My ModSecurity rule:
Code:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecTmpDir /tmp
Code:
#!/bin/sh
# Called by ModSecurity @inspectFile; "$1" is the uploaded temp file to scan.
/usr/sbin/cxs --quiet --cgi --mail root --delete --logfile /var/log/cxs_upload.log --virusscan "$1"
Code:
Aug 6 12:33:40 hostname cxs[705433]: IP:*.*.*.* User:nobody Web upload script:['/home/username/public_html/test.php'] - ClamAV detected virus = [PHP.Shell-86]
Code:
Scanning web upload script file...
Time : Wed Aug 6 12:29:57 2014 +0200
Web referer URL : http://username.domain/test.php
Local IP : *.*.*.*
Web upload script user : nobody (99)
Web upload script owner: username (502)
Web upload script path : /home/username/public_html/test.php
Web upload script URL : http://username.domain/test.php
Remote IP : *.*.*.*
Deleted : Yes
Quarantined : No
----------- SCAN REPORT -----------
TimeStamp: Wed Aug 6 12:29:57 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --delete --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs_upload.log --mail root --options mMhDR --qoptions Mv --quiet --sizemax 500000 --summary --sversionscan --timemax 30 --virusscan --xtra /etc/cxs/cxs.xtra /tmp/20140806-122957-U@IDpcOiGFgACnQj9TYAAAA1-file-b49KQv)
# ClamAV detected virus = [PHP.Shell-86]:
'/tmp/20140806-122957-U@IDpcOiGFgACnQj9TYAAAA1-file-b49KQv'
I'm using CloudLinux + cPanel.