Hi all,
We're receiving a lot of cxs Scan email alerts with the following kind of content:
Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web referer URL : somedomain.com.br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Local IP : X.X.X.X
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/someuser/public_html/wp-admin
Web upload script URL : somedomain.com.br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Remote IP : 212.252.56.64
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC.1414158892_1]
NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist
----------- SCAN REPORT -----------
TimeStamp: Fri Oct 24 10:54:51 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --cleanlog --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC)
# (compressed file: lniiwzrh/incammino.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC'
# (compressed file: lniiwzrh/incammino.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC'
The emails are almost the same alert (web upload), but the "Web upload script URL" is different between the attempts. Some examples (there are way too many more every other hour):
Web upload script URL : somewebsite.com.br/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Web upload script URL : somewebsite.com.br/wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
Web upload script URL : somewebsite.com.br/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
Web upload script URL : somewebsite.com.br/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
Every email says the file has been put in quarantine, and in fact there is a PHP file with some shell/deface exploit. But the weirdest thing is, none of the websites has the plugins or themes of the "Web upload script URL" installed, or even has the CMS installed. One case was of a domain without any CMS installed (it has only some files, no CMS or an actual webpage/index) and still we had this alert:
Web upload script URL : otherwebsite.com.br/wordpress/wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php
So, how have the files been uploaded? And what can be happening? Is this a problem with cxs/ModSecurity or something else?
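One way to triage a batch of these mails, as an added example that is not cxs's or ConfigServer's own code: it parses the alert format quoted above (a constructed sample with made-up hosts, paths and IPs), treats alerts where cxs itself notes the script directory is absent and the owner field is empty as uploads blocked at the ModSecurity hook rather than files written into an account, and counts the rest by remote IP and requested script so the pattern across sites is visible.

```python
import re
from collections import Counter

# Three constructed alerts in the cxs "web upload script" format; hosts, paths and IPs are made up.
SAMPLE_ALERTS = """\
Scanning web upload script file...
Web upload script owner: ()
Web upload script path : /home/user1/public_html/wp-admin
Web upload script URL : site1.example/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Remote IP : 198.51.100.7
NOTE: This alert may be a ModSecurity false-positive as /home/user1/public_html/wp-admin does not exist
Scanning web upload script file...
Web upload script owner: ()
Web upload script path : /home/user2/public_html/wp-content/plugins/wp-property/third-party/uploadify
Web upload script URL : site2.example/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
Remote IP : 198.51.100.7
NOTE: This alert may be a ModSecurity false-positive as /home/user2/public_html/wp-content/plugins/wp-property/third-party/uploadify does not exist
Scanning web upload script file...
Web upload script owner: user3 (1003)
Web upload script path : /home/user3/public_html/uploads
Web upload script URL : site3.example/uploads/upload.php
Remote IP : 203.0.113.9
"""
FIELD_RE = re.compile(r"^(Web upload script owner|Web upload script path|Web upload script URL|Remote IP)\s*:\s*(.*)$", re.M)

def parse_alerts(text):
    """Split a mail body into alerts and pull out the fields that matter for triage."""
    alerts = []
    for chunk in text.split("Scanning web upload script file...")[1:]:
        fields = {k: v.strip() for k, v in FIELD_RE.findall(chunk)}
        # cxs itself says when the claimed script directory does not exist on disk
        fields["path_missing"] = "may be a ModSecurity false-positive" in chunk
        fields["owner_empty"] = fields.get("Web upload script owner") == "()"
        alerts.append(fields)
    return alerts

def triage(alerts):
    """Classify each alert and aggregate by remote IP and by requested script path."""
    verdicts = []
    for a in alerts:
        if a["path_missing"] and a["owner_empty"]:
            verdicts.append("blind-spray")  # script never existed here; the POST was stopped at the hook
        else:
            verdicts.append("investigate")  # real path and owner: check the account itself
    return {
        "verdicts": verdicts,
        "by_ip": Counter(a["Remote IP"] for a in alerts),
        "by_script": Counter(a["Web upload script URL"].split("/", 1)[1] for a in alerts),
    }
```

Feed it the concatenated bodies of the alert mails; a single remote IP hitting many accounts for plugins none of them have is the pattern the poster describes.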
cxs Scan with a lot of different web upload scripts
Re: cxs Scan with a lot of different web upload scripts
Same kind of thing just started happening on my servers recently right after having the ConfigServer CP+MS package re-installed on them a couple weeks ago... getting tons of these even on sites that don't have scripts installed where CXS is detecting the "Web upload script file..."
The strange thing is that I've purchased and run the CP+MS package on all of my servers for many years now going all the way back to 2005 and this has never happened before.
I found this thread because I'm digging around the web everywhere for clues about this and disappointed to see that this has been sitting here since October without any. Definitely have some anxiety generating over this..
Re: cxs Scan with a lot of different web upload scripts
The alert quoted included this statement:
NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist
Please see this post for further information:
viewtopic.php?f=26&t=4224
Regards,
Sarah
Re: cxs Scan with a lot of different web upload scripts
Sarah wrote:
The alert quoted included this statement:
NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist
Please see this post for further information:
viewtopic.php?f=26&t=4224
Regards,
Sarah
Thank you Sarah.
Couple strange things though:
First - as you know, I've always had Jonathan install the whole CP+MS package all these years and I don't really touch anything / modify much when he's done, but after a re-install on 3 servers just a couple weeks ago that already had the whole package these alerts just started. The alerts weren't happening before and yet it's the same 3 servers that he had originally installed the full package on previously. I can't begin to guess what would be different except the recent release of cPanel 11.46 to the "Release" tier which I guess has somehow made the difference?
Second - not all of the alerts contain the "NOTE: This alert may be a ModSecurity false-positive as" message, AND not all of the "Web upload script owner" sections are empty (on some of them it shows the account's username).
It's all enough to make a guy worry a bit
Re: cxs Scan with a lot of different web upload scripts
Please submit a ticket on the helpdesk, with several examples of these alert emails, if you have specific concerns.