<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">It's not harmful that
they're there, but you could simply exclude the /tmp/nginx_client folder
from maldet.<br>
<br>
It's due to the option client_body_in_file_only being set to on in your
nginx.conf (sounds like you're using <a class="moz-txt-link-freetext" href="http://www.nginxcp.com/">http://www.nginxcp.com/</a> for cPanel).<br>
<blockquote style="border: 0px none;"
cite="mid:d0a76f7f1575a81bffca54df888e10e1.NginxMailingListEnglish@forum.nginx.org"
type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:nginx-forum@nginx.us"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">guillefar</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">27 Jun 2015 15:45</span></font></div>
</div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><pre wrap="">The software maldet discovered some malware in the /tmp/nginx_client
directory, like this:
</pre><blockquote type="cite"><pre wrap="">{HEX}php.cmdshell.unclassed.357 : /tmp/nginx_client/0050030641
{HEX}php.cmdshell.unclassed.357 : /tmp/nginx_client/0060442670
</pre></blockquote><pre wrap=""><!---->
I did some research, and found out that indeed, there were some malicious
code in them.
I did a extensive search in the sites, and nothing malicious was found,
including the code that appeared in the tmp files.
Around the time the files were created, there were similar requests, to non
existent Worpress plugins, and to a file of the Worpres backend.
Digging up a little, I found this:
blog.inurl.com.br/2015/03/wordpress-revslider-exploit-0day-inurl.html
Basically an exploit for a Wordpress plugin vulnerability, (it doesn't
affect my sites, though), that do similar requests to the ones I found.
One of those, is a post request that includes an attacker's php, file that
thanks to this vulnerability will be uploaded to the site and it can be run
by the attacker.
So what it seems to be happenning is that nxing is caching post requests
with malicious code, that later is found by the antimalware software.
Could this be the case? I read and seems that Nginx does't cache post
request by default, so it seems odd.
Is there a way to know if that tmp files are caching internal or external
content?
I will be thankful for any info about it.
Nginx is working as reverse proxy only.
This is a bit of another file that was marked as malware:
</pre><blockquote type="cite"><pre wrap="">--13530703071348311
Content-Disposition: form-data; name="uploader_url"
http:/MISITE/wp-content/plugins/wp-symposium/server/php/
--13530703071348311
Content-Disposition: form-data; name="uploader_uid"
1
--13530703071348311
Content-Disposition: form-data; name="uploader_dir"
./NgzaJG
--13530703071348311
Content-Disposition: form-data; name="files[]"; filename="SFAlTDrV.php"
Content-Type: application/octet-stream
</pre></blockquote><pre wrap="">
Posted at Nginx Forum: <a class="moz-txt-link-freetext" href="http://forum.nginx.org/read.php?2,259948,259948#msg-259948">http://forum.nginx.org/read.php?2,259948,259948#msg-259948</a>
_______________________________________________
nginx mailing list
<a class="moz-txt-link-abbreviated" href="mailto:nginx@nginx.org">nginx@nginx.org</a>
<a class="moz-txt-link-freetext" href="http://mailman.nginx.org/mailman/listinfo/nginx">http://mailman.nginx.org/mailman/listinfo/nginx</a>
</pre></div>
</blockquote>
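The tmp files discussed above are raw request bodies that nginx wrote to disk because of client_body_in_file_only, so the quickest way to answer the original question of what they contain is to parse them as multipart/form-data. This is an added example, not code from the thread or from nginx: it assumes a body like the fragment quoted above (a constructed sample with a placeholder PHP part is embedded), lists the plain form fields and uploaded filenames, and flags uploads that look like server-side code so a defender can tell a captured upload attempt from a real compromise of the site.

```python
import re
import sys
from typing import Dict, List

# Constructed sample modelled on the fragment quoted in the thread; the PHP
# body is a harmless placeholder, not anything recovered from a real capture.
BOUNDARY = b"--13530703071348311"
SAMPLE_BODY = b"\r\n".join([
    BOUNDARY, b'Content-Disposition: form-data; name="uploader_url"', b"",
    b"http://MISITE/wp-content/plugins/wp-symposium/server/php/",
    BOUNDARY, b'Content-Disposition: form-data; name="uploader_uid"', b"", b"1",
    BOUNDARY, b'Content-Disposition: form-data; name="uploader_dir"', b"", b"./NgzaJG",
    BOUNDARY, b'Content-Disposition: form-data; name="files[]"; filename="SFAlTDrV.php"',
    b"Content-Type: application/octet-stream", b"", b"<?php /* placeholder */ ?>",
    BOUNDARY + b"--", b"",
])
SERVER_SIDE_EXT = (".php", ".phtml", ".php5", ".phar")

def parse_multipart(body: bytes) -> List[Dict[str, str]]:
    """Split a raw multipart/form-data body (what nginx writes under
    client_body_temp_path) into parts; the boundary is read from line 1."""
    if not body.startswith(b"--"):
        raise ValueError("not a multipart body: no leading boundary line")
    boundary = body[: body.find(b"\r\n")]            # e.g. b"--13530703071348311"
    parts = []
    for chunk in body.split(boundary)[1:]:
        if chunk.startswith(b"--"):                   # closing delimiter: done
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        head = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', head)   # \b skips 'filename='
        fname = re.search(r'filename="([^"]*)"', head)
        parts.append({"name": name.group(1) if name else "",
                      "filename": fname.group(1) if fname else "",
                      "value": payload.rstrip(b"\r\n").decode("latin-1", "replace")})
    return parts

def triage(body: bytes) -> Dict[str, object]:
    """Report plain form fields, every uploaded filename, and the uploads that
    look like server-side code (by extension or by a leading PHP open tag)."""
    parts = parse_multipart(body)
    uploads = [p for p in parts if p["filename"]]
    flagged = [p["filename"] for p in uploads
               if p["filename"].lower().endswith(SERVER_SIDE_EXT)
               or p["value"].lstrip().startswith("<?php")]
    return {"fields": {p["name"]: p["value"] for p in parts if not p["filename"]},
            "uploads": [p["filename"] for p in uploads], "flagged": flagged}

if __name__ == "__main__":  # usage (hypothetical file name): python triage_body.py <body file>
    print(triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BODY))
```

Run against a file under /tmp/nginx_client it reports the target upload directory and the uploaded filename of the captured request, which is what distinguishes a logged attack attempt from code that actually landed in the site's document root.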
<br>
</body></html>