Can you tell me how to automatically quarantine these types of files?
----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --clamdsock /tmp/clamd --deep --doptions Mv --exploitscan --filemax 0 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --timemax 30 --virusscan --voptions hx --Wloglevel 0 --Wmaxchild 3 --Wrateignore 300 --Wrefresh 7 --Wsleep 3 --Wstart --Wsymlink /etc/cxs/symlinkdisable.example.pl --Wsymlinkmax 5 --Wsymlinksec 300 --www)
cxswatch Scanning /home/slysaor/public_html/images/xxu.php:
# Suspicious image file (hidden script file):
'/home/user/public_html/images/xxu.php'
I have a lot of files I'm seeing like this, and they are all remote access scripts that give full control of the site.
How to quarantine hidden scripts
Re: How to quarantine hidden scripts
There are a few different ways to do this:
- If all have the same file name you can add the following command to your cxs.xtra file:
file:xxu.php
- If you have a piece of code from the script, you can use the following command in your cxs.xtra file:
regphp:[a piece of code written in regex notation]
Sergio
Re: How to quarantine hidden scripts
Sergio,
Thanks for the reply. I added it as you suggested, which seemed to work initially; all those files were found. However, this morning they are all back, and all cxs is doing is warning about suspicious files instead of quarantining them, which is very strange.
This is what I have in the xtra file
file:xxu.php
file:w8893628n.php
file:x.php
file:w8073339n.php
regphp:GIF89a u
regphp:GIF89a1
Thoughts?
Thanks in advance,
Joe
Re: How to quarantine hidden scripts
So I think what I'm missing is that I did not add --xtra /etc/cxs/cxs.xtra to the cxs watch file; testing it now.
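To make the two rule types from this thread concrete, here is an added example that is not ConfigServer's code and not how cxs is implemented internally. It parses `file:` and `regphp:` lines in the cxs.xtra format shown above, walks a document root, and moves anything that matches into a quarantine directory while keeping the original relative path. The exact cxs matching semantics are an assumption here: a `file:` name is compared against the basename only, and a `regphp:` regex is only tested against files that end in `.php` or contain a `<?php` tag, since the GIF89a signatures in the thread only matter when PHP code sits behind the fake image header. The sample files in `demo()` are constructed for illustration.

```python
"""Added example: minimal stand-in for cxs.xtra 'file:' and 'regphp:' rules.
Not ConfigServer's code; matching semantics are an assumption."""
import os
import re
import shutil
import tempfile
from pathlib import Path

HEAD_BYTES = 65536  # only inspect the first 64 KiB of each file (assumption)


def load_rules(xtra_text):
    """Parse 'file:NAME' and 'regphp:REGEX' lines; other rule types are ignored."""
    names, regexes = set(), []
    for line in xtra_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("file:"):
            names.add(line[len("file:"):].strip())
        elif line.startswith("regphp:"):
            # Compile as bytes so binary headers such as GIF89a match directly.
            regexes.append(re.compile(line[len("regphp:"):].strip().encode()))
    return names, regexes


def classify(path, names, regexes):
    """Return the rule that flags this file, or None if it is clean."""
    if path.name in names:
        return "file:" + path.name
    head = path.read_bytes()[:HEAD_BYTES]
    # Treat as a PHP script if the extension says so or a PHP open tag is present.
    is_php = path.suffix.lower() == ".php" or b"<?php" in head
    if is_php:
        for rx in regexes:
            if rx.search(head):
                return "regphp:" + rx.pattern.decode()
    return None


def quarantine(docroot, qdir, xtra_text, dry_run=False):
    """Scan docroot and move matches to qdir, mirroring the relative path.

    Returns a list of (relative_path, reason) tuples for every hit."""
    names, regexes = load_rules(xtra_text)
    docroot, qdir = Path(docroot), Path(qdir)
    hits = []
    for p in docroot.rglob("*"):
        # Skip symlinks so a planted link cannot make us move files outside docroot.
        if p.is_symlink() or not p.is_file():
            continue
        reason = classify(p, names, regexes)
        if reason is None:
            continue
        rel = p.relative_to(docroot)
        if not dry_run:
            dest = qdir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(p), str(dest))
            os.chmod(dest, 0o000)  # quarantined copy is not executable or readable
        hits.append((rel.as_posix(), reason))
    return hits


def demo():
    """Build a throwaway document root with constructed samples and scan it."""
    root = Path(tempfile.mkdtemp())
    doc, q = root / "public_html", root / "quarantine"
    (doc / "images").mkdir(parents=True)
    # Constructed samples: two fake-image PHP files, one real GIF, one plain script.
    (doc / "images" / "xxu.php").write_bytes(b"GIF89a\x01\x00<?php echo 'constructed sample'; ?>")
    (doc / "images" / "zz.php").write_bytes(b"GIF89a1<?php echo 'constructed sample'; ?>")
    (doc / "images" / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00")
    (doc / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    rules = "file:xxu.php\nregphp:GIF89a1\n"  # same rule types as the thread's cxs.xtra
    hits = quarantine(doc, q, rules)
    quarantined = sorted(p.relative_to(q).as_posix() for p in q.rglob("*") if p.is_file())
    remaining = sorted(p.relative_to(doc).as_posix() for p in doc.rglob("*") if p.is_file())
    return sorted(h[0] for h in hits), quarantined, remaining


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Run with `dry_run=True` first to review what would be moved. Note that, as the thread concludes, cxs itself only reads cxs.xtra when the `--xtra /etc/cxs/cxs.xtra` option is present on the cxs command line (including the cxswatch one), so rules alone do not change what the real scanner does.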
Re: How to quarantine hidden scripts
Thanks for this. I really can learn a lot here.