quarantine of wysija_campaigns in wordpress wp-admin
Posted: 10 Jul 2014, 22:57
With every account that runs a wordpress blog on our server, I've been getting this, starting around July 2nd.
I thought it might be the wysija plugin that was recently reported to have a security bug, but all of the sites don't have the plugin this refers to.
Still, the IPs these come from are all from "suspect" countries, so it's not an accident.
Each cxs entry has a different IP listed as the submitter. So, this is an active threat.
cxs is doing its job in quarantining these files (or is this a phantom quarantine?), but I thought I'd post this here because I wasn't sure what this was and saw no reference to anyone else seeing this.
Can I assume these were uploaded in the hopes that the wysija plugin was active on those blogs and so would be corrupted by the upload?
+++
Time : Sun Jul 6 12:24:09 2014 -0700
Web referer URL : http://xxxxxxx.com/wp-admin/admin-post. ... ion=themes
Local IP : xx.xx.xx.xx
Web upload script user : nobody (99)
Web upload script owner: xxxxxxx (578)
Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-post.php
Web upload script URL : http://xxxxxxx.com/wp-admin/admin-post. ... ion=themes
Remote IP : 42.75.53.114
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST.1404674649_1]
----------- SCAN REPORT -----------
TimeStamp: Sun Jul 6 12:24:08 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST)
# (compressed file: wxgatret/byseed.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
# (compressed file: wxgatret/byseed.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140706-122407-U7miV0gSzdQAAFhsOd4AAAAJ-file-VhIqST'
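An added example (not from the original post or from cxs itself) that parses notices in the format quoted above and tallies the submitting IPs per exploit fingerprint, which is the quick check for the "different IP on every entry" pattern across many accounts; the sample notices, IPs and paths below are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
# Constructed sample shaped like the cxs notice quoted above (RFC 5737 IPs, placeholder paths).
SAMPLE = """+++
Time : Sun Jul 6 12:24:09 2014 -0700
Web upload script path : /home/siteone/public_html/wp-admin/admin-post.php
Remote IP : 203.0.113.10
Quarantined : Yes [/home/quarantine/cxscgi/20140706-122407-file-A.1]
----------- SCAN REPORT -----------
# (compressed file: wxgatret/byseed.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20140706-122407-file-A'
# (compressed file: wxgatret/byseed.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140706-122407-file-A'
+++
Time : Mon Jul 7 03:10:44 2014 -0700
Web upload script path : /home/sitetwo/public_html/wp-admin/admin-post.php
Remote IP : 198.51.100.7
Quarantined : Yes [/home/quarantine/cxscgi/20140707-031044-file-B.1]
----------- SCAN REPORT -----------
# (compressed file: wxgatret/byseed.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20140707-031044-file-B'
"""

FIELD = re.compile(r"^(Time|Web upload script path|Remote IP|Quarantined)\s*:\s*(.*)$")
INNER = re.compile(r"compressed file: (\S+) \[depth")          # file inside the uploaded archive
EXPLOIT = re.compile(r"Known exploit = \[[^\]]+\] \[(.+)\]:$")  # fingerprint name, e.g. "... [P0141]"
def parse_notices(text):
    """Split a cxs mail body on its '+++' separators; one dict per quarantine event."""
    events = []
    for chunk in text.split("+++")[1:]:
        ev = {"inner_files": set(), "exploits": set()}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                ev[m.group(1)] = m.group(2).strip()
            ev["inner_files"].update(INNER.findall(line))
            m = EXPLOIT.search(line)
            if m:
                ev["exploits"].add(m.group(1))
        if "Remote IP" in ev:          # skip empty fragments between separators
            events.append(ev)
    return events
def ips_by_exploit(events):
    """Count submitting IPs per fingerprint; one hit per IP confirms the pattern the poster saw."""
    table = defaultdict(Counter)
    for ev in events:
        for name in ev["exploits"]:
            table[name][ev["Remote IP"]] += 1
    return table
```

Feed the real notices through `parse_notices` instead of `SAMPLE` (cxs mails them to root with the `--mail root --smtp` options shown in the report) to see how many distinct IPs hit each account.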