Web upload script (i don't understand)

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
maknet
Junior Member
Posts: 17
Joined: 10 Sep 2015, 19:02

Web upload script (i don't understand)

Post by maknet »

Hope someone can clarify something.

I understand about the false-positives (when the file doesn't exist), but I get a lot of e-mails having to do with viruses or fingerprints referring to files like:

http://domain.com/wp-admin/admin-ajax.php
or
http://www.domain.com/index.php?option= ... iew=upload

These files get quarantined, but does that mean these wordpress files are exploitable and hackers are actually uploading files?

Or does this mean that someone did an apache POST and the request could "potentially" have uploaded a file.. when in fact, it didn't because the wordpress file is patched?

Basically I'm trying to understand if i should be freaked out that hackers are uploading files and whether CXS is the only thing standing in their way. :)

Thanks.

dvk01
Junior Member
Posts: 80
Joined: 20 Feb 2010, 18:10

Re: Web upload script (i don't understand)

Post by dvk01 »

The "hackers" are trying to upload the files
If you don't have the exploitable WordPress or other service running or is fully patched, under normal circumstances the upload will fail and not be saved to the server at all and the server responds to the hacker with an http error 404/403/ 500 or other failure message
However if you have CXS installed, that intercepts the upload before it even gets to WordPress or any other running service so accepts the upload and quarantines it.
This might sound a bit stupid and even risky and you would think that it is better to allow the server to reject. BUT new exploits come out every minute of every day and having CXS intercept every upload request before it even gets to any possible exploitable service or program on the server, even if that service or program does not exist on the server is much more preferable and safer.

maknet
Junior Member
Posts: 17
Joined: 10 Sep 2015, 19:02

Re: Web upload script (i don't understand)

Post by maknet »

Thanks a lot for the response, it's much appreciated.

So similar to the "false-positive, this file doesn't exist error", CXS intercepts the bad files before it even gets uploaded.

If CXS wasn't there, it's possible that the patched-file would also NOT accept the file?

So basically, my job is to make sure those particular files are patched.

Grindlay
Junior Member
Posts: 9
Joined: 23 Jun 2008, 19:22
Location: Edinburgh, UK
Contact:

Re: Web upload script (i don't understand)

Post by Grindlay »

Having looked at various options to reduce the amount of alerting, I think the best one is just to put the script filename in the cxs.ignore file.
In this case, it would be :
hfile:/public_html/wp-admin/admin-ajax.php
This assumes that you're happy that admin-ajax.php is properly patched and secure. Haven't seen anything to suggest it isn't. Of course, the next attempted attack will probably target a different file so to an extent it is whack-a-mole. What I'd like to see is an option in CXS to block the IP in CSF.

sawbuck
Junior Member
Posts: 366
Joined: 10 Dec 2006, 16:20

Re: Web upload script (i don't understand)

Post by sawbuck »

Grindlay wrote:What I'd like to see is an option in CXS to block the IP in CSF.
Agree.

ForumAdmin
Moderator
Posts: 1460
Joined: 01 Oct 2008, 09:24

Re: Web upload script (i don't understand)

Post by ForumAdmin »

That is what the LF_CXS option in csf.conf is for. cxs itself cannot do it as the ModSecurity process runs as the nobody (or default apache) user and not root.

sawbuck
Junior Member
Posts: 366
Joined: 10 Dec 2006, 16:20

Re: Web upload script (i don't understand)

Post by sawbuck »

Thanks Jonathan for confirming that.

kidoo11
Junior Member
Posts: 1
Joined: 07 Jul 2016, 16:19

Re: Web upload script (i don't understand)

Post by kidoo11 »

I also have this problem. Thanks for answer

Grindlay
Junior Member
Posts: 9
Joined: 23 Jun 2008, 19:22
Location: Edinburgh, UK
Contact:

Re: Web upload script (i don't understand)

Post by Grindlay »

ForumAdmin wrote:That is what the LF_CXS option in csf.conf is for. cxs itself cannot do it as the ModSecurity process runs as the nobody (or default apache) user and not root.
So it is - missed that in the options. Not quite clear on the difference between LF_MODSEC and LF_CXS but have set LF_CXS to 1 and will monitor.

ant
Junior Member
Posts: 1
Joined: 06 Nov 2017, 20:57

Re: Web upload script (i don't understand)

Post by ant »

In this case, it would be :
hfile:/public_html/wp-admin/admin-ajax.php
adding hfile:/public_html/wp-admin/admin-ajax.php does not seem to work. I'm assuming it has something to do with ModSecurity. I have added this line and keep getting notices.

What is another way to ignore the /wp-admin/admin-ajax.php file? Maybe that works with ModSecurity?

Post Reply