Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Scanning web upload script file...
Time : Mon, 16 Sep 2019 15:23:48 -0500
Web referer URL :
Local IP : 162.241.XXX.XXX
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/FOLDERNAME/public_html/wp-content
Web upload script URL : http://WEBSITENAME/wp-content/themes/village/blueprint/gallery/ajaxupload/server/php.php
Remote IP : 202.104.9.163
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20190916-152347-XX-vU4N7HH4hibQ5LzkRxwAAAUI-file-7uQGzx.1568665428_1]
NOTE: [/home/FOLDERNAME/public_html/wp-content] does not exist on this server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data
I did check the File Manager and there is NO /public_html/wp-content folder. So someone attempted to access a non-existent folder. Is there a way I can stop the sending of any warnings for the '/wp-content/', '/wp-includes/' and '/wp-admin/' folders, as well as any files in the root matching the 'wp*.php' wildcard? I run a Joomla shop and NONE of the websites on my server has 'any' WordPress installs.
See the option "--cutcgimail" in the cxs documentation. In the cxscgi Configuration Wizard it is listed as "Reduce the number of emails from ModSecurity hits".
Seeing that these requests often come from exploit scanners, is there a way to instantly delete the uploaded file and add the offending Remote IP address to the blocklist, instead of wasting precious server resources analyzing a file that has no business on the server and won't be processed further anyway?
This has become a big hassle on our server thanks to the wp-file-manager exploit going around now. Never mind that it doesn't exist on our server; we are getting hundreds of hits to it each day. CXS quarantines the offensive non-uploaded file into /home/whatever-username/.quarantine/ and then cPanel's new virus scanning hits on it, listing it as a problem. I wish there was a way to just delete the results of these hits instead of quarantining them. Also, I don't know why the quarantine is under the user's folder instead of the /home/quarantine/ folder that is specified.