As the Zscaler team recently reported, malware, phishing pages and viruses are frequently found in the .well-known directories on web servers.
These directories are used, for example, to confirm domain ownership when a certificate is issued. The widely used "Let's Encrypt" service also stores a temporary file in this directory. Other files, such as .php, .exe or .zip files, normally have no business being in these directories. When hacked websites are analyzed, hidden directories, especially common ones like .well-known, are often overlooked because, depending on the command used, they do not appear in the directory listing (cf. ls vs. ls -a).
The new version 1.27.0 of ISPProtect scans for files with potentially suspicious extensions in these directories and reports them as {ISPP}suspect.in.wellknown in the malware report.
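A check of this kind can be sketched as follows. This is an added example, not ISPProtect's code: the function names are hypothetical, the extension list is an assumption built from the three extensions named above, and the directory tree is constructed sample data.

```python
import os
import tempfile

# Assumption: the page names only .php, .exe and .zip; ISPProtect's real list is not given.
SUSPICIOUS_EXTENSIONS = frozenset({".php", ".exe", ".zip"})


def find_suspect_in_wellknown(web_root, extensions=SUSPICIOUS_EXTENSIONS):
    """Return sorted paths of files below any .well-known directory that
    carry a suspicious extension anywhere in their name."""
    hits = []
    # os.walk descends into dot-directories, unlike a plain `ls` listing
    for dirpath, _dirnames, filenames in os.walk(web_root):
        if ".well-known" not in os.path.relpath(dirpath, web_root).split(os.sep):
            continue
        for name in filenames:
            # Compare case-insensitively and look at every suffix, so
            # "mailer.PHP" and "update.php.txt" are both reported
            suffixes = {"." + part for part in name.lower().split(".")[1:]}
            if suffixes & extensions:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed (not real) hosting layout for the demo."""
    files = [
        "site1/web/index.php",                               # outside .well-known: ignored
        "site1/web/.well-known/acme-challenge/tokenAbC123",  # normal ACME token, no extension
        "site1/web/.well-known/acme-challenge/mailer.PHP",   # suspicious
        "site1/web/.well-known/pki-validation/payload.zip",  # suspicious
        "site2/web/.well-known/security.txt",                # legitimate well-known file
        "site2/web/.well-known/update.php.txt",              # suspicious double extension
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


def demo():
    """Scan the constructed tree and return hits relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [os.path.relpath(p, root) for p in find_suspect_in_wellknown(root)]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Extensionless ACME challenge tokens and files such as security.txt are not reported, so a hit is a file worth inspecting by hand rather than proof of compromise.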
Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.