cxs Scan with a lot of different web upload scripts

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
evenme
Junior Member
Posts: 1
Joined: 24 Oct 2014, 15:30

cxs Scan with a lot of different web upload scripts

Post by evenme »

Hi all,

We're receiving a lot of cxs Scan email alerts with the following kind of content:

Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web referer URL : somedomain. com. br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Local IP : X.X.X.X
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/someuser/public_html/wp-admin
Web upload script URL : somedomain. com. br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Remote IP : 212.252.56.64
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC.1414158892_1]

NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist


----------- SCAN REPORT -----------
TimeStamp: Fri Oct 24 10:54:51 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --cleanlog --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC)

# (compressed file: lniiwzrh/incammino.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC'
# (compressed file: lniiwzrh/incammino.php [depth: 1]) (decoded file [depth: 28]) Known exploit = [Fingerprint Match] [PHP Defacer Exploit [P0141]]:
'/tmp/20141024-105451-VEpaK7sSBR0AAGANWaUAAADU-file-E15WpC'

The emails are almost the same alert (web upload), but the "Web upload script URL" differs between the attempts. Some examples (there are many more every other hour):

Web upload script URL : somewebsite. com. br/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Web upload script URL : somewebsite. com. br/wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
Web upload script URL : somewebsite. com. br/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
Web upload script URL : somewebsite. com. br/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php

Every email says the file has been put in quarantine, and in fact there is a PHP file with some shell/deface exploit. But the weirdest thing is, none of the websites has the plugins or themes of the "Web upload script URL" installed, or even has the CMS installed. One case was a domain without any CMS installed (it has only some files, no CMS or actual webpage/index) and still we had this alert:

Web upload script URL : otherwebsite. com. br/wordpress/wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php

So, how have the files been uploaded? And what can be happening? Is this a problem with cxs/ModSecurity or something else?
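One way to sort a batch of these alerts, as an added example that is not part of the post and not ConfigServer's code. It parses the alert body format quoted above (the field labels are cxs's own) and separates uploads aimed at a script directory that does not exist on disk, which is what the NOTE line reports, from uploads that reached a real upload script. The reading behind the split is an assumption drawn from that NOTE line: when the target directory is missing, the request was a blind probe of an upload script that is not installed, and the posted file exists only in cxs's quarantine. The three alert bodies, domains, IPs and paths are constructed; `path_exists` is injected so the check can run offline.

```python
"""Triage cxs "Scanning web upload script file..." alerts (added example)."""
import os
import re
from collections import defaultdict

NOTE_RE = re.compile(
    r"^NOTE: This alert may be a ModSecurity false-positive as (.+) does not exist$")
ALERT_SPLIT_RE = re.compile(r"^Scanning web upload script file\.\.\.$", re.M)

# Constructed sample in the cxs --cgi alert format; hosts, IPs and paths are made up.
SAMPLE_ALERTS = """\
Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/someuser/public_html/wp-admin
Web upload script URL : example.com.br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Remote IP : 203.0.113.7
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20141024-105451-sample-1]

NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist

Scanning web upload script file...
Time : Fri Oct 24 11:10:03 2014 -0300
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/someuser/public_html/wp-content/plugins/wp-property/third-party/uploadify
Web upload script URL : example.com.br/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
Remote IP : 203.0.113.7
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20141024-111002-sample-2]

NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-content/plugins/wp-property/third-party/uploadify does not exist

Scanning web upload script file...
Time : Fri Oct 24 12:00:41 2014 -0300
Web upload script user : nobody (99)
Web upload script owner: realuser (1001)
Web upload script path : /home/realuser/public_html/wp-admin
Web upload script URL : example.net/wp-admin/async-upload.php
Remote IP : 198.51.100.23
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20141024-120040-sample-3]
"""


def parse_alerts(text):
    """One dict per alert: the 'Key : value' fields plus 'note_path', the
    directory cxs reports as missing, or None when there is no NOTE line."""
    alerts = []
    for block in ALERT_SPLIT_RE.split(text):
        if not block.strip():
            continue
        alert = {"note_path": None}
        for line in block.splitlines():
            m = NOTE_RE.match(line.strip())
            if m:
                alert["note_path"] = m.group(1)
                continue
            if ":" not in line:
                continue
            # Split on the first colon only: the timestamp value holds more
            # colons, and the 'owner' label has no space before its colon.
            key, _, value = line.partition(":")
            alert[key.strip()] = value.strip()
        if "Web upload script URL" in alert:
            alerts.append(alert)
    return alerts


def classify(alert, path_exists=os.path.isdir):
    """'probe' when the target directory is missing, 'upload' otherwise.
    Not every alert carries the NOTE line, so the directory is also checked
    through `path_exists` (assumed helper; default is the live filesystem)."""
    path = alert.get("Web upload script path", "")
    if alert["note_path"] or not path or not path_exists(path):
        return "probe"
    return "upload"


def triage(text, path_exists=os.path.isdir):
    """Per remote IP: number of probes, uploads to real paths, URLs tried."""
    report = defaultdict(lambda: {"probe": 0, "upload": 0, "urls": set()})
    for alert in parse_alerts(text):
        entry = report[alert.get("Remote IP", "?")]
        entry[classify(alert, path_exists)] += 1
        entry["urls"].add(alert["Web upload script URL"])
    return dict(report)


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_ALERTS).items():
        print(ip, entry["probe"], "probe(s)", entry["upload"], "upload(s)", sorted(entry["urls"]))
```

Run against a mailbox dump of the real alerts, the per-IP counts show which remote addresses are walking a list of known upload scripts across every domain on the box; those are candidates for a firewall block rather than a cleanup, while any alert that lands in the "upload" bucket points at a script that really is installed and needs a look.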
Metro2
Junior Member
Posts: 78
Joined: 10 Dec 2006, 10:10

Re: cxs Scan with a lot of different web upload scripts

Post by Metro2 »

Same kind of thing just started happening on my servers recently, right after having the ConfigServer CP+MS package re-installed on them a couple of weeks ago... getting tons of these, even on sites that don't have the scripts installed where CXS is detecting the "Web upload script file..."

The strange thing is that I've purchased and run the CP+MS package on all of my servers for many years now going all the way back to 2005 and this has never happened before.

I found this thread because I'm digging around the web everywhere for clues about this and am disappointed to see that it has been sitting here since October without any. Definitely have some anxiety building over this...
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: cxs Scan with a lot of different web upload scripts

Post by Sarah »

The alert quoted included this statement:


NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist
Please see this post for further information:
viewtopic.php?f=26&t=4224

Regards,
Sarah
Metro2
Junior Member
Posts: 78
Joined: 10 Dec 2006, 10:10

Re: cxs Scan with a lot of different web upload scripts

Post by Metro2 »

Sarah wrote:The alert quoted included this statement:


NOTE: This alert may be a ModSecurity false-positive as /home/someuser/public_html/wp-admin does not exist
Please see this post for further information:
viewtopic.php?f=26&t=4224

Regards,
Sarah
Thank you Sarah.

Couple strange things though:

First - as you know, I've always had Jonathan install the whole CP+MS package all these years and I don't really touch or modify much when he's done, but after a re-install on 3 servers just a couple of weeks ago, servers that already had the whole package, these alerts just started. The alerts weren't happening before, and yet it's the same 3 servers he had originally installed the full package on previously. I can't begin to guess what would be different except the recent release of cPanel 11.46 to the "Release" tier, which I guess has somehow made the difference?

Second - not all of the alerts contain the "NOTE: This alert may be a ModSecurity false-positive as" message, AND not all of the "Web upload script owner" sections are empty (on some of them it shows the account's username).

It's all enough to make a guy worry a bit :o
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: cxs Scan with a lot of different web upload scripts

Post by Sarah »

Please submit a ticket on the helpdesk, with several examples of these alert emails, if you have specific concerns.