[NOT I-MSCP RELATED] Malicious Apache Module Injects Iframes

  • Be aware administrators:
    http://blog.unmaskparasites.co…e-module-injects-iframes/


    This fault is not caused by i-MSCP, but it's just a warning to check your systems for "possible" breaches.


    ****


    Edit: One thing you can do to prevent people from easily finding your Apache version is to modify your security configuration for Apache.
    nano/vi /etc/apache2/conf.d/security


    Change:
    ServerTokens Prod
    ServerSignature Off
    and
    TraceEnable Off


    & restart Apache: /etc/init.d/apache2 restart


    This will make it harder to find and exploit your installation if Debian/Ubuntu is affected by this.
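
Added example, not part of the original posts: a small POSIX shell audit that reads one Apache config file and reports whether the effective `ServerTokens`, `ServerSignature` and `TraceEnable` values match the settings recommended above. The function names, the sample files and the single-file scope (no `Include` or per-vhost overrides) are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit one Apache config file for ServerTokens,
# ServerSignature and TraceEnable. Assumptions: a single file is checked
# (no Include or per-vhost overrides), the last uncommented occurrence
# wins, and a missing directive falls back to Apache's documented default.

effective_value() {  # usage: effective_value DIRECTIVE DEFAULT FILE
    awk -v want="$1" -v val="$2" '
        /^[ \t]*#/ { next }                                  # comment line
        NF >= 2 && tolower($1) == tolower(want) { val = $2 } # names are case-insensitive
        END { print val }
    ' "$3"
}

audit_apache_hardening() {  # prints PASS/FAIL lines, returns the FAIL count
    failures=0
    # directive:Apache default:value recommended in the post
    for rule in ServerTokens:Full:Prod ServerSignature:Off:Off TraceEnable:On:Off; do
        name=${rule%%:*}; rest=${rule#*:}
        default=${rest%%:*}; expected=${rest#*:}
        actual=$(effective_value "$name" "$default" "$1")
        if [ "$(echo "$actual" | tr 'A-Z' 'a-z')" = "$(echo "$expected" | tr 'A-Z' 'a-z')" ]; then
            echo "PASS $name $actual"
        else
            echo "FAIL $name $actual (expected $expected)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample inputs (not taken from a real server).
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
#ServerSignature Off
ServerSignature On
# TraceEnable Off
EOF
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Full
  servertokens prod
ServerSignature Off
TraceEnable off
EOF

audit_apache_hardening "$WEAK_CONF" || echo "weak sample: $? finding(s)"
audit_apache_hardening "$HARDENED_CONF" && echo "hardened sample: clean"
```

On a real system, pass the path of the file edited above (for example `/etc/apache2/conf.d/security`) to `audit_apache_hardening`; a commented-out `TraceEnable Off` is reported as a failure because Apache then falls back to its default of `On`.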

  • Here is another approach to confuse people about the web server you are running:


    Code
    aptitude install libapache-mod-security
    a2enmod mod-security


    Then open the file /etc/apache2/conf.d/security and change the ServerSignature


    Code
    ServerSignature On

    to

    Code
    SecServerSignature Microsoft-IIS/8.0


    After SecServerSignature you could enter whatever you want.


    Finally reload apache


    Code
    service apache2 reload


    Install Firefox extension Domain Details and check on the Add-on Bar:



    Patched i-MSCP 1.5.4 on Debian Stretch | Apache 2.4.54 | Nginx 1.23.0 | OpenSSL 1.1.1 | php 7.0 - 8.1 | Dovecot 2.3.17.1 | Bind 9.11.5 | Postfix 3.1.15 | MariaDB 10.1.48 | ProFTPD 1.3.5b | Rspamd 2.7 | ClamAV 0.103.6 | Roundcube 1.5.3 | CrowdSec 1.4.0

  • Microsoft-IIS/8.0... all people will think I'm a noob. That's too embarrassing hahah

  • Then use this ;)


    Code
    SecServerSignature nginx/1.5.2
