weird issue

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
BluesBrother2
Junior Member
Posts: 2
Joined: 07 Feb 2014, 18:45

weird issue

Post by BluesBrother2 »

For the past hour I have been flooded with tens of such emails from cxs. In the email it refers to a non existing file on the server,(I believe a bot is searching for exploitable scripts on the domain.) as the upload path ( each different path on each email) and the file does not exist. however cxs states that the file has been quarantined. How is this possible if the hacker cannot upload any file?

Code: Select all

cxs Scan on my.server.url (Hits:2) (Viruses:0) (Fingerprints:1)
Scanning web upload script file...
Time                   : Fri Feb  7 20:14:11 2014 +0200
Web referer URL   : http:// mydomain . com/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Local IP               : xx.xxx.xx.xxx
Web upload script user : nobody (99)
Web upload script owner:  ()
Web upload script path : /home/xxxxxx/public_html/wp-content/themes/OptimizePress
Web upload script URL  : http:// mydomain . com/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Remote IP              : 95.106.18.242
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G.1391796851_1]

NOTE: This alert may be a ModSecurity false-positive as /home/xxxxxxx/public_html/wp-content/themes/OptimizePress does not exist


----------- SCAN REPORT -----------
TimeStamp: Fri Feb  7 20:14:10 2014
(/usr/sbin/cxs --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G)

# Regular expression match = [decode regex: 1]:
'/tmp/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G'
# (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G'

ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: weird issue

Post by ForumAdmin »

It is normal. See this sticky thread for an explanation:
viewtopic.php?f=26&t=4224
BluesBrother2
Junior Member
Posts: 2
Joined: 07 Feb 2014, 18:45

Re: weird issue

Post by BluesBrother2 »

thank you for the assistance. I've seen that thread however the difference is that the file is quarantined on my issue whereas on the post you've sent it is not. this makes me think that the hacker managed to upload the file on the server somehow.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: weird issue

Post by ForumAdmin »

The issue is still exactly the same. The reason the file was uploaded is explained in that thread.
Post Reply