# masacms
Hi all, anyone know of active hacks or breaches in the latest version of MASA CMS? We are seeing intermittent mitigations by our virus scanner for PHP/Webshell.ODS originating in the Lucee 6 Tomcat temp directory, as an upload. None of our other sites on that server have upload functionality, only MASA CMS has it. The mitigated file does not occur in any of the web contexts on the server, but in the lucee-server temp folder itself. Maybe it's a false positive, but feel free to chime in. Googling didn't really yield a result.
Answering my own question here, as I have had a fruitful learning session with @bdw429s and @dswitzer over at the #C06TA0A9W channel. The behaviour we're seeing is probably from a hacker using curl or similar tooling to post data to our webserver, hoping the data will be picked up by a process in Lucee 6. As long as it resides in the temp folder of the lucee-server and is not moved elsewhere to any webroot, the behaviour is annoying at best. As long as our virus scanner is actively removing the files, we're safe for now. We'll look into blocking the offending poster if we can get hold of an IP of some sort. For now we'll keep an eye on it and look for countermeasures.
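The "get hold of an IP" step above, worked as an added example (not code from the thread or from the MASA CMS / Lucee projects): correlate the modification time of a file the scanner flagged in the lucee-server temp folder with POST requests in the Tomcat access log, and cheaply check whether a temp file carries PHP code at all. It assumes the access log uses Tomcat's "common" pattern; the log lines and timestamps below are constructed, not real traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample Tomcat access-log lines ("common" pattern); not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:14:02 +0000] "POST /index.cfm HTTP/1.1" 200 512
198.51.100.4 - - [12/Mar/2024:10:14:09 +0000] "GET /index.cfm HTTP/1.1" 200 8231
203.0.113.7 - - [12/Mar/2024:10:14:11 +0000] "POST /index.cfm HTTP/1.1" 200 512
192.0.2.55 - - [12/Mar/2024:11:30:00 +0000] "POST /admin/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def parse_log(text):
    """Yield (ip, timestamp, method, path) for each parseable common-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected pattern
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"]


def posters_near(log_text, file_mtime, window=timedelta(seconds=60)):
    """Count POST requests within `window` of a flagged file's mtime, per client IP.

    The result is a list of candidates to review (and possibly rate-limit or
    block at the edge), not proof that a given IP wrote the file.
    """
    counts = Counter()
    for ip, ts, method, _ in parse_log(log_text):
        if method == "POST" and abs(ts - file_mtime) <= window:
            counts[ip] += 1
    return counts


def looks_like_php(data: bytes) -> bool:
    """Cheap triage: a PHP open tag in a temp upload is out of place on a CFML server."""
    return b"<?php" in data


if __name__ == "__main__":
    # Constructed mtime standing in for os.stat(flagged_file).st_mtime.
    mtime = datetime(2024, 3, 12, 10, 14, 10, tzinfo=timezone.utc)
    print(posters_near(ACCESS_LOG, mtime))  # POSTs around the flagged file's mtime
```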