ConfigServer Community Forum

Hi, I have installed the script in my WHM Linux Server.

How do I scan malware and virus inside a specific /home/user using WHM interface? I can´t find it

Thanks,
Francisco

Hi, I'm not sure what the CXS_ALL firewall rule (filter) is doing but it appears for blocked IP's in CSF/LFD and when I attempt to unblock, it unblocks the IP in LFD but the CXS_ALL filter remains.

The only way to override the rule is to white-list the IP.

1) What is this filter?
2) Is there any easy way unblock IP's in this list?

Thanks,

Ian

Hello,

I need a weekly scan with notification to my email, but not email notifications for cPanel users. For this I am using this cron and this template:

cat /etc/cron.weekly/cxs_complete_weekly

/usr/sbin/cxs --nosversionscan --bayes --breport high --options -wW \
--Wmaxchild 3 --Wloglevel 0 --Wsleep 3 --filemax 0 --Wrateignore 300 \
-Q /home/quarantine -I /etc/cxs/cxs.ignore --xtra...

Hello,
In the previous versions there is the option to automatically change the permissions 777 to 755, could you put that option back?

Hello,

In my daily scan I use the following crontab:

/usr/sbin/cxs -mail ###@#####.## --exp --novir -o mMOSGchdnD -Z --sum -T 5 -all --ignore /etc/cxs/cxs.ignore

for some reason in more than a dozen servers I received today about 50-200 hits per server with the following reason:

# Regular expression match = :
'/home/USERNAME/public_html/cp2/libraries/pear/archive_tar/Archive_Tar.php'

I...

Hello,

Each time I disable the Email configuration via your WHM command wizard UI (for watch and daily/weekly cron), the setting is saved but upon returning to the wizard the option is checked again which would result in the option being enabled when reconfiguring the command.

Generated command/config showing email is disabled:

Wizard, after returning to it when previously disabling the email...

Hello,

I wanted to know if there is a way to not send CXS's results via mail. Even when I don't use --mail reports are sent anyways.

I am scanning lots of accounts and I don't need to receive an email for each one of them. I only need those report stored in a file, so I can read it when if I need to.

Thanks.-

As of today I am getting hundreds of Hit emails out of the blue regarding the Wordpress plugin file:

'/wp-content/uploads/sucuri/sucuri-settings.php'

(quarantined to /home/quarantine/cxsuser/ /sucuri-settings.php.1521654621_1) Known exploit =

The quarantined file contains the following file contents:

{ sucuriscan_lastlogin_redirection : enabled , sucuriscan_revproxy : disabled }

Perhaps...

So my issue is the following:

In CXS 8 the very first option is:

What to scan:
If scanning a user, only scan within in the web root (e.g. ~user/public_html/)

Now, WHM Teak Settings has:

Restrict document roots to public_html which we have set to Disabled on all 25 production servers.

Which means that Addon Domains are created in /home/user/wordpress2 instead of...

I get an alert on every file that is uploaded - T option is not enabled/checked on either FTP or Regular scan.

Example
Scanning /home/XXXXX/public_html/hosting/modules/support/Zendesk/class.jwt.php:

(/usr/sbin/cxs --baction high --bayes --breport medium --clamdsock /var/clamd --nodbreport --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --mail root...

Awesome sounding new features!

Hi
1-I purchased cxs scanner and every time i do manual scan to all of my whm account after the scan does finish i see that some of my whm account was deleted without my permission.what shoud i do to prevent delet my whm account?
next question is that i have phishing in my server but cxs doesn't detect and remove theme and i receive abuse from datacenter every day
thanks

Getting lots of what appear to be false positives on the WordPress file:
default-widgets.php
since the WordPress 4.9.1 update.

as:
ClamAV detected virus =

Anyone else noticing this as well?

Thanks all!

Hello guys,

I have a server where CXS is installed, but when I try to run a manual scan it doesn't actually scan any files. It goes through all folders and that's it.

Here's what's happening:

# /usr/sbin/cxs --baction high --bayes --breport medium --clamdsock /var/clamd --deep --defapache nobody --report /var/log/cxs.scan --logfile /var/log/cxs.log --doptions Mv --exploitscan --fallback...

I get inundated with hacker activity, mainly exploiting Wordpress to install files which CSXS deletes or quarantines but nothing stops the same hackers on the same IP addresses from attacking multiple WP installs.

I don't know of a way to deal with the issue other than to manually block all of the IP addresses. Maybe blocking the IP addresses does no good as it seems I am chasing my tail. No...

Hi!

I find cxs very usefful on our Cpanel servers, and wish to use it on non-cpanel servers, to ensure their security.
I see that Cpanel is required, but i dont know if is viable use it (on limited way, or just only a few features) on non-cpanel server, or its not possible (and never be because...) use cxs on non Cpanel server.

Only i need is scan for files and daemon. Not need of interface or...

Hi there,

we're getting a lot of alerts for exploit P1410 but the affected files seem to be a simple archive script included in a lot of apps like coppermine, joomla extensions, CMS Made Simple and so on. The apparently bad file is even included in official sources of the named products. I don't know if maybe some malware used partially the same code as the legitimate script and now all are...

I am getting hundreds of alerts, like this:

'/home/USERNAME/public_html/wp-content/plugins/jetpack/modules/widgets/google-translate.php'
Script version check

It can't be that every user on all servers has a bad version of this module, included with Jetpack. Could this be a false positive?

- Scott