ClamAV found exploit in cpanel/cpaddons/../Wordpress

[cglmicro]

Hi guys.

Since August 31st, every daily ClamAV scan found this:

/home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: Html.Exploit.CVE_2014_1804 FOUND
/home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: moved to '/virus_vault//diff.005'

The file is recreated at the next update, and found again the next day.

Any idea ?

 

[cPanelMichael]

The file is recreated at the next update, and found again the next day.

Hello

Could you verify that you are referring to the cPanel update? Please post the md5sum of this file:

md5sum /path/to/file

Thank you.

 

[cglmicro]

Hello

Could you verify that you are referring to the cPanel update? Please post the md5sum of this file:

md5sum /path/to/file

Thank you.

With pleasure, here it is:

[email protected] [~]# md5sum /home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff
8f69732e1186668cd9e4e28000f802d0  /home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff

 

[cPanelMichael]

Hello

This matches the file on a test system:

[email protected] [/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8]# md5sum diff
8f69732e1186668cd9e4e28000f802d0  diff

Thus, it looks like a false positive.

Thank you.