CXS Sending multiple reports on full scan
Hi,
We run CXS over all our fleet each week for a full scan, and one server sends dozens of messages towards the end of the scan which are all pretty much the same, only with the addition of an account or two extra having been scanned.
I did notice that this server runs the cxs update via a cron every morning which would make this occur right in the middle of the weekly full scan - could this be the cause? I have removed the cron task for now to see if so.
Re: CXS Sending multiple reports on full scan
OK, removing the update task in cron made no difference - I got 12 messages yesterday around the completion time of the full scan. Can someone from ConfigServer provide a course of action here, paid or otherwise?
Re: CXS Sending multiple reports on full scan
Hello,
What do the messages say? Can you give us here 1-2 messages to see?
Re: CXS Sending multiple reports on full scan
They are just multiple copies of the usual emailed reports...
e.g. subject "cxs Scan on redacted.co.uk (Hits:9348) (Viruses:1) (Fingerprints:1)"
----------- SCAN REPORT -----------
(/usr/sbin/cxs --options redacted --filemax redacted --ignore /etc/cxs/cxs.ignore --sizemax redacted --xtra /etc/cxs/cxs.xtra --summary --mail redacted@redacted.co.uk --logfile /var/log/cxs.log --quiet --timemax 2 --qoptions Mv --background --doptions Mv --virusscan --report /var/log/cxs.scan --allusers --throttle 10 --clamdsock /var/clamd --exploitscan)
(1198) redacted, Scanning /home/redacted:
# Scan Timeout (2 secs) while processing:
'/home/redacted/backup-7.11.2012_10-18-redacted.tar.gz'
# World writeable directory, changed to 755:
'/home/redacted/public_html/wp-content/plugins/si-contact-form/captcha/temp'
# Scan Timeout (2 secs) while processing:
'/home/redacted/public_html/wp-content/uploads/backupcreator/backupcreator.redacted-co-uk.20120711111248.zip'
----------- SCAN SUMMARY -----------
Scanned directories: 326
Scanned files: 2854
Ignored items: 11
Suspicious matches: 1
Viruses found: 0
Fingerprint matches: 0
Data scanned: 84.08 MB
Scan time/item: 0.018 sec
Scan Time: 56.743 sec
etc....
Re: CXS Sending multiple reports on full scan
Hello,
You might want to show us some other examples rather than "Scan Timeout", since I don't see anything strange in these notifications. 9348 hits might be from world writable or suspicious directories, but I see only 1 noticeable hit (Virus/Fingerprint).
Re: CXS Sending multiple reports on full scan
OK, I'll repeat my OP... We are receiving MULTIPLE SCAN SUMMARY EMAILS... CXS should send a single email at the end of the scan, but it is sending sometimes dozens.
This is becoming a major PITA and considering this is a paid product, I'm amazed nobody from ConfigServer has chimed in yet...
For example, in the log file that the scan generates, we get blocks like this - usually after the scan is 80% finished...
Feb 10 06:19:44 theserver cxs[462907]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
Feb 10 06:19:44 theserver cxs[462908]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
Feb 10 06:19:44 theserver cxs[367483]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
Feb 10 06:19:44 theserver cxs[461297]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
Feb 10 06:19:44 theserver cxs[367422]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
Feb 10 06:19:44 theserver cxs[461459]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
Feb 10 06:19:44 theserver cxs[461296]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
Feb 10 06:19:44 theserver cxs[428524]: ['/home/theuser/public_html/images/xmlrpc.class.php'] - Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]
You will notice that the same issue is reported multiple times... which matches up with the number of duplicate emails we are receiving.
We run the full scan with the following command line
/usr/sbin/cxs --report /var/log/cxs.scan --logfile /var/log/cxs.log --mail redacted@redacted --virusscan -I /etc/cxs/cxs.ignore --options mMOfSGChednWDR --xtra /etc/cxs/cxs.xtra -Z --sum --timemax 2 -F 10000 -C /var/clamd -T 10 -B --allusers
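The log excerpt in the post above shows one hit logged by several cxs PIDs in the same second. The following is an added example, not part of the original thread and not ConfigServer code: it groups hit lines from the cxs log by day, file and finding, and lists the distinct PIDs that reported each one. The line layout is taken from the excerpt; the function name, sample PIDs and the second sample path are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of a cxs hit line as quoted in the thread (one line per hit):
#   Feb 10 06:19:44 theserver cxs[462907]: ['/path/file.php'] - Known exploit = [...]
HIT_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s(?P<time>[\d:]{8})\s(?P<host>\S+)\s"
    r"cxs\[(?P<pid>\d+)\]:\s\['(?P<path>.*?)'\]\s-\s(?P<finding>.*)$"
)


def duplicate_hits(lines):
    """Map (day, path, finding) -> sorted PIDs, for hits logged by more than one cxs process."""
    pids = defaultdict(set)
    for line in lines:
        m = HIT_RE.match(line.strip())
        if m is None:
            continue  # not a hit line, or a line broken by mail/forum wrapping
        pids[(m["day"], m["path"], m["finding"])].add(int(m["pid"]))
    # A hit repeated by the same PID is not counted; only distinct processes matter here.
    return {key: sorted(p) for key, p in pids.items() if len(p) > 1}


FINDING = "Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0217]]"
SHELL = "/home/theuser/public_html/images/xmlrpc.class.php"
OTHER = "/home/theuser/public_html/other.php"  # constructed path

# Constructed sample lines: the PIDs are made up for this example.
SAMPLE = [
    f"Feb 10 06:19:44 theserver cxs[1001]: ['{SHELL}'] - {FINDING}",
    f"Feb 10 06:19:44 theserver cxs[1002]: ['{SHELL}'] - {FINDING}",
    f"Feb 10 06:19:44 theserver cxs[1001]: ['{SHELL}'] - {FINDING}",
    f"Feb 10 06:19:45 theserver cxs[1003]: ['{SHELL}'] - {FINDING}",
    f"Feb 10 06:20:01 theserver cxs[1001]: ['{OTHER}'] - {FINDING}",
    "Feb 10 06:20:02 theserver cxs[1001]: Scan finished",
]

if __name__ == "__main__":
    for (day, path, finding), procs in duplicate_hits(SAMPLE).items():
        print(f"{day} {path}: {len(procs)} cxs processes logged '{finding}': {procs}")
```

If the PID count for a hit matches the number of duplicate mails received, that supports the observation in the post that each extra mail corresponds to an extra cxs process reporting the same scan.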
- Junior Member
- Posts: 3
- Joined: 15 Aug 2014, 02:27
Re: CXS Sending multiple reports on full scan
Hello,
We are experiencing the exact same thing: while the scan is still running, we get sent a repeat email, over 30 times so far in the past 2 hours, of the exact same thing:
----------- SCAN REPORT -----------
TimeStamp: Thu Aug 14 05:01:07 2014
(/usr/sbin/cxs --allusers --nobayes --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 0 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan --Wloglevel 0 --Wmaxchild 3 --Wrateignore 300 --Wrefresh 7 --Wsleep 3 --Wstart --www)
cxswatch Scanning /home/cyntheas/public_html/core/cache/includes/elements/modplugin/5.include.cache.php:
# Regular expression match = [decode regex: 1]:
'/home/cyntheas/public_html/core/cache/includes/elements/modplugin/5.include.cache.php'
# (quarantined to /home/quarantine/cxsuser/cyntheas/5.include.cache.php.1408064415_1) (decoded file [depth: 1]) ClamAV detected virus = [PHP.Shell-38]:
'/home/cyntheas/public_html/core/cache/includes/elements/modplugin/5.include.cache.php'
----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious matches: 2
Viruses found: 1
Fingerprint matches: 0
Data scanned: 0.04 MB
Scan time/item: 0.103 sec
Scan time: 0.103 sec
Re: CXS Sending multiple reports on full scan
Was there ever a fix found for this?
Re: CXS Sending multiple reports on full scan
Please submit a ticket on the helpdesk for any problems with cxs. This community forum is not intended for actual support for paid-for scripts, only for general questions.
https://support.waytotheweb.com/index.php
Re: CXS Sending multiple reports on full scan
My apologies. I thought the purpose of the community forum was for community support.