Malware in /tmp/nginx_client

Lucas Rolff lucas at slcoding.com
Sat Jun 27 14:35:20 UTC 2015


It's not harmful that they're there, but you could simply exclude the 
/tmp/nginx_client folder from maldet.

It's due to the option client_body_in_file_only being set to on in your 
nginx.conf (sounds like you're using http://www.nginxcp.com/ for cPanel).

> guillefar <mailto:nginx-forum at nginx.us>
> 27 Jun 2015 15:45
> The software maldet discovered some malware in the /tmp/nginx_client
> directory, like this:
>
>> {HEX}php.cmdshell.unclassed.357 : /tmp/nginx_client/0050030641
>> {HEX}php.cmdshell.unclassed.357 : /tmp/nginx_client/0060442670
>
> I did some research, and found out that indeed, there was some malicious
> code in them.
>
> I did an extensive search in the sites, and nothing malicious was found,
> including the code that appeared in the tmp files.
>
> Around the time the files were created, there were similar requests to non
> existent WordPress plugins, and to a file of the WordPress backend.
>
> Digging up a little, I found this:
> blog.inurl.com.br/2015/03/wordpress-revslider-exploit-0day-inurl.html
>
> Basically an exploit for a WordPress plugin vulnerability (it doesn't
> affect my sites, though) that does similar requests to the ones I found.
>
> One of those is a post request that includes an attacker's php file that,
> thanks to this vulnerability, will be uploaded to the site and can be run
> by the attacker.
>
> So what seems to be happening is that nginx is caching post requests
> with malicious code, which is later found by the antimalware software.
>
> Could this be the case? I read that Nginx doesn't cache post
> requests by default, so it seems odd.
>
> Is there a way to know if those tmp files are caching internal or external
> content?
>
> I will be thankful for any info about it.
>
> Nginx is working as reverse proxy only.
>
>
> This is a bit of another file that was marked as malware:
>
>> --13530703071348311
>> Content-Disposition: form-data; name="uploader_url"
>>
>> http:/MISITE/wp-content/plugins/wp-symposium/server/php/
>> --13530703071348311
>> Content-Disposition: form-data; name="uploader_uid"
>>
>> 1
>> --13530703071348311
>> Content-Disposition: form-data; name="uploader_dir"
>>
>> ./NgzaJG
>> --13530703071348311
>> Content-Disposition: form-data; name="files[]"; filename="SFAlTDrV.php"
>> Content-Type: application/octet-stream
>>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,259948,259948#msg-259948
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
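As an added example (not code from either poster or from nginx), the following Python script shows how an admin could confirm what a flagged file under /tmp/nginx_client actually is. With client_body_in_file_only set to on, nginx writes every request body verbatim to a temp file, so a flagged file is stored input, not code the server executed; parsing it as multipart/form-data lists the form fields and any uploaded filenames, which is the information that distinguishes a logged exploit attempt from a real compromise. The sample body is constructed from the fragment quoted above (boundary and field names from the thread; the PHP payload line is a placeholder), and the body_file_mode helper reads the directive's real values (on, clean, off; off is nginx's default) from a config snippet. Function and variable names are the example's own.

```python
"""Triage of nginx client-body temp files (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the multipart fragment quoted in the thread.
# Boundary and field names come from the thread; the PHP line is a placeholder.
SAMPLE_BODY = (
    b"--13530703071348311\r\n"
    b'Content-Disposition: form-data; name="uploader_url"\r\n'
    b"\r\n"
    b"http:/MISITE/wp-content/plugins/wp-symposium/server/php/\r\n"
    b"--13530703071348311\r\n"
    b'Content-Disposition: form-data; name="uploader_uid"\r\n'
    b"\r\n"
    b"1\r\n"
    b"--13530703071348311\r\n"
    b'Content-Disposition: form-data; name="uploader_dir"\r\n'
    b"\r\n"
    b"./NgzaJG\r\n"
    b"--13530703071348311\r\n"
    b'Content-Disposition: form-data; name="files[]"; filename="SFAlTDrV.php"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"<?php /* placeholder payload, not real content */ ?>\r\n"
    b"--13530703071348311--\r\n"
)

# Extensions that would be executable if the upload had actually landed in a web root.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    body: bytes


def _param(disposition: str, key: str) -> Optional[str]:
    """Extract a quoted parameter from a Content-Disposition value.

    The lookbehind on ';' or start-of-string keeps name="..." from
    matching inside filename="...".
    """
    m = re.search(rf'(?:^|;)\s*{re.escape(key)}="([^"]*)"', disposition)
    return m.group(1) if m else None


def detect_boundary(raw: bytes) -> Optional[bytes]:
    """A stored body starts with its own boundary line; recover it from there."""
    m = re.match(rb"--([^\r\n]+)\r?\n", raw)
    return m.group(1) if m else None


def parse_multipart(raw: bytes) -> list:
    """Split a raw multipart/form-data body into Part records."""
    boundary = detect_boundary(raw)
    if boundary is None:
        return []
    parts = []
    for chunk in raw.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing boundary reached
        chunk = chunk.removeprefix(b"\r\n").removesuffix(b"\r\n")
        header_blob, _, body = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in header_blob.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        parts.append(Part(_param(disposition, "name") or "",
                          _param(disposition, "filename"),
                          headers.get("content-type"), body))
    return parts


def triage(raw: bytes) -> dict:
    """Summarise a stored body: plain fields, uploaded filenames, script-like uploads."""
    parts = parse_multipart(raw)
    fields = {p.name: p.body.decode("latin-1", "replace") for p in parts if p.filename is None}
    uploads = [p.filename for p in parts if p.filename is not None]
    scripts = [f for f in uploads if f.lower().endswith(SCRIPT_EXTENSIONS)]
    return {"fields": fields, "uploads": uploads, "script_uploads": scripts}


def body_file_mode(nginx_conf: str) -> str:
    """Return the configured client_body_in_file_only value; nginx defaults to off."""
    m = re.search(r"^\s*client_body_in_file_only\s+(on|clean|off)\s*;", nginx_conf, re.M)
    return m.group(1) if m else "off"


if __name__ == "__main__":
    report = triage(SAMPLE_BODY)
    for name, value in report["fields"].items():
        print(f"field {name!r}: {value!r}")
    print("uploads:", report["uploads"])
    print("script-like uploads (what maldet is reacting to):", report["script_uploads"])
    # Constructed config snippet; 'on' keeps every body on disk, 'clean' removes it after the request.
    print("client_body_in_file_only:", body_file_mode("http {\n    client_body_in_file_only on;\n}"))
```

Run against a real file with `triage(open(path, "rb").read())`. A report whose fields name a non-existent plugin path and whose only upload is a .php file matches the pattern described in the thread: a request that nginx stored and proxied, which the scanner then found on disk. Setting the directive to clean or off stops the files from accumulating; excluding the directory from maldet, as suggested above, stops the alerts without changing what nginx does.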
