Suspicious file name alerts from CSF

Discussion in 'Security' started by Victor Perez, Feb 1, 2016.

  1. Victor Perez

    Victor Perez Registered

    Hi my friends

    Help me please. I have a problem with notifications of CSF

    The alerts are:

    Code:
    ------------------------------------------------------------------
    Time:  Mon Feb  1 00:50:22 2016 -0600
    File:  /tmp/*).length > 1 ) {
    w = wpgallery.getWin();
    
    $(#save-all,
    Reason: Suspicious file name
    Owner:  pablodel:pablodel (766:779)
    Action: No action taken
    ------------------------------------------------------------------
    Time:  Mon Feb  1 00:50:17 2016 -0600
    File:  /tmp/.hentry ).appendTo( $( .portfolio-projects ) );
    } );
    
    } )( jQuery );
    
    Reason: Suspicious file name
    Owner:  pablodel:pablodel (766:779)
    Action: No action taken
    ------------------------------------------------------------------
    Time:  Mon Feb  1 00:50:16 2016 -0600
    File:  /tmp/h3).text();
    et_tb_interval = setInterval( function() {
    jQuery(#TB_iframeContent).contents().find(.savesend
    Reason: Suspicious file name
    Owner:  pablodel:pablodel (766:779)
    Action: No action taken
    ------------------------------------------------------------------
    Time:  Mon Feb  1 00:50:15 2016 -0600
    File:  /tmp/li, setActiveItem("UL"));
    }
    
    if (itemName == "numlist") {
    selection.selectorChanged(ol
    Reason: Suspicious file name
    Owner:  pablodel:pablodel (766:779)
    Action: No action taken
    ------------------------------------------------------------------
    
    Any ideas?

    Thank you very much
     
    #1 Victor Perez, Feb 1, 2016
    Last edited by a moderator: Feb 1, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I've moved this thread to our "Security" forum. Please keep in mind this message stems from CSF/LFD as opposed to cPanel. You may want to review the file contents, or consult with a qualified security expert to determine if the file is malicious.

    Thank you.
     
  3. keat63

    keat63 Well-Known Member

    Those look like pieces of script rather than file names, and I'm hazarding a guess are related to WordPress.
    Other than that I have nothing to contribute.
     
  4. Victor Perez

    Victor Perez Registered

    Thank you my friend.
     
  5. Kamenjan

    Kamenjan Registered

    Hey Victor,

    I have the same problem. My host provider sent me a notification that files with code snippets as names were created inside their (host's) /tmp/ folder by our application.

    /tmp/*).length > 1 ) { w = wpgallery.getWin(); $(#save-all this was the name of the file.

    I was able to find this piece of code inside ./public_html/wp/wp-admin/js/gallery.js on line 75. But I do not know where to look next. How were you able to solve this? Could you spare any advice?
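
A triage sketch for alerts like these, added here as an example and not part of any post or of CSF/LFD: it lists directory entries whose names look like code, then searches a web root's .js files for the longest line of each name, the way the snippet was traced to gallery.js above. The character heuristic, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristic (not LFD's actual rule): whitespace, control characters or
# code punctuation in a name is unusual for a legitimate temp file.
ODD = re.compile(r"[\s(){};$<>*\"']")
QUOTES = str.maketrans("", "", "'\"")

def norm(text):
    """Drop quotes and collapse whitespace; the alert names carry no quotes."""
    return " ".join(text.translate(QUOTES).split())

def odd_names(directory):
    """Return (name, uid, size) for entries whose names look like code."""
    found = []
    for entry in os.scandir(directory):
        if ODD.search(entry.name):
            st = entry.stat(follow_symlinks=False)  # do not follow symlinks in /tmp
            found.append((entry.name, st.st_uid, st.st_size))
    return found

def find_source(name, web_root):
    """Return (path, line_no) pairs where a .js file holds the longest line of name."""
    needle = max((norm(part) for part in name.splitlines()), key=len, default="")
    hits = []
    for path in sorted(Path(web_root).rglob("*.js")) if needle else []:
        lines = path.read_text(errors="replace").splitlines()
        hits += [(str(path), n) for n, line in enumerate(lines, 1) if needle in norm(line)]
    return hits

def demo():
    """Constructed sample: a scratch 'tmp' dir and web root, not real server data."""
    base = Path(tempfile.mkdtemp())
    tmp, root = base / "tmp", base / "public_html"
    tmp.mkdir()
    root.mkdir()
    js = root / "gallery.js"
    js.write_text("var w;\nif ( $('#media-items>*').length > 1 ) {\n"
                  "\tw = wpgallery.getWin();\n\n\t$('#save-all, #gallery-settings');\n}\n")
    (tmp / "*).length > 1 ) {\nw = wpgallery.getWin();\n\n$(#save-all,").write_text("")
    (tmp / "sess_ab12").write_text("x")  # ordinary name, must not be reported
    # repr() keeps embedded newlines visible and the report on one line per file
    report = [(repr(n), uid, size, find_source(n, root)) for n, uid, size in odd_names(tmp)]
    return report, str(js)

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The reported uid and size show which account created the file and whether it holds any data, alongside the script file the name fragment came from.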
     
  6. Neil Gee

    Neil Gee Registered

    I just started getting this too.... email alerts from lfd on suspicious files in /tmp

    Code:
    File:  /tmp/li, setActiveItem("UL"));
    
    }
    
    
    if (itemName == "numlist") {
    
    selection.selectorChanged(ol
    
    Reason: Suspicious file name
    
    and
    
    File:  /tmp/*).length > 1 ) {
    
    w = wpgallery.getWin();
    
    
    $(#save-all,
    
    Reason: Suspicious file name
    
    I've just removed them at this point - they don't contain any malware code
     
    #6 Neil Gee, Mar 4, 2016
    Last edited by a moderator: Mar 4, 2016
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    This suggests the information stems from the Gallery plugin for WordPress. I suggest contacting the developers of the plugin to determine the reason for the reported behavior.

    Thank you.
     