Monarx Security is a PHP malware protection service for helping web hosting providers secure customer’s websites and applications, particularly against web shell attacks. InMotion Hosting customers can monitor Monarx activity for free from the cPanel interface.
But what does the Monarx security service actually do? And what are web shells?
Monarx Security is only available for Shared Hosting plans at this time.
What is Monarx Security?
Monarx is a unique type of next-generation web firewall (NGFW). It is focused more on the behavior of PHP code, not just how it looks or it’s signature, both of which can be obfuscated (e.g. polymorphic viruses). This mitigates the possibility of files being falsely marked as malicious, which can lead to issues in clean websites, and decreases the amount of time required to detect zero-day vulnerabilities.
Here’s how the actual process works.
- The Monarx agent is installed on our shared hosting servers. The agent consists of two modules. Protect tracks and blocks execution of web shell payloads. Hunter runs weekly full scans and real-time scans for compromised source binaries and web shells.
- The Monarx agent downloads security rules related to web apps and content management systems (CMS).
- Any files flagged as malicious by the Monarx agent are automatically processed per security rules and sent to the Monarx Cloud for further analysis, offloading server resource demands.
- PHP-based web shells/backdoors are blocked from executing, a technique they dubbed “post exploit payload prevention.”
- Our system administrators are able to use the Monarx API for greater Security Information and Event Management (SIEM) across all shared hosting accounts to better detect code injection and similar attacks.
As you can see, this software-as-a-service (SaaS) does a lot in the background that isn’t common with other web application firewalls (WAF). The best part about it: you can check Monarx activity in cPanel but don’t have to configure anything. Just know that it’s there.
What is a Web Shell?
A web shell is simply a malicious software used to access a system remotely without authorization. Web shells are a major threat because they’re hard to detect while allowing hackers admin access to do whatever they please:
- Website defacement attacks
- Distributed denial of service (DDoS) attacks
- Privilege escalation to access restricted services
- Anything else an authorized root user can do
There are three types of web shells.
Bind shell: the victim’s system is infected to listen on a specific port (a standard backdoor).
Reverse shell (connect-back shell): the system is infected to actively seek a connection to the cyber attacker’s local machine or command and control (C2) system.
Double reverse shell: a reserve shell where the target machine uses separate ports for input and output.
The typical steps an attacker takes to accomplish this:
- Exploit a vulnerability to upload a web shell (payload) to a target machine.
- Move the web shell to a more accessible, public directory.
- Access the web shell to upload or modify files.
In summary, preventing web shell execution reduces the possibility of your website being manipulated for crypto mining, spamming, and other malicious purposes.
How to Access Monarx cPanel Plugin
There are no complicated steps required to monitor Monarx security events:
- Log into cPanel.
- Under “Security” select “Monarx Security.”
- Simply refresh (F5) the page if you see the following message: “Monarx is still attempting to provision your account. Please refresh the page. If the problem persists, check back later.”
The Monarx dashboard will state that “you’re protected” and “your site is free of malware!” (if not, contact Live Support). On the right side is a list of what types of malware Monarx fights automatically:
- Uploader access to your server
- Web shells which enables advanced persistent threat (APT)
- Phishing and cybersquatting sites injected into your server
- Mailer applications for spoofing your email accounts
- Adware scripts embedded into your site
- Other malware that can infect users that visit your site
Select the “Details” tab to view files on your cPanel server marked as suspicious.
- Date and time discovered
- Absolute file path
- Classification (malicious or compromised/infected)
- Status of the file (quarantined, blocked from executing, cleaned of malware, or logging for further action)
- Type
There is one interactive feature for end users at this time. If at any point you find that a compromised file was incorrectly marked as clean by Monarx, you can submit the file for further review. Simply log into cPanel Terminal, or SSH, and run the following command (replacing “filename” with the actual file):
monarx-sample-upload filename
Contact Live Support for further assistance.
Monarx software captures further info related to malware detected for future reference including:
- File SHA-256 checksum or stronger
- IP address and country of origin
- Affected web applications (e.g. CMS plugins and themes)
The “Help” section includes additional information on the Monarx cPanel interface and malware in general.
cPanel Security
Monarx isn’t a defense-in-depth security suite. You still should have a traditional firewall, WAF for your web applications, and antivirus (AV) software.
Our shared hosting plans still include Patchman for tracking changes in WordPress, Drupal, and Joomla. Most popular CMSs have security plugins you can install for free.
If you upgrade to a VPS or dedicated server, you’ll have to handle more of your security posture.
- Make sure an AV scanner (ClamAV or ImunifyAV) is installed and set to automatically scan at least weekly.
- Harden your traditional firewall. We recommend ConfigServer Security & Firewall (CSF) or Firewalld.
- Protect your server with a signature-based firewall such as ModSecurity or Fail2ban.
Let us know if you have any questions about Monarx security or web shell attacks.