CXS scan showing Trojan
Posted: 19 Sep 2017, 00:34
Hi,
Sorry, new to CXS so be gentle :-)
I have the following report, is this a real or a false positive?
Thanks
/daveb
Scanning web upload script file...
Time : Tue, 19 Sep 2017 08:42:25 +1000
Web referer URL :
Local IP : 103.237.108.162
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/purecalm/public_html/wp-content
Web upload script URL : http://purecalma.com/wp-content/plugins ... /index.php
Remote IP : 35.184.110.7
Upload data md5sum : 9e487fa1371246713b726305844784b6
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20170919-084223-WcBLz2ftbKIAACCW-yMAAAAM-file-PODwcp.1505774545_1]
NOTE: This alert may be a ModSecurity false-positive as /home/purecalm/public_html/wp-content does not exist
----------- SCAN REPORT -----------
TimeStamp: Tue, 19 Sep 2017 08:42:25 +1000
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --ignore /etc/cxs/cxs.ignore --mail support@techremedy.com.au --options mMOLfSGchexdnwZDRru --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --virusscan /tmp/20170919-084223-WcBLz2ftbKIAACCW-yMAAAAM-file-PODwcp)
'/tmp/20170919-084223-WcBLz2ftbKIAACCW-yMAAAAM-file-PODwcp'
Regular expression match = [Obfuscation provided by FOPO]
Universal decode regex match = [universal decoder]
Decode regex match = [decode regex: 12]
(decoded file [advanced decoder: 13 (depth: 5)]) ClamAV detected virus = [Win.Trojan.Shell-49]
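The alert above, parsed into the fields that matter for triage (added example, not CXS's own tooling; the sample text is copied from the report in the post, and the "Key : value" / "kind = [hit]" line formats are assumed from what it shows):

```python
"""Parse a CXS web-upload alert into triage-relevant fields (added example)."""
import re

# Constructed sample: the alert lines from the post above that the parser uses.
SAMPLE_ALERT = """\
Web upload script path : /home/purecalm/public_html/wp-content
Upload data md5sum : 9e487fa1371246713b726305844784b6
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20170919-084223-WcBLz2ftbKIAACCW-yMAAAAM-file-PODwcp.1505774545_1]
NOTE: This alert may be a ModSecurity false-positive as /home/purecalm/public_html/wp-content does not exist
----------- SCAN REPORT -----------
Regular expression match = [Obfuscation provided by FOPO]
Universal decode regex match = [universal decoder]
Decode regex match = [decode regex: 12]
(decoded file [advanced decoder: 13 (depth: 5)]) ClamAV detected virus = [Win.Trojan.Shell-49]
"""

# Header lines are "Key : value"; scan matches are "<kind> = [<hit>]", optionally
# prefixed with the decoder stage whose output was matched (assumed format).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")
MATCH_RE = re.compile(
    r"^(?:\(decoded file \[(?P<decoder>[^\]]*)\]\) )?(?P<kind>[^=]+?) = \[(?P<hit>[^\]]*)\]$")
QUAR_RE = re.compile(r"^Yes \[(?P<path>[^\]]+)\]$")

def parse_alert(text):
    fields, matches, note = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("NOTE:"):
            note = line[len("NOTE:"):].strip()
            continue
        m = MATCH_RE.match(line)
        if m:  # checked before FIELD_RE: match lines also contain a colon
            matches.append({"kind": m["kind"], "hit": m["hit"], "decoder": m["decoder"]})
            continue
        f = FIELD_RE.match(line)
        if f:
            fields[f["key"].strip()] = f["value"].strip()
    q = QUAR_RE.match(fields.get("Quarantined", ""))
    return {"md5": fields.get("Upload data md5sum"),
            "quarantine_path": q["path"] if q else None,
            "deleted": fields.get("Deleted") == "Yes",
            "matches": matches, "note": note}

def triage(alert):
    """A ClamAV signature on the decoded upload is a detection of the payload itself;
    the NOTE only says the reported script path could not be found on disk."""
    av = [m for m in alert["matches"] if m["kind"] == "ClamAV detected virus"]
    if av:
        return "malicious", av[0]["hit"]
    return ("suspicious", alert["matches"][-1]["hit"]) if alert["matches"] else ("clean", None)
```

The decoder chain in `matches` (FOPO regex, universal decoder, decode regex 12, advanced decoder 13 at depth 5) records how many layers CXS unwrapped before ClamAV matched, which is the detail to check first when deciding whether a hit is worth restoring from quarantine.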