Seeming false positive - not sure
Posted: 20 Apr 2015, 13:51
Hi,
I'm hoping someone can help me determine what is being reported here... I have a default configuration of CXS, that was installed by configserver as part of the cPanel Server Service.
I get lots of reports like these, dozens a day on different domains. I also get others that are clearly labelled as false positives, as the files do not exist. With these, I can't tell what's going on.
Code:
Scanning web upload script file...
Time : Mon Apr 20 06:13:19 2015 -0400
Web referer URL :
Local IP : 111.222.333.444
Web upload script user : nobody (99)
Web upload script owner: legitusername (600)
Web upload script path : /home/legitusername/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://legitusername.com/wp-admin/admin-ajax.php
Remote IP : 222.333.444.555
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov.1429524799_1]
----------- SCAN REPORT -----------
TimeStamp: Mon Apr 20 06:13:19 2015
(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov)
'/tmp/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov'
(compressed file: revslider/error.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/error.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]
(compressed file: revslider/pure.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/pure.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]
I have verified that there is no directory or file called 'revslider' on the server, and also that the files 'error.php' and 'pure.php' do not exist.
Are these also then false positives that I can ignore? Are these attempts by someone to upload revslider via wp-admin? I have verified that it is not the site owner attempting this.
I appreciate any wisdom :-)
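Reading a report like the one above by hand is fine once, but at dozens a day it helps to parse the fixed fields and group them. The script below is an added example, not part of the original post and not ConfigServer's own code: it parses the report format exactly as shown in the thread (the sample text is constructed from that report, with the same placeholder IPs the poster used), pulls out the upload script, the remote IP, the quarantine path and the flagged archive members, and tallies repeated reports by remote IP and member name. Field names, the regexes and the helper function names are assumptions based only on the lines visible in the post.

```python
"""Triage helper for CXS "web upload script" reports.

Added example for the thread above; not part of the original post and not
ConfigServer's cxs code. It parses the plain-text report shown there and
summarises what was uploaded, through which script, from which remote IP,
and which archive members were flagged, so that many similar reports can be
grouped instead of read one at a time.
"""
import re
from collections import Counter

# Constructed sample: the header fields and finding lines from the report in
# the post, with the poster's own placeholder IP addresses.
SAMPLE_REPORT = """\
Scanning web upload script file...
Time : Mon Apr 20 06:13:19 2015 -0400
Web referer URL :
Local IP : 111.222.333.444
Web upload script user : nobody (99)
Web upload script owner: legitusername (600)
Web upload script path : /home/legitusername/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://legitusername.com/wp-admin/admin-ajax.php
Remote IP : 222.333.444.555
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov.1429524799_1]
----------- SCAN REPORT -----------
'/tmp/20150420-061319-VTTRP66ONZgAAGutsrIAAAAx-file-JPdaov'
(compressed file: revslider/error.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/error.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]
(compressed file: revslider/pure.php [depth: 1]) Regular expression match = [decode regex: 7]
(compressed file: revslider/pure.php [depth: 1]) (decoded file [advanced decoder: 9]) ClamAV detected virus = [PHP.Shell-38]
"""

# "Key : value" header lines; the key is matched lazily so values that
# contain colons (timestamps, URLs) stay intact.
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")

# Finding lines for members of an uploaded archive. "depth: 1" means the
# flagged file was inside the compressed upload, not on disk in the site.
FINDING_RE = re.compile(
    r"^\(compressed file: (?P<member>[^\]]+?) \[depth: (?P<depth>\d+)\]\)\s*"
    r"(?:\(decoded file \[[^\]]*\]\)\s*)?"
    r"(?P<kind>Regular expression match|ClamAV detected virus) = \[(?P<detail>[^\]]*)\]$"
)
QUARANTINE_RE = re.compile(r"^Yes \[(?P<path>[^\]]+)\]$")


def parse_report(text):
    """Return (headers, findings) for one report as shown in the thread."""
    headers, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = FINDING_RE.match(line)
        if m:
            findings.append({"member": m["member"], "depth": int(m["depth"]),
                             "kind": m["kind"], "detail": m["detail"]})
            continue
        m = HEADER_RE.match(line)
        if m:
            headers[m["key"].strip()] = m["value"].strip()
    # The quarantine path is where the uploaded temp file was moved; that is
    # why the flagged names are not found under the site's document root.
    q = QUARANTINE_RE.match(headers.get("Quarantined", ""))
    headers["quarantine_path"] = q["path"] if q else None
    return headers, findings


def summarise(text):
    """Condense one report into the fields a triager wants at a glance."""
    headers, findings = parse_report(text)
    return {
        "remote_ip": headers.get("Remote IP"),
        "upload_script": headers.get("Web upload script path"),
        "script_runs_as": headers.get("Web upload script user"),  # web server user, e.g. nobody
        "quarantine_path": headers["quarantine_path"],
        "deleted": headers.get("Deleted") == "Yes",
        "archive_members": sorted({f["member"] for f in findings}),
        "signatures": sorted({f["detail"] for f in findings
                              if f["kind"] == "ClamAV detected virus"}),
    }


def group_reports(reports):
    """Tally (remote IP, archive member) pairs across many reports."""
    tally = Counter()
    for text in reports:
        s = summarise(text)
        for member in s["archive_members"]:
            tally[(s["remote_ip"], member)] += 1
    return tally


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REPORT).items():
        print(f"{key:>16}: {value}")
    for (ip, member), n in group_reports([SAMPLE_REPORT]).most_common():
        print(f"{n:4d}  {ip}  {member}")
```

Feed it the text of each mailed report (one string per report) and the tally shows which remote addresses keep sending the same archive members to which upload scripts; the quarantine path in the summary is the file to inspect if you want to look at what was actually uploaded.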