Seeming false positive - not sure

Posted: 20 Apr 2015, 13:51
by verdonv
Hi,

I'm hoping someone can help me determine what is being reported here... I have a default configuration of CXS, that was installed by ConfigServer as part of the cPanel Server Service.

Scanning web upload script file...
Time                   : Mon Apr 20 06:13:19 2015 -0400
Web referer URL        : 
Local IP               : 111.222.333.444
Web upload script user : nobody (99)
Web upload script owner: legitusername (600)
Web upload script path : /home/legitusername/public_html/wp-admin/admin-ajax.php
Web upload script URL  : http://legitusername.com/wp-admin/admin-ajax.php
Remote IP              : 222.333.444.555
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov.1429524799_1]

----------- SCAN REPORT -----------

TimeStamp: Mon Apr 20 06:13:19 2015

(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov)
'/tmp/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov'
(compressed file: revslider/error.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/error.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]
(compressed file: revslider/pure.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/pure.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]

I get lots of reports like these, dozens a day on different domains. I also get others that are clearly labelled false positives, as the files do not exist. These, I can't tell what's going on.

I have verified that there is no directory or file called 'revslider' on the server, and also that the files 'error.php' and 'pure.php' do not exist.

Are these also then false positives that I can ignore? Are these attempts by someone to upload revslider via wp-admin? I have verified that it is not the site owner attempting this.

I appreciate any wisdom :-)
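To make the triage the poster is doing by hand repeatable, here is an added example (not cxs code, and not from anyone in this thread) that parses a report in the format quoted above and answers the two questions that matter: what was inside the upload, and do any of the archive members now exist under the site's document root. The sample report is constructed from the thread's own fields; the `docroot` argument and the injectable `exists` callback are assumptions of this example.

```python
"""Triage helper for cxs 'web upload script' reports (added example, not cxs code).

Parses the report the way a sysadmin reads it: which handler received the
upload, where it came from, what the archive contained, what ClamAV matched,
and whether any archive member is now present under the document root.
"""
import json
import os
import re
from typing import Callable, Dict, List

# Constructed sample modelled on the report quoted in the thread above.
SAMPLE_REPORT = """Scanning web upload script file...
Time                   : Mon Apr 20 06:13:19 2015 -0400
Web referer URL        :
Local IP               : 111.222.333.444
Web upload script user : nobody (99)
Web upload script owner: legitusername (600)
Web upload script path : /home/legitusername/public_html/wp-admin/admin-ajax.php
Web upload script URL  : http://legitusername.com/wp-admin/admin-ajax.php
Remote IP              : 222.333.444.555
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov.1429524799_1]

----------- SCAN REPORT -----------

'/tmp/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov'
(compressed file: revslider/error.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/error.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]
(compressed file: revslider/pure.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/pure.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]
"""

# "Key   : value" header lines; the key stops at the first colon, so the
# timestamp's own colons stay in the value.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")
# One finding line per archive member; the "(decoded file ...)" stage is optional.
FINDING_RE = re.compile(
    r"^\(compressed file: (?P<member>.+?) \[depth: (?P<depth>\d+)\]\)"
    r"(?: \(decoded file \[advanced decoder: \d+\]\))?"
    r" (?P<kind>Regular expression match|ClamAV detected virus) = \[(?P<detail>[^\]]+)\]$"
)
QUARANTINE_RE = re.compile(r"^(Yes|No)(?: \[(.*)\])?$")


def parse_report(text: str) -> Dict:
    """Split the mail into its header fields and its per-member findings."""
    fields: Dict[str, str] = {}
    findings: List[Dict[str, str]] = []
    in_scan = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("----------- SCAN REPORT"):
            in_scan = True
            continue
        if not in_scan:
            m = HEADER_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(m.groupdict())
    return {"fields": fields, "findings": findings}


def triage(text: str, docroot: str, exists: Callable[[str], bool] = os.path.exists) -> Dict:
    """Summarise one report and check whether any archive member landed on disk.

    `docroot` is the site's document root (assumed argument); `exists` is
    injectable so the check can be run against a recorded file list instead of
    the live filesystem.
    """
    report = parse_report(text)
    f = report["fields"]
    q = QUARANTINE_RE.match(f.get("Quarantined", "No"))
    members = sorted({x["member"] for x in report["findings"]})
    signatures = sorted({x["detail"] for x in report["findings"]
                         if x["kind"] == "ClamAV detected virus"})
    # A member present under the docroot means an upload got through at some
    # point; the alert alone only proves an attempt was intercepted.
    landed = [m for m in members if exists(os.path.join(docroot, m))]
    if landed:
        verdict = "investigate"
    elif q and q.group(1) == "Yes":
        verdict = "blocked_upload_attempt"
    else:
        verdict = "attempt_not_quarantined"
    return {
        "remote_ip": f.get("Remote IP", ""),
        "script_path": f.get("Web upload script path", ""),
        "quarantine_path": (q.group(2) if q else None),
        "members": members,
        "signatures": signatures,
        "landed": landed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT, "/home/legitusername/public_html"), indent=2))
```

Run it against a saved alert mail and a site's document root; a `blocked_upload_attempt` verdict with an empty `landed` list is the situation the original poster describes, while any entry in `landed` is the case that needs a closer look.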

Re: Seeming false positive - not sure

Posted: 25 Oct 2016, 12:41
by aegis
Bumping an old thread here, but we've had an uptick in this recently. Presumably they're trying to upload a replacement file to exploit the hole in Revolution Slider that was discovered and patched some time ago.

It's somewhat concerning that through WordPress's admin-ajax.php they can get a file through to /tmp, if that's my reading of this cxs alert. Is that right?

Re: Seeming false positive - not sure

Posted: 26 Oct 2016, 06:55
by dvk01
Read viewtopic.php?t=4224.
Basically, CXS intercepts all file uploads before the server decides whether it is a legitimate request or the folder actually exists, and blocks/deletes/quarantines all non-legit requests.
Yes, you do get emails about them, which can be worrying at first, but be reassured that CXS is protecting you on an extra layer before Apache gets hold of the attempt and gives a 404 Not Found.

Without CXS, anybody attempting to upload to a non-existent folder or using a non-existent uploader would get a 404;
with CXS the upload is intercepted and quarantined and a 403 Forbidden is given instead.
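The ordering dvk01 describes is the whole point of the alert, so here is an added example (not cxs code, and not from anyone in this thread) that models it: a multipart upload is handed to a scanner hook as it arrives, before the request is routed, so a flagged upload gets 403 even when the target script or folder does not exist, whereas an unprotected server would answer 404. The scanner, the marker string it matches, the request body and the `existing_scripts` set are all constructed for this example; cxs itself delegates to ClamAV and its own decoders.

```python
"""Scan-before-route model of a web upload hook (added example, not cxs code)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a scanner signature; real scanning is ClamAV plus
# regex decoders, which this example does not reproduce.
FLAG_MARKER = b"CONSTRUCTED-TEST-MARKER"

BOUNDARY = b"----ConstructedBoundary"
# Constructed multipart/form-data body: one ordinary form field plus one file.
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="action"\r\n\r\nupload\r\n'
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="plugin.zip"\r\n'
    b"Content-Type: application/zip\r\n\r\n"
    b"not-a-real-archive " + FLAG_MARKER + b"\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)
CLEAN_BODY = SAMPLE_BODY.replace(FLAG_MARKER, b"harmless")


def parse_multipart(body: bytes, boundary: bytes) -> List[Dict]:
    """Split a multipart/form-data body into parts: name, filename, content."""
    parts: List[Dict] = []
    delimiter = b"--" + boundary
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        disp = {m.group(1).decode(): m.group(2).decode()
                for m in re.finditer(rb'(\w+)="([^"]*)"', head)}
        parts.append({"name": disp.get("name"),
                      "filename": disp.get("filename"),
                      "content": content})
    return parts


def scan_upload(part: Dict) -> Tuple[bool, str]:
    """Scanner hook: flag any uploaded file whose content matches the marker."""
    if FLAG_MARKER in part["content"]:
        return True, f"signature match in {part['filename']}"
    return False, ""


def serve(path: str, body: bytes, boundary: bytes,
          existing_scripts: Set[str], scan_first: bool) -> Tuple[int, str]:
    """Handle one upload request.

    With scan_first=True the scanner runs before routing (the cxs ordering), so
    a flagged upload is refused with 403 regardless of whether `path` exists.
    With scan_first=False the server routes first and answers 404 for unknown
    paths, which is what an unprotected server does.
    """
    uploads = [p for p in parse_multipart(body, boundary) if p["filename"]]
    if scan_first:
        for p in uploads:
            flagged, why = scan_upload(p)
            if flagged:
                return 403, f"Forbidden: upload quarantined ({why})"
    if path not in existing_scripts:
        return 404, "Not Found"
    return 200, f"OK: {path} received {len(uploads)} file(s)"


if __name__ == "__main__":
    scripts = {"/wp-admin/admin-ajax.php"}
    for path in ("/wp-admin/admin-ajax.php", "/nonexistent/uploader.php"):
        for scan_first in (False, True):
            status, msg = serve(path, SAMPLE_BODY, BOUNDARY, scripts, scan_first)
            print(f"{path:30} scan_first={scan_first!s:5} -> {status} {msg}")
```

The second case in the `__main__` loop is the one from this thread: with the hook in front, an upload aimed at a non-existent uploader is refused with 403 and recorded, which is why the alert arrives even though nothing named revslider exists on the server.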