Title: admin-ajax.php
Last modified: August 31, 2016

---

# admin-ajax.php

 *  [4cm](https://wordpress.org/support/users/4cm/)
 * (@4cm)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/admin-ajaxphp-5/)
 * I'm having problems all of a sudden
 * See the report provided by my hosting provider
 * What do I need to do to fix these?
 * ——– Original Message ——–
    Subject: cxs Scan on trinity.hostdnx.com (Hits:1) (Viruses:1) (Fingerprints:0)
    Date: Tue, 2 Feb 2016 16:15:12 +0800
    From: root@trinity.hostdnx.com
    To: root@trinity.hostdnx.com
 * Scanning web upload script file…
    Time : Tue, 2 Feb 2016 16:15:12 +0800
    Web referer URL :
    Local IP : 169.45.177.139
    Web upload script user : nobody (99)
    Web upload script owner: churchin (503)
    Web upload script path : /home/churchin/public_html/Hope-to-the-Nations/wp-admin/admin-ajax.php
    Web upload script URL : [http://churchinperth.com/Hope-to-the-Nations/wp-admin/admin-ajax.php](http://churchinperth.com/Hope-to-the-Nations/wp-admin/admin-ajax.php)
    Remote IP : 138.122.92.23
    Upload data md5sum : fb9f73471df3cd6d6cd3413bc207bbc6
    Deleted : No
    Quarantined : Yes [/home/quarantine/cxscgi/20160202-161512-VrBlkKktsYsAAG0lP8gAAAAG-file-3nPHSh.1454400912_1]
 * ———– SCAN REPORT ———–
 * TimeStamp: Tue, 2 Feb 2016 16:15:12 +0800
 * (/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --virusscan /tmp/20160202-161512-VrBlkKktsYsAAG0lP8gAAAAG-file-3nPHSh)
 * ‘/tmp/20160202-161512-VrBlkKktsYsAAG0lP8gAAAAG-file-3nPHSh’
    ClamAV detected virus = [PHP.Hide-2]
 * ———- Forwarded message ———-
    From: Brad Hinchliffe <admin@netdnx.com>
    To: Gary Green 4cm <gary@4cmwebdesign.com>
    Cc:
    Date: Tue, 02 Feb 2016 19:15:22 +0800
    Subject: Fwd: cxs Scan on trinity.hostdnx.com (Hits:1) (Viruses:1) (Fingerprints:0)
 * ——– Original Message ——–
    Subject: cxs Scan on trinity.hostdnx.com (Hits:1) (Viruses:1) (Fingerprints:0)
    Date: Tue, 2 Feb 2016 04:00:22 +0800
    From: root@trinity.hostdnx.com
    To: root@trinity.hostdnx.com
 * Scanning web upload script file…
    Time : Tue, 2 Feb 2016 04:00:22 +0800
    Web referer URL :
    Local IP : 169.45.177.139
    Web upload script user : nobody (99)
    Web upload script owner: fourcmn (525)
    Web upload script path : /home/fourcmn/public_html/4cminews.com/wp-admin/admin-ajax.php
    Web upload script URL : [http://4cminews.com/wp-admin/admin-ajax.php](http://4cminews.com/wp-admin/admin-ajax.php)
    Remote IP : 46.118.155.216
    Upload data md5sum : b46add7d8e35aabf0544f0c0799ceb15
    Deleted : No
    Quarantined : Yes [/home/quarantine/cxscgi/20160202-040020-Vq@5VKktsYsAACbthWQAAAAE-file-jwt9Cz.1454356822_1]
 * ———– SCAN REPORT ———–
 * TimeStamp: Tue, 2 Feb 2016 04:00:22 +0800
 * (/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --virusscan /tmp/20160202-040020-Vq@5VKktsYsAACbthWQAAAAE-file-jwt9Cz)
 * ‘/tmp/20160202-040020-Vq@5VKktsYsAACbthWQAAAAE-file-jwt9Cz’
    ClamAV detected virus = [PHP.Exploit.C99]
 * ———- Forwarded message ———-
    From: Brad Hinchliffe <admin@netdnx.com>
    To: Gary Green 4cm <gary@4cmwebdesign.com>
    Cc:
    Date: Tue, 02 Feb 2016 19:15:46 +0800
    Subject: Fwd: cxs Scan on trinity.hostdnx.com (Hits:1) (Viruses:0) (Fingerprints:0)
 * ——– Original Message ——–
    Subject: cxs Scan on trinity.hostdnx.com (Hits:1) (Viruses:0) (Fingerprints:0)
    Date: Tue, 2 Feb 2016 00:00:31 +0800
    From: root@trinity.hostdnx.com
    To: root@trinity.hostdnx.com
 * ———– SCAN REPORT ———–
 * TimeStamp: Tue, 2 Feb 2016 00:00:02 +0800
 * (/usr/sbin/cxs --allusers --nobayes --clamdsock /tmp/clamd --ctime 25 --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options OLfmMChexdDZRP --qoptions Mv --quiet --report /root/scandaily.log --sizemax 500000 --ssl --nosummary --sversionscan --timemax 30 --virusscan --voptions fmMhexT --www)
 * (20) fourcmn, Scanning /home/fourcmn/public_html:
 * ‘/home/fourcmn/public_html/fourcm.com/wp-content/uploads/2014’
    Skipped – too many resources: 12716 ( > filemax=10000)
 * ———- Forwarded message ———-
    From: Brad Hinchliffe <admin@netdnx.com>
    To: Gary Green 4cm <gary@4cmwebdesign.com>
    Cc:
    Date: Tue, 02 Feb 2016 19:16:10 +0800
    Subject: Fwd: cxs Scan on trinity.hostdnx.com (Hits:2) (Viruses:0) (Fingerprints:1)
 * ——– Original Message ——–
    Subject: cxs Scan on trinity.hostdnx.com (Hits:2) (Viruses:0) (Fingerprints:1)
    Date: Mon, 1 Feb 2016 20:20:01 +0800
    From: root@trinity.hostdnx.com
    To: root@trinity.hostdnx.com
 * Scanning web upload script file…
    Time : Mon, 1 Feb 2016 20:20:01 +0800
    Web referer URL :
    Local IP : 169.45.177.139
    Web upload script user : nobody (99)
    Web upload script owner: fourcmn (525)
    Web upload script path : /home/fourcmn/public_html/4cminews.com/wp-admin/admin-ajax.php
    Web upload script URL : [http://4cminews.com/wp-admin/admin-ajax.php](http://4cminews.com/wp-admin/admin-ajax.php)
    Remote IP : 94.41.53.210
    Upload data md5sum : a1aee5a38d6ebe26d4ffa247fe34d062
    Deleted : No
    Quarantined : Yes [/home/quarantine/cxscgi/20160201-202000-Vq9NcKktsYsAAFxv7-0AAAAD-file-nJcO89.1454329201_1]
 * ———– SCAN REPORT ———–
 * TimeStamp: Mon, 1 Feb 2016 20:20:01 +0800
 * (/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --virusscan /tmp/20160201-202000-Vq9NcKktsYsAAFxv7-0AAAAD-file-nJcO89)
 * ‘/tmp/20160201-202000-Vq9NcKktsYsAAFxv7-0AAAAD-file-nJcO89’
    (compressed file: revslider/MHC.php [depth: 1]) Regular expression match = [decode regex: 1]
    (compressed file: revslider/MHC.php [depth: 1]) (decoded file [depth: 1]) Known exploit = [Fingerprint Match] [Shell Exploit [P0310]]
 * ———- Forwarded message ———-
    From: Brad Hinchliffe <admin@netdnx.com>
    To: Gary Green 4cm <gary@4cmwebdesign.com>
    Cc:
    Date: Tue, 02 Feb 2016 19:16:33 +0800
    Subject: Fwd: cxs Scan on trinity.hostdnx.com (Hits:1) (Viruses:1) (Fingerprints:0)
 * ——– Original Message ——–
    Subject: cxs Scan on trinity.hostdnx.com (Hits:1) (Viruses:1) (Fingerprints:0)
    Date: Mon, 1 Feb 2016 13:57:51 +0800
    From: root@trinity.hostdnx.com
    To: root@trinity.hostdnx.com
 * Scanning web upload script file…
    Time : Mon, 1 Feb 2016 13:57:51 +0800
    Web referer URL :
    Local IP : 169.45.177.139
    Web upload script user : nobody (99)
    Web upload script owner: fourcmn (525)
    Web upload script path : /home/fourcmn/public_html/4cminews.com/wp-admin/admin-ajax.php
    Web upload script URL : [http://4cminews.com/wp-admin/admin-ajax.php](http://4cminews.com/wp-admin/admin-ajax.php)
    Remote IP : 85.128.142.34
    Upload data md5sum : 0ef4411264c63458a0e7c1d06e10cce1
    Deleted : No
    Quarantined : Yes [/home/quarantine/cxscgi/20160201-135751-Vq7z36ktsYsAAC-60ScAAAAH-file-GjaesE.1454306271_1]
 * ———– SCAN REPORT ———–
 * TimeStamp: Mon, 1 Feb 2016 13:57:51 +0800
 * (/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --virusscan /tmp/20160201-135751-Vq7z36ktsYsAAC-60ScAAAAH-file-GjaesE)
 * ‘/tmp/20160201-135751-Vq7z36ktsYsAAC-60ScAAAAH-file-GjaesE’
    ClamAV detected virus = [PHP.Hide-2]
 * ———- Forwarded message ———-
    From: Brad Hinchliffe <admin@netdnx.com>
    To: gary Green 4cm <gary@4cmwebdesign.com>
    Cc:
    Date: Tue, 02 Feb 2016 19:17:00 +0800
    Subject: Fwd: cxs Scan on trinity.hostdnx.com (Hits:3) (Viruses:0) (Fingerprints:2)
 * ——– Original Message ——–
    Subject: cxs Scan on trinity.hostdnx.com (Hits:3) (Viruses:0) (Fingerprints:2)
    Date: Mon, 1 Feb 2016 08:33:40 +0800
    From: root@trinity.hostdnx.com
    To: root@trinity.hostdnx.com
 * Scanning web upload script file…
    Time : Mon, 1 Feb 2016 08:33:40 +0800
    Web referer URL :
    Local IP : 169.45.177.139
    Web upload script user : nobody (99)
    Web upload script owner: ()
    Web upload script path : /home/fourcmn/public_html/4cminews.com/
    Web upload script URL : [http://4cminews.com/?page_id=11900/wp-admin/admin-ajax.php](http://4cminews.com/?page_id=11900/wp-admin/admin-ajax.php)
    Remote IP : 178.250.29.50
    Upload data md5sum : b1b3d1637a3481cd56b1e1be3e12c6a7
    Deleted : No
    Quarantined : Yes [/home/quarantine/cxscgi/20160201-083340-Vq6n5KktsYsAAC7ka1cAAAAK-file-SsP8Jw.1454286820_1]
 * ———– SCAN REPORT ———–
 * TimeStamp: Mon, 1 Feb 2016 08:33:40 +0800
 * (/usr/sbin/cxs --nobayes --cgi --clamdsock /tmp/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --ssl --summary --sversionscan --timemax 30 --virusscan /tmp/20160201-083340-Vq6n5KktsYsAAC7ka1cAAAAK-file-SsP8Jw)
 * ‘/tmp/20160201-083340-Vq6n5KktsYsAAC7ka1cAAAAK-file-SsP8Jw’
    (compressed file: revslider/mil.php [depth: 1]) Regular expression match = [decode regex: 1]
    (compressed file: revslider/mil.php [depth: 1]) (decoded file [depth: 1]) Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0366]]
    (compressed file: revslider/pbot.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Exploit [P0174]]

Viewing 1 replies (of 1 total)

 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/admin-ajaxphp-5/#post-7017981)
 * Your server has been infected with multiple viruses. Those found have been quarantined,
   but how they got there is still open. Work through the steps in [FAQ My site was hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked).

The topic ‘admin-ajax.php’ is closed to new replies.

 * In: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
 * 1 reply
 * 2 participants
 * Last reply from: [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * Last activity: [10 years, 3 months ago](https://wordpress.org/support/topic/admin-ajaxphp-5/#post-7017981)
 * Status: not resolved
