Cached Ransomware?

  • Resolved dleer58

    (@dleer58)


    7 years, 12 months ago

    I have “File Server Resource Manager” running on my web server with various rules to block certain file types. I have recently been getting alert emails stating the following:

    “User NT AUTHORITY\IUSR attempted to save D:\www\website\wp-content\cache\comet-cache\cache\http\web-url\tag\cryptolocker.html-58d8c1212adf3089930471-tmp to D:\ on the WEB-NAME server. This file is in the “Ransomware extensions” file group, which is not permitted on the server.”

    Ransomware extensions are listed here: https://fsrm.experiant.ca/
    I know that my web server is healthy and running as expected. So where does Comet Cache find that file?

    Thanks

Viewing 4 replies - 1 through 4 (of 4 total)

  • @dleer58 Comet Cache uses the -tmp extension when using cache locking to write files to the cache. If possible, I recommend excluding the cache directory from your system scanning to prevent false-positives like this one.

    Thread Starter dleer58

    (@dleer58)

    @raamdev

    In this case, the extension is html-58d8c1212adf3089930471-tmp. One telltale sign of a cryptolocker infection is the creation of “cryptolocker.*” files which is what FSRM is catching.

    Here are a couple entries from the php56_errors.log file:

    [28-Mar-2017 00:56:44 UTC] PHP Warning: file_put_contents(D:\www\website/wp-content/cache/comet-cache/cache/http/web-url/tag/cryptolocker.html-58d9b4cc44a39397924973-tmp): failed to open stream: Permission denied in D:\www\website\wp-content\plugins\comet-cache\src\includes\traits\Ac\ObUtils.php on line 430

    [28-Mar-2017 00:56:44 UTC] PHP Fatal error: Uncaught exception ‘Exception’ with message ‘Comet Cache: failed to write cache file for: /tag/cryptolocker/; possible permissions issue (or race condition), please check your cache directory: D:\www\website/wp-content/cache/comet-cache/cache.’ in D:\www\website\wp-content\plugins\comet-cache\src\includes\traits\Ac\ObUtils.php:435
    Stack trace:#0 [internal function]: WebSharks\CometCache\Classes\AdvancedCache->outputBufferCallbackHandler(‘<!DOCTYPE html>…’, 9)#1 D:\www\website\wp-includes\functions.php(371 in D:\www\website\wp-content\plugins\comet-cache\src\includes\traits\Ac\ObUtils.php on line 435

    Comet Cache caches existing files, writing temp files in the process. So, I’m still wondering where CC is finding the file that the temp file is created from…

    Thanks

    Thread Starter dleer58

    (@dleer58)

    Found it… Turns out that one of the site’s posts is about Cryptoclocker and has the tag Cryptolocker too, hence the temp file named cryptolocker.*

    @dleer58 Thanks for the update. ?? I’m glad to hear that you figured it out. That was going to be my next suggestion, that you might have a post with “cryptolocker” in it.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Cached Ransomware?’ is closed to new replies.