Support » Plugin: Anti-Malware Security and Brute-Force Firewall » “known threats” on access logs?

  • Resolved jvmedia

    (@jvmedia)


    Hi there,

    We had an odd thing happen on a site today while doing a scan. It started tagging the access log files on the server as known threats. Opening the files, they’re just normal access logs. Any particular reason why these would get tagged on this site? The site checks out clean on other scans.

    Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Eli

    (@scheeeli)

    That’s a great question. My plugin scans the contents of any files in the scan path, looking for patterns that match Known Threats. I cannot say why your access_log files were flagged as a threat without seeing the contents for myself.

    If you want to send me one of these files I can give you a better answer. You can email those files directly to me:
    eli AT gotmls DOT net

    To be honest I am quite curious myself as to why those logs would have matching threat patterns in them so I look forward to your email.

    Plugin Author Eli

    (@scheeeli)

    Thanks for sending me that log file. I can see that the code that was found as malicious in your log files was “eval($_REQUEST[1])”, which is very certainly malicious code. Of course it is unlikely that this code in your log file could be a direct threat but it is an indication of a malicious attack on your site.

    It is also unusual that those access_log files would be in a directory that is inside your site_root, thus being in the scan results at all. However, seeing these malicious injection attempts in your logs does shed some light on the nature of the attacks. It would seem that they were intending to infect a Joomla site so I don’t think anything they attempted was successful.

    You might want to confirm that your log files are placed outside your site_root so that they are not publicly accessible though.
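The two points in the reply above, that a Known Threat pattern inside a log file records an injection attempt against the site rather than an infection of the file, and that log files should not sit inside the site root, can be checked with a small script. This is an added example, not code from the Anti-Malware plugin or from either poster. The log lines, the `eval($_REQUEST...)` pattern list, the log path and the document root are all constructed for illustration; the Apache combined log format and the `eval(` pattern quoted in the thread are the only details taken from the page.

```python
import os
import re
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines (not the poster's real log).
# Line 1 and line 3 carry the injection pattern from the thread in the request
# path (line 3 URL-encoded); line 2 is an ordinary static-file request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:12:01 +0000] "GET /index.php?option=com_content&1=eval($_REQUEST[1]) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:10:12:05 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:12:09 +0000] "POST /index.php?1=eval%28%24_REQUEST%5B1%5D%29 HTTP/1.1" 404 210 "-" "curl/8.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# request method and path, and HTTP status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Hypothetical threat patterns for this example. The plugin's own signature
# list is not published on the page; the first entry is the construct the
# plugin author quoted from the log file.
THREAT_PATTERNS = {
    "php-eval-of-request-input": re.compile(
        r'eval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b', re.IGNORECASE
    ),
    "php-system-of-request-input": re.compile(
        r'(system|passthru|shell_exec)\s*\(\s*\$_(REQUEST|GET|POST)\b',
        re.IGNORECASE,
    ),
}


def find_injection_attempts(log_text):
    """Return one record per log line whose request path matches a pattern.

    A match here means a client *sent* the payload to the site; it says nothing
    about whether any file on the server was modified. Paths are URL-decoded
    first so that percent-encoded payloads are not missed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote(m.group("path"))
        for name, pattern in THREAT_PATTERNS.items():
            if pattern.search(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "method": m.group("method"),
                    "path": decoded,
                    "status": int(m.group("status")),
                    "pattern": name,
                    "kind": "injection attempt in request, not a file infection",
                })
                break  # one record per line is enough
    return hits


def log_inside_docroot(log_path, doc_root):
    """True when the log file lives under the web document root.

    A log stored under the document root is served like any other file, so
    anyone can read the request history. Both paths are normalised so that
    '..' segments and trailing slashes do not defeat the check.
    """
    log_abs = os.path.normpath(os.path.abspath(log_path))
    root_abs = os.path.normpath(os.path.abspath(doc_root))
    return os.path.commonpath([log_abs, root_abs]) == root_abs


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['path']} "
              f"-> {hit['status']} [{hit['pattern']}] {hit['kind']}")
    # Constructed paths: the thread does not give the real ones.
    for path in ("/var/www/html/logs/access_log", "/var/log/apache2/access_log"):
        exposed = log_inside_docroot(path, "/var/www/html")
        print(f"{path}: {'INSIDE site root (publicly readable)' if exposed else 'outside site root'}")
```

The status code in each record is the useful triage field: a 404 or 403 on a payload-carrying request shows the attempt was refused, while a 200 on a PHP endpoint is the case worth following up by checking that endpoint's source for the pattern. The second function is the check the plugin author recommends at the end of the reply, expressed as a path comparison.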

    Great, thanks, Eli! And yeah, we’re not a fan of this particular web host (it was the client’s choice), but we’ll inquire with them to see if they can move those log files.

  • The topic ‘“known threats” on access logs?’ is closed to new replies.