How to quarantine hidden scripts

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
jbourque
Junior Member
Posts: 28
Joined: 15 Aug 2008, 13:16

How to quarantine hidden scripts

Post by jbourque »

Can you tell me how to automatically quarantine these types of files

----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --clamdsock /tmp/clamd --deep --doptions Mv --exploitscan --filemax 0 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --timemax 30 --virusscan --voptions hx --Wloglevel 0 --Wmaxchild 3 --Wrateignore 300 --Wrefresh 7 --Wsleep 3 --Wstart --Wsymlink /etc/cxs/symlinkdisable.example.pl --Wsymlinkmax 5 --Wsymlinksec 300 --www)

cxswatch Scanning /home/slysaor/public_html/images/xxu.php:
# Suspicious image file (hidden script file):
'/home/user/public_html/images/xxu.php'

I have allot of files I'm seeing like this and they are all remote access scripts that gives full control to the site.
Sergio
Junior Member
Posts: 1714
Joined: 12 Dec 2006, 14:56

Re: How to quarantine hidden scripts

Post by Sergio »

There a few different ways to do this:
- If all have the same file name you can add the following command to your cxs.xtra file:
file:xxu.php
- If you have a piece of code of script, you can use the following command on you cxs.xtra file:
regphp:[a piece of code written in regex notation]

Sergio
jbourque
Junior Member
Posts: 28
Joined: 15 Aug 2008, 13:16

Re: How to quarantine hidden scripts

Post by jbourque »

Sergio,

Thanks for the reply I added it as you suggested which seemed to work initially all those files were found however this morning they are all back and all cxs is doing is warning about suspicious files instead of quarantining the files which is very strange.

This is what I have in the xtra file

file:xxu.php
file:w8893628n.php
file:x.php
file:w8073339n.php
regphp:GIF89a u
regphp:GIF89a1

Thoughts?

Thanks in advance,
Joe
jbourque
Junior Member
Posts: 28
Joined: 15 Aug 2008, 13:16

Re: How to quarantine hidden scripts

Post by jbourque »

So I think what I'm missing is that I did not add --xtra /etc/cxs/cxs.xtra to the cxs watch file testing it now.
serseroo
Junior Member
Posts: 1
Joined: 08 May 2013, 07:07
Location: Australia
Contact:

Re: How to quarantine hidden scripts

Post by serseroo »

Thanks for this. I really can learn a lot here.
Post Reply