
report vulnerability

  • #103613

    Richard Dewick
    Participant

    I’ve ConfigServer eXploit Scanner – cxs v13.03 running on my cPanel server and yesterday it picked up on this suspicious file that looks to have been uploaded to the tmp folder via a possible exploit on the multi currency plugin. I thought I’d pass this on in case it was a genuine exploit, although I could be wrong:

    Scanning web upload script file...
    Time                   : Tue, 14 Sep 2021 19:19:01 +0000
    Web referer URL        : 
    Local IP               : 178.79.174.109
    Web upload script user : nobody (99)
    Web upload script owner:  ()
    Web upload script path : /home/hallofnamesorg/public_html/
    Web upload script URL  : http://www.hallofnames.org.uk/?fbclid=IwAR26K03oi405YsDk3LcnViJNbi20OqHT5QmMYSrHF4rP9pASIaNyWUoJ3KA_aem_AfxHaJ-DSU4RY-JgpmSDCDJBCTq5dEII1OLrbeg0nUyU3Ay4FJoT3uIxkNrrNmaRSZK9Ul-wOYLIRdr4EiD5Bgl33e8-tas8HSZtWXnFe5mcz6wzpvGM0D4YVkV-D3qCwyE&wmc-currency=USD/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
    Remote IP              : 3.133.130.105
    Deleted                : No
    Quarantined            : Yes [/home/quarantine/cxscgi/20210914-191901-YUD1pdxXI8UtBMc2lNU5QAAAAMc-file-qUXOhj.1631647141_1]
    
    ----------- SCAN REPORT -----------
    
    TimeStamp: Tue, 14 Sep 2021 19:19:01 +0000
    
    (/usr/sbin/cxs --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfuSGchexdnwZRrD --noprobability --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 1000000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --virusscan --vmrssmax 2000000 --xtra /etc/cxs/cxs.xtra /tmp/20210914-191901-YUD1pdxXI8UtBMc2lNU5QAAAAMc-file-qUXOhj)
    
    '/tmp/20210914-191901-YUD1pdxXI8UtBMc2lNU5QAAAAMc-file-qUXOhj'
    (compressed file: vuln.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P0834]]
