• My server admin is warning me about admin-ajax and here is the warning from server side

    ::::::::::::::::::::::::::::::::::::::
    Scanning web upload script file…
    Time : Sat Dec 27 09:09:46 2014 -0500
    Web referer URL :
    Local IP : ************
    Web upload script user : nobody (99)
    Web upload script owner: mysite (519)
    Web upload script path : /home/mysite/public_html/wp-admin/admin-ajax.php
    Web upload script URL : http://mysite.com/wp-admin/admin-ajax.php
    Remote IP : ***********
    Deleted : No
    Quarantined : No

    ---------- SCAN REPORT ----------
    TimeStamp: Sat Dec 27 09:09:45 2014
    (/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --cleanlog --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --logfile /var/log/cxs.log --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp//20141227-090945-VJ69qc5IxwcAAEtXf74AAAAR-file-rfOkEf)

    # (compressed file: revslider/update.php [depth: 1]) Regular expression match = [decode regex: 1]:
    '/tmp/20141227-090945-VJ69qc5IxwcAAEtXf74AAAAR-file-rfOkEf'
    :::::::::::::::::::::::::::::::::::::::::::::::

    I do not have revslider plugin on my server, what is going on?
    Do I need to DO anything, or is this just a false positive?

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • I recently saw a revslider/update attempt or something similar, and neither do I have (nor have I ever had) revslider. So, I assume that was a malicious attempt at some kind of injection. Either as a stand-alone or in its WordPress plugin version, maybe take a look at NinjaFirewall.

    Thread Starter deepblueandme

    (@deepblueandme)

    There is no problem... CSF is catching the problem, but why is this happening? Is the script itself not defending itself?

    CSF is catching the problem, but why is this happening, the script itself not defending itself?

    What is CSF? But in any case, I would guess your WordPress has no way to suspect a ‘revslider/update.php’ attempt is being used for a malicious purpose.

    Thread Starter deepblueandme

    (@deepblueandme)

    What is CSF? But in any case, I would guess your WordPress has no way to suspect a ‘revslider/update.php’ attempt is being used for a malicious purpose.

    I do not have revslider/update.php on my site?

    verdonv

    (@verdonv)

    I am a server admin and I get dozens of these a day. As far as I can tell, revslider is not on any site on my server, and not a part of any theme on the server. I think they are false positives, or attempts to see if the scripts are there.

    I do get other false positives from CXS, but they are clearly labelled as such. They are often targeting wp-symposium and have wp-symposium in the URL. I suspect CXS is not picking these up as false positives because they are vectoring in through admin-ajax.php, which does exist.

    I’m still looking for a definitive answer to this though.

    BTW… CSF is Config Server Firewall, a popular free firewall. However, these reports are being generated by CXS (Configserver Exploit Scanner), a paid product from the same developer. They are both superb products.
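
One way to triage a report like the one quoted at the top of the thread is to pull out the archive member CXS flagged and check whether the plugin it belongs to is actually installed: if the plugin directory is absent, nothing on the site could have processed the upload, and the event can be recorded as a probe rather than a compromise. The script below is an added example, not code from the thread, from CXS or from WordPress; the report text is constructed to mirror the quoted format, the remote IP is a documentation address, and the plugins directory path is an assumption.

```python
"""Triage a CXS-style 'web upload script' report against a WordPress install.

Added example for this thread; not part of CXS or WordPress. The report
text below is constructed to match the format quoted in the thread, the
remote IP is a documentation address, and the plugins path is an assumption.
"""
import re
from pathlib import Path

# Constructed sample, shaped like the CXS report quoted in the question.
SAMPLE_REPORT = """\
Web upload script user : nobody (99)
Web upload script owner: mysite (519)
Web upload script path : /home/mysite/public_html/wp-admin/admin-ajax.php
Web upload script URL : http://mysite.com/wp-admin/admin-ajax.php
Remote IP : 203.0.113.7
Deleted : No
Quarantined : No

# (compressed file: revslider/update.php [depth: 1]) Regular expression match = [decode regex: 1]:
'/tmp/20141227-090945-VJ69qc5IxwcAAEtXf74AAAAR-file-rfOkEf'
"""

# "# (compressed file: <member> [depth: N])" lines name the file inside the upload.
MEMBER_RE = re.compile(r"\(compressed file: (?P<member>[^\s\]]+) \[depth: \d+\]\)")
# "Key : value" lines; the non-greedy key stops at the first colon, so URLs survive.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")


def parse_report(text: str) -> dict:
    """Collect the report's key/value fields and every flagged archive member."""
    info = {"flagged_members": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER_RE.search(line)
        if m:
            info["flagged_members"].append(m.group("member"))
            continue
        f = FIELD_RE.match(line)
        if f:
            info[f.group("key").strip().lower()] = f.group("value").strip()
    return info


def plugin_slug(member: str) -> str:
    """'revslider/update.php' -> 'revslider': the top-level directory inside the archive."""
    return member.split("/", 1)[0]


def triage(report: dict, plugins_dir: Path) -> dict:
    """Decide what the report means for this site.

    admin-ajax.php exists on every WordPress install, so CXS cannot dismiss
    the request the way it does for uploads aimed at paths that are missing.
    The useful question is whether the plugin named inside the upload is
    installed here: absent means nothing could have handled it (a probe);
    present means the upload deserves a closer look.
    """
    findings = []
    for member in report["flagged_members"]:
        slug = plugin_slug(member)
        installed = (plugins_dir / slug).is_dir()
        findings.append({
            "member": member,
            "plugin": slug,
            "installed": installed,
            "verdict": "investigate" if installed else "probe",
        })
    return {
        "target": report.get("web upload script path", ""),
        "remote_ip": report.get("remote ip", ""),
        "quarantined": report.get("quarantined", "").lower() == "yes",
        "findings": findings,
    }


if __name__ == "__main__":
    # Assumed plugins directory for the site in the sample report.
    plugins = Path("/home/mysite/public_html/wp-content/plugins")
    result = triage(parse_report(SAMPLE_REPORT), plugins)
    for f in result["findings"]:
        state = "installed" if f["installed"] else "absent"
        print(f"{result['remote_ip']} -> {result['target']} carried {f['member']}: "
              f"plugin '{f['plugin']}' {state}, verdict {f['verdict']}")
```

Run against the sample it reports the revslider member as a probe because no `revslider` directory exists under the assumed plugins path; pointing `plugins_dir` at a real install turns the same report into an "investigate" finding only when that plugin is present.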

  • The topic ‘admin-ajax.php being called for malicious file’ is closed to new replies.