weird issue
Posted: 07 Feb 2014, 18:53
For the past hour I have been flooded with tens of such emails from cxs. In the email it refers to a non-existent file on the server (I believe a bot is searching for exploitable scripts on the domain) as the upload path (a different path in each email), and the file does not exist. However, cxs states that the file has been quarantined. How is this possible if the hacker cannot upload any file?
Code:
cxs Scan on my.server.url (Hits:2) (Viruses:0) (Fingerprints:1)
Scanning web upload script file...
Time : Fri Feb 7 20:14:11 2014 +0200
Web referer URL : http:// mydomain . com/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Local IP : xx.xxx.xx.xxx
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/xxxxxx/public_html/wp-content/themes/OptimizePress
Web upload script URL : http:// mydomain . com/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Remote IP : 95.106.18.242
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G.1391796851_1]
NOTE: This alert may be a ModSecurity false-positive as /home/xxxxxxx/public_html/wp-content/themes/OptimizePress does not exist
----------- SCAN REPORT -----------
TimeStamp: Fri Feb 7 20:14:10 2014
(/usr/sbin/cxs --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G)
# Regular expression match = [decode regex: 1]:
'/tmp/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G'
# (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140207-201410-UvUickCDRo8AAA52A8EAAAAX-file-gqy29G'
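Added example, not part of the original post and not cxs's own code: a small Python triage script for a flood of alerts in the format quoted above. It parses each alert into the fields worth looking at (remote IP, the script path and URL the request targeted, the quarantine file, the fingerprint name), flags alerts whose NOTE line says the script path does not exist, and summarises a batch by source IP. The two sample alerts embedded in it are constructed from the report above with placeholder hostnames, IPs, paths and quarantine file names. One thing the parser makes explicit that is easy to miss when reading the report: the path cxs was invoked on and quarantined (the /tmp/... file named in the command line and in the scan report) is a different object from the "Web upload script path", so the two fields should be compared rather than assumed to be the same file.

```python
import re
from collections import Counter

# Constructed sample alerts in the cxs --cgi report format quoted in the post.
# Hostnames, IPs, paths and quarantine file names are placeholders, not real data.
SAMPLE_ALERTS = [
    """cxs Scan on my.server.url (Hits:2) (Viruses:0) (Fingerprints:1)
Scanning web upload script file...
Time : Fri Feb 7 20:14:11 2014 +0200
Web referer URL : http://mydomain.com/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Local IP : 10.0.0.5
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/example/public_html/wp-content/themes/OptimizePress
Web upload script URL : http://mydomain.com/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Remote IP : 198.51.100.7
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20140207-201410-example-file-abc123.1391796851_1]
NOTE: This alert may be a ModSecurity false-positive as /home/example/public_html/wp-content/themes/OptimizePress does not exist
----------- SCAN REPORT -----------
TimeStamp: Fri Feb 7 20:14:10 2014
# Regular expression match = [decode regex: 1]:
'/tmp/20140207-201410-example-file-abc123'
# (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140207-201410-example-file-abc123'
""",
    """cxs Scan on my.server.url (Hits:1) (Viruses:0) (Fingerprints:1)
Scanning web upload script file...
Time : Fri Feb 7 20:16:02 2014 +0200
Web upload script path : /home/example/public_html/wp-content/plugins/example-plugin/upload
Web upload script URL : http://mydomain.com/wp-content/plugins/example-plugin/upload.php
Remote IP : 198.51.100.7
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20140207-201602-example-file-def456.1391796962_1]
NOTE: This alert may be a ModSecurity false-positive as /home/example/public_html/wp-content/plugins/example-plugin/upload does not exist
----------- SCAN REPORT -----------
# (decoded file [depth: 3]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140207-201602-example-file-def456'
""",
]

# "Key : value" header lines; the key is letters/spaces only, so the "Time : ..." value keeps its colons
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.*)$")
QUAR_RE = re.compile(r"^(?P<flag>Yes|No)(?:\s*\[(?P<path>[^\]]+)\])?")
EXPLOIT_RE = re.compile(r"Known exploit = \[(?P<how>[^\]]+)\] \[(?P<name>.*)\]:")
SCANNED_RE = re.compile(r"^'(?P<path>/tmp/[^']+)'$")


def parse_cxs_alert(text):
    """Turn one cxs --cgi alert into a dict of the fields useful for triage."""
    fields = {}
    exploit = None
    scanned = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
            continue
        m = EXPLOIT_RE.search(line)
        if m:
            exploit = m.group("name")
            continue
        m = SCANNED_RE.match(line)
        if m:
            scanned = m.group("path")
    q = QUAR_RE.match(fields.get("Quarantined", "No"))
    note = fields.get("NOTE", "")
    script_path = fields.get("Web upload script path")
    return {
        "remote_ip": fields.get("Remote IP"),
        "script_path": script_path,
        "script_url": fields.get("Web upload script URL"),
        "quarantined": bool(q) and q.group("flag") == "Yes",
        "quarantine_file": q.group("path") if q else None,
        # the object cxs actually scanned: the temp file named in the report, not the script path
        "scanned_file": scanned,
        "exploit": exploit,
        # cxs says so itself in the NOTE line when the target script directory is absent
        "script_missing": bool(script_path) and f"{script_path} does not exist" in note,
    }


def triage(alerts):
    """Summarise a batch of parsed alerts: who is sending them and what was caught."""
    by_ip = Counter(a["remote_ip"] for a in alerts)
    by_exploit = Counter(a["exploit"] for a in alerts if a["exploit"])
    missing = sum(1 for a in alerts if a["quarantined"] and a["script_missing"])
    return {
        "total": len(alerts),
        "by_ip": by_ip,
        "by_exploit": by_exploit,
        "quarantined_with_missing_script": missing,
        "quarantine_files": [a["quarantine_file"] for a in alerts if a["quarantine_file"]],
    }


if __name__ == "__main__":
    parsed = [parse_cxs_alert(t) for t in SAMPLE_ALERTS]
    summary = triage(parsed)
    print(f"{summary['total']} alerts, {summary['quarantined_with_missing_script']} quarantined "
          f"uploads aimed at scripts that do not exist")
    for ip, n in summary["by_ip"].most_common():
        print(f"  {ip}: {n} upload(s)")
    for a in parsed:
        state = "missing" if a["script_missing"] else "present"
        print(f"  scanned {a['scanned_file']} -> target {a['script_path']} ({state})")
```

To run it over real mail, split the mailbox into one alert per message and feed each body to parse_cxs_alert; the by_ip counter is what tells you whether one source is hammering the site (a candidate for a firewall block) or whether the hits are spread out.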