ConfigServer Community Forum

Hi all,

We're receiving a lot of cxs Scan email alerts with the following kind of content:

Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web referer URL : somedomain. com. br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Local IP : X.X.X.X
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path :...

Hello, CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale.

I have several servers blacklisted because of one or two costumers having their websites hacked.

Does cps have or will have in a short short period any kind of tool for detecting and preventing this infection?

thks

Hi peeps,

I'll start asking a bit of patience from you. I'm a newbie to CXS and
rather a freshman when it comes to servers...

After being stung by hackers, we had our hosting provider install CXS on our server.

I've configured as much as I could however I keep on getting this email

*******************
/etc/cron.daily/cxsdaily sh:

Quarantine directory does not exist:
*******************...

Hi every day I get this alert:
cxswatch Scanning /home/vinaio/public_html/media/dojo/20140917:
# World writeable directory:
'/home/vinaio/public_html/media/dojo/20140917'

As dojo is a legitimate folder, I added it to the /etc/cxs/cxs.ignore list (dir:/home/vinaio/public_html/media/dojo/20140912) and then added this option to cxswatch:-I /etc/cxs/cxs.ignore
But I still get the same daily alert....

Known exploit = [PHP Defacement Exploit ]:

how to know more about the exploit and what does this code 0752 mean,

Thanks for the suggestions.

hello and first of all congraz for your great software!

today i noticed something strange in a account. the cxs scan returned the following

Scanning /home/xxxxxxx:
# Known exploit = [PHP REQUEST Exploit ]:
'/home/xxxxxxx/public_html/libraries/joomla/application/web/info.php'
# Known exploit = [PHP REQUEST Exploit ]:
'/home/xxxxxxx/public_html/libraries/joomla/filter/alias.php'
# Skipped - too...

Dears
is it acceptable to submit melecious scripts which has been used in my server (already has cxs) but did not discovered?
this is to add it in your database for future release
if there is any way to submit them, please let me know
Regards

hi
i am using cPanel with php 5.2.17
and cxs is working propebly
but when we update cxs to latest version we see this error when we scan a user

Scan Error [Unmatched [ in regex; marked by <-- HERE in m/<\?php error_reporting\(0\); ini_set\('display_errors', 0\);\@ini_set\('max_execution_time', 0 [ <-- HERE / at /usr/sbin/cxs line 232

how can i solve this problem ?
thanks

Hi,

We run CXS over all our fleet each week for a full scan, and one server sends dozens of messages towards the end of the scan which are all pretty much the same, only with the addition of an account of two extra having been scanned.

I did notice that this server runs the cxs update via a cron every morning which would make this occur right in the middle of the weekly full scan - could this...

Hello.

My modsecurity rule:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES @inspectFile /etc/cxs/cxscgi_DOT_sh \
log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'
SecTmpDir /tmp

/etc/cxs/cxscgi_DOT_sh:
/usr/sbin/cxs --quiet --cgi --mail root --delete --logfile /var/log/cxs_upload.log --virusscan $1

If I try to upload malicious code I get in /var/log/cxs_upload.log:
Aug 6...

I have installed cxs and added the lines :

SecRequestBodyAccess On
SecRule FILES_TMPNAMES “@inspectFile /etc/cxs/cxscgi_DOT_sh” \
“log,auditlog,deny,severity:2,id:’1010101′”

To the file /usr/local/apache/conf/modsec2.user.conf

Now every time I edit css template in joomla and press save I get :

Not Acceptable

An appropriate representation of the requested resource...

Hi,

I get the following exploit on a site:
# Known exploit = [PHP Exploit ]

How do I find out more about the exploit? I know that WordPress sites are affected by it and it's the first line of the file, but the various files look different.
What's the signature?
How can I grep for this particular exploit's footprint?
P0358 references the local bayes db I think, or is it a reference to an...

Hello,

How can i block file with this script:

Thank you

With every account that runs a wordpress blog on our server, I've been getting this, starting around July 2nd.

I thought it might be the wysija plugin that was recently reported to have a security bug, but all of the sites don't have the plugin this refers to.
Still, the IPs these come from are all from suspect countries, so it's not an accident.
Each cxs entry has a different IP listed as the...

I know all about the cxs.xtra file which adds signatures (sort of) to be detected by my installation of CXS, is there a place though to submit files to be added/analysed by ConfigServer to CXS.

I manage a bunch of servers and I come regularly accross files that are not detected by CXS and would love nothing more than to submit them so they are added to the scan engine.

Hi.

I'm desesperate.

I need exclude file from cxs but try several ways form and not work.

I like not alert for
/tmp/RokCommonXXXXXXXXXXServiceContainer.php

XXXX is ramdon characters

I put on /etc/cxs/cxs.ignore
pfile:\/tmp\/RokCommon*
pfile:/tmp/RokCommon*

Whtat it's wrong?

Hello,

In an old installation of cxs, the cxs daemon cannot longer start cxs (Watch Daemon - cxs Watch is not running), and the message I get is
ERROR: Attempt to restart unknown service cxswatch

I have uninstalled and re-installed cxs but problem still exists. Any ideas what might cause this issue please?

Thanks

Hi Everyone,
I am currently having issues with spammers gaining access to some of my websites. They are uploading spam scripts but cxs is not detecting them? How can I configure CXS to pick up these new spam scripts as it is causing major issues with regards to my servers getting blacklisted for spam!

Thanks

Rockyuk

We have cxs and configserver running on a server and received the following from abuseeat.org. I am running the latest versions. Any recommend way to track down this script? I have grepped all files in /var/log/ but have found no occurrence of the IP 87.255.51.229 listed. The system runs Apache in ruid2 so php processes are ran at the user level. Is there anything in the latest cxs to cover...

Hi

I am BRAND new to cxs. I just installed it and am doing a scan. I found that a clients .htaccess was flagged and quarantined, which is breaking parts of their website. the .htaccess is huge and appears to contain many valid statements... my question is how can i determine if a quarantined item is malicious or a false positive. one particular example shows me this:

Reason: Known exploit =...