Today we are proud to announce our next major release, 1.25.0, of the ISPProtect Malware Scanner. ISPProtect is malware scanning software for web servers, developed by ISPConfig.
We introduced a new scan level, 1.1, that searches for PHP code hidden inside files with image file names. It is a widespread tactic of attackers to hide malicious PHP code inside image files that contain either dummy image data or no image data at all.
This short eval (evil!) code snippet would attract attention quickly when found in a PHP file. But what if it is stored as statistics.gif and then there is this in the main PHP file:
Those lines of code are often overlooked when searching for obvious infections.
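A minimal check of this kind, as an added example (not ISPProtect's own code or rule set): it flags image-named files that carry a PHP open tag or lack an image header. The extension list, reason labels and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg", ".webp", ".bmp", ".ico"}
# Leading bytes of common image formats (GIF, PNG, JPEG, RIFF/WebP, BMP, ICO).
MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff",
         b"RIFF", b"BM", b"\x00\x00\x01\x00")
# Long-form open tag only; the short tags "<?" and "<?=" match too much binary data.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)
# Constructed sample files with a harmless payload (assumption, for the demo run).
SAMPLES = {
    "clean.gif": b"GIF89a" + b"\x00" * 32,                              # ordinary image
    "statistics.gif": b"<?php echo 'demo'; ?>",                         # no image data
    "banner.gif": b"GIF89a" + b"\x00" * 32 + b"<?php echo 'demo'; ?>",  # dummy image data
    "index.php": b"<?php echo 'page'; ?>",                              # not image-named
}


def inspect_image(path):
    """Return the reasons why an image-named file looks suspicious."""
    data = Path(path).read_bytes()
    reasons = []
    if not data.startswith(MAGIC):
        reasons.append("no-image-header")
    if PHP_TAG.search(data):
        reasons.append("php-open-tag")
    return reasons


def scan_tree(root):
    """Walk root and return {relative path: reasons} for suspicious image files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            reasons = inspect_image(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    for name, data in SAMPLES.items():
        (root / name).write_bytes(data)
    for path, reasons in sorted(scan_tree(root).items()):
        print(f"{path}: {', '.join(reasons)}")
```

A hit only shows where the payload is stored; the PHP file that includes the image still has to be found and cleaned.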
Furthermore, we improved some heuristic rules for malware scans, including our "Level-4-Scan" that is executed by using the --db-scan switch. For example, it recognizes some hints of the currently widespread infection of WordPress instances by "Trollherten" through a security issue in the WP GDPR Compliance plugin (you should update to the latest version ASAP, by the way).
A new type of malware has caught our attention: it hides its malicious behaviour by shifting characters. Here is some simplified dummy code:
This is nothing else but
or even simpler
ISPProtect users will get the new version automatically. The ispp_scan command will ask you whether it should update itself to the new version on the next run of the scanner. If you use ISPProtect as a cronjob with the --update option, the update will be installed automatically. To use the new database scan in cronjobs, add the option --db-scan to the cronjob line.
To try ISPProtect on a new server, follow these instructions:
Download ISPProtect to the /tmp folder of your server and start the scan by running the ispp_scan command. Enter the word "trial" when the scanner asks for the license key. No registration is required.
tar xzf ispp_scan.tar.gz
More about ISPProtect and details on licensing options can be found at ispprotect.com.
Your ISPConfig team