ConfigServer Community Forum

Thank you for your recent Tweet regarding cxs and ModSecurity v2.9.

I have tried to edit /usr/local/apache/conf/modsec2.user.conf

As detailed in your blog post:

However I see currently no mention of CXS in the configuration file:

and add the line above after the cxs ModSecurity rule and then restart httpd.

Have I missed an important change I should have made when installing CXS in the...

Hi there

The system’s command to check or to restart this service failed.

CENTOS 6.6 i686 virtuozzo – sydney WHM 11.48.4 (build 4)

i just installed the CXS, still cannot start the service , tried many ways

also found exim queue has lot of spam

Hello,

We have uncovered a suspicious file that i am overly surprised no scanner has picked up and its very concerning.

The filename is called 'indonesia.php'

I was sitting in one of our customer Wordpress installs and in some sub directories. The contents of the file is as follows.

Do not post exploits on these forums

We are in no way experts but that does seem to be malware.

Has anyone...

With a few hundred accounts on the server, the weekly scan report from CXS is gigantic and difficult to read. In fact, in GMail, only about 1/4 of the report is displayed (the rest is truncated)

Much of the report shows accounts that have had no suspicious files or any matches of any kinds. i.e. the accounts are perfectly fine.

Is there a way to have the weekly report only send me a list of...

At the top of our Scan Reports, it says (for example:
----------- SCAN REPORT -----------
TimeStamp: Wed Apr 1 03:38:56 2015
(/usr/sbin/cxs --allusers --nobayes --clamdsock /var/clamd --defapache nobody
(snip)

The TimeStamp above is from April 1st, but the scan was just completed this afternoon (April 6). I don't yet understand the date difference.

I see in the Change Log where the TimeStamp...

I have several dozen files on my server that are the source of a symlink attempted attack. CXS did not see these files. Would you like a copy if that's useful?

I guess i could send this to a sales email addy, but it's a quick question with one answer and I don't see any info on the site that elaborates on it.

The cpanel server service is $130 per month , correct?

With the popularity of WordFence I am seeing more and more of these. My ignore does not seem to work. What is the proper ignore rule for ignoring the wfcache folder globally?

cxswatch Scanning /home/username/public_html/wp-content/wfcache/www.domain.com_article
# Suspicious directory:
'/home/username/public_html/wp-content/wfcache/www.domain.com_article'

I got users with scripts that are chmoding themselves as 777.
Others uploading them this way.
Anyway for whatever reason, there are directories with 777 permissions.

I don't really care, cagefs does the work well. But what concerns me is cxswatch.
I may get ~500 mails per day per server that is 4000 mails in a day only
for warnings about world writable directories.

HOW I can stop cxswatch from...

I think I got it to lower load a bit but now I'm noticing something strange with CXS watch:

This is CXS watch configuration:

/usr/sbin/cxs --Wstart --allusers --www --smtp -I /etc/cxs/cxs.ignore --options M --qoptions Mv --quarantine /cxs/scan/ --Wmaxchild 3 --nofallback --Wloglevel 0 --Wsleep 15 --filemax 0 --sizemax 200000 --Wrateignore 600

I'm noticing it is showing Script Version Checks in...

Upgrading cxs...

Upgrading cxs from v5.10 to 5.11...
Retrieving new cxs installer...
...100%

Unpacking new cxs package...

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
sh: line 0: cd: /usr/src/cxs: No such file or directory
sh: install,sh: No such file or directory
Tidying up...
...All done.
?????

I am getting what I am pretty sure is a false alarm since I added this. I can find nothing on the new signature in P0767. Help?

#Prevents showing indexes when there is no index.html etc
Options -Indexes

ServerSignature Off

Header append X-Frame-Options SAMEORIGIN

Hello, As of 2 days ago, I start receiving warning messages that CXS wasn't running. When I go to manually start the server I get this response:

Starting cxs watch...

Starting cxswatch daemon:Quantifier follows nothing in regex; marked by \ \.)?\s*((gzinflate|gzuncompress|gzdecode|stripslashes|urldecode)\s*\(*\s*)?(\@?(unserialize|str_rot13|base64_decode|strrev|gzinflate|gzuncompxyP#;'wt...

Can I have cxs run a custom script before reporting or acting on a possible threat, so that the script itself can rule out false-positives or take action?

I've been getting a lot of useful hits on social.png files being uploaded via ftp. These are potentially dangerous, as they could be from the CryptoPHP malware. However, a simple check using the file command can tell me whether it's PHP script...

Hi all,

We're receiving a lot of cxs Scan email alerts with the following kind of content:

Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web referer URL : somedomain. com. br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Local IP : X.X.X.X
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path :...

Hello, CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale.

I have several servers blacklisted because of one or two costumers having their websites hacked.

Does cps have or will have in a short short period any kind of tool for detecting and preventing this infection?

thks

Hi peeps,

I'll start asking a bit of patience from you. I'm a newbie to CXS and
rather a freshman when it comes to servers...

After being stung by hackers, we had our hosting provider install CXS on our server.

I've configured as much as I could however I keep on getting this email

*******************
/etc/cron.daily/cxsdaily sh:

Quarantine directory does not exist:
*******************...

Hi every day I get this alert:
cxswatch Scanning /home/vinaio/public_html/media/dojo/20140917:
# World writeable directory:
'/home/vinaio/public_html/media/dojo/20140917'

As dojo is a legitimate folder, I added it to the /etc/cxs/cxs.ignore list (dir:/home/vinaio/public_html/media/dojo/20140912) and then added this option to cxswatch:-I /etc/cxs/cxs.ignore
But I still get the same daily alert....

Known exploit = [PHP Defacement Exploit ]:

how to know more about the exploit and what does this code 0752 mean,

Thanks for the suggestions.

hello and first of all congraz for your great software!

today i noticed something strange in a account. the cxs scan returned the following

Scanning /home/xxxxxxx:
# Known exploit = [PHP REQUEST Exploit ]:
'/home/xxxxxxx/public_html/libraries/joomla/application/web/info.php'
# Known exploit = [PHP REQUEST Exploit ]:
'/home/xxxxxxx/public_html/libraries/joomla/filter/alias.php'
# Skipped - too...