Search found 22 matches

by sahostking
22 Feb 2021, 18:25
Forum: General Discussion (cxs)
Topic: STICKY rules for CXS.XTRA regs.
Replies: 69
Views: 69381

Re: STICKY rules for CXS.XTRA regs.

Noticed tons of files with kindex.php and windex.php and wikindex.php plus many more. Created a list and here are the md5sum and regex. Add and try out if you like.

# Added 22/02/2021
regall:quarantine:Pwnd By NekoBot!
md5sum:quarantine:e421e55e907fcbafe575c918214140b8
md5sum:quarantine:4355572862fb...
by sahostking
31 Jan 2021, 15:39
Forum: General Discussion (cxs)
Topic: Ignore wp-content/cache/wp-rocket/domain suspicious directory
Replies: 3
Views: 3579

Re: Ignore wp-content/cache/wp-rocket/domain suspicious directory

I think you add

hdir:*/wp-content/cache/

to cxs.ignore

I stand to be corrected. Test it if you like and see?
by sahostking
31 Jan 2021, 15:36
Forum: General Discussion (cxs)
Topic: How to override IP Reputation blocked IP
Replies: 1
Views: 73

Re: How to override IP Reputation blocked IP

I think we experienced a similar issue before using the CC_IGNORE feature where we would like a country and customers' IPs would still be blocked I think if they existed in those CXS lists.

I am not too sure if there is a way but hopefully someone has an idea how to do so.
by sahostking
31 Jan 2021, 15:28
Forum: General Discussion (csf)
Topic: wp-login.php ban : NCSA extended/combined log
Replies: 3
Views: 142

Re: wp-login.php ban : NCSA extended/combined log

I use the following on our cpanel servers. Not sure if it is the same for you but it definitely helps us and stops tons a day:

# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC...
by sahostking
14 Jan 2021, 13:51
Forum: General Discussion (cxs)
Topic: STICKY rules for CXS.XTRA regs.
Replies: 69
Views: 69381

Re: STICKY rules for CXS.XTRA regs.

Here are some MD5sum files we added yesterday. Mostly uploaded mailer scripts trying to spam from server but a few were also WordPress hacking scripts. The filenames were wpz-load.php, mindex.php, ROOT.php, and many weird Russian filenames I can't remember.

md5sum:quarantine:0b138d902d6aea94ff386a70...
by sahostking
12 Jan 2021, 19:44
Forum: General Discussion (csf)
Topic: Custom REGEX rules for CSF.
Replies: 60
Views: 87805

Re: Custom REGEX rules for CSF.

Today we had two servers blacklisted due to spam originating from contact us pages on Joomla websites that are not using captchas. Now informing customers to do so sometimes takes time and they don't even do it. So we decided to look into a way that will stop it from happening all servers without the...
by sahostking
05 Nov 2020, 05:02
Forum: General Discussion (csf)
Topic: (CSF) Check for IPs In RBLs ,not responding
Replies: 3
Views: 1835

Re: (CSF) Check for IPs In RBLs ,not responding

Did you guys figure it out yet? Think I have same problem.
by sahostking
11 May 2020, 06:15
Forum: General Discussion (cxs)
Topic: CXS Causing higher than usual server load
Replies: 1
Views: 3388

Re: CXS Causing higher than usual server load

I think CXSwatch is the culprit as it checks every file on the server when modified etc and new files.
So note also if your server has tons of files changing and it's not an SSD or CPU is too weak and cannot keep up then load will go up.

Look at that as well, just a tip.
by sahostking
11 May 2020, 06:13
Forum: General Discussion (cxs)
Topic: CXS and the cPanel Transfer Tool
Replies: 1
Views: 1914

Re: CXS and the cPanel Transfer Tool

Maybe check if you have cxs blocks enabled as it adds IP lists to CSF. In other words, check /etc/cxs/cxs.blocklists and comment all the lists. Restart CSF and retry. Alternatively, check for your server IPs in the list https://download.configserver.com/reputation/all.txt Note you can only download that...
by sahostking
11 May 2020, 06:10
Forum: General Discussion (cxs)
Topic: IP Reputation Poopulation
Replies: 2
Views: 1617

Re: IP Reputation Poopulation

I've had the same issue but we notice enabling the individual lists like LF_SMTP seems to block very nicely.
So we enabled the following:

CXS_LF_SSHD
CXS_LF_FTPD
CXS_LF_SMTPAUTH
CXS_LF_CXS

Works quite well for us at least and load has gone down A LOT.