope you never have to use that feature though. If you do then it probably means your computer has a virus :(


That was the other thing I noticed. On those forums, it seemed the majority of affected people had a trojan on their PC which was stealing their FTP info. Then another (compromised) machine, or even their own compromised PC, would use this FTP logon to grab their source files, edit them, and put the edited files back on the server.

So then the people would see their server files, their website, was corrupted, so they'd do a restore from a backup & change their FTP password. And the very next day their site would be corrupted again! Some of them got very very frustrated. Who can blame them.

Finally they'd work out they had this trojan on their PC. They'd get rid of the trojan, change their FTP password again, restore their site from a backup again, and life would return to normal.

Sounds unpleasant to me - be a good thing to avoid. :)

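The posts above describe site files being silently edited and re-uploaded with a stolen FTP login, and a host that does not offer a CPU-heavy virus scan. As an added example (not part of the original thread), a hash manifest taken while the site is clean can be compared later to list exactly which files changed and which gained `<iframe>` tags; the function names, the `WEB_EXT` set and the sample files are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

IFRAME = re.compile(rb"<iframe\b", re.IGNORECASE)
WEB_EXT = {".php", ".html", ".htm", ".js"}  # assumed set of file types worth tracking

def build_manifest(root):
    """Map each web file's relative path to (sha256 hex, count of <iframe tags)."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXT:
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (hashlib.sha256(data).hexdigest(), len(IFRAME.findall(data)))
    return manifest

def compare(baseline, current):
    """List files added, removed or modified since the baseline, and those that gained iframes."""
    report = {"added": [], "removed": sorted(set(baseline) - set(current)),
              "modified": [], "new_iframes": []}
    for rel, (digest, iframes) in sorted(current.items()):
        old_digest, old_iframes = baseline.get(rel, (None, 0))
        if old_digest is None:
            report["added"].append(rel)
        elif old_digest != digest:
            report["modified"].append(rel)
        if iframes > old_iframes:
            report["new_iframes"].append(rel)
    return report

def demo():
    """Constructed sample: a clean two-file site, then one file gets an iframe appended."""
    with tempfile.TemporaryDirectory() as root:
        index = Path(root, "index.php")
        index.write_text("<?php echo 'hello'; ?>\n")
        Path(root, "about.html").write_text("<html><body>About</body></html>\n")
        baseline = build_manifest(root)  # taken while the site is known to be clean
        with index.open("a") as fh:      # simulate the kind of edit described in the thread
            fh.write('<iframe src="http://injected.example/" width="1" height="1"></iframe>\n')
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Run against a local copy of `public_html`, with the baseline manifest stored somewhere the FTP account cannot write to, so a compromised login cannot rewrite both the files and the manifest.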

We've had quite a few customers, as well as reseller customers as well as VPS customers, all be hit by viruses that compromise FTP passwords. The most difficult thing we've had to do was convince them that this was the entry point. We restore the account from backup, change their password, then a day later it's compromised again.

The most interesting one was a reseller's customer who kept getting hit. We finally convinced the reseller to not give the user their password and, what do you know, the site is not compromised again within 24 hours!

These sorts of mass file replacements were really more common with the server being compromised, so I can understand users saying ooh it's the server. But now it's pretty apparent, with all the posts all over the internet, that it's in fact viruses stealing passwords and not servers that are compromised changing all files on a machine.


I've been surprised how many businesses that deal with customer-supplied files on a daily basis, won't pay the money to run a professional AV software on their network, once the trial subscription runs out they just hope nothing happens. Lots of small printers, frex -- which imo is really dumb, because when you have customers emailing you files from everywhere you don't know where they've been, so to speak :rolleyes: Not everyone is on a Mac - and even Macs get viruses, even if it isn't very many. So, a gamble with your security, every day.

But I didn't know that these kinds of viruses could also infect your website from your own local computer, too. This is something Maybe I will be able to convince my boss that we should spring for a subscription to Norton this way...nah, he'd rather use duck tape to fix the machines, what am I thinking???


The bug of interest here is Gumblar. If you haven't already read this, it's pretty interesting:

http://news.cnet.com/8301-1009_3-10251779-83.html

It's quite the multi-talented thing.

Regarding your comment, if a customer gave you files on a USB key, and you gave them back their USB key with a virus on it, would you lose that customer? Would that (ex)customer also tell others? Seems to me that would be reason enough to pay for a subscription to sophos or avg.


"Regarding your comment, if a customer gave you files on a USB key, and you gave them back their USB key with a virus on it, would you lose that customer? Would that (ex)customer also tell others? Seems to me that would be reason enough to pay for a subscription to sophos or avg."

I agree, Frank - but between the customers who ALSO don't believe in AV software as a needless expense, the ones who think that every standard OS error message box is a sign of a virus (!), and the general poor state of security awareness and general knowledge in the small printshop world (people who tend to believe that "reformat the hard drive!" or "run DiskFix!" are the only solutions to every problem, and then they reinstall the same buggy conflict-ridden software that caused the problem, rinse/repeat) and the fact that everything's rush/rush/rush - no time to wait even for a disk scan in this business! - I suspect that there are quite a few viruses being swapped around printing, and just nobody realizes it.

Also, fortunately, there are at least afaik not many viruses that infect the most commonly used programs like Quark or Pagemaker/Indesign - there have been scares about viruses in images, but in all my years of being careful running AV myself personally as a graphics /prepress tech, I've never seen one - however, Word macro viruses are an entirely other story... sigh....

PS: getting back to your original topic, before you install Joomla, I recommend you first download & go through the manual - I was involved briefly in a Joomla site and it's a really complicated interface/structure, imo, though YMMV & I'm a very basic HTML/CSS sort.


That's good advice, and it's the same reason I was reading the docs & forums on the Joomla site. In the end I decided Joomla was too complex for what I wanted to do & for my skill level. Eventually I chose CMS Made Simple, ported my site over to it, and I'm actually quite happy. It was a pretty good experience.

