CXS doesn't prevent exploit uploading

kix
Junior Member
Posts: 1
Joined: 06 Aug 2014, 11:42

CXS doesn't prevent exploit uploading

Post by kix »

Hello.

My ModSecurity rule:

Code:

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi_DOT_sh" \
    "log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecTmpDir /tmp

/etc/cxs/cxscgi_DOT_sh:

Code:

/usr/sbin/cxs --quiet --cgi --mail root --delete --logfile /var/log/cxs_upload.log --virusscan "$1"

If I try to upload malicious code, I get this in /var/log/cxs_upload.log:

Code:

Aug  6 12:33:40 hostname cxs[705433]: IP:*.*.*.* User:nobody Web upload script:['/home/username/public_html/test.php'] - ClamAV detected virus = [PHP.Shell-86]

E-mail:

Code:

Scanning web upload script file...
Time                   : Wed Aug  6 12:29:57 2014 +0200
Web referer URL        : http://username.domain/test.php
Local IP               : *.*.*.*
Web upload script user : nobody (99)
Web upload script owner: username (502)
Web upload script path : /home/username/public_html/test.php
Web upload script URL  : http://username.domain/test.php
Remote IP              : *.*.*.*
Deleted                : Yes
Quarantined            : No


----------- SCAN REPORT -----------
TimeStamp: Wed Aug  6 12:29:57 2014
(/usr/sbin/cxs --nobayes --cgi --clamdsock /var/clamd --defapache nobody --delete --doptions Mv --exploitscan --nofallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs_upload.log --mail root --options mMhDR --qoptions Mv --quiet --sizemax 500000 --summary --sversionscan --timemax 30 --virusscan --xtra /etc/cxs/cxs.xtra /tmp/20140806-122957-U@IDpcOiGFgACnQj9TYAAAA1-file-b49KQv)

# ClamAV detected virus = [PHP.Shell-86]:
'/tmp/20140806-122957-U@IDpcOiGFgACnQj9TYAAAA1-file-b49KQv'

But the file is successfully uploaded to the user directory. Any suggestions?

I'm using cloudlinux + cPanel.
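
Added example, not part of the original post and not cxs code: a local check of the verdict that an @inspectFile approver script, like the one in the rule above, hands back to ModSecurity for a given file. The function names (inspect_verdict, check_approver, stub_approver, selftest) and the marker string are hypothetical, and the stand-in scanner and sample files are constructed for the demonstration.

```sh
#!/bin/sh
# Added example; not cxs code. All function names here are hypothetical.

# Classify an approver script's stdout the way ModSecurity's @inspectFile
# does: first character "1" means clean (the rule does not match), any other
# output is a match (the rule's "deny" applies), and no output at all is an
# execution failure rather than a verdict.
inspect_verdict() {
    case "$1" in
        "") echo "ERROR" ;;
        1*) echo "CLEAN" ;;
        *)  echo "MATCH" ;;
    esac
}

# Call the approver as the rule does (file path as the only argument) and
# print the verdict derived from the first line it writes to stdout.
check_approver() {
    approver=$1
    target=$2
    output=$("$approver" "$target" 2>/dev/null | head -n 1)
    inspect_verdict "$output"
}

# Constructed stand-in for a scanner: flags files containing a marker string.
stub_approver() {
    if grep -q 'CONSTRUCTED-TEST-MARKER' "$1"; then
        echo "0 marker found in $1"
    else
        echo "1 OK"
    fi
}

# Exercise both outcomes on constructed sample files; prints "CLEAN MATCH".
selftest() {
    dir=$(mktemp -d) || return 1
    printf 'plain text\n' > "$dir/clean.txt"
    printf 'x CONSTRUCTED-TEST-MARKER x\n' > "$dir/flagged.txt"
    clean=$(check_approver stub_approver "$dir/clean.txt")
    flagged=$(check_approver stub_approver "$dir/flagged.txt")
    rm -rf "$dir"
    echo "$clean $flagged"
}
```

check_approver also accepts the path of a real approver script in place of stub_approver. The script in the post passes --delete to cxs, so point it at a disposable copy of the test file.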
Sarah
Moderator
Posts: 934
Joined: 09 Dec 2006, 22:49

Re: CXS doesn't prevent exploit uploading

Post by Sarah »

Please submit a ticket on the helpdesk for any problems with cxs. This community forum is not intended for actual support for paid-for scripts, only for general questions.

https://support.waytotheweb.com/index.php
azednet
Junior Member
Posts: 9
Joined: 31 Jan 2014, 18:23

Re: CXS doesn't prevent exploit uploading

Post by azednet »

Execute this line in ssh:

service pure-uploadscript restart