help with Exploit

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
leonep
Junior Member
Posts: 13
Joined: 15 Dec 2014, 10:30

help with Exploit

Post by leonep »

Hi,
sorry for question i am not expert of csx.I have a lot of alert from csx from different account.
example:
Scanning web upload script file...
Time : Wed, 18 May 2022 12:48:55 +0200
Web referer URL : www.google.com
Local IP : 51.255.xx.xx
Web upload script user : nobody (99)
Web upload script owner: xxxx(1017)
Web upload script path : /home/xxxx/public_html/wp-admin/admin-ajax.php
Web upload script URL : https://xxxx.it/wp-admin/admin-ajax.php
Remote IP : 217.xx.xx.xx
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20220518-124855-YoTPFzLid5hmo5CNLpRzTgAAAIE-file-LXcXV7.1652870935_1]

'/tmp/20220518-124855-YoTPFzLid5hmo5CNLpRzTgAAAIE-file-LXcXV7'
(compressed file: .sp3ctra_XO.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P2000]]

file is blocked and quarantine so i think i am safe. but how stop this? and where is the problem ? i can prevent it?
thanks for help
Sergio
Junior Member
Posts: 1594
Joined: 12 Dec 2006, 14:56

Re: help with Exploit

Post by Sergio »

@leonep

What I first do is to check on the public folder were the file was blocked if there are any directories with CHMOD 777, as it is a door open for files to be uploaded to your server. If there are, then change all of them to 755. That is the first step to check.
leonep
Junior Member
Posts: 13
Joined: 15 Dec 2014, 10:30

Re: help with Exploit

Post by leonep »

thanks for help sergio
permissions looks safe 755 on directory

the alert comes some different account so i check 5 of them.
may be a distributed atteck or something like this to find a website vulnerable ...

thanks
Sergio
Junior Member
Posts: 1594
Joined: 12 Dec 2006, 14:56

Re: help with Exploit

Post by Sergio »

As you are using wordpress on your site, you will get accustomed to see a lot of this type of attacks every day.

But even that CXS is protecting your site I recommend you to install Imunify AV, I use the payed version, but the free version that comes with cPanel can help as well.

In my case, I use Imunify AV+ to do a daily scan of all my accounts and if it finds something that CXS has not, I use the MD5SUM option of CXS to generate the code of the offending file and then I add it to the cxs.xtra file.
Post Reply