Search found 56 matches

by sneader
28 Sep 2015, 13:20
Forum: General Discussion (csf)
Topic: Best way to whitelist cpdavd?
Replies: 5
Views: 5397

Best way to whitelist cpdavd?

I currently have the default cpdavd whitelist rule in place, but it's not working:
exe:/usr/local/cpanel/cpdavd
Here is the alert I am receiving:
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits): cpdavd - authenticated as someuser
Can someone suggest th...
by sneader
13 May 2015, 15:03
Forum: Suggestions (csf)
Topic: Better way to handle LFD Email Alerts
Replies: 1
Views: 6422

Better way to handle LFD Email Alerts

Starting yesterday, all of our cPanel servers are getting hit with a massive amount of SMTP Authentication failures, from distributed IP addresses. Yesterday alone, we are seeing over 8000 different unique IPs involved in these distributed attacks. The flood of LFD emails caused us some email issues...
by sneader
12 Apr 2015, 22:50
Forum: General Discussion (cxs)
Topic: Make Weekly scan only report on problems (shorter report)?
Replies: 4
Views: 4818

Re: Make Weekly scan only report on problems (shorter report)?

Super! I will give it a try. THANK YOU very much!!

- Scott
by sneader
12 Apr 2015, 18:34
Forum: General Discussion (cxs)
Topic: Make Weekly scan only report on problems (shorter report)?
Replies: 4
Views: 4818

Re: Make Weekly scan only report on problems (shorter report)?

Thanks for the quick help!! Here is our current weekly cron:
/usr/sbin/cxs --report /root/scan.log --www --mail root --virusscan --voptions fmMhexT --quarantine /home/quarantine --qoptions Mv --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRP --all
The docs state for --[no]summary: If you want to...
by sneader
12 Apr 2015, 18:11
Forum: General Discussion (cxs)
Topic: Make Weekly scan only report on problems (shorter report)?
Replies: 4
Views: 4818

Make Weekly scan only report on problems (shorter report)?

With a few hundred accounts on the server, the weekly scan report from CXS is gigantic and difficult to read. In fact, in Gmail, only about 1/4 of the report is displayed (the rest is truncated). Much of the report shows accounts that have had no suspicious files or any matches of any kind. i.e. the...
by sneader
10 Apr 2015, 17:53
Forum: General Discussion (cxs)
Topic: What does TimeStamp mean on the scan reports?
Replies: 7
Views: 6377

Re: What does TimeStamp mean on the scan reports?

Super! Thank you!! So, now, what will the TimeStamp indicate? The time that CXS actually scanned that particular file?

- Scott
by sneader
10 Apr 2015, 10:48
Forum: General Discussion (cxs)
Topic: What does TimeStamp mean on the scan reports?
Replies: 7
Views: 6377

Re: What does TimeStamp mean on the scan reports?

... is it possible that the Timestamp is when CXS Watch was started?
by sneader
10 Apr 2015, 10:48
Forum: General Discussion (cxs)
Topic: What does TimeStamp mean on the scan reports?
Replies: 7
Views: 6377

Re: What does TimeStamp mean on the scan reports?

Thanks for the quick reply. I seem to be missing a setting on the board to alert me by email when topics have activity. Anyway, back to the problem: Any ideas why these alerts would be sent 5-6 days after the "command was initiated"? I'm looking at the headers of the alerts, and it's not a...
by sneader
06 Apr 2015, 18:25
Forum: General Discussion (cxs)
Topic: What does TimeStamp mean on the scan reports?
Replies: 7
Views: 6377

What does TimeStamp mean on the scan reports?

At the top of our Scan Reports, it says (for example):
----------- SCAN REPORT -----------
TimeStamp: Wed Apr 1 03:38:56 2015
(/usr/sbin/cxs --allusers --nobayes --clamdsock /var/clamd --defapache nobody (snip)
The TimeStamp above is from April 1st, but the scan was just completed this afternoon (Apr...
by sneader
23 Jan 2015, 22:34
Forum: General Discussion (cxs)
Topic: How to ignore /tmp web upload script alerts
Replies: 3
Views: 7033

How to ignore /tmp web upload script alerts

We are seeing dozens of emails every day alerting us to files being uploaded to /tmp by web scripts, some of which do not even exist. I am guessing that the bad guys are POSTing blindly, and the files are uploaded to /tmp until they are finished uploading, then when the script doesn't exist or handl...