Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

I found the 'c99madshell' trojan in Catalina\localhost?

Tony_Tovar_-_work
Tony_Tovar_-_work September 29, 2015

Our antivirus scanner just found a trojan in a 'multPartReq1234.tmp' file in the \work\Catalina\localhost\_\ folder.  The file is dated Nov 2014 and the infection is identified as "PHP/WebShell.NBS (trojan)"

Is this a live file?  or is it a sign that someone tried (and hopefully failed) to upload an infected attachment?

Answer
Watch
Like Be the first to like this
486 views

1 answer

0 votes
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
September 29, 2015

It is very likely to be an uploaded file.  You'd need to check the virus scanner logs to know if it blocked upload (JIRA doesn't have a scanner in it)

View More Comments
Tony_Tovar_-_work
Tony_Tovar_-_work September 29, 2015

Unfortunately our old anti-virus had a file-type exclusion for "tmp" files so it never got scanned until now; we have a new antivirus and it does full-system scans as it is rolled-out. There were no other 'infected' files detected so I am hopeful that the default permissions in JIRA (Apache?) blocked it's activation. Really, I am looking for specific advice about the purpose of this folder (and these 'tmp' files) and if there's anything else I need to check. For instance, which log file should I check? I'm pretty sure we still have the logs from a year ago.

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
September 29, 2015

Well, it won't have executed anything on the server - JIRA simply stores uploads and sends them back to the users if they try to read/download them. There's no permissions involved there, it's just a static binary object. The purpose of the folder is "anything Tomcat wants to store temporarily, usually because it's too big for memory, or simply not needed in memory at all". The second applies to upload/download. If your old scanner wasn't set up to scan tmp files, then there's no need to worry about logs - it will have ignored it anyway.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events