Server side alerts

Malware

Definition

Malware is short for "malicious software". In Nimbusec, malware usually refers to viruses, worms, trojan horses, JavaScript exploits and many other types of software that aim to compromise a website visitor's computer.

How is it detected

When Nimbusec visits a website, all data received is analysed with multiple commercial and open source anti-virus engines. If any of those engines reports suspicious data, Nimbusec raises an alert.

Alert levels

Act fast! Your website visitors are being attacked right now. This represents a major legal and reputational risk for you. Please consider putting your website into maintenance mode right away. Before attempting to clean up your site, back up your entire webspace and database. Then determine which part of your website was responsible for distributing malware. Often malware is distributed through advertisement banners, JavaScript attacks or compromised downloads. Nimbusec reports the URL of the detected malware; use it as the starting point for your analysis. If you cannot determine the problem yourself, ask an IT forensics expert for help. You can find additional information at StopBadWare.org (https://www.stopbadware.org/my-site-has-badware).

Webshell

Definition

A webshell is a script that can be uploaded to a web server to enable remote administration of the machine. Webshells are usually found by Nimbusec's Server Agent. This result type is in many ways similar to the Malware result type, except that it contains more information and its paths are file paths. You can find more information about webshells at US-CERT (https://www.us-cert.gov/ncas/alerts/TA15-314A).

How is it detected

Alert levels

Webshells often stay inactive for weeks before they cause damage. Even so, they are usually able to deface a website completely or abuse your web server's resources. Before attempting to clean up your site, back up your entire webspace and database. Investigate the indicated file and the related log entries, and remove the malicious code. Then start a forensic analysis, based on file metadata and log entries, of the vulnerability that allowed the malware to be placed. Often outdated web applications (e.g. CMS systems) are exploited for malware placement.

Configuration

TLS

Definition

We perform several checks on the TLS protocol and certificates to ensure that traffic to the website is actually secure. Checks:

Details on specifics like ciphers can be found in our FAQ section here.

How is it detected

It is detected via the Nimbusec Cloud Scan.

Alert levels

Update or renew your TLS certificate if it is about to expire or permits an unsafe configuration. Where possible, update the server configuration to follow e.g. the SSL/TLS Deployment Best Practices.

Application

Definition

This scan tries to detect installed applications, content management systems (CMS), web servers and other software in use. This information, together with a large knowledge base of software versions and Common Vulnerabilities and Exposures (CVE) databases, is used to report possibly vulnerable and exploitable software on a web server as seen through a website, and whether software, especially a CMS, is outdated and in need of an update.

How is it detected

Alert levels

If software is outdated and vulnerable, update it to the most recent version.

Sometimes an update cannot be performed. At first sight that is not a problem; just take a closer look at the specific website. The software vendor may provide patches for this specific version that fix some security flaws. At the very least, the monitoring interval can be shortened so that, if something happens, the website owner is the first to know.

Downloadable Sources

Definition

Downloadable sources are files suspected to be accessible from the outside that may contain passwords or other confidential information, which could be used to compromise the web server, to make a public statement or to leak information. This can be, for example:

How is it detected

It is detected via the Nimbusec Server Agent.

Alert levels

Find the file on the server and find out whether it is accessible externally. If it is needed by the underlying software and contains critical data, you may be able to restrict its access permissions (.htaccess, Linux permissions, ACLs, ...). If it is not needed there, move or delete it.

It may be an automated backup created by a plugin or other software. Try to configure that software to store the backup in a place that is not publicly accessible.
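As an added example for the two steps above (this is not Nimbusec's own code), the POSIX shell script below lists world-readable dump, backup and credential files under a web root, and writes an Apache 2.4 .htaccess rule that denies HTTP access to such files while they are still needed on disk. The web-root path, the file-name patterns and the Apache setup (AllowOverride enabled) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Nimbusec documentation.
# Assumptions: the web root is passed as $1; Apache 2.4 reads .htaccess there.

# List regular files under the web root ($1) whose names suggest dumps,
# backups or credentials AND that are readable by "others" (-perm -o=r),
# i.e. exactly the kind of file a web server would happily serve.
# Prints one absolute path per line; empty output means nothing was found.
find_downloadable_sources() {
    find "$1" -type f -perm -o=r \( \
        -name '*.sql' -o -name '*.bak' -o -name '*.old' \
        -o -name '*.zip' -o -name '*.tar' -o -name '*.gz' -o -name '*.tgz' \
        -o -name '.env' -o -name '*~' \) 2>/dev/null | sort
}

# Weak setting: no rule at all, so any URL pointing at such a file serves it.
# Hardened setting: write an .htaccess into the web root ($1) that returns
# 403 for those file types. Files that are not needed should still be moved
# out of the web root or deleted; this rule only covers the ones that must stay.
write_deny_rules() {
    cat > "$1/.htaccess" <<'EOF'
# Deny direct download of dumps, backups and credential files (Apache 2.4)
<FilesMatch "(\.(sql|bak|old|zip|tar|gz|tgz)|~|^\.env)$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: sh check_sources.sh /var/www/html   (example path, adjust to your host)
if [ "$#" -ge 1 ]; then
    find_downloadable_sources "$1"
fi
```

Review the listed paths against what the underlying software actually needs before deciding between restricting access and removing the file.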


Revision #1
Created 4 August 2021 09:10:51 by Patrick Wall
Updated 4 August 2021 11:53:41 by Patrick Wall