As the Zscaler team recently reported, malware, phishing content and viruses are frequently found in the .well-known directories on web servers.

These directories are used, for example, to confirm domain ownership when a certificate is issued. The widely used "Let's Encrypt" service also stores a temporary file in this directory. Other files, such as .php, .exe or .zip files, normally have no business being in these directories. When hacked websites are analyzed, hidden directories, especially common ones like .well-known, are often overlooked because, depending on the command used, they do not appear in the directory listing (cf. ls vs. ls -a).

The new version 1.27.0 of ISPProtect scans for files with potentially suspicious extensions in these directories and reports them as {ISPP}suspect.in.wellknown in the malware report.
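A check of this kind can be sketched in a few lines of Python. This is an added example, not ISPProtect's code or detection logic: the function names, the sample tree and every extension beyond the .php, .exe and .zip named above are assumptions.

```python
import os
import tempfile

# .php, .exe and .zip come from the text above; the others are assumed additions.
SUSPECT_EXTENSIONS = {".php", ".exe", ".zip", ".phtml", ".html", ".sh"}


def find_suspect_files(root, extensions=SUSPECT_EXTENSIONS):
    """Return sorted paths of files inside any .well-known directory below
    root whose extension (compared case-insensitively) is in extensions."""
    hits = []
    # os.walk also descends into dot-directories, which a plain `ls` hides.
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".well-known" not in os.path.abspath(dirpath).split(os.sep):
            continue  # only look inside .well-known trees
        for name in filenames:
            # ACME tokens have no extension, so splitext returns "" for them.
            ext = os.path.splitext(name)[1].lower()
            if ext in extensions:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample docroots: legitimate files plus two planted ones."""
    layout = [
        "site1/web/.well-known/acme-challenge/tokenAbC123",  # legitimate token
        "site1/web/.well-known/acme-challenge/x.PHP",        # planted
        "site1/web/.well-known/pki-validation/invoice.zip",  # planted
        "site1/web/index.php",                # outside .well-known, ignored
        "site2/web/.well-known/security.txt",                # legitimate
    ]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path in find_suspect_files(tmp):
            print("suspect in .well-known:", os.path.relpath(path, tmp))
```

To check a real server, pass the directory that holds the web roots to find_suspect_files instead of the temporary sample tree.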

New version scans for files in .well-known directories