cxs Scan with a lot of different web upload scripts
Posted: 24 Oct 2014, 15:42
Hi all,
We're receiving a lot of cxs Scan email alerts with the following kind of content:
Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web referer URL : somedomain. com. br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Local IP : X.X.X.X
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/someuser/public_html/wp-admin
Web upload script URL : somedomain. com. br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Remote IP : 212.252.56.64
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC.1414158892_1]
NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist
----------- SCAN REPORT -----------
TimeStamp: Fri Oct 24 10:54:51 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --cleanlog --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC)
# (compressed file: lniiwzrh/incammino.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC'
# (compressed file: lniiwzrh/incammino.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC'
The emails are almost the same alert (web upload), but the "Web upload script URL" is different between the attempts. Some examples (there are way too many more every other hour):
Web upload script URL : somewebsite. com. br/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Web upload script URL : somewebsite. com. br/wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
Web upload script URL : somewebsite. com. br/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
Web upload script URL : somewebsite. com. br/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
Every email says the file has been put in quarantine, and in fact, there is a PHP file with some exploit to Shell/Deface. But the weirdest thing is, none of the websites has the plugins or themes of the "Web upload script URL" installed, or even has the CMS installed. One case was of a domain without any CMS installed (it has only some files, no CMS or an actual webpage/index) and still we had this alert:
Web upload script URL : otherwebsite. com. br/wordpress/wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php
So, how have the files been uploaded? And what can be happening? Is this a problem with cxs/modsecurity or some other kind of problem?
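An added triage example, not part of the post and not ConfigServer's own code: it parses alerts of the shape shown above, pulls out the fields the poster is comparing (script path, script URL, remote IP, quarantine file, fingerprint name), and sorts each alert by the condition the alert's own NOTE line flags, namely whether the "Web upload script path" exists on the server. The sample alert, domain and IP addresses are constructed; the field names and the fingerprint line follow the format in the post, and the interpretation of a quarantined file whose script path does not exist as a caught upload attempt rather than a file sitting in the webroot is an assumption for the reader to confirm against their own filesystem.

```python
import os
import re
from collections import Counter

# Constructed sample alert modelled on the format in the post; domain and IPs are placeholders.
SAMPLE_ALERT = """Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web referer URL : example.invalid/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Local IP : 192.0.2.10
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/someuser/public_html/wp-admin
Web upload script URL : example.invalid/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Remote IP : 203.0.113.5
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/PLACEHOLDER-file-1]
NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist
----------- SCAN REPORT -----------
TimeStamp: Fri Oct 24 10:54:51 2014
# (compressed file: lniiwzrh/incammino.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/PLACEHOLDER-file-1'
"""

# "Key : value" lines; the lazy key stops at the first colon, so timestamps keep their own colons.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")
# Fingerprint name from the scan-report line, including its bracketed id.
EXPLOIT_RE = re.compile(r"Known exploit = \[Fingerprint Match\] \[(.+?)\]:")
# Name of the file inside the uploaded archive that triggered the match.
PAYLOAD_RE = re.compile(r"compressed file: (\S+) \[depth")


def parse_cxs_alert(text):
    """Return the alert's fields (lower-cased keys) plus quarantine file, payload name and exploits."""
    alert = {"exploits": [], "quarantine_file": None, "payload_file": None}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            alert[m.group("key").strip().lower()] = m.group("value").strip()
            continue
        em = EXPLOIT_RE.search(line)
        if em:
            alert["exploits"].append(em.group(1))
        pm = PAYLOAD_RE.search(line)
        if pm and alert["payload_file"] is None:
            alert["payload_file"] = pm.group(1)
    qm = re.search(r"\[(.*?)\]", alert.get("quarantined", ""))
    if qm:
        alert["quarantine_file"] = qm.group(1)
    return alert


def triage(alert, path_exists=os.path.exists):
    """Classify one alert. path_exists is injectable so the logic can be tested without a real server."""
    script_path = alert.get("web upload script path", "")
    if not alert.get("quarantined", "").startswith("Yes"):
        return "not-quarantined"      # nothing was held back: review the target host by hand
    if script_path and not path_exists(script_path):
        # Assumption: the upload aimed at a script that is not present here, so the request
        # could not have been handled by that script; the only copy is the quarantined one.
        return "blocked-attempt"
    return "existing-script"          # the targeted script exists: check that site for compromise


def summarize(alerts, path_exists=os.path.exists):
    """Count alerts by (classification, remote IP) to spot sources hitting many sites."""
    return dict(Counter((triage(a, path_exists), a.get("remote ip", "?")) for a in alerts))


if __name__ == "__main__":
    parsed = parse_cxs_alert(SAMPLE_ALERT)
    print(parsed["payload_file"], parsed["exploits"], triage(parsed))
    print(summarize([parsed]))
```

Feed it the bodies of the alert emails (one string per email) and read the summary: a large count under "blocked-attempt" for one remote IP across several domains is the pattern the post describes, while any "existing-script" entry identifies a site where the targeted upload script is really installed and deserves a closer look.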