ConfigServer Community Forum

I am using cxs v 4.14. I am editing the cxs Watch configuration via the WHM plug-in, under "Configure cxs Watch"

In that file, it shows my options as: --options mMOLfSGchednWDZR

After saving, I am clicking "Restart cxs Watch".

When I receive a cxs Scan alert email, it shows in the "SCAN REPORT" my options as: --options mMOLfSGchexdnwZDRu

As you can see, they do not match.

What am I doing wrong? Any tips appreciated!

- Scott

I am unable to recreate a problem. Are you sure that the email you received was not from the ModSecurity cxs hook which uses /etc/cxs/cxscgi.sh rather than /etc/cxs/cxswatch.sh and so will need to be modified in a similar way?

I admit I am not familiar with the ModSecurity cxs hook, so I need to do some reading. My /etc/cxs/cxscgi.sh reads:

/usr/sbin/cxs --quiet --cgi --smtp -Q /home/quarantine --qoptions Mv --mail root "$1"

Looking in /var/log/cxswatch.log, I can see where I restarted cxs watch, and I can see it's using the correct options (W instead of w, and x removed):

Jan 21 09:31:09 hostname cxswatch[695673]: TERM
Jan 21 09:31:09 hostname cxswatch[695673]: daemon stopped
Jan 21 09:31:09 hostname cxswatch[425017]: Startup...
Jan 21 09:31:09 hostname cxswatch[425017]: (/usr/sbin/cxs --allusers --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --fallback --filemax 0 --ignore --mail root --options mMOLfSGchednWDZR --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan --Wloglevel 0 --Wmaxchild 3 --Wrateignore 1800 --Wrefresh 7 --Wsleep 3 --Wstart --www)
Jan 21 09:31:09 www14 cxswatch[425017]: Starting 3 children...
(snip)

Here is an alert email I received a couple hours later (you can see the scan options it used below)

Scanning web upload script file...
Time : Tue Jan 21 11:17:55 2014 -0600
Web referer URL : http://example.com/tiki-upload_file.php?galleryId=29
Local IP : 1.2.3.4
Web upload script user : nobody (99)
Web upload script owner: username (523)
Web upload script path : /home/username/public_html/dirname/tw120/tiki-upload_file.php
Web upload script URL : http://example.com/tiki-upload_file.php
Remote IP : 4.3.2.1
Deleted : No
Quarantined : No


----------- SCAN REPORT -----------
TimeStamp: Tue Jan 21 11:17:53 2014
(/usr/sbin/cxs --cgi --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --fallback --filemax 10000 --ignore /etc/cxs/cxs.ignore --mail root --options mMOLfSGchexdnwZDRu --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 500000 --smtp --summary --sversionscan --timemax 30 --virusscan /tmp/20140121-111658-Ut6rijIcCEwAB6KjmSEAAAAn-file-LCaWNm)

# MS Windows Binary/Executable [application/x-winexec]:
'/tmp/20140121-111658-Ut6rijIcCEwAB6KjmSEAAAAn-file-LCaWNm'

Scanning web upload script file

...means it's the ModSecurity hook that picked it up, not cxs Watch, which is why you're seeing the discrepancy. If you add --options mMOLfSGchednWDZR to your cxscgi.sh script it should then act as you expect.

You are awesome, thanks!! It would have taken me a long time to sort this out!!

- Scott