ClamAV found exploit in cpanel/cpaddons/../Wordpress

cglmicro

• September 05, 2015 18:50

Hi guys. Since August 31st, every daily ClamAV scan found this:
/home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: Html.Exploit.CVE_2014_1804 FOUND /home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: moved to '/virus_vault//diff.005'
The file is recreated at the next update, and found again the next day. Any idea ?

• 

  cPanelMichael

  • September 07, 2015 21:04

  The file is recreated at the next update, and found again the next day.

  
  Hello :) Could you verify that you are referring to the cPanel update? Please post the md5sum of this file:
  md5sum /path/to/file
  Thank you.

  0
• 

  cglmicro

  • September 10, 2015 19:50

  Hello :) Could you verify that you are referring to the cPanel update? Please post the md5sum of this file:
  md5sum /path/to/file
  Thank you.

  
  With pleasure, here it is:
  root@smart [~]# md5sum /home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff 8f69732e1186668cd9e4e28000f802d0 /home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff
  

  0
• 

  cPanelMichael

  • September 10, 2015 20:16

  Hello :) This matches the file on a test system:
  root@vps [/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8]# md5sum diff 8f69732e1186668cd9e4e28000f802d0 diff
  Thus, it looks like a false positive. Thank you.

  0

Please sign in to leave a comment.