How to ignore /tmp web upload script alerts

Posted: 23 Jan 2015, 22:34
by sneader
We are seeing dozens of emails every day alerting us to files being uploaded to /tmp by web scripts, some of which do not even exist. I am guessing that the bad guys are POSTing blindly, and the files are uploaded to /tmp until they are finished uploading, then when the script doesn't exist or handle the upload, the "hack" is failed and the bad guys move on.

Meanwhile, we have this malware file that was left in /tmp and CXS Quarantines it. For example:

# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'

However, we do not need to see emails for this, as there is nothing that needs our attention.

I am unable to build a filter, even using powerful GMail filtering, to just move these emails directly to the trash.

Are there any other options?

Here's a sample of one of the email alerts, in case this helps:
Scanning web upload script file...
Time : Fri Jan 23 16:22:44 2015 -0600
Web referer URL :
Local IP : 1.1.1.1
Web upload script user : nobody (99)
Web upload script owner: someuser (752)
Web upload script path : /home/someuser/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://example.com/wp-admin/admin-ajax.php
Remote IP : 22.22.22.22
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx.1422051764_1]


----------- SCAN REPORT -----------
TimeStamp: Fri Jan 23 16:22:44 2015
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchednWDZR --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx)

# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'
- Scott
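One way to triage these alerts automatically rather than fighting with mail filters, as an added example that is not part of Scott's post and not a CXS feature: parse the alert text that cxs mails out, pull out the script path, the scanned file and the quarantine result, and mark an alert as noise only when the quarantined file was still sitting in /tmp and the script it was POSTed to is not on disk. That is a stricter rule than "ignore everything in /tmp", since an upload aimed at a script that really exists is the case worth looking at. The field names are taken from the alert quoted above; the `path_exists` parameter and the sample alert text are this example's own assumptions (the sample is reconstructed from the one in the post).

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample, modelled on the cxs --cgi alert quoted in the post above.
SAMPLE_ALERT = """Scanning web upload script file...
Time : Fri Jan 23 16:22:44 2015 -0600
Web referer URL :
Local IP : 1.1.1.1
Web upload script user : nobody (99)
Web upload script owner: someuser (752)
Web upload script path : /home/someuser/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://example.com/wp-admin/admin-ajax.php
Remote IP : 22.22.22.22
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx.1422051764_1]

# ClamAV detected virus = [PHP.Shell-84]:
'/tmp/20150123-162243-VMLJszIcCEwADjD4ZZoAAAAB-file-dO21Zx'
"""

# "Key : value" header lines; the key is letters and spaces up to the first colon.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")
# The scanned file is echoed on its own line in single quotes.
SCANNED_RE = re.compile(r"^'(?P<path>/[^']+)'\s*$", re.MULTILINE)
# "Quarantined : Yes [/path]" or "Quarantined : No".
QUAR_RE = re.compile(r"^(?P<flag>Yes|No)(?:\s*\[(?P<path>[^\]]+)\])?$")
SIG_RE = re.compile(r"ClamAV detected virus = \[(?P<sig>[^\]]+)\]")


@dataclass
class Alert:
    script_path: Optional[str]
    scanned_path: Optional[str]
    quarantined: bool
    quarantine_path: Optional[str]
    remote_ip: Optional[str]
    signature: Optional[str]


def parse_alert(text: str) -> Alert:
    """Extract the fields a triage decision needs from one cxs alert email body."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()

    quarantined, quarantine_path = False, None
    qm = QUAR_RE.match(fields.get("Quarantined", ""))
    if qm:
        quarantined = qm.group("flag") == "Yes"
        quarantine_path = qm.group("path")

    sm = SCANNED_RE.search(text)
    gm = SIG_RE.search(text)
    return Alert(
        script_path=fields.get("Web upload script path") or None,
        scanned_path=sm.group("path") if sm else None,
        quarantined=quarantined,
        quarantine_path=quarantine_path,
        remote_ip=fields.get("Remote IP") or None,
        signature=gm.group("sig") if gm else None,
    )


def triage(alert: Alert, path_exists: Callable[[str], bool] = os.path.exists) -> str:
    """Return 'noise' for the pattern Scott describes (blind POST, file never left /tmp,
    target script not on disk) and 'review' for anything else. path_exists is injectable
    so the rule can be tested without touching the real filesystem (assumption of this example)."""
    if not alert.quarantined:
        return "review"            # cxs did not contain it: someone must look
    if not (alert.scanned_path or "").startswith("/tmp/"):
        return "review"            # the upload reached somewhere other than /tmp
    if alert.script_path and path_exists(alert.script_path):
        return "review"            # a real script was targeted; worth a human glance
    return "noise"


if __name__ == "__main__":
    # Feed an alert body on stdin (e.g. from a procmail/maildrop rule) and print the verdict.
    body = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALERT
    verdict = triage(parse_alert(body))
    print(verdict)
    sys.exit(0 if verdict == "noise" else 1)
```

The exit status makes it usable as a delivery-time filter: a mail rule can pipe the body through the script and drop the message only on exit 0, so anything that fails to parse or does not match the noise pattern still lands in the inbox.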

Re: How to ignore /tmp web upload script alerts

Posted: 28 Jan 2015, 05:45
by KelvinSmith
Please see the thread for details.
viewtopic.php?f=26&t=8205

https://www.webhosting.uk.com/

Re: How to ignore /tmp web upload script alerts

Posted: 15 Sep 2015, 14:44
by maknet
I was unable to find that link.

Re: How to ignore /tmp web upload script alerts

Posted: 17 Sep 2015, 04:17
by maknet
Never mind, it's on the configserver.com forum. :)

I thought it was based on your sig in the footer.