False alarm - exploited .htaccess P0767

davert
Junior Member
Posts: 6
Joined: 13 Jan 2015, 19:45

False alarm - exploited .htaccess P0767

Post by davert »

I am getting what I am pretty sure is a false alarm since I added this. I can find nothing on the "new signature" in P0767. Help?

#Prevents showing indexes when there is no index.html etc
Options -Indexes

ServerSignature Off

<filesMatch "\.(php)$">
Header append X-Frame-Options SAMEORIGIN
</filesMatch>
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: False alarm - exploited .htaccess P0767

Post by ForumAdmin »

That should not match the fingerprint. Can you please submit the file using:

cxs --wttw --comment "False Positive" --force /path/to/file

and we will check it.
davert
Junior Member
Posts: 6
Joined: 13 Jan 2015, 19:45

Re: False alarm - exploited .htaccess P0767

Post by davert »

Thanks. There's more to the file so maybe something else set it off but given the timing of the signature list update, I think it's what I did…
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: False alarm - exploited .htaccess P0767

Post by ForumAdmin »

It's the image leeching stuff at the top of the file that is triggering it. We'll investigate the fingerprint, but for now you can whitelist the file in a cxs.ignore if you have one.
davert
Junior Member
Posts: 6
Joined: 13 Jan 2015, 19:45

Re: False alarm - exploited .htaccess P0767

Post by davert »

Thanks. I was going to ask you about that -- I have another file that I am trying to whitelist and it's not accepting it. Can't figure out if it's permissions or the format…

file:/home/user/public_html/directory/cl86f.dat
Also tried file:cl86f.dat

the cxs.ignore file doesn't have example syntax.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: False alarm - exploited .htaccess P0767

Post by ForumAdmin »

1. Ensure that you have --ignore /etc/cxs/cxs.ignore on your cxs command line or listed correctly in /etc/cxs/cxs.defaults

2. A sample file with examples should be in /etc/cxs/cxs.ignore.example

3. If using cxs Watch, try restarting it

The format you used as:
file:/home/user/public_html/directory/cl86f.dat

We've now redeveloped the regex. If you do the following it should no longer detect it:

rm -f /etc/cxs/new.fp
cxs -U
davert
Junior Member
Posts: 6
Joined: 13 Jan 2015, 19:45

Re: False alarm - exploited .htaccess P0767

Post by davert »

Thank you! I will make sure the ignore file is listed. There aren't actually any examples in the ignore.example file (which is what I'm using)… but you think that format should work? I'll try restarting Watch. Thanks again for the unexpectedly good support.
davert
Junior Member
Posts: 6
Joined: 13 Jan 2015, 19:45

Re: False alarm - exploited .htaccess P0767

Post by davert »

Yup, that did it! Thanks again!