Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Fixed a SECURITY BUG in Quarantine file restore which could result in root privilege escalation. The destination file must now not already exist for a restore to proceed. Our thanks to Jeff Petersen for reporting this issue.
All cxs users should upgrade to this release immediately
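The release note above does not say how the restore was exploited, only that the fix refuses to restore onto a path that already exists. The example below is an added illustration of why that check matters, not cxs code: a root process writing into a path an unprivileged user controls can be tricked, if the user pre-creates the destination as a symlink, into overwriting whatever the link points at. Creating the destination with O_CREAT|O_EXCL makes the "does it exist" check and the create one atomic step, so a link dropped in between cannot win the race. The file names, contents and the `naive_restore`/`safe_restore` helpers are constructed for the demonstration.

```python
"""Added example (not cxs's own code): restore from quarantine without
following a pre-planted destination.

The unsafe pattern copies straight onto the destination path; if that path
is already a symlink to a privileged file, a root process overwrites the
link's target. The safe pattern opens the destination with O_CREAT|O_EXCL,
which fails with EEXIST if anything at all (including a dangling symlink)
already occupies the path, so the existence check cannot be raced.
"""
import os
import shutil
import tempfile

# Constructed sample payload standing in for a quarantined upload.
QUARANTINED_CONTENT = b"<?php echo 1; ?>"
TARGET_ORIGINAL = b"original privileged content\n"


class RestoreRefused(Exception):
    """Raised when the destination is not a fresh, non-existent path."""


def naive_restore(quarantined: str, destination: str) -> None:
    """Unsafe: copyfile() opens `destination` for writing and follows
    whatever symlink is already sitting there."""
    shutil.copyfile(quarantined, destination)


def safe_restore(quarantined: str, destination: str) -> int:
    """Restore only if `destination` does not already exist.

    Returns the number of bytes written. Raises RestoreRefused if the path
    is occupied by anything, including a symlink to somewhere else.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    # O_NOFOLLOW is belt-and-braces where available; O_EXCL alone already
    # makes open() fail on an existing symlink regardless of its target.
    flags |= getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(destination, flags, 0o600)
    except FileExistsError as exc:
        raise RestoreRefused(
            f"refusing to restore over existing path {destination}"
        ) from exc
    written = 0
    try:
        with open(quarantined, "rb") as src:
            while chunk := src.read(65536):
                written += os.write(fd, chunk)
    finally:
        os.close(fd)
    return written


def demo() -> dict:
    """Run both restores against a planted symlink in a scratch directory.

    Returns a summary of what each restore did.
    """
    with tempfile.TemporaryDirectory() as tmp:
        quarantined = os.path.join(tmp, "quarantined.php")
        target = os.path.join(tmp, "privileged_target")   # what the link points at
        planted = os.path.join(tmp, "restore_here")       # attacker-created symlink
        fresh = os.path.join(tmp, "fresh_destination")    # nothing there yet

        with open(quarantined, "wb") as f:
            f.write(QUARANTINED_CONTENT)
        with open(target, "wb") as f:
            f.write(TARGET_ORIGINAL)
        os.symlink(target, planted)

        # 1. Naive restore follows the link and clobbers the target.
        naive_restore(quarantined, planted)
        with open(target, "rb") as f:
            naive_clobbered = f.read() == QUARANTINED_CONTENT

        # 2. Safe restore refuses the planted path...
        try:
            safe_restore(quarantined, planted)
            safe_refused = False
        except RestoreRefused:
            safe_refused = True

        # 3. ...but works for a path that does not exist yet.
        safe_fresh_bytes = safe_restore(quarantined, fresh)

        return {
            "naive_clobbered_target": naive_clobbered,
            "safe_refused_symlink": safe_refused,
            "safe_fresh_bytes": safe_fresh_bytes,
        }


if __name__ == "__main__":
    print(demo())
```

The same open-with-O_EXCL step is what lets a privileged restore satisfy "must not already exist" without a separate stat() check that an attacker could race; the refusal is the intended outcome whenever the path is occupied, and the operator then decides where the file should really go.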
Further SECURITY improvements to Quarantine functionality
After some extensive testing we've discovered a feature in ModSecurity where a cxs scan can report a seemingly non-existent script on a server which is being exploited.
The symptoms:
Web upload script user: nobody (99)
Web upload script owner: ()
Web upload script: /home/user/public_html/store/admin
Remote IP: 1.2.3.4
Deleted: No
Quarantined: No
To enable file upload scanning for web scripts, ModSecurity needs to have the option SecRequestBodyAccess enabled (as explained in the install document).
This option configures whether request bodies will be buffered and processed by ModSecurity.
You will need to ensure that any other ModSecurity rules you have are correctly written to deal with POST_PAYLOADS. If they have not been, then...
When you run cxs you will invariably encounter false positives that trigger one or more of the scanning options.
We do not recommend that you simply stop using the option that triggers; rather, it is better to ignore the false-positive files using an ignore file, as per the documentation.
The best way to generate the ignore file is to create it first, e.g.:
touch...
I've been struggling with this for a while now, I have wordpress sites where everything is up to date but attackers are still able to upload files to the server. One such person has been trying to upload a backdoor since 1am in the morning. I can see 5 files with the same name quarantined.
Is it possible to identify how these files were uploaded?
We get a lot of wp-content/cache/wp-rocket/www.mydomain.tld notices, which are normal because we install wp-rocket on our hosting.
The problem is that I want to ignore the Suspicious directory email, but if an exploit appears at wp-content/cache/wp-rocket/www.mydomain.tld/exploit.php, it should still be detected.
I have a client that suddenly could no longer send mail via SMTP through our server. I traced this to their IP being in the LF_SMTPAUTH.txt blocklist (in the CXS IP Reputation feature), which we have enabled.
I confirmed that the user had never had an SMTP failure with our server (further confirmed by trying to remove the IP via the cxs --Rremove command, which failed because our server was not...
Hi,
I have an exploit I cannot remove. I have updated the website and changed all passwords. I also tried to ban IPs, but cxs continues to report it to me. Fortunately it blocks it and sends it to quarantine. I want to remove it definitively if possible. This is a WP website.
Scan Status: Fingerprint
Scan Time: Tue Jan 19 10:01:00 2021
Scan Type: Web
Original File...
New here, I apologize if this has been asked before. Tried searching the CXS subforum but couldn't find a similar thread.
I'm new to CXS, just got it ~2 weeks ago. I seem to be experiencing an odd one. CXS doesn't seem to pick up malware files after the server has rebooted, it only starts detecting them when I click restart CXS Watch from the ConfigServer eXploit Scanner section.
You must install ClamAV (Clamavconnector on cPanel) or ensure clamd is running to use this product correctly
If the clamd socket is not automatically detected, and to clear this message, you must set clamdsock=/path/to/socket in /etc/cxs/cxs.defaults to the live socket location
Scanning web upload script file...
Time : Mon, 16 Sep 2019 15:23:48 -0500
Web referer URL :
Local IP : 162.241.XXX.XXX
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/FOLDERNAME/public_html/wp-content
Web upload script URL :
Remote IP : 202.104.9.163
Deleted : No
Quarantined : Yes
How on earth can autodiscover.cgi upload a web file?
Scanning web upload script file...
Time : Fri, 11 Sep 2020 19:30:11 +0100
Web referer URL :
Local IP : 127.0.0.1
Web upload script user : nobody (99)
Web upload script owner: root (0)
Web upload script path : /usr/local/cpanel/cgi-sys/autodiscover.cgi
Web upload script URL :
Remote IP :...
Hi there. This is my first post in this community.
I just got the very good cleanup service from Jacob performed on my server, and now I am getting 50+ emails per day about:
subject: cxs Scan on xxxx.mydomain..com (Hits:1) (Viruses:0) (Fingerprints:1)
I would like to either get a daily digest, or just suppress them. Is there any quick adjustment in the settings I can do?
I transferred a suspicious file via FTP and I get this email error:
# Clamd Error for : Undefined path for Socket::pack_sockaddr_un at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/5.30.0/x86_64-linux-64int/Socket.pm line 873.
Anyone had this issue ?
Server OS: CentOS 7
WHM Cpanel latest version v90.0.5