Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Fixed a SECURITY BUG in Quarantine file restore which could result in root privilege escalation. The destination restore file must now not exist before restoring will work. Our thanks to Jeff Petersen for reporting this issue.
All cxs users should upgrade to this release immediately
Further SECURITY improvements to Quarantine functionality
After some extensive testing we've discovered a feature in ModSecurity where a cxs scan can report a seemingly non-existent script on a server which is being exploited.
The symptoms:
Web upload script user: nobody (99)
Web upload script owner: ()
Web upload script: /home/user/public_html/store/admin
Remote IP: 1.2.3.4
Deleted: No
Quarantined: No
To enable file upload scanning for web scripts, ModSecurity needs to have the option SecRequestBodyAccess enabled (as explained in the install document).
This option configures whether request bodies will be buffered and processed by ModSecurity.
You will need to ensure that any other ModSecurity rules that you have have been correctly written to deal with POST_PAYLOADS. If they have not, then...
When you run cxs you will invariably encounter false-positives that trigger one or more of the scanning options.
We do not recommend that you simply stop using the option that triggers, rather it would be better to simply ignore the false-positive files using an ignore file as per the documentation.
The best way to generate the ignore file is to create it first, e.g.:
touch...
Hello!
I'm having some problems with an invasion on a few WHM accounts; CXS is able to locate just a small portion of them and put them in quarantine.
We're also scanning with Imunify and removing the files and injections manually.
Is there some way for me to make CXS more effective? I've just been running a few custom commands on the accounts and cleaning based on the report.
Just wondering if there is an upgrade or a plan to upgrade for the new ModSec v3 system?
Currently I get errors if the vendor addon is enabled...
Error: API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 35 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Rules...
I saw your post regarding blocking suspicious PHP files, but I have questions regarding this...
I receive batch of emails like this from time to time:
Scanning web upload script file... Time : Wed, 21 Dec 2022 13:36:03 -0500 Web referer URL : www.google.com Local IP : 192.XXX.XXX.XXX Web upload script user : mywebsite
(1008) Web upload script owner: mywebsite (1008) Web upload script...
I'm regularly getting an email from cxs Scan saying it is scanning a file, but then Clamd gives an error saying there's a File path check failure: No such file or directory. ERROR
CXS is reporting some false positives on some directory names and cached files. These are re-created every 15 minutes when the cache is and I'd like to ignore all the files and directories within certain folders of every user's directory. I suspect I will need a regex way of doing this, but I'm not sure how this works with CXS as I can't find any good examples.
The docs are not very clear about this. Does it add one IP for each list it finds it in, or once for all lists?
There is a big difference because one IP can be in multiple lists. My question is if CSF considers the unique IP before it adds to the block list or just reads all the block lists and adds duplicates.
I have a spammer accessing my server via an outside source. But that's really not the problem at the moment.
Some clients can't access their website.
Some get a 403 Permission Denied
You do not have permission for this request /wp-admin/post.php
when editing a page
I just got CXS and ran a full scan and got back hundreds of emails for vipercache directory
----------- SCAN REPORT -----------...
Hi,
Sorry for the question, I am not an expert in cxs. I have a lot of alerts from cxs from different accounts.
example:
Scanning web upload script file...
Time : Wed, 18 May 2022 12:48:55 +0200
Web referer URL : www.google.com
Local IP : 51.255.xx.xx
Web upload script user : nobody (99)
Web upload script owner: xxxx(1017)
Web upload script path : /home/xxxx/public_html/wp-admin/admin-ajax.php
Web upload...