CXS scan showing Trojan

daveboulter
Junior Member
Posts: 3
Joined: 10 Nov 2014, 01:37

Post by daveboulter »

Hi,

Sorry, new to CXS so be gentle :-)

I have the following report. Is this a real or a false positive?

Thanks
/daveb

Scanning web upload script file...
Time : Tue, 19 Sep 2017 08:42:25 +1000
Web referer URL :
Local IP : 103.237.108.162
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/purecalm/public_html/wp-content
Web upload script URL : http://purecalma.com/wp-content/plugins ... /index.php
Remote IP : 35.184.110.7
Upload data md5sum : 9e487fa1371246713b726305844784b6
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20170919-084223-WcBLz2ftbKIAACCW-yMAAAAM-file-PODwcp.1505774545_1]

NOTE: This alert may be a ModSecurity false-positive as /home/purecalm/public_html/wp-content does not exist

----------- SCAN REPORT -----------
TimeStamp: Tue, 19 Sep 2017 08:42:25 +1000
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --ignore /etc/cxs/cxs.ignore --mail support@techremedy.com.au --options mMOLfSGchexdnwZDRru --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --virusscan /tmp/20170919-084223-WcBLz2ftbKIAACCW-yMAAAAM-file-PODwcp)

'/tmp/20170919-084223-WcBLz2ftbKIAACCW-yMAAAAM-file-PODwcp'
Regular expression match = [Obfuscation provided by FOPO]
Universal decode regex match = [universal decoder]
Decode regex match = [decode regex: 12]
(decoded file [advanced decoder: 13 (depth: 5)]) ClamAV detected virus = [Win.Trojan.Shell-49]
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: CXS scan showing Trojan

Post by Sarah »

Please read this forum post for an explanation as to why this may be a "false positive":

viewtopic.php?f=26&t=4224
daveboulter
Junior Member
Posts: 3
Joined: 10 Nov 2014, 01:37

Re: CXS scan showing Trojan

Post by daveboulter »

Thanks Sarah