How to ignore /tmp web upload script alerts
Posted: 23 Jan 2015, 22:34
We are seeing dozens of emails every day alerting us to files being uploaded to /tmp by web scripts, some of which do not even exist. I am guessing that the bad guys are POSTing blindly, and the files are uploaded to /tmp until they are finished uploading, then when the script doesn't exist or handle the upload, the "hack" is failed and the bad guys move on.
Meanwhile, we have this malware file that was left in /tmp and CXS Quarantines it. For example:
# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'
However, we do not need to see emails for this, as there is nothing that needs our attention.
I am unable to build a filter, even using powerful GMail filtering, to just move these emails directly to the trash.
Are there any other options?
Here's a sample of one of the email alerts, in case this helps:
Scanning web upload script file...
Time : Fri Jan 23 16:22:44 2015 -0600
Web referer URL :
Local IP : 1.1.1.1
Web upload script user : nobody (99)
Web upload script owner: someuser (752)
Web upload script path : /home/someuser/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://example.com/wp-admin/admin-ajax.php
Remote IP : 22.22.22.22
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx.1422051764_1]
----------- SCAN REPORT -----------
TimeStamp: Fri Jan 23 16:22:44 2015
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchednWDZR --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx)
# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'
- Scott
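One option the post does not mention is to do the filtering on the receiving side, before the mail ever reaches Gmail: the cxs alert body has a stable shape (key-value header lines, then the echoed cxs command line, then the ClamAV verdict and the scanned path), so a small parser can classify each message and hand only the "upload to /tmp caught and quarantined" class to the trash. The script below is an added example, not cxs's own code and not from the post's author; it assumes alerts arrive one per message somewhere a script can run (a local delivery agent, a Sieve pipe, or a cron job over a Maildir), and the sample alert is constructed from the one quoted in the post. It deliberately keeps three conditions before trashing an alert, because those are exactly the cases where a human still needs to look: the scan must be a `--cgi` upload-hook scan (not a cron scan of the docroot), the scanned file must live under /tmp, and cxs must report it quarantined or deleted.

```python
"""Triage parser for cxs web-upload alert e-mails.

Added example (not cxs code). Assumption: one alert per message, delivered
to a place where this script can classify it; only the class "ClamAV hit on a
/tmp upload that cxs already quarantined or deleted" is routed to the trash.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the alert quoted in the post above.
SAMPLE_ALERT = """\
Scanning web upload script file...
Time : Fri Jan 23 16:22:44 2015 -0600
Web referer URL :
Local IP : 1.1.1.1
Web upload script user : nobody (99)
Web upload script owner: someuser (752)
Web upload script path : /home/someuser/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://example.com/wp-admin/admin-ajax.php
Remote IP : 22.22.22.22
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx.1422051764_1]
----------- SCAN REPORT -----------
TimeStamp: Fri Jan 23 16:22:44 2015
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchednWDZR --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx)
# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'
"""

# "Key : value" header lines; the key stops at the first colon, so values
# that themselves contain colons (timestamps, URLs) survive intact.
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")
QUARANTINE = re.compile(r"^(Yes|No)\s*(?:\[(.*)\])?\s*$")   # "Yes [/path]" or "No"
VIRUS = re.compile(r"detected virus = \[([^\]]+)\]")        # ClamAV signature name
SCANNED = re.compile(r"^'(.+)'$")                           # quoted scanned path
CMDLINE = re.compile(r"^\((/\S*cxs\b.*)\)$")                # echoed cxs invocation


@dataclass
class CxsAlert:
    fields: dict = field(default_factory=dict)  # e.g. "Remote IP" -> "22.22.22.22"
    cmdline: str = ""
    virus: str = ""
    scanned_file: str = ""
    quarantined: bool = False
    quarantine_path: str = ""
    deleted: bool = False


def parse_alert(text: str) -> CxsAlert:
    """Pull the fields a triage rule needs out of one alert body."""
    a = CxsAlert()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := CMDLINE.match(line):
            a.cmdline = m.group(1)
        elif m := VIRUS.search(line):
            a.virus = m.group(1)
        elif m := SCANNED.match(line):
            a.scanned_file = m.group(1)
        elif m := KEY_VALUE.match(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            a.fields[key] = value
            if key == "Quarantined" and (q := QUARANTINE.match(value)):
                a.quarantined = q.group(1) == "Yes"
                a.quarantine_path = q.group(2) or ""
            elif key == "Deleted":
                a.deleted = value.startswith("Yes")
    return a


def is_tmp_upload_catch(a: CxsAlert) -> bool:
    """True only for the class the post wants silenced: an upload-hook (--cgi)
    scan of a temp file under /tmp that ClamAV flagged and cxs already removed.
    A hit that was neither quarantined nor deleted, or a hit from a cron scan of
    the docroot, fails this test on purpose and stays in the inbox."""
    return (
        "--cgi" in a.cmdline.split()
        and a.scanned_file.startswith("/tmp/")
        and bool(a.virus)
        and (a.quarantined or a.deleted)
    )


def route(text: str) -> str:
    """Mailbox for this alert: 'trash' for the silenced class, 'inbox' otherwise."""
    return "trash" if is_tmp_upload_catch(parse_alert(text)) else "inbox"


if __name__ == "__main__":
    print(route(SAMPLE_ALERT))                                            # trash
    print(route(SAMPLE_ALERT.replace("Quarantined : Yes", "Quarantined : No")))  # inbox
```

Wire `route()` into whatever delivers the alert locally and deliver to the mailbox it names; the parsed `fields` (remote IP, script path, signature) are still worth writing to a log line even for the trashed class, since a burst of hits from one remote IP against one script is the sort of thing you would want to count later even if you never read the individual mails.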