ConfigServer Community Forum

Is it possible to use cxs scanner without cpanel for other type of hosting servers?

Hello,

Please How to restore all quarantine files?

Thanks

Hello,

I am in badly need of getting two php files ignored from qurantain. i did the following steps. but still it qurantaines :(

1.
#touch /etc/cxs/cxs.ignore
#chmod 644 /etc/cxs/cxs.ignore

2.
#nano cxs.ignore

and added the two files to the bottom of the existing content

......
hdir:/etc
hdir:/mail
hdir:/tmp
hdir:/.cagefs
hdir:/.fantasticodata
hdir:/.rvsitebuilder
hdir:/.sqmaildata...

We are seeing dozens of emails every day alerting us to files being uploaded to /tmp by web scripts, some of which do not even exist. I am guessing that the bad guys are POSTing blindly, and the files are uploaded to /tmp until they are finished uploading, then when the script doesn't exist or handle the upload, the hack is failed and the bad guys move on.

Meanwhile, we have this malware file...

Hi there

May i know if there is a list or online database that provide more information on the type of exploit that is causing the files to be quaratined inside CXS ?

For example the exploit below P0966 is there more information to be found on the type of exploit it is, what it does etc ?

Reason: Known exploit = [PHP Wordpress Exploit ]

I realized that the function (W) world writable directory (777) and chmod to 755
stopped working. I discovered the problem after trying to fix permissions for an account, as I often do. To my surprise the files with 777 permissions were not detected nor mentioned in the log CSX.
I do not always when the problem started or what version. I'm currently using the version 5.30, and problem occurs on...

Thank you for your recent Tweet regarding cxs and ModSecurity v2.9.

I have tried to edit /usr/local/apache/conf/modsec2.user.conf

As detailed in your blog post:

However I see currently no mention of CXS in the configuration file:

and add the line above after the cxs ModSecurity rule and then restart httpd.

Have I missed an important change I should have made when installing CXS in the...

Hi there

The system’s command to check or to restart this service failed.

CENTOS 6.6 i686 virtuozzo – sydney WHM 11.48.4 (build 4)

i just installed the CXS, still cannot start the service , tried many ways

also found exim queue has lot of spam

Hello,

We have uncovered a suspicious file that i am overly surprised no scanner has picked up and its very concerning.

The filename is called 'indonesia.php'

I was sitting in one of our customer Wordpress installs and in some sub directories. The contents of the file is as follows.

Do not post exploits on these forums

We are in no way experts but that does seem to be malware.

Has anyone...

With a few hundred accounts on the server, the weekly scan report from CXS is gigantic and difficult to read. In fact, in GMail, only about 1/4 of the report is displayed (the rest is truncated)

Much of the report shows accounts that have had no suspicious files or any matches of any kinds. i.e. the accounts are perfectly fine.

Is there a way to have the weekly report only send me a list of...

At the top of our Scan Reports, it says (for example:
----------- SCAN REPORT -----------
TimeStamp: Wed Apr 1 03:38:56 2015
(/usr/sbin/cxs --allusers --nobayes --clamdsock /var/clamd --defapache nobody
(snip)

The TimeStamp above is from April 1st, but the scan was just completed this afternoon (April 6). I don't yet understand the date difference.

I see in the Change Log where the TimeStamp...

I have several dozen files on my server that are the source of a symlink attempted attack. CXS did not see these files. Would you like a copy if that's useful?

I guess i could send this to a sales email addy, but it's a quick question with one answer and I don't see any info on the site that elaborates on it.

The cpanel server service is $130 per month , correct?

With the popularity of WordFence I am seeing more and more of these. My ignore does not seem to work. What is the proper ignore rule for ignoring the wfcache folder globally?

cxswatch Scanning /home/username/public_html/wp-content/wfcache/www.domain.com_article
# Suspicious directory:
'/home/username/public_html/wp-content/wfcache/www.domain.com_article'

I got users with scripts that are chmoding themselves as 777.
Others uploading them this way.
Anyway for whatever reason, there are directories with 777 permissions.

I don't really care, cagefs does the work well. But what concerns me is cxswatch.
I may get ~500 mails per day per server that is 4000 mails in a day only
for warnings about world writable directories.

HOW I can stop cxswatch from...

I think I got it to lower load a bit but now I'm noticing something strange with CXS watch:

This is CXS watch configuration:

/usr/sbin/cxs --Wstart --allusers --www --smtp -I /etc/cxs/cxs.ignore --options M --qoptions Mv --quarantine /cxs/scan/ --Wmaxchild 3 --nofallback --Wloglevel 0 --Wsleep 15 --filemax 0 --sizemax 200000 --Wrateignore 600

I'm noticing it is showing Script Version Checks in...

Upgrading cxs...

Upgrading cxs from v5.10 to 5.11...
Retrieving new cxs installer...
...100%

Unpacking new cxs package...

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
sh: line 0: cd: /usr/src/cxs: No such file or directory
sh: install,sh: No such file or directory
Tidying up...
...All done.
?????

I am getting what I am pretty sure is a false alarm since I added this. I can find nothing on the new signature in P0767. Help?

#Prevents showing indexes when there is no index.html etc
Options -Indexes

ServerSignature Off

Header append X-Frame-Options SAMEORIGIN

Hello, As of 2 days ago, I start receiving warning messages that CXS wasn't running. When I go to manually start the server I get this response:

Starting cxs watch...

Starting cxswatch daemon:Quantifier follows nothing in regex; marked by \ \.)?\s*((gzinflate|gzuncompress|gzdecode|stripslashes|urldecode)\s*\(*\s*)?(\@?(unserialize|str_rot13|base64_decode|strrev|gzinflate|gzuncompxyP#;'wt...

Can I have cxs run a custom script before reporting or acting on a possible threat, so that the script itself can rule out false-positives or take action?

I've been getting a lot of useful hits on social.png files being uploaded via ftp. These are potentially dangerous, as they could be from the CryptoPHP malware. However, a simple check using the file command can tell me whether it's PHP script...