With every account that runs a wordpress blog on our server, I've been getting this, starting around July 2nd.
I thought it might be the wysija plugin that was recently reported to have a security bug, but all of the sites don't have the plugin this refers to.
Still, the IPs these come from are all from "suspect" countries, so it's not an accident.
Each cxs entry has a different IP listed as the submitter. So, this is an active threat.
cxs is doing its job in quarantining these files (or is this a phantom quarantine?) but thought I'd post this here because I wasn't sure what this was and saw no reference to anyone else seeing this.
Can I assume these were uploaded in the hopes that the wysija plugin was active on those blogs and so would be corrupted by the upload?
+++
Time : Sun Jul 6 12:24:09 2014 -0700
Web referer URL : http://xxxxxxx.com/wp-admin/admin-post. ... ion=themes
Local IP : xx.xx.xx.xx
Web upload script user : nobody (99)
Web upload script owner: xxxxxxx (578)
Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-post.php
Web upload script URL : http://xxxxxxx.com/wp-admin/admin-post. ... ion=themes
Remote IP : 42.75.53.114
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST.1404674649_1]
----------- SCAN REPORT -----------
TimeStamp: Sun Jul 6 12:24:08 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST)
# (compressed file: wxgatret/byseed.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
# (compressed file: wxgatret/byseed.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
quarantine of wysija_campaigns in wordpress wp-admin
Re: quarantine of wysija_campaigns in wordpress wp-admin
We're seeing the same thing, although it's quieted down the last few days.
If you look closely at the notification, you will see the file in question is in /tmp. I think what happens is that the bad guy attempts to post something to WordPress and before WordPress even sees it, Apache writes the file to /tmp and then CSF quarantines it.
- Scott
If you look closely at the notification, you will see the file in question is in /tmp. I think what happens is that the bad guy attempts to post something to WordPress and before WordPress even sees it, Apache writes the file to /tmp and then CSF quarantines it.
- Scott