ClamAV found exploit in cpanel/cpaddons/../Wordpress

cglmicro

Member
Oct 14, 2013
cPanel Access Level
Root Administrator
Hi guys.

Since August 31st, every daily ClamAV scan found this:
Code:
/home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: Html.Exploit.CVE_2014_1804 FOUND
/home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: moved to '/virus_vault//diff.005'
The file is recreated at the next update, and found again the next day.

Any idea?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Could you verify that you are referring to the cPanel update? Please post the md5sum of this file:

Code:
md5sum /path/to/file
Thank you.
 

cglmicro

With pleasure, here it is:
Code:
[email protected] [~]# md5sum /home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff
8f69732e1186668cd9e4e28000f802d0  /home/virtfs/cglmicro/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff
 

cPanelMichael

Hello :)

This matches the file on a test system:

Code:
[email protected] [/usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8]# md5sum diff
8f69732e1186668cd9e4e28000f802d0  diff
Thus, it looks like a false positive.

Thank you.
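
The check carried out in this thread (hashing the flagged file and comparing it with the same file on a clean system), generalised to a whole scan log. This is an added example, not part of the original posts or of cPanel's tooling. The function names, the `ROOT` variable and the manifest format are assumptions; it uses `sha256sum` where the thread uses `md5sum`, and it treats `/home/virtfs/<user>/...` as a view of the system path, as the two paths compared in the thread suggest.

```shell
#!/bin/sh
# Added example: triage ClamAV detections against hashes from a clean system.
# Assumed manifest format (hypothetical): "<sha256>  <system path>" per line,
# produced on the reference system with sha256sum. Paths with spaces are not handled.
# ROOT is an optional prefix so the demo can run against a throwaway tree.

# Paths of all detections in a clamscan log ("<path>: <signature> FOUND").
found_paths() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p' "$1"
}

# Map a /home/virtfs/<user>/... view of a file to its system path.
canonical_path() {
    printf '%s\n' "$1" | sed -E 's#^/home/virtfs/[^/]+##'
}

# classify_hit <path> <manifest> prints one verdict:
#   MATCH     same hash as the clean copy (supports a false positive)
#   MISMATCH  differs from the clean copy (investigate)
#   MISSING   file is gone, e.g. already moved to quarantine
#   UNKNOWN   no reference hash for this path
classify_hit() (
    want=$(awk -v p="$(canonical_path "$1")" '$2 == p { print $1; exit }' "$2")
    if [ -z "$want" ]; then echo UNKNOWN
    elif [ ! -f "${ROOT:-}$1" ]; then echo MISSING
    elif [ "$(sha256sum "${ROOT:-}$1" | cut -d' ' -f1)" = "$want" ]; then echo MATCH
    else echo MISMATCH
    fi
)

# triage <scan_log> <manifest>: one "<verdict> <path>" line per detection.
triage() {
    found_paths "$1" | while IFS= read -r p; do
        printf '%s %s\n' "$(classify_hit "$p" "$2")" "$p"
    done
}

# Constructed demo data: user name, path and file content are made up.
demo() (
    ROOT=$(mktemp -d)
    f=/home/virtfs/exampleuser/usr/local/cpanel/cpaddons/sample/diff
    mkdir -p "$ROOT${f%/*}" && printf 'vendor content\n' > "$ROOT$f"
    printf '%s  %s\n' "$(sha256sum "$ROOT$f" | cut -d' ' -f1)" \
        "$(canonical_path "$f")" > "$ROOT/manifest"
    printf '%s: Html.Exploit.CVE_2014_1804 FOUND\n' "$f" > "$ROOT/scan.log"
    triage "$ROOT/scan.log" "$ROOT/manifest"
    rm -rf "$ROOT"
)
demo   # prints: MATCH /home/virtfs/exampleuser/usr/local/cpanel/cpaddons/sample/diff
```

A `MISSING` verdict is what a scan configured to move detections produces; in that case hash the quarantined copy instead.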