
XF 1.5 Identify Who Posted Malware

#1
My hosting provider has set up maldet and I just got a report regarding some problem files detected.

Note the first one is located at:
/home/public_html/forum/internal_data/image_cache/0/784-ea41368e816eb90373a83b7e0d526182.data

as per the code below.

How can I tell which post this image is associated with and who posted it?

Code:
malware detect scan report:
SCAN ID: 091015-0329.31336
TIME: Sep 10 03:53:19 -0500
PATH: /home*/*/public_html
RANGE: 2 days
TOTAL FILES: 6665
TOTAL HITS: 3
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 091015-0329.31336
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.358 : /home/public_html/forum/internal_data/image_cache/0/784-ea41368e816eb90373a83b7e0d526182.data
{HEX}php.cmdshell.unclassed.358 : /tmp/nginx_client/0019734821
{HEX}php.cmdshell.unclassed.358 : /tmp/nginx_client/0019734820
 

Mike

XenForo developer
Staff member
#2
Note this wasn't an uploaded file; it was an image linked for a post.

You should be able to go to this page:

<url>/admin.php?logs/image-proxy-details&image_id=784

If you have referrer tracking enabled, it will tell you where the image was used and you should be able to identify the user from there.