The Pyxsoft antimalware plugin for cPanel/WHM protects your server from attacker scripts such as c99shell, r57shell, ANIShell, and hundreds more. It is a real-time anti-malware tool for cPanel/WHM. By uploading one of these scripts, attackers can take control of your servers or damage your customers’ data.
The Pyxsoft antimalware plugin protects your server in two ways:
- Protecting the server’s six entry points:
  - SQL Injection
  - Legitimate Access (SSH, cPanel etc)
  - Web Forms
  - Brute Force Attacks
  - Installed Trojans or shells
- With additional methods:
Scanning all changes every night :
Every night the Pyxsoft antimalware plugin scans all the files changed during the last day and mails the results to the root administrator. The scan is small and will detect all the new malware installed on the server.
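A nightly scan limited to recently changed files can be approximated with standard tools. The following is an added example, not the plugin's own code: it assumes ClamAV's `clamscan` and a local `mail` command are installed, and `SCAN_ROOT`, `REPORT_TO` and the script path are hypothetical names. It also matches on ctime, so a file whose modification time was backdated is still scanned.

```shell
#!/bin/sh
# Added illustration of a nightly "changed files only" scan; NOT Pyxsoft's code.
# Assumptions: clamscan and mail are installed; SCAN_ROOT and REPORT_TO are
# hypothetical settings.
SCAN_ROOT="${SCAN_ROOT:-/home}"
REPORT_TO="${REPORT_TO:-root}"

# Print regular files under $1 changed in the last 24 hours.
# -mtime can be backdated with touch; -ctime (inode change time) cannot be set
# that way, so testing both catches files with a forged modification time.
# -xdev keeps find on one filesystem (skips mounted backups and the like).
list_changed_files() {
    find "$1" -xdev -type f \( -mtime -1 -o -ctime -1 \) -print
}

# Scan the changed files at the lowest CPU priority and mail any findings.
# Returns clamscan's exit status: 0 = clean, 1 = malware found, 2 = error.
nightly_scan() {
    list=$(mktemp) || return 2
    report=$(mktemp) || { rm -f "$list"; return 2; }
    list_changed_files "$1" > "$list"
    rc=0
    if [ -s "$list" ]; then
        # --file-list reads one path per line, so a file name containing a
        # newline is not handled here.
        nice -n 19 clamscan --infected --no-summary \
            --file-list="$list" > "$report" 2>&1 || rc=$?
        if [ "$rc" -ne 0 ]; then
            mail -s "Nightly malware scan: status $rc on $(hostname)" \
                "$REPORT_TO" < "$report"
        fi
    fi
    rm -f "$list" "$report"
    return "$rc"
}

# Example root crontab entry (script path is a placeholder):
#   30 3 * * * /root/bin/nightly_scan.sh
# where the script ends with:  nightly_scan "$SCAN_ROOT"
```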
Blocking generic bad-requests :
The Pyxsoft antimalware plugin employs many Mod Security rules that reject PHP injection, SQL injection and many known script vulnerabilities such as the Timthumb exploit, the Joomla password change exploit, the OsCommerce upload exploit, and many more. It will keep customers safe even if their scripts are unsafe and out of date. Always remember that the Pyxsoft antimalware plugin helps you manage your servers; it does not replace the administrator.
There are also certain cases where Pyxsoft antimalware plugin will not provide protection. These are as follows:
- If an attacker steals or guesses your SSH password.
- If you don’t delete the malware found in the regular scan.
- If your server is already hacked with a rootkit.
- Malware uploaded via the cPanel file manager will be detected at the night scan.
Scanning your whole server :
- Initially the Pyxsoft antimalware plugin scans the entire server to find installed malware. The definitions include the ClamAV database and 6,000 additional malware signatures covering perl files, PHP shells, PHP uploaders, PHP downloaders, IRC bots and mass mailers.
- You will get a detailed list of the infected files once the scan of the server is finished. The scan is run with the Linux nice command. Scanning the whole server will not increase the server load by more than 1 or 1.5 units.
Inspecting uploads :
The most important point is that customers never upload PHP scripts using HTML forms. The Pyxsoft antimalware plugin scans all HTTP and FTP files in real time. All perl and PHP scripts are rejected in HTTP uploads. If you have the Pyxsoft antimalware plugin inspect all HTTP uploads from the moment you start a new server, the chance of being hacked is reduced.
Attackers try every newly discovered script vulnerability. Many times, attackers have a user name and password for Wordpress, Joomla or OsCommerce sites and can use them to upload malware scripts. Even in those cases, they will not be able to upload their scripts.
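Rejecting script uploads by content rather than by file extension can be illustrated with ModSecurity's `@inspectFile` operator, which runs an external program on each uploaded temporary file. The following is an added example, not the plugin's own code; the rule id, script path and the `inspect_upload` function name are assumptions.

```shell
#!/bin/sh
# Added illustration of an upload-inspection hook; NOT Pyxsoft's code.
# @inspectFile reads one line from the program: a leading "1" means clean,
# anything else makes the rule match. Example rule (id and path are placeholders):
#   SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/inspect_upload.sh" \
#       "phase:2,t:none,deny,status:403,log,id:1000001,msg:'Script upload rejected'"

# Print the verdict line for the uploaded file at $1.
inspect_upload() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "0 unreadable upload"          # fail closed
        return 0
    fi
    # Decide by content, not extension: a PHP file renamed to photo.gif still
    # contains a PHP open tag. -a makes grep treat binary data as text.
    if LC_ALL=C grep -a -i -q -e '<?php' -e '<script language="php"' "$f"; then
        echo "0 PHP code in upload"
        return 0
    fi
    # perl or PHP interpreter named on the shebang line
    if head -n 1 "$f" | LC_ALL=C grep -a -E -q '^#!.*(perl|php)'; then
        echo "0 perl/PHP script in upload"
        return 0
    fi
    # Optional signature check when ClamAV is installed (exit 1 = infected).
    # clamscan reloads its database on every call; clamdscan is faster.
    if command -v clamscan >/dev/null 2>&1; then
        rc=0
        clamscan --no-summary --infected "$f" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "0 ClamAV signature match"
            return 0
        fi
    fi
    echo "1 OK"
}

# When installed as the hook script, the file ends with:  inspect_upload "$1"
```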
For the Pyxsoft antimalware plugin to work properly, the following are needed:
- WHM/cPanel version 11.30 or later
- Apache Web Server
- Mod Security 2.5 or later installed
- Internal WHM Ioncube loader enabled
- ClamAV Antivirus installed
(Pyxsoft antimalware plugin doesn’t work with Lighttpd, Litespeed or Nginx web servers.)
The plugin will work in trial mode for 7 days even if you don’t have a license.
Installing & configuring the Pyxsoft antimalware plugin
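To install the Pyxsoft antimalware plugin, execute the following commands in an SSH console. The archive is downloaded over plain HTTP and install.sh runs as root, so review the script before running it: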
root@server [~]# cd ~
root@server [~]# wget http://www.pyxsoft.com/software/antimalware/anti_malware.tar.gz
root@server [~]# tar -xzf anti_malware.tar.gz
root@server [~]# cd anti_malware
root@server [~]# sh install.sh
If the installation is completed successfully, enter WHM and go to Pyxsoft Antimalware.
Installing Mod Security
Perform the following steps to install Mod Security, and take care when recompiling the system. (Do it at your own risk.)
- Log into your WHM panel
- Click on EasyApache option
- Click on “Previously Saved Config” and the “Start customizing based on profile” button.
- Select Apache 2.2 (or Apache 2 if you use PHP 4) and go to Next Step
- Select your preferred PHP Version. PHP 5 is recommended. Go to Next Step.
- Select minor version or use the selected one. Go to Next Step.
- Check the Mod Security option. Leave the other options as suggested.
- Click “Save and Build”. Click on “Yes” when asked to recompile Apache and PHP.
- Wait until the process is finished.
Follow these steps to enable the internal ioncube loaders, which are needed to run the Pyxsoft antimalware plugin.
- Log into your WHM panel
- Go to Tweak Settings > PHP
- Select “ioncube” in cPanel PHP loader. If source guardian was selected, you probably have another extension that conflicts with the Anti Malware Plugin.
- Save changes.
Installing ClamAV is easier than installing Mod Security. The steps are as follows:
- Log into your WHM panel
- Click on Manage Plugins option.
- At the right side of the screen, locate ClamAV and check “Install and keep updated”
- Press Save
cPanel will take about 20 minutes to install ClamAV on your server, and the operation should not be interrupted.
Uninstalling the Pyxsoft antimalware plugin
To uninstall the Pyxsoft antimalware plugin, execute the following commands in an SSH console:
root@server [~]# cd /usr/share/ilabs_antimalware/includes
root@server [~]# sh uninstall.sh
After uninstalling the Pyxsoft antimalware plugin, verify that your Apache (httpd) and FTP (pure-ftpd) services are running.
Screenshots of Pyxsoft antimalware plugin in WHM
General Settings : Here we can set the common settings for the plugin
HTTP Inspector : We can set the HTTP inspector configuration, Wordpress protection etc from here.
FTP Inspector : FTP inspector configuration (Enable FTP upload inspector, Quarantine virus, Quarantine malware, etc)
Auto Quarantine : Here we enable / disable the auto quarantine
License : View the license details of the plugin
Malware Scanner : Scan one account, Scan all accounts in server, Review scan report, Manage quarantine
Security Tools : Brute Force Protection, HTTP firewall, Mod Security Protection