Wednesday, March 8, 2023

Monarx and Patchman added to all Web Hosting Plans.

Here is a brief intro to the two new security plugins added to your cPanel Hosting Account.

Monarx

Monarx is a different kind of next-generation web application firewall. Rather than judging PHP code by how it looks (its signature), which an attacker can obfuscate or re-encode at will, much as polymorphic viruses do, it judges code by what it does when it runs. Behavior-based detection produces fewer false positives, so legitimate files on clean sites are less likely to be flagged, and it catches new web shell variants before anyone has written a signature for them (the zero-day case).

Here’s how the actual process works.

  1. The Monarx agent is installed on our shared hosting servers. It has two modules: Protect, which tracks and blocks the execution of web shell payloads, and Hunter, which runs weekly full scans plus real-time scans for web shells and compromised source files.
  2. The agent downloads security rules covering common web applications and content management systems (CMS).
  3. Any file the agent flags as malicious is handled according to those rules and, where needed, sent to the Monarx Cloud for further analysis, which keeps the heavy lifting off the hosting server.
  4. PHP-based web shells and backdoors are blocked from executing, a technique Monarx calls "post exploit payload prevention."
  5. Our system administrators pull Monarx events through its API into our security information and event management (SIEM) tooling, giving visibility across all shared hosting accounts so that code injection and similar attacks are spotted sooner.

As you can see, Monarx does a lot in the background that a conventional web application firewall (WAF) does not. The best part: you can review Monarx activity in cPanel, but there is nothing to configure. Just know that it's there.
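To make the "how it looks" versus "what it does" distinction concrete, here is a small triage heuristic written for this article. It is an added example, not Monarx's engine or any of its rules, and the three PHP snippets it scores are constructed for the demo. A literal signature finds the plain one-line shell but misses the same shell once its payload is base64-wrapped; a check on behavior (request-controlled input reaching a code or command sink, after peeling decoder layers) still flags it, while the ordinary theme file scores zero.

```python
"""Signature vs. behaviour: a minimal PHP web-shell triage heuristic.

Added example for this article, not Monarx code. The sample PHP sources
below are constructed for the demo.
"""
import base64
import re

# --- Constructed samples -------------------------------------------------
CLEAN_PHP = """<?php
// Ordinary theme helper: reads a config value, no request-controlled execution.
$cfg = json_decode(file_get_contents(__DIR__ . '/config.json'), true);
echo htmlspecialchars($cfg['title']);
"""

PLAIN_SHELL = """<?php
// Classic one-line shell: request input flows straight into a command sink.
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
"""

# Same behaviour, but the payload is base64-wrapped so a literal match on
# 'system($_REQUEST' no longer finds it.
_inner = "system($_REQUEST['cmd']);"
OBFUSCATED_SHELL = "<?php eval(base64_decode('%s'));" % base64.b64encode(_inner.encode()).decode()

# A signature in the 'looks like' sense: one exact string.
SIGNATURE = "system($_REQUEST"

# Sinks that execute code or commands, request-controlled sources, and decoders.
SINKS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
DECODERS = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\("


def signature_match(src: str) -> bool:
    """The 'how it looks' check: one exact byte sequence."""
    return SIGNATURE in src


def decode_layers(src: str, max_depth: int = 5) -> str:
    """Peel base64_decode('...') wrappers so the heuristic sees the inner code.
    Only base64 is handled here; a real engine unwinds every decoder it knows."""
    for _ in range(max_depth):
        m = re.search(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", src)
        if not m:
            break
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            break
        src = src[:m.start()] + inner + src[m.end():]
    return src


def behaviour_score(src: str) -> int:
    """The 'what it does' check: score on data flow, not spelling."""
    score = 0
    if re.search(DECODERS, src):
        score += 1                      # decoding right before execution is itself a signal
    unwrapped = decode_layers(src)
    if re.search(SINKS, unwrapped):
        score += 2                      # a code/command sink is present
    if re.search(SINKS + r"[^;]*" + SOURCES, unwrapped):
        score += 3                      # strongest signal: request input inside a sink call
    return score


def classify(src: str, threshold: int = 3) -> str:
    return "malicious" if behaviour_score(src) >= threshold else "clean"


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_PHP), ("plain", PLAIN_SHELL), ("obfuscated", OBFUSCATED_SHELL)):
        print(f"{name:11} signature={signature_match(src)!s:5} behaviour={behaviour_score(src)} -> {classify(src)}")
```

The scoring is deliberately crude: real engines unwind many more encoders, follow variables across statements and weigh context, and Monarx's rule set is not public. The point the example makes is structural: obfuscation defeats the exact-match check at zero cost to the attacker, while the data-flow check survives it.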

What is a Web Shell?

A web shell is a malicious script (on our platform, almost always PHP) that an attacker places on a web server and then drives over ordinary HTTP requests to run commands on the system without authorization. Web shells are a serious threat because they are hard to detect and give the attacker a foothold with the privileges of the web server process, which can then be used for:

  • Website defacement
  • Launching distributed denial of service (DDoS) attacks against other targets
  • Privilege escalation to reach restricted services
  • Anything else the compromised account can do, or anything root can do after a successful escalation

Once a web shell is in place, the attacker usually uses it to spawn an interactive shell. Those come in three forms.

Bind shell: the victim's system is made to listen on a specific port and the attacker connects in (a classic backdoor).

Reverse shell (connect-back shell): the victim's system initiates an outbound connection to the attacker's machine or command and control (C2) server, which gets past firewalls that block inbound connections but allow outbound ones.

Double reverse shell: a reverse shell in which the target machine uses separate connections (ports) for input and output.

The typical steps an attacker takes to get there:

  1. Exploit a vulnerability (often an unrestricted file upload or a vulnerable plugin) to place a web shell on the target machine.
  2. Move or copy the shell into a publicly reachable directory so it can be requested over HTTP.
  3. Request the shell over HTTP to run commands, upload tools, or modify site files.

In summary, blocking web shell execution breaks this chain and reduces the chance of your website being used for crypto mining, spamming, and other malicious purposes.
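The attack sequence above leaves a recognisable trail in the server's access log: PHP executing from a directory that should only ever hold uploads, command-style parameters sent to a script, and POSTs to a file nothing on the site ever linked to. The following detector is an added example for this article (not Monarx code, and not how Monarx works internally); the six log lines it reads are constructed for the demo in the combined log format cPanel writes, with documentation-range IP addresses, and the rules and thresholds are the author's assumptions.

```python
"""Spotting web-shell use in an Apache/cPanel access log.

Added example for this article, not Monarx code. SAMPLE_LOG is constructed
for the demo: a legitimate login and media upload from one client, an
attacker driving a shell dropped under wp-content/uploads from another,
and an ordinary image fetch from a third.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2413 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [08/Mar/2023:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [08/Mar/2023:10:02:15 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 87 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.23 - - [08/Mar/2023:10:03:40 +0000] "GET /wp-content/uploads/2023/03/image.php?cmd=id HTTP/1.1" 200 164 "-" "python-requests/2.28"
198.51.100.23 - - [08/Mar/2023:10:03:41 +0000] "POST /wp-content/uploads/2023/03/image.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
192.0.2.55 - - [08/Mar/2023:10:05:00 +0000] "GET /wp-content/uploads/2023/03/photo.jpg HTTP/1.1" 200 90211 "https://example.test/blog/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that legitimately hold user content and should never execute code
# (assumed layout for WordPress, Drupal and Joomla installs).
UPLOAD_DIRS = ("/wp-content/uploads/", "/sites/default/files/", "/images/", "/media/")
EXEC_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:$|[/?])", re.I)
SHELL_PARAMS = re.compile(r"[?&](?:cmd|exec|command|shell)=", re.I)


def parse(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str):
    """Return a list of (rule, client_ip, path) findings over the whole log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        target = rec["target"]
        path = target.split("?", 1)[0]
        # Rule 1: a script executing from a directory that should only hold uploads.
        if target.startswith(UPLOAD_DIRS) and EXEC_EXT.search(target):
            findings.append(("php_in_upload_dir", rec["ip"], path))
        # Rule 2: command-style query parameters sent to a script.
        if EXEC_EXT.search(path) and SHELL_PARAMS.search(target):
            findings.append(("command_param", rec["ip"], path))
        # Rule 3: a POST to a script with no Referer, i.e. no page on the site led here.
        # Caveat: legitimate API clients (XML-RPC, REST) also POST without a Referer,
        # so on its own this rule is a weak signal and belongs alongside the others.
        if rec["method"] == "POST" and EXEC_EXT.search(path) and rec["referer"] == "-":
            findings.append(("referer_less_post", rec["ip"], path))
    return findings


def suspicious_ips(findings, min_hits: int = 2):
    """Clients that tripped at least min_hits rules, most active first."""
    hits = Counter(ip for _, ip, _ in findings)
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, ip, path in found:
        print(f"{rule:18} {ip:15} {path}")
    print("suspicious:", suspicious_ips(found))
```

Run against the sample, only the 198.51.100.23 client trips any rule, and it trips all three; the legitimate login, the admin upload through async-upload.php and the image fetch from the uploads directory all pass. On a real server the same logic runs over the account's access log, and the file paths it surfaces are the ones to cross-check against the Monarx Details tab.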

How to Access Monarx cPanel Plugin

There are no complicated steps required to monitor Monarx security events:

  1. Log into cPanel.
  2. Under “Security” select “Monarx Security.”
  3. Refresh the page (F5) if you see the message "Monarx is still attempting to provision your account. Please refresh the page. If the problem persists, check back later."

The Monarx dashboard will state that “you’re protected” and “your site is free of malware!” (if not, contact Live Support). On the right side is a list of what types of malware Monarx fights automatically:

  • Uploaders that give an attacker file-write access to your account
  • Web shells, which enable an advanced persistent threat (APT) to keep a foothold
  • Phishing and cybersquatting pages injected into your site
  • Mailer scripts that send spam spoofing your email accounts
  • Adware scripts embedded in your site
  • Other malware that can infect visitors to your site

[Screenshot: Monarx cPanel dashboard]

Select the "Details" tab to view files in your account that Monarx has flagged as suspicious. Each entry shows:

  • Date and time discovered
  • Absolute file path
  • Classification (malicious or compromised/infected)
  • Status of the file (quarantined, blocked from executing, cleaned of malware, or logging for further action)
  • Type
[Screenshot: Monarx Details page]

There is one interactive feature for end users at this time. If you believe a file that Monarx marked as clean is actually compromised, you can submit it for further review. Log into cPanel Terminal, or SSH, and run the following command (replacing "filename" with the actual file):

Contact Me for further assistance.

For each detection, Monarx also records additional information for later reference, including:

  • File hash (SHA-256 or stronger)
  • Source IP address and country of origin
  • Affected web applications (e.g. CMS plugins and themes)

cPanel Security

Monarx is one layer, not a complete defense-in-depth stack. You should still have a traditional firewall, a WAF in front of your web applications, and antivirus (AV) software.

All Web Hosting plans also include Patchman, which detects and patches known vulnerabilities in WordPress, Drupal, and Joomla. Most popular CMSs also offer security plugins you can install for free.

Patchman

Patchman is a malware and vulnerability detection and patching tool. It can detect and safely fix known vulnerabilities in many web applications, including WordPress 3.x and later, Joomla! 1.5.x and later, and Drupal 5.x and later. This saves time and frustration by closing holes before they are exploited. Patchman can also undo any automatic change it has made. It is included free of charge on our business class and reseller class hosting plans.

How Do I See If Patchman Made Any Changes?

  1. Log into cPanel
  2. From the Advanced section, click on Patchman 
  3. On the Patchman page, the detections for your account are listed in a table at the bottom. A vulnerability with the status Resolved means Patchman has already patched the file.

How Do I Undo Changes Patchman Has Made?

  1. Log into cPanel
  2. From the Advanced section, click on Patchman
  3. In the detections table, click on Actions
  4. Click on Undo patch
  5. The Status column for the undone patch will now show as Reverted
