ANTIVIRUS Rules & Joomla


I did not see any rules for antivirus check for uploaded files, so i share mine.

  1. First you need to have mod_lua installed, so modsec2.conf where it is:
    #LoadFile /opt/lua/lib/
    Must be:
    LoadFile /opt/lua/lib/

  2. then i add this to the custom rules on whm cwaf:

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "[at]inspectFile /usr/local/maldetect/modsec.lua" \
  msg:'COMODO WAF: VIRUS or MALWARE content was found in uploaded file',\
SecRequestBodyAccess Off

  1. Then the LUA Script (you need to have clam antivirus, that is listed on cpanel plugins):

function main(filename)
  -- Made BY JonixKonios_V5
  -- Configure paths
  local clamscan  = "/usr/bin/clamdscan"

  -- The system command we want to call
  local cmd = clamscan .. " --stdout"

  -- Run the command and get the output
  local f = io.popen(cmd .. " " .. filename)
  local l = f:read("*a")
  m.log(9, l)

  -- Get the Hostname
  local fff = io.popen ("/bin/hostname")
  local hostname = fff:read("*a") or ""
  hostname = string.gsub(hostname, "\n$", "")
  -- Get Date and Time
  data ="%d.%m.%Y [at] %H:%M:%S")
  body = "----------- DATE/TIME -----------\n" .. data .. "\n\n----------- VIRUS FOUND -----------\n" .. l

  -- Check the output for the FOUND or ERROR strings which indicate
  -- an issue we want to block access on
  local isVuln = string.find(l, "FOUND")
  local isError = string.find(l, "ERROR")

  if isVuln ~= nil then
    -- Send Email
    os.execute(string.format("/bin/echo \"%s\" | /bin/mail -s \"%s - Virus Check FOUND\" email[at]",body,hostname))
    return 1
  elseif isError ~= nil then  
    os.execute(string.format("/bin/echo \"%s\" | /bin/mail -s \"%s - Virus Check FOUND\" servidores[at]",body,hostname))
    return 1
    return nil

This prevents very nasty uploads that any other rule can’t stop.

B) Joomla

Does this rules prevent the brute force attack on /administrator from joomla?

A virus upload tested by me:

900: COMODO WAF: VIRUS or MALWARE content was found in uploaded file
Request:	POST /_u2.php
Action Description:	

Hi xanubi

Thank you for such detailed description!

Users can add this to Custom rules. But Antivirus check can be costly :slight_smile:

Hello oleg.tsygany,

It depends a little. It has saved me over time lots and lots of times, from attacks that the WAF’s cannot detect.

About Joomla bruteforce protection. Yes, it prevents bruteforce, but you should enable it by yourself.

Thank you TDmitry, i already have it on, and already is blocking attemps on 4 hosting accounts, 2 seconds after enabled.