
Scanning on a non-existent file

Posted: 16 Sep 2019, 22:03
by LukeDouglas
I got an email with this message:

Scanning web upload script file...
Time                   : Mon, 16 Sep 2019 15:23:48 -0500
Web referer URL        : 
Local IP               : 162.241.XXX.XXX
Web upload script user : nobody (99)
Web upload script owner:  ()
Web upload script path : /home/FOLDERNAME/public_html/wp-content
Web upload script URL  : http://WEBSITENAME/wp-content/themes/village/blueprint/gallery/ajaxupload/server/php.php
Remote IP              : 202.104.9.163
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/20190916-152347-XX-vU4N7HH4hibQ5LzkRxwAAAUI-file-7uQGzx.1568665428_1]

NOTE: [/home/FOLDERNAME/public_html/wp-content] does not exist on this server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data
I did check the File Manager and there is NO /public_html/wp-content folder. So someone attempted to access a non-existent folder. Is there a way I can stop the sending of any warnings for '/wp-content/', '/wp-includes/' and '/wp-admin/' folders as well as any files in the root with 'wp*.php' wildcard? I run a Joomla shop and NONE of the websites on my server has 'any' WordPress installs.
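
An added example, not part of the original post and not cxs code: Python that parses alert reports in the layout quoted above and counts, per remote IP and URL path, the ones carrying the "does not exist on this server" note. The sample text, addresses and paths are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the layout of the alert quoted above (placeholder values).
SAMPLE = """\
Scanning web upload script file...
Time                   : Mon, 16 Sep 2019 15:23:48 -0500
Web upload script user : nobody (99)
Web upload script owner:  ()
Web upload script path : /home/exampleuser/public_html/wp-content
Web upload script URL  : http://shop.example/wp-content/themes/x/upload.php
Remote IP              : 203.0.113.7
Quarantined            : Yes [/home/quarantine/cxscgi/sample-1]

NOTE: [/home/exampleuser/public_html/wp-content] does not exist on this server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data

Scanning web upload script file...
Web upload script path : /home/exampleuser/public_html/media
Web upload script URL  : http://shop.example/media/upload.php
Remote IP              : 198.51.100.22
Quarantined            : Yes [/home/quarantine/cxscgi/sample-2]
"""

# Field name runs up to the first colon; values (times, URLs) may contain colons.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
MISSING = re.compile(r"^NOTE: \[(.+?)\] does not exist on this server")

def parse_alerts(text):
    """Split on the report banner; return one dict of fields per alert."""
    alerts = []
    for chunk in text.split("Scanning web upload script file...")[1:]:
        alert = {"missing_path": None}
        for line in chunk.splitlines():
            note = MISSING.match(line)
            if note:
                alert["missing_path"] = note.group(1)
            elif (m := FIELD.match(line)):
                alert[m.group(1)] = m.group(2).strip()
        alerts.append(alert)
    return alerts

def noise_by_source(alerts):
    """Count alerts whose target path is absent, keyed by (remote IP, URL path)."""
    return Counter(
        (a.get("Remote IP"), urlsplit(a.get("Web upload script URL", "")).path)
        for a in alerts if a["missing_path"]
    )
```
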

Re: Scanning on a non-existent file

Posted: 05 Sep 2020, 11:25
by codebee
Have the same question - How do we disable these email alerts for file paths that don't actually exist?

Re: Scanning on a non-existent file

Posted: 05 Sep 2020, 11:52
by Sarah
See the option "--cutcgimail" in the cxs documentation. In the cxscgi Configuration Wizard it is listed as "Reduce the number of emails from ModSecurity hits".

Re: Scanning on a non-existent file

Posted: 05 Sep 2020, 13:56
by codebee
Sarah wrote: 05 Sep 2020, 11:52
--cutcgimail

Hey Sarah, thanks for the super fast response! Managed to find that option in the settings so will give it a try, thank you.

Re: Scanning on a non-existent file

Posted: 10 Sep 2020, 14:53
by bouvrie
Seeing that these requests often come from exploit scanners, is there a way to instantly delete the uploaded file & add the offending Remote IP address to the blocklist?

Instead of wasting precious server resources, analyzing a file that has no business on the server and won't be processed further anyway?

Re: Scanning on a non-existent file

Posted: 14 Sep 2020, 17:12
by pyrographics
This has become a big hassle on our server thanks to the wp-file-manager exploit going around now. Never mind that it doesn't exist on our server, we are getting hundreds of hits to it each day. CXS quarantines the offensive non-uploaded file into /home/whatever-username/.quarantine/ and then cPanel's new virus scanning then hits on it, listing it as a problem. I wish there was a way to just delete the results of these hits instead of quarantining them. Also I don't know why the quarantine is under the user's folder instead of the /home/quarantine/ folder that is specified.

Re: Scanning on a non-existent file

Posted: 26 Oct 2020, 15:09
by JasGot
This is a nuisance for us too. 14 e-mails per hour about a file that doesn't exist.

/home/{account}/public_html/image.php

How can it detect a virus if there is no file?