Some clients can't access their website.
Some get a 403 Permission Denied
You do not have permission for this request /wp-admin/post.php
when editing a page
I just got CXS and ran a full scan and got back hundreds of emails for the vipercache directory.
The next day the scan finished and I saw 403 errors and a client saying they can't get into their sites. I myself see it on my site.
----------- SCAN REPORT -----------
TimeStamp: Mon, 27 Jun 2022 17:15:01 -0400
(/usr/sbin/cxs --allusers --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 0 --noforce --html --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnZDRru --noprobability --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 1000000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --virusscan --vmrssmax 2000000 --Wloglevel 0 --Wmaxchild 3 --Wnotify inotify --Wrateignore 300 --Wrefresh 7 --Wsleep 3 --Wstart --www --xtra /etc/cxs/cxs.xtra)
cxswatch Scanning /home/kingXXXXXX/public_html/wp-content/uploads/vipercache/www.kingscountyXXXXXXXXX.com_launch-of-nine-chinese-amateur-radio-satellites-postponed-24-hours:
'/home/kingXXXXXX/public_html/wp-content/uploads/vipercache/www.kingscountyXXXXXXXXXXXXX.com_launch-of-nine-chinese-amateur-radio-satellites-postponed-24-hours'
# Suspicious directory
----------- SCAN SUMMARY -----------
Scanned directories: 1
Scanned files: 2
Ignored items: 0
Suspicious matches: 1
Viruses found: 0
Fingerprint matches: 0
Data scanned: 0.07 MB
Scan peak memory: 148676 kB
Scan time/item: 0.030 sec
Scan time: 0.091 sec
Should I uninstall CXS?
I have since put the vipercache directory in the ignore file and the emails have stopped.
How do I fix access to the server?
I don't think I was hacked, just a spammer from an outside source.
According to Spamhaus removals
Help, client is upset.
Thank you for contacting Spamhaus XBL Removals,
Please use https://translate.google.com/ for language, if needed.
A device (server, computer, mobile phone, etc), or an app on a device that is using 66.XX.XX.XXX is infected, insecure or compromised, and it is sending spam:
srcip: 66.XX.XX.XXX
Subject: Future Fusion Net Question
timestamp: 2022-06-16
Mitch