Web upload script (i don't understand)

Posted: 28 Sep 2015, 05:11
by maknet
Hope someone can clarify something.

I understand about the false-positives (when the file doesn't exist), but I get a lot of e-mails having to do with viruses or fingerprints referring to files like:

http://domain.com/wp-admin/admin-ajax.php
or
http://www.domain.com/index.php?option= ... iew=upload

These files get quarantined, but does that mean these WordPress files are exploitable and hackers are actually uploading files?

Or does this mean that someone did an Apache POST and the request could "potentially" have uploaded a file... when in fact it didn't, because the WordPress file is patched?

Basically I'm trying to understand if I should be freaked out that hackers are uploading files and whether CXS is the only thing standing in their way. :)

Thanks.

Re: Web upload script (i don't understand)

Posted: 08 Oct 2015, 07:02
by dvk01
The "hackers" are trying to upload the files.
If you don't have the exploitable WordPress or other service running, or it is fully patched, under normal circumstances the upload will fail and not be saved to the server at all, and the server responds to the hacker with an HTTP error 404/403/500 or other failure message.
However, if you have CXS installed, it intercepts the upload before it even gets to WordPress or any other running service, so it accepts the upload and quarantines it.
This might sound a bit stupid and even risky, and you would think that it is better to allow the server to reject. BUT new exploits come out every minute of every day, and having CXS intercept every upload request before it even gets to any possibly exploitable service or program on the server, even if that service or program does not exist on the server, is much preferable and safer.

Re: Web upload script (i don't understand)

Posted: 08 Oct 2015, 18:38
by maknet
Thanks a lot for the response, it's much appreciated.

So, similar to the "false-positive, this file doesn't exist" error, CXS intercepts the bad files before they even get uploaded.

If CXS wasn't there, it's possible that the patched file would also NOT accept the file?

So basically, my job is to make sure those particular files are patched.

Re: Web upload script (i don't understand)

Posted: 04 Jul 2016, 14:51
by Grindlay
Having looked at various options to reduce the amount of alerting, I think the best one is just to put the script filename in the cxs.ignore file.
In this case, it would be:
hfile:/public_html/wp-admin/admin-ajax.php
This assumes that you're happy that admin-ajax.php is properly patched and secure. Haven't seen anything to suggest it isn't. Of course, the next attempted attack will probably target a different file so to an extent it is whack-a-mole. What I'd like to see is an option in CXS to block the IP in CSF.
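An added example to go with the cxs.ignore suggestion above; it is not code from this thread or from ConfigServer. It triages a batch of alert paths against a cxs.ignore file, showing which alerts an `hfile:` entry would quiet and which distinct targets remain (the whack-a-mole list). It ASSUMES that an `hfile:` entry is an exact path relative to the account's home directory under /home (the thread does not confirm how cxs matches these entries); the alert paths and ignore file are constructed samples.

```python
"""
Triage cxs alert paths against a cxs.ignore file.

Added example, not code from the thread or from ConfigServer. ASSUMPTION
(not confirmed by the thread): an `hfile:` entry in cxs.ignore is an exact
path relative to the account's home directory, so
`hfile:/public_html/wp-admin/admin-ajax.php` covers
/home/<user>/public_html/wp-admin/admin-ajax.php for every account.
"""
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample: the script path each alert reported, one entry per alert.
SAMPLE_ALERTS = [
    "/home/site1/public_html/wp-admin/admin-ajax.php",
    "/home/site1/public_html/wp-admin/admin-ajax.php",
    "/home/site2/public_html/index.php",
    "/home/site2/public_html/wp-admin/admin-ajax.php",
    "/home/site3/public_html/blog/wp-admin/admin-ajax.php",
]

# Constructed cxs.ignore content: the entry suggested in the thread plus a comment.
SAMPLE_IGNORE = """\
# ignore the WordPress AJAX endpoint, assumed patched
hfile:/public_html/wp-admin/admin-ajax.php
"""

HOME_ROOT = "/home"  # assumption: hosting accounts live under /home/<user>


def parse_ignore(text):
    """Return the set of home-relative paths from hfile: lines, skipping comments/blank lines."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key == "hfile":
            entries.add(value)
    return entries


def home_relative(path, home_root=HOME_ROOT):
    """Strip /home/<user> from an absolute path; return None if it is not under home_root."""
    parts = PurePosixPath(path).parts
    root_parts = PurePosixPath(home_root).parts
    n = len(root_parts)
    # Need the root, a user component, and at least one more component.
    if len(parts) < n + 2 or parts[:n] != root_parts:
        return None
    return "/" + "/".join(parts[n + 1:])


def triage(alerts, ignore_text):
    """Split alerts into (suppressed, remaining) and count the remaining home-relative targets."""
    ignored = parse_ignore(ignore_text)
    suppressed, remaining = [], []
    for path in alerts:
        rel = home_relative(path)
        (suppressed if rel in ignored else remaining).append(path)
    counts = Counter(home_relative(p) or p for p in remaining)
    return suppressed, remaining, counts


if __name__ == "__main__":
    s, r, c = triage(SAMPLE_ALERTS, SAMPLE_IGNORE)
    print(f"suppressed by cxs.ignore: {len(s)}")
    print(f"still alerting: {len(r)}")
    for target, hits in c.most_common():
        print(f"  {hits:3d}  {target}")
```

Under the assumed exact-match semantics the entry quiets admin-ajax.php for every account's main site, but a second WordPress install in a subdirectory (blog/wp-admin/admin-ajax.php in the sample) still alerts and needs its own entry, which is one thing to check when an hfile: line appears not to take effect.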

Re: Web upload script (i don't understand)

Posted: 04 Jul 2016, 18:49
by sawbuck
Grindlay wrote:What I'd like to see is an option in CXS to block the IP in CSF.
Agree.

Re: Web upload script (i don't understand)

Posted: 04 Jul 2016, 20:57
by ForumAdmin
That is what the LF_CXS option in csf.conf is for. cxs itself cannot do it as the ModSecurity process runs as the nobody (or default apache) user and not root.

Re: Web upload script (i don't understand)

Posted: 05 Jul 2016, 02:26
by sawbuck
Thanks Jonathan for confirming that.

Re: Web upload script (i don't understand)

Posted: 07 Jul 2016, 16:26
by kidoo11
I also have this problem. Thanks for answer

Re: Web upload script (i don't understand)

Posted: 07 Aug 2016, 15:39
by Grindlay
ForumAdmin wrote:That is what the LF_CXS option in csf.conf is for. cxs itself cannot do it as the ModSecurity process runs as the nobody (or default apache) user and not root.
So it is - missed that in the options. Not quite clear on the difference between LF_MODSEC and LF_CXS but have set LF_CXS to 1 and will monitor.

Re: Web upload script (i don't understand)

Posted: 06 Nov 2017, 21:43
by ant
Grindlay wrote:In this case, it would be:
hfile:/public_html/wp-admin/admin-ajax.php
adding hfile:/public_html/wp-admin/admin-ajax.php does not seem to work. I'm assuming it has something to do with ModSecurity. I have added this line and keep getting notices.

What is another way to ignore the /wp-admin/admin-ajax.php file? Maybe that works with ModSecurity?