quarantine of wysija_campaigns in wordpress wp-admin

Community forum to discuss cxs.
WindyT
Junior Member
Posts: 6
Joined: 05 Oct 2007, 22:36


Post by WindyT »

With every account that runs a WordPress blog on our server, I've been getting this, starting around July 2nd.

I thought it might be the wysija plugin that was recently reported to have a security bug, but none of the sites have the plugin this refers to.
Still, the IPs these come from are all from "suspect" countries, so it's not an accident.
Each cxs entry has a different IP listed as the submitter. So, this is an active threat.

cxs is doing its job in quarantining these files (or is this a phantom quarantine?), but I thought I'd post this here because I wasn't sure what this was and saw no reference to anyone else seeing it.

Can I assume these were uploaded in the hopes that the wysija plugin was active on those blogs and so would be corrupted by the upload?

+++
Time : Sun Jul 6 12:24:09 2014 -0700
Web referer URL : http://xxxxxxx.com/wp-admin/admin-post. ... ion=themes
Local IP : xx.xx.xx.xx
Web upload script user : nobody (99)
Web upload script owner: xxxxxxx (578)
Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-post.php
Web upload script URL : http://xxxxxxx.com/wp-admin/admin-post. ... ion=themes
Remote IP : 42.75.53.114
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST.1404674649_1]


----------- SCAN REPORT -----------
TimeStamp: Sun Jul 6 12:24:08 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST)

# (compressed file: wxgatret/byseed.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
# (compressed file: wxgatret/byseed.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: quarantine of wysija_campaigns in wordpress wp-admin

Post by sneader »

We're seeing the same thing, although it's quieted down the last few days.

If you look closely at the notification, you will see the file in question is in /tmp. I think what happens is that the bad guy attempts to post something to WordPress and, before WordPress even sees it, Apache writes the file to /tmp and then CSF quarantines it.

- Scott
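The notification format in WindyT's report, and the point sneader makes about the file still being in /tmp when it is scanned, as an added example that is not part of the thread and not ConfigServer's own code: a small Python parser and triage for cxs --cgi quarantine mails. It assumes that several reports in one mail are separated by a line containing only "+++" as in the post above; the second sample report, its hostnames and its 203.0.113.45 address are constructed; "csf -d IP comment" is CSF's real deny syntax, but the script only builds those lines as strings for review and never runs them.

```python
# Added example for this thread, not ConfigServer code: parse cxs --cgi quarantine
# mails (Key : value headers, then '# (...)' finding lines) and triage them.
import ipaddress
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: report 1 is the thread's own (masking kept, cxs command line and
# timestamps dropped); report 2 is made up, with a documentation-range address.
# Reports are assumed to be separated by a line containing only '+++'.
SAMPLE_NOTIFICATIONS = """\
+++
Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-post.php
Web upload script URL : http://xxxxxxx.com/wp-admin/admin-post. ... ion=themes
Remote IP : 42.75.53.114
Quarantined : Yes [/home/quarantine/cxscgi/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST.1404674649_1]
----------- SCAN REPORT -----------
# (compressed file: wxgatret/byseed.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
# (compressed file: wxgatret/byseed.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
+++
Web upload script path : /home/example/public_html/wp-admin/admin-post.php
Web upload script URL : http://example.net/wp-admin/admin-post.php?action=themes
Remote IP : 203.0.113.45
Quarantined : Yes [/home/quarantine/cxscgi/20140707-031140-constructed-file-AbCdEf.1404727902_1]
----------- SCAN REPORT -----------
# (compressed file: wxgatret/byseed.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140707-031140-constructed-file-AbCdEf'
"""

HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")
FINDING_RE = re.compile(r"^# (?P<ctx>(?:\([^)]*\)\s*)*)(?P<kind>[A-Za-z ]+?) = (?P<detail>.*):$")
MEMBER_RE = re.compile(r"compressed file: (?P<name>\S+) \[depth: \d+\]")
SIG_RE = re.compile(r"\[(?P<name>[^\[\]]+) \[(?P<sid>P\d+)\]\]")  # [PHP Defacer Exploit [P0141]]
QUAR_RE = re.compile(r"^Yes \[(?P<path>[^\]]+)\]")
SCANNED_RE = re.compile(r"^'(?P<path>/[^']+)'$")  # quoted path of the scanned temp file

@dataclass
class Finding:
    kind: str                    # "Known exploit" or "Regular expression match"
    member: Optional[str]        # file inside the uploaded archive, if any
    signature: Optional[str]     # e.g. "PHP Defacer Exploit"
    signature_id: Optional[str]  # e.g. "P0141"

@dataclass
class Report:
    fields: Dict[str, str]
    remote_ip: str = ""
    script: str = ""                      # basename of the upload script
    quarantine_path: Optional[str] = None
    scanned_path: Optional[str] = None    # where the file sat when cxs scanned it
    findings: List[Finding] = field(default_factory=list)

def parse_report(chunk: str) -> Report:
    rep, in_scan = Report(fields={}), False
    for line in chunk.splitlines():
        hdr, fnd, scn = HEADER_RE.match(line), FINDING_RE.match(line), SCANNED_RE.match(line)
        if line.startswith("----------- SCAN REPORT"):
            in_scan = True
        elif hdr and not in_scan:
            rep.fields[hdr["key"]] = hdr["val"]
        elif scn and rep.scanned_path is None:
            rep.scanned_path = scn["path"]
        elif fnd:
            mem, sig = MEMBER_RE.search(fnd["ctx"]), SIG_RE.search(fnd["detail"])
            rep.findings.append(Finding(fnd["kind"], mem["name"] if mem else None,
                                        sig["name"] if sig else None, sig["sid"] if sig else None))
    rep.remote_ip = rep.fields.get("Remote IP", "")
    rep.script = os.path.basename(rep.fields.get("Web upload script path", ""))
    quar = QUAR_RE.match(rep.fields.get("Quarantined", ""))
    rep.quarantine_path = quar["path"] if quar else None
    return rep

def parse_notifications(text: str) -> List[Report]:
    return [parse_report(c) for c in re.split(r"^\+\+\+[ \t]*$", text, flags=re.M) if c.strip()]

def triage(reports: List[Report]) -> dict:
    """Summarise submitters, targets and signatures, plus 'csf -d IP comment' lines
    (real CSF deny syntax, built here for review only, never executed)."""
    deny = []
    for r in reports:
        hit = next((f for f in r.findings if f.kind == "Known exploit" and f.signature_id), None)
        try:
            ip = ipaddress.ip_address(r.remote_ip)  # masked xx.xx.xx.xx raises ValueError
        except ValueError:
            continue
        if hit and not ip.is_loopback:
            deny.append(f'csf -d {ip} "cxs: {hit.signature} [{hit.signature_id}] via {r.script}"')
    return {
        "distinct_ips": len({r.remote_ip for r in reports}),
        "scripts": Counter(r.script for r in reports),
        "signatures": Counter(f"{f.signature} [{f.signature_id}]" for r in reports for f in r.findings if f.signature_id),
        # sneader's observation: the scanned file was still in /tmp, not under any docroot
        "never_reached_docroot": all(str(r.scanned_path).startswith("/tmp/") for r in reports),
        "deny_commands": deny,
    }
```

Feed the body of a cxs mail to `triage(parse_notifications(text))`: `distinct_ips` and `scripts` show whether many submitters are hitting the same endpoint, as WindyT observed, `never_reached_docroot` confirms each scanned file was still a temporary upload, and `deny_commands` are strings to review before pasting into csf, not something the script applies.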