
How to quarantine hidden scripts

Posted: 28 Apr 2013, 04:51
by jbourque
Can you tell me how to automatically quarantine these types of files?

----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --clamdsock /tmp/clamd --deep --doptions Mv --exploitscan --filemax 0 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --timemax 30 --virusscan --voptions hx --Wloglevel 0 --Wmaxchild 3 --Wrateignore 300 --Wrefresh 7 --Wsleep 3 --Wstart --Wsymlink /etc/cxs/symlinkdisable.example.pl --Wsymlinkmax 5 --Wsymlinksec 300 --www)

cxswatch Scanning /home/slysaor/public_html/images/xxu.php:
# Suspicious image file (hidden script file):
'/home/user/public_html/images/xxu.php'

I have a lot of files I'm seeing like this, and they are all remote access scripts that give full control of the site.

Re: How to quarantine hidden scripts

Posted: 29 Apr 2013, 07:55
by Sergio
There are a few different ways to do this:
- If all have the same file name you can add the following command to your cxs.xtra file:
file:xxu.php
- If you have a piece of code or script, you can use the following command in your cxs.xtra file:
regphp:[a piece of code written in regex notation]

Sergio

Re: How to quarantine hidden scripts

Posted: 03 May 2013, 14:44
by jbourque
Sergio,

Thanks for the reply. I added it as you suggested, which seemed to work initially: all those files were found. However, this morning they are all back, and all cxs is doing is warning about suspicious files instead of quarantining them, which is very strange.

This is what I have in the xtra file

file:xxu.php
file:w8893628n.php
file:x.php
file:w8073339n.php
regphp:GIF89a u
regphp:GIF89a1

Thoughts?

Thanks in advance,
Joe
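The "hidden script file" check from the scan report at the top of the thread, written out as an added Python example (this is not cxs code and not from anyone in this thread): it flags files that start with an image header but also contain a PHP open tag, which is what the regphp:GIF89a lines in Joe's xtra file are trying to catch, and moves matches into a quarantine directory the way the --quarantine option does. The magic-byte list, the demo() sample tree and its file contents are constructed for the example.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Magic bytes of common image formats (constructed list for this example).
IMAGE_MAGIC = (b"GIF89a", b"GIF87a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
# PHP open tags that never belong inside a genuine image file.
PHP_TAG = re.compile(rb"<\?php\b|<\?=|<script\s+language\s*=\s*[\"']?php", re.I)


def is_hidden_script(data: bytes) -> bool:
    """True when data starts with an image header but also carries a PHP tag."""
    return data.startswith(IMAGE_MAGIC) and PHP_TAG.search(data) is not None


def quarantine_hidden_scripts(root: Path, quarantine: Path) -> list:
    """Scan root recursively, move every match under quarantine, return relative paths."""
    moved = []
    for path in sorted(root.rglob("*")):          # materialise the listing before moving files
        if path.is_symlink() or not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(500_000)                # same bound as --sizemax 500000 in the thread
        if is_hidden_script(head):
            rel = path.relative_to(root)
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))     # keep the original tree layout under quarantine
            moved.append(str(rel))
    return moved


def demo() -> list:
    """Run the scan over a constructed sample tree in a temporary directory."""
    base = Path(tempfile.mkdtemp())
    www, quar = base / "public_html", base / "quarantine"
    (www / "images").mkdir(parents=True)
    samples = {  # constructed files: two disguised scripts, one real GIF, one normal PHP file
        "images/xxu.php": b"GIF89a\x01\x00\x01\x00<?php echo 'hidden'; ?>",
        "images/w8073339n.php": b"\xff\xd8\xff\xe0\x00\x10JFIF<?= 'hidden' ?>",
        "images/logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00;",
        "index.php": b"<?php echo 'home'; ?>",
    }
    for name, content in samples.items():
        (www / name).write_bytes(content)
    return quarantine_hidden_scripts(www, quar)


if __name__ == "__main__":
    print(demo())  # ['images/w8073339n.php', 'images/xxu.php']
```

A plain PHP file such as index.php is deliberately left alone here: the check only fires on the image-header-plus-PHP combination, so it complements rather than replaces cxs's other signatures.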

Re: How to quarantine hidden scripts

Posted: 03 May 2013, 15:04
by jbourque
So I think what I'm missing is that I did not add --xtra /etc/cxs/cxs.xtra to the cxs watch file. Testing it now.

Re: How to quarantine hidden scripts

Posted: 08 May 2013, 08:17
by serseroo
Thanks for this. I really can learn a lot here.