Changing CXS Options seems to have no effect

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Changing CXS Options seems to have no effect

Post by sneader »

I am using cxs v4.14. I am editing the cxs Watch configuration via the WHM plug-in, under "Configure cxs Watch".

In that file, it shows my options as: --options mMOLfSGchednWDZR

After saving, I am clicking "Restart cxs Watch".

When I receive a cxs Scan alert email, it shows in the "SCAN REPORT" my options as: --options mMOLfSGchexdnwZDRu

As you can see, they do not match.

What am I doing wrong? Any tips appreciated!

- Scott
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Changing CXS Options seems to have no effect

Post by ForumAdmin »

I am unable to recreate a problem. Are you sure that the email you received was not from the ModSecurity cxs hook which uses /etc/cxs/cxscgi.sh rather than /etc/cxs/cxswatch.sh and so will need to be modified in a similar way?
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: Changing CXS Options seems to have no effect

Post by sneader »

I admit I am not familiar with the ModSecurity cxs hook, so I need to do some reading. My /etc/cxs/cxscgi.sh reads:

/usr/sbin/cxs --quiet --cgi --smtp -Q /home/quarantine --qoptions Mv --mail root "$1"
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: Changing CXS Options seems to have no effect

Post by sneader »

Looking in /var/log/cxswatch.log, I can see where I restarted cxs watch, and I can see it's using the correct options (W instead of w, and x removed):

Jan 21 09:31:09 hostname cxswatch[695673]: TERM
Jan 21 09:31:09 hostname cxswatch[695673]: daemon stopped
Jan 21 09:31:09 hostname cxswatch[425017]: Startup...
Jan 21 09:31:09 hostname cxswatch[425017]: (/usr/sbin/cxs --allusers --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --fallback --filemax 0 --ignore --mail root --options mMOLfSGchednWDZR --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan --Wloglevel 0 --Wmaxchild 3 --Wrateignore 1800 --Wrefresh 7 --Wsleep 3 --Wstart --www)
Jan 21 09:31:09 www14 cxswatch[425017]: Starting 3 children...
(snip)

Here is an alert email I received a couple of hours later (you can see the scan options it used below):

Scanning web upload script file...
Time : Tue Jan 21 11:17:55 2014 -0600
Web referer URL : http://example.com/tiki-upload_file.php?galleryId=29
Local IP : 1.2.3.4
Web upload script user : nobody (99)
Web upload script owner: username (523)
Web upload script path : /home/username/public_html/dirname/tw120/tiki-upload_file.php
Web upload script URL : http://example.com/tiki-upload_file.php
Remote IP : 4.3.2.1
Deleted : No
Quarantined : No


----------- SCAN REPORT -----------
TimeStamp: Tue Jan 21 11:17:53 2014
(/usr/sbin/cxs --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --fallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20140121-111658-Ut6rijIcCEwAB6KjmSEAAAAn-file-LCaWNm)

# MS Windows Binary/Executable [application/x-winexec]:
'/tmp/20140121-111658-Ut6rijIcCEwAB6KjmSEAAAAn-file-LCaWNm'
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Changing CXS Options seems to have no effect

Post by ForumAdmin »

"Scanning web upload script file" means it's the ModSecurity hook that picked it up, not cxs Watch, which is why you're seeing the discrepancy. If you add --options mMOLfSGchednWDZR to your cxscgi.sh script it should then act as you expect.
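A small check for the situation above, written for this thread and not part of cxs or the ConfigServer scripts: it pulls the --options value out of each launcher script, reports when cxs Watch and the ModSecurity hook disagree, and sets the hook to the same option string. The function names are my own; the paths /etc/cxs/cxswatch.sh and /etc/cxs/cxscgi.sh are the ones named in the thread, and the sample files it writes are constructed from the command lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or the cxs product): compare the
# --options string used by cxs Watch with the one the ModSecurity hook
# script uses, and bring the hook into line.

# Print the value that follows --options in a file; "none" if the file
# has no --options flag (the scan then runs with cxs's own defaults).
cxs_options_of() {
    sed -n 's/.*--options \([^ ]*\).*/\1/p' "$1" | head -n 1 | grep . || echo none
}

# Return 0 when both files carry the same --options value, 1 otherwise.
cxs_options_match() {
    a=$(cxs_options_of "$1"); b=$(cxs_options_of "$2")
    if [ "$a" = "$b" ]; then
        echo "OK: $1 and $2 both use --options $a"
        return 0
    fi
    echo "MISMATCH: $1 uses --options $a but $2 uses --options $b"
    return 1
}

# Set --options in a hook script: replace an existing value, or insert the
# flag just before the trailing "$1" (the uploaded file) when it is absent.
set_cxs_options() {
    sed -e "/--options /s/--options [^ ]*/--options $2/" \
        -e "/--options /!s/ \"\$1\"\$/ --options $2 \"\$1\"/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed stand-ins for the two scripts, trimmed from the thread above.
make_samples() {
    cat > "$1/cxswatch.sh" <<'EOF'
/usr/sbin/cxs --allusers --mail root --options mMOLfSGchednWDZR --qoptions Mv --quarantine /home/quarantine --quiet --www
EOF
    cat > "$1/cxscgi.sh" <<'EOF'
/usr/sbin/cxs --quiet --cgi --smtp -Q /home/quarantine --qoptions Mv --mail root "$1"
EOF
}

# Demo on the samples; real use points at /etc/cxs/cxswatch.sh and cxscgi.sh.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    cxs_options_match "$d/cxswatch.sh" "$d/cxscgi.sh" \
        || set_cxs_options "$d/cxscgi.sh" "$(cxs_options_of "$d/cxswatch.sh")"
    cxs_options_match "$d/cxswatch.sh" "$d/cxscgi.sh"
}
demo
```

Run it against the live scripts after every "Restart cxs Watch" so the option string in the next alert email matches what the WHM plug-in shows.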
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: Changing CXS Options seems to have no effect

Post by sneader »

You are awesome, thanks!! It would have taken me a long time to sort this out!!

- Scott