
Why Reinfections Happen with a WAF

November 11, 2019, by Luke Leal


A web application firewall (WAF) is a great way to detect and filter malicious incoming requests before they can exploit website vulnerabilities and security flaws. But a WAF only protects against threats that arrive over HTTP/HTTPS; the website can still be hacked from the inside.

Cross-site Contamination

One common way that websites get reinfected is through cross-site contamination, which can occur even when a website is behind a firewall.

Cross-site contamination happens when one website is infected and the malware copies itself into other directories, infecting every site on the same server that the compromised code can write to. This typically happens when multiple websites are hosted under the ownership of a single user (e.g. one cPanel user), so they all share one set of file permissions. Unless every website is behind a WAF, it only takes one unprotected site to compromise all of them.

Website owners typically experience cross-site contamination when they harden and secure their primary website behind a WAF, but don’t apply the same protection to “less important” websites in subdirectories (e.g. ~/public_html/otherdomain.tld).

If one of those websites becomes infected with malware, the infection bypasses the primary website’s WAF because it does not need HTTP access to the primary website at all: the malicious code already runs as the same Unix user, with the same file-system access an FTP login for that user would have, and can write straight into the primary site’s directory. Malware that already exists in the file system cannot be mitigated by a WAF.

If possible, we recommend placing each website under its own cPanel user to prevent cross-site contamination.
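The following script is an added example, not code from the Sucuri post. It audits a cPanel-style home directory for the exposure described above, assuming the layout the post describes: a primary site in ~/public_html with addon sites in subdirectories such as ~/public_html/otherdomain.tld, all owned by one Unix user. It reports every document root and its owner, counts how many distinct owners there are (one owner means any site can write into every other), and sweeps all sites under the home for recently modified PHP files. The sample home it builds is constructed data.

```sh
#!/bin/sh
# Added example, not code from the Sucuri post: audit a cPanel-style home for
# cross-site contamination exposure. Assumes a primary site in ~/public_html
# with addon sites in subdirectories (e.g. ~/public_html/otherdomain.tld),
# all files owned by one Unix user.

# Print "owner<TAB>docroot" for every directory under $1 that contains an
# index.php. Owner comes from ls -ld, which is portable across GNU and BSD.
docroots() {
  find "$1" -type f -name index.php 2>/dev/null |
    while IFS= read -r f; do
      d=$(dirname "$f")
      printf '%s\t%s\n' "$(ls -ld "$d" | awk '{print $3}')" "$d"
    done | sort
}

# Count distinct owners across all docroots. A result of 1 means PHP code
# running in any one site can write into every other site without HTTP.
distinct_owners() {
  docroots "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# PHP files modified in the last $2 minutes anywhere under $1. Sweep the whole
# home, not only the WAF-protected site: the change that reinfected the
# primary site usually shows up first in a "less important" sibling.
recent_php() {
  find "$1" -type f -name '*.php' -mmin "-$2" 2>/dev/null | sort
}

# Constructed sample home (not real data) so the checks run offline.
make_sample_home() {
  h=$(mktemp -d)
  mkdir -p "$h/public_html/wp-includes" \
           "$h/public_html/otherdomain.tld/wp-content/uploads"
  # two sites installed long ago (old mtimes)
  touch -t 201901010000 "$h/public_html/index.php" \
                        "$h/public_html/otherdomain.tld/index.php"
  # stand-in for a dropper planted in the unprotected sibling site ...
  printf '<?php /* constructed stand-in for a dropper */ ?>\n' \
    > "$h/public_html/otherdomain.tld/wp-content/uploads/.cache.php"
  # ... which then copied itself into the WAF-protected primary site
  cp "$h/public_html/otherdomain.tld/wp-content/uploads/.cache.php" \
     "$h/public_html/wp-includes/class-wp-cache.php"
  printf '%s\n' "$h"
}

main() {
  h=$(make_sample_home)
  printf 'docroots (owner, path):\n'; docroots "$h"
  printf 'distinct owners: %s\n' "$(distinct_owners "$h")"
  printf 'PHP files changed in the last 60 minutes:\n'; recent_php "$h" 60
  rm -rf "$h"
}

main
```

Point the functions at a real home directory (for example `recent_php /home/cpaneluser 1440`) after cleaning an infection: if the distinct-owner count is 1, every site listed is inside the blast radius of every other, which is exactly why separate cPanel users are the recommendation.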

Weak Passwords and Dictionary Attacks

Another reason reinfections occur (despite using a WAF) is passwords. Attackers target non-HTTP/S services like FTP or SSH and run brute-force or dictionary attacks to compromise accounts with weak passwords.

In this short video, we show how a malicious user can crack a weak password in a few minutes.

Shouldn’t a WAF stop dictionary attacks in the first place? It does, but only for traffic that passes through it over HTTP/S. Attackers also target services such as FTP and SSH that are independent of the server’s HTTP/S service, and those attacks go to the server’s hostname or IP address rather than to the website address that the WAF fronts. For the same reason, a cloud WAF only protects the web application if the origin server accepts HTTP/S connections from the WAF alone; a request sent directly to the origin IP never passes through the WAF at all.

[Image: a sample dictionary attack targeting the root user on the SSH service, as recorded in the /var/log/secure log file]
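The script below is an added example, not code from the Sucuri post. It does with awk what a reader would do by eye on the log above: it picks the "Failed password for ... from <ip> port <n> ssh2" lines that sshd writes to /var/log/secure (or auth.log), ranks source addresses by failure count, flags the ones over a threshold, and lists which account names a given address tried. The log lines it reads are constructed using documentation address ranges, not captured from a real server.

```sh
#!/bin/sh
# Added example, not code from the Sucuri post: extract dictionary-attack
# activity from sshd log lines. The sample log is constructed; the line
# format ("Failed password for [invalid user] NAME from IP port N ssh2")
# is what sshd writes to /var/log/secure or /var/log/auth.log.

sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Nov 11 03:14:07 host sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 11 03:14:09 host sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 11 03:14:11 host sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 11 03:14:12 host sshd[2205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Nov 11 03:14:15 host sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Nov 11 03:15:01 host sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2
Nov 11 03:16:44 host sshd[2212]: Failed password for deploy from 198.51.100.7 port 40020 ssh2
Nov 11 03:16:50 host sshd[2212]: Accepted password for deploy from 198.51.100.7 port 40020 ssh2
EOF
  printf '%s\n' "$f"
}

# "count ip" per source address of failed password attempts, busiest first.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# Source addresses with at least $2 failures: candidates for a host firewall
# or fail2ban-style block, since the WAF never sees this traffic.
offenders() {
  failed_by_ip "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }'
}

# "count user" of account names tried from address $2. sshd logs
# "for invalid user NAME" for accounts that do not exist and "for NAME" for
# ones that do; a high root count is the classic dictionary-attack signature.
users_tried() {
  awk -v want="$2" '/Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "for") break
         u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
         for (j = i; j <= NF; j++) if ($j == "from") break
         if ($(j + 1) == want) n[u]++
       }
       END { for (u in n) printf "%d %s\n", n[u], u }' "$1" | sort -rn
}

main() {
  log=$(sample_log)
  printf 'failed password attempts by source:\n'; failed_by_ip "$log"
  printf 'sources at or above 3 failures:\n'; offenders "$log" 3
  printf 'accounts tried from 203.0.113.5:\n'; users_tried "$log" 203.0.113.5
  rm -f "$log"
}

main
```

Against a real server, replace `sample_log` with the path to /var/log/secure; the one legitimate failure from 198.51.100.7 (a typo followed by a successful login) stays below the threshold while the scanner hammering root stands out.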

Our WAF is designed to protect the website application. Most web hosts secure their own servers, but they delegate the responsibility of securing website content and accounts to the website owner. All the web host promises to fulfill is a specified uptime rate (e.g. 99.9%).

How to Prevent Website Reinfections

Because reinfections can happen even under the protection of a firewall, it’s important to audit the services exposed by your web server (e.g. SSH, FTP) and begin hardening them. Hardening recommendations range from minor settings, like moving SSH off the default port 22 (which mostly cuts automated scanner noise rather than stopping a determined attacker), to more drastic changes like disabling password logins for SSH in favour of keys, or disabling the FTP service altogether.

To make this type of change, you’ll probably need root access, which is limited to VPS or dedicated hosting plans. Regardless of your hosting plan, though, you should be able to audit your existing FTP and SSH user(s) and remove any that are not needed.
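As an added example (not code from the Sucuri post), here is a small audit of the SSH settings and the "which accounts can still log in" check described above. It assumes sshd_config semantics where the first occurrence of a keyword wins and anything after a Match line is per-connection (ignored here), the OpenSSH defaults of Port 22, PasswordAuthentication yes and PermitRootLogin prohibit-password, and a passwd(5) file whose seventh field is the login shell. The weak config, the hardened config and the passwd file are all constructed samples.

```sh
#!/bin/sh
# Added example, not code from the Sucuri post: audit the SSH settings the
# post mentions and list accounts that still have a login shell.
# Assumptions: first-occurrence-wins sshd_config semantics (Match blocks are
# ignored), OpenSSH defaults Port 22 / PasswordAuthentication yes /
# PermitRootLogin prohibit-password, and passwd(5) with the shell in field 7.
# All three sample files below are constructed.

# Effective global value of keyword $2 in config $1, or default $3.
sshd_setting() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v d="$3" '
    tolower($1) == "match" { exit }          # everything after Match is conditional
    /^[[:space:]]*#/ || NF < 2 { next }      # comments and blank lines
    tolower($1) == k { print $2; found = 1; exit }
    END { if (!found) print d }' "$1"
}

# One line per weak setting. Empty output means nothing to report.
audit_sshd() {
  pa=$(sshd_setting "$1" PasswordAuthentication yes)
  rl=$(sshd_setting "$1" PermitRootLogin prohibit-password)
  port=$(sshd_setting "$1" Port 22)
  [ "$pa" = "no" ] ||
    echo "PasswordAuthentication=$pa: password guessing over SSH is possible; use keys"
  case "$rl" in
    no|prohibit-password|without-password) ;;
    *) echo "PermitRootLogin=$rl: root is reachable with a guessed password" ;;
  esac
  [ "$port" != "22" ] ||
    echo "Port=22: default port, expect constant scanner noise (moving it reduces noise, not risk)"
}

# Accounts that still have an interactive shell, i.e. can use SSH at all.
# Review this list and remove or lock what is not needed.
login_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

weak_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample: typical defaults left in place
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
  printf '%s\n' "$f"
}

hardened_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample: keys only, no root, off the default port
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
  printf '%s\n' "$f"
}

sample_passwd() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
cpaneluser:x:1001:1001::/home/cpaneluser:/bin/bash
oldcontractor:x:1002:1002::/home/oldcontractor:/bin/bash
ftpuser:x:1003:1003::/home/ftpuser:/bin/false
EOF
  printf '%s\n' "$f"
}

main() {
  w=$(weak_config); h=$(hardened_config); p=$(sample_passwd)
  echo "weak config:";                  audit_sshd "$w"
  echo "hardened config:";              audit_sshd "$h"
  echo "accounts with a login shell:";  login_accounts "$p"
  rm -f "$w" "$h" "$p"
}

main
```

On a real host, run `audit_sshd /etc/ssh/sshd_config` and `login_accounts /etc/passwd`; an account like the sample's oldcontractor, with a shell but no current reason to exist, is exactly the kind of user the post says to remove. Changing the port clears the finding here, but only the PasswordAuthentication and PermitRootLogin lines actually take a dictionary attack off the table.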

Using an independently hosted WAF is a great option for most website owners wanting to secure their website application against malicious traffic. But a direct vulnerability exploit or attack against your website application is not the only way that attackers can infect your website with malware. Make sure you have strong passwords everywhere and don’t forget to protect all websites on your server. You can chat with us if you have any questions.


Categories: Security Education, Website Malware Infections, Website Security. Tags: Best Practices, Passwords

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
