Trace how malware was uploaded to server

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
imadsani
Junior Member
Posts: 2
Joined: 02 Aug 2013, 09:51

Trace how malware was uploaded to server

Post by imadsani »

Hello,

I've been struggling with this for a while now, I have wordpress sites where everything is up to date but attackers are still able to upload files to the server. One such person has been trying to upload a backdoor since 1am in the morning. I can see 5 files with the same name quarantined.

Is it possible to identify how these files were uploaded?

I'm starting to loose my mind here, I even put up cloudflare to see if that would help but the files are still being uploaded.

Any help would be greatly appreciated, thank you.
sahostking
Junior Member
Posts: 44
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa
Contact:

Re: Trace how malware was uploaded to server

Post by sahostking »

Do you use modsecurity?

If not consider installing OWASP rules or Comodo WAF ruleset both which are free.

Usually they upload via a outdated plugin or some flaw in one.

If not that then if you have no modsecurity then your server is vulnerable.

Best to have Firewall + Modsecurity + CXS + ClamAV with unofficial signatures added. Then you should be fine.

Note if using CSF then LF_CXS can be used to block IP for certain period of time. You could then search the access logs of the domain in question for that IP to see what plugin was used to upload the files.
Post Reply