How to ignore /tmp web upload script alerts

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

How to ignore /tmp web upload script alerts

Post by sneader »

We are seeing dozens of emails every day alerting us to files being uploaded to /tmp by web scripts, some of which do not even exist. I am guessing that the bad guys are POSTing blindly, and the files are uploaded to /tmp until they are finished uploading, then when the script doesn't exist or handle the upload, the "hack" is failed and the bad guys move on.

Meanwhile, we have this malware file that was left in /tmp and CXS Quarantines it. For example:

# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'

However, we do not need to see emails for this, as there is nothing that needs our attention.

I am unable to build a filter, even using powerful GMail filtering, to just move these emails directly to the trash.

Are there any other options?

Here's a sample of one of the email alerts, in case this helps:
Scanning web upload script file...
Time : Fri Jan 23 16:22:44 2015 -0600
Web referer URL :
Local IP : 1.1.1.1
Web upload script user : nobody (99)
Web upload script owner: someuser (752)
Web upload script path : /home/someuser/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://example.com/wp-admin/admin-ajax.php
Remote IP : 22.22.22.22
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx.1422051764_1]


----------- SCAN REPORT -----------
TimeStamp: Fri Jan 23 16:22:44 2015
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchednWDZR --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx)

# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'
- Scott
KelvinSmith
Junior Member
Posts: 2
Joined: 30 Oct 2014, 11:48
Location: UK
Contact:

Re: How to ignore /tmp web upload script alerts

Post by KelvinSmith »

Please see the thread for details.
viewtopic.php?f=26&t=8205

https://www.webhosting.uk.com/
maknet
Junior Member
Posts: 17
Joined: 10 Sep 2015, 19:02

Re: How to ignore /tmp web upload script alerts

Post by maknet »

I was unable to find that link.
maknet
Junior Member
Posts: 17
Joined: 10 Sep 2015, 19:02

Re: How to ignore /tmp web upload script alerts

Post by maknet »

Nevermind, it's on the configserver.com forum. :)

I thought it was based on your sig in the footer..
Post Reply