
help with Exploit

Posted: 18 May 2022, 12:43
by leonep
Hi,
Sorry for the question, I am not an expert on cxs. I have a lot of alerts from cxs from different accounts.
example:
Scanning web upload script file...
Time : Wed, 18 May 2022 12:48:55 +0200
Web referer URL : www.google.com
Local IP : 51.255.xx.xx
Web upload script user : nobody (99)
Web upload script owner: xxxx(1017)
Web upload script path : /home/xxxx/public_html/wp-admin/admin-ajax.php
Web upload script URL : https://xxxx.it/wp-admin/admin-ajax.php
Remote IP : 217.xx.xx.xx
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20220518-124855-YoTPFzLid5hmo5CNLpRzTgAAAIE-file-LXcXV7.1652870935_1]

'/tmp/20220518-124855-YoTPFzLid5hmo5CNLpRzTgAAAIE-file-LXcXV7'
(compressed file: .sp3ctra_XO.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P2000]]

The file is blocked and quarantined, so I think I am safe. But how do I stop this? And where is the problem? Can I prevent it?
Thanks for the help.

Re: help with Exploit

Posted: 19 May 2022, 18:33
by Sergio
@leonep

What I first do is check, in the public folder where the file was blocked, whether there are any directories with CHMOD 777, as that is an open door for files to be uploaded to your server. If there are, then change all of them to 755. That is the first step to check.
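The check described in the post above, as an added shell script that is not from the thread or from cxs. It assumes the account's document root is passed as the first argument, for example /home/xxxx/public_html, and it generalizes "777" to any directory with the other-write bit set (777, 767, 707, ...), since every one of them lets the web server user write there. Two caveats a practitioner should keep in mind: the alert quoted earlier shows the upload was intercepted in /tmp by cxs's upload hook before admin-ajax.php could store it anywhere, so this check is about where a file could land if one got past the scanner, not about how this one arrived; and the alert's script user is nobody (99) while the owner is the account user, which means PHP runs as the web server user, the setup in which a 777 directory matters most and in which tightening to 755 can also break a plugin that legitimately writes there, so review the listing before applying.

```shell
#!/bin/sh
# Added example, not from the forum thread: find and tighten world-writable
# directories under a cPanel account's document root. Generalizes the
# post's "look for 777" to any directory whose mode has the other-write
# bit set (777, 767, 707, ...): all of them let the web server user
# (nobody, as the alert's "Web upload script user" shows) drop files there.
# DOCROOT (e.g. /home/xxxx/public_html) is an assumed argument.

# list_world_writable_dirs DOCROOT
#   Print every directory under DOCROOT whose mode grants write to "other".
#   -perm -0002 tests that single bit, so it catches 777 as well as less
#   common modes such as 707.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# count_world_writable_dirs DOCROOT
#   Number of such directories, as a plain integer (0 = nothing to fix).
count_world_writable_dirs() {
    list_world_writable_dirs "$1" | wc -l | tr -d '[:space:]'
}

# tighten_world_writable_dirs DOCROOT
#   chmod 755 every world-writable directory under DOCROOT (the mode the
#   post recommends) and print how many were changed. Run the list
#   function first and review it: a directory the site genuinely needs
#   to write to must be handled by running PHP as the account user, not
#   by leaving it world-writable.
tighten_world_writable_dirs() {
    n=$(count_world_writable_dirs "$1")
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    echo "$n"
}

# Usage: sh fix_perms.sh /home/xxxx/public_html        (list only)
#        sh fix_perms.sh /home/xxxx/public_html apply  (tighten to 755)
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = apply ]; then
        tighten_world_writable_dirs "$1"
    else
        list_world_writable_dirs "$1"
    fi
fi
```

Run it once without `apply` to see the list, check whether anything on it is a directory WordPress or a plugin writes to on purpose, and only then run it with `apply`. Repeat per account, since the alerts in this thread come from several of them.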

Re: help with Exploit

Posted: 25 May 2022, 08:43
by leonep
Thanks for the help, Sergio.
Permissions look safe, 755 on the directories.

The alerts come from several different accounts, so I checked 5 of them.
Maybe it is a distributed attack or something like that, to find a vulnerable website...

Thanks
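One way to test the "distributed attack" reading in the post above is to aggregate the alerts instead of opening them one by one. The shell/awk helper below is an added example, not part of the thread or of cxs: it reads concatenated cxs upload-scan alerts in the format quoted earlier and counts them per owner account, per remote IP, or per matched fingerprint. The alerts embedded in it are constructed sample data (usera/userb/userc, RFC 5737 test addresses, shortened quarantine paths); only the field labels and the "[PHP Upload Exploit [P2000]]" match string come from the alert quoted in the thread. Many accounts hit from few remote IPs with one identical fingerprint is what a scanner probing every WordPress install looks like, and it points at the server level rather than at a flaw in any single site.

```shell
#!/bin/sh
# Added example, not part of the forum thread: aggregate cxs upload-scan
# alerts so "alerts from several accounts" becomes a count per account,
# per remote IP and per matched fingerprint.
# The alerts below are CONSTRUCTED sample data in the format quoted in
# the thread (account names, IPs and quarantine paths are made up).

sample_cxs_alerts() {
cat <<'EOF'
Scanning web upload script file...
Time : Wed, 18 May 2022 12:48:55 +0200
Web upload script owner: usera (1017)
Web upload script path : /home/usera/public_html/wp-admin/admin-ajax.php
Remote IP : 203.0.113.7
Quarantined : Yes [/home/quarantine/cxscgi/sample-1]
(compressed file: .sp3ctra_XO.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P2000]]
Scanning web upload script file...
Time : Wed, 18 May 2022 12:49:02 +0200
Web upload script owner: userb (1018)
Web upload script path : /home/userb/public_html/wp-admin/admin-ajax.php
Remote IP : 203.0.113.7
Quarantined : Yes [/home/quarantine/cxscgi/sample-2]
(compressed file: .sp3ctra_XO.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P2000]]
Scanning web upload script file...
Time : Wed, 18 May 2022 13:10:41 +0200
Web upload script owner: userc (1019)
Web upload script path : /home/userc/public_html/wp-admin/admin-ajax.php
Remote IP : 198.51.100.22
Quarantined : Yes [/home/quarantine/cxscgi/sample-3]
(compressed file: .sp3ctra_XO.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P2000]]
Scanning web upload script file...
Time : Wed, 18 May 2022 13:12:05 +0200
Web upload script owner: usera (1017)
Web upload script path : /home/usera/public_html/wp-admin/admin-ajax.php
Remote IP : 203.0.113.7
Quarantined : Yes [/home/quarantine/cxscgi/sample-4]
(compressed file: .sp3ctra_XO.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P2000]]
EOF
}

# cxs_alert_count < alerts
#   Number of upload-scan alerts on stdin (one "Scanning ..." header each).
cxs_alert_count() {
    grep -c '^Scanning web upload script file' || true
}

# cxs_field_counts LABEL < alerts
#   Count distinct values of one alert field ("Remote IP",
#   "Web upload script owner", "Web upload script path", ...) or, with the
#   pseudo-label "Known exploit", of the fingerprint named after
#   "Known exploit =". Output is "count<TAB>value", most frequent first,
#   ties broken alphabetically so the result is stable.
cxs_field_counts() {
    tab=$(printf '\t')
    awk -v label="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (label == "Known exploit") {
                if (match(line, /Known exploit = /))
                    count[substr(line, RSTART + RLENGTH)]++
                next
            }
            i = index(line, ":")            # first colon ends the label
            if (i == 0) next
            key = substr(line, 1, i - 1); sub(/[ \t]+$/, "", key)
            if (key != label) next
            val = substr(line, i + 1); sub(/^[ \t]+/, "", val)
            count[val]++
        }
        END { for (v in count) printf "%d\t%s\n", count[v], v }
    ' | sort -t "$tab" -k1,1nr -k2,2
}

# Usage: cxs_field_counts "Remote IP" < saved_alerts.txt
#        sh cxs_triage.sh "Web upload script owner"   (runs on the sample)
if [ -n "${1:-}" ]; then
    sample_cxs_alerts | cxs_field_counts "$1"
fi
```

Save the alert mails to a file and run `cxs_field_counts "Remote IP"`, then `"Web upload script owner"`, then `"Known exploit"` against it. On the sample, one remote IP accounts for three of the four alerts and every alert carries the same fingerprint, which is the pattern to look for before spending time hunting inside any one account.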

Re: help with Exploit

Posted: 25 May 2022, 14:53
by Sergio
As you are using WordPress on your site, you will get accustomed to seeing a lot of this type of attack every day.

But even though CXS is protecting your site, I recommend you install Imunify AV. I use the paid version, but the free version that comes with cPanel can help as well.

In my case, I use Imunify AV+ to do a daily scan of all my accounts, and if it finds something that CXS has not, I use the MD5SUM option of CXS to generate the code of the offending file and then add it to the cxs.xtra file.