Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Fixed a SECURITY BUG in Quarantine file restore which could result in root privilege escalation. The destination restore file must now not exist before restoring will work. Our thanks to Jeff Petersen for reporting this issue.
All cxs users should upgrade to this release immediately.
Further SECURITY improvements to Quarantine functionality
After some extensive testing we've discovered a feature in ModSecurity where a cxs scan can report a seemingly non-existent script on a server which is being exploited.
The symptoms:
Web upload script user: nobody (99)
Web upload script owner: ()
Web upload script: /home/user/public_html/store/admin
Remote IP: 1.2.3.4
Deleted: No
Quarantined: No
To enable file upload scanning for web scripts, ModSecurity needs to have the option SecRequestBodyAccess enabled (as explained in the install document).
This option configures whether request bodies will be buffered and processed by ModSecurity.
You will need to ensure that any other ModSecurity rules that you have have been correctly written to deal with POST_PAYLOADS. If they have not, then...
When you run cxs you will invariably encounter false-positives that trigger one or more of the scanning options.
We do not recommend that you simply stop using the option that triggers; rather, it would be better to simply ignore the false-positive files using an ignore file as per the documentation.
The best way to generate the ignore file is to create it first, e.g.:
touch...
Hi,
Sorry for the question, I am not an expert in cxs. I have a lot of alerts from cxs from different accounts.
example:
Scanning web upload script file...
Time : Wed, 18 May 2022 12:48:55 +0200
Web referer URL : www.google.com
Local IP : 51.255.xx.xx
Web upload script user : nobody (99)
Web upload script owner: xxxx(1017)
Web upload script path : /home/xxxx/public_html/wp-admin/admin-ajax.php
Web upload...
1) How do I check that CXS does not delete or block infected files from websites found in the daily/weekly scan? I want to be alerted by email, but not that the files are deleted or quarantined.
2) Can I perform a manual scan when I want for ALL the sites? The same question, but applied to the scan for ONE domain?
Hello, I'm new to the forum.
I would like to add the fingerprint md5 to the files reported in the emails. I don't understand which file I need to modify and which option should be added.
I would like to do this to be able to easily add the md5 of the files to the cxs whitelist.
thanks
I recently switched to Imunify360 on my server in favour of Clamd. I removed ClamAV as 2 virus scanners are not necessary. Now CXS cannot perform a virus scan since ClamAV is removed.
Not a big problem of course, as virus scanning has been taken over by Imunify360, but it would be great if CXS could hook into the new scanner.
Hello guys, I have been having problems with clamd, which is taking the processing from my host so that everything is inoperative, and I see that when CXS runs the daily Clamd script it crashes everything. Has someone here already been through this and managed to solve this problem? I tried to configure up to the CPU limit in Clamd's own settings and today I had another crash. I do not know...
I've set a weekly scan on my cPanel server with CXS. At this time, the log is stored at /var/log/cxsreports/cxs.scan . As I see, this file is erased after each new scan.
Is there a way to set a new logfile per scan (such as /var/log/cxsreports/cxs-20210517.scan )?
I have the following question on how the IP Reputation files (all.txt, etc.) get populated.
If an IP address triggers a BLOCK on one of my servers, does this automatically get reported to CXS? The reason I am asking: if a user enters their password wrong and gets blocked on our server, does CSF report that to the IP Reputation repository?
If it does report it, then if I unblock the IP address...
I've been struggling with this for a while now. I have WordPress sites where everything is up to date, but attackers are still able to upload files to the server. One such person has been trying to upload a backdoor since 1am in the morning. I can see 5 files with the same name quarantined.
Is it possible to identify how these files were uploaded?
We have a lot of wp-content/cache/wp-rocket/www.mydomain.tld advisories, which are normal because we install wp-rocket on our hostings.
The problem is that I want to ignore the Suspicious directory email, but if an exploit appears in wp-content/cache/wp-rocket/www.mydomain.tld/exploit.php, it should also be detected.