ConfigServer Community Forum

I think I got it to lower load a bit but now I'm noticing something strange with CXS watch:

This is CXS watch configuration:

/usr/sbin/cxs --Wstart --allusers --www --smtp -I /etc/cxs/cxs.ignore --options M --qoptions Mv --quarantine /cxs/scan/ --Wmaxchild 3 --nofallback --Wloglevel 0 --Wsleep 15 --filemax 0 --sizemax 200000 --Wrateignore 600

I'm noticing it is showing Script Version Checks in...

Upgrading cxs...

Upgrading cxs from v5.10 to 5.11...
Retrieving new cxs installer...
...100%

Unpacking new cxs package...

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
sh: line 0: cd: /usr/src/cxs: No such file or directory
sh: install,sh: No such file or directory
Tidying up...
...All done.
?????

I am getting what I am pretty sure is a false alarm since I added this. I can find nothing on the new signature in P0767. Help?

#Prevents showing indexes when there is no index.html etc
Options -Indexes

ServerSignature Off

Header append X-Frame-Options SAMEORIGIN

Hello, As of 2 days ago, I start receiving warning messages that CXS wasn't running. When I go to manually start the server I get this response:

Starting cxs watch...

Starting cxswatch daemon:Quantifier follows nothing in regex; marked by \ \.)?\s*((gzinflate|gzuncompress|gzdecode|stripslashes|urldecode)\s*\(*\s*)?(\@?(unserialize|str_rot13|base64_decode|strrev|gzinflate|gzuncompxyP#;'wt...

Can I have cxs run a custom script before reporting or acting on a possible threat, so that the script itself can rule out false-positives or take action?

I've been getting a lot of useful hits on social.png files being uploaded via ftp. These are potentially dangerous, as they could be from the CryptoPHP malware. However, a simple check using the file command can tell me whether it's PHP script...

Hi all,

We're receiving a lot of cxs Scan email alerts with the following kind of content:

Scanning web upload script file...
Time : Fri Oct 24 10:54:52 2014 -0300
Web referer URL : somedomain. com. br/wp-admin/admin-post.php?page=wysija_campaigns&action=themes
Local IP : X.X.X.X
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path :...

Hello, CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale.

I have several servers blacklisted because of one or two costumers having their websites hacked.

Does cps have or will have in a short short period any kind of tool for detecting and preventing this infection?

thks

Hi peeps,

I'll start asking a bit of patience from you. I'm a newbie to CXS and
rather a freshman when it comes to servers...

After being stung by hackers, we had our hosting provider install CXS on our server.

I've configured as much as I could however I keep on getting this email

*******************
/etc/cron.daily/cxsdaily sh:

Quarantine directory does not exist:
*******************...

Hi every day I get this alert:
cxswatch Scanning /home/vinaio/public_html/media/dojo/20140917:
# World writeable directory:
'/home/vinaio/public_html/media/dojo/20140917'

As dojo is a legitimate folder, I added it to the /etc/cxs/cxs.ignore list (dir:/home/vinaio/public_html/media/dojo/20140912) and then added this option to cxswatch:-I /etc/cxs/cxs.ignore
But I still get the same daily alert....

Known exploit = [PHP Defacement Exploit ]:

how to know more about the exploit and what does this code 0752 mean,

Thanks for the suggestions.

hello and first of all congraz for your great software!

today i noticed something strange in a account. the cxs scan returned the following

Scanning /home/xxxxxxx:
# Known exploit = [PHP REQUEST Exploit ]:
'/home/xxxxxxx/public_html/libraries/joomla/application/web/info.php'
# Known exploit = [PHP REQUEST Exploit ]:
'/home/xxxxxxx/public_html/libraries/joomla/filter/alias.php'
# Skipped - too...

Dears
is it acceptable to submit melecious scripts which has been used in my server (already has cxs) but did not discovered?
this is to add it in your database for future release
if there is any way to submit them, please let me know
Regards

hi
i am using cPanel with php 5.2.17
and cxs is working propebly
but when we update cxs to latest version we see this error when we scan a user

Scan Error [Unmatched [ in regex; marked by <-- HERE in m/<\?php error_reporting\(0\); ini_set\('display_errors', 0\);\@ini_set\('max_execution_time', 0 [ <-- HERE / at /usr/sbin/cxs line 232

how can i solve this problem ?
thanks

Hi,

We run CXS over all our fleet each week for a full scan, and one server sends dozens of messages towards the end of the scan which are all pretty much the same, only with the addition of an account of two extra having been scanned.

I did notice that this server runs the cxs update via a cron every morning which would make this occur right in the middle of the weekly full scan - could this...

Hello.

My modsecurity rule:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES @inspectFile /etc/cxs/cxscgi_DOT_sh \
log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'
SecTmpDir /tmp

/etc/cxs/cxscgi_DOT_sh:
/usr/sbin/cxs --quiet --cgi --mail root --delete --logfile /var/log/cxs_upload.log --virusscan $1

If I try to upload malicious code I get in /var/log/cxs_upload.log:
Aug 6...

I have installed cxs and added the lines :

SecRequestBodyAccess On
SecRule FILES_TMPNAMES “@inspectFile /etc/cxs/cxscgi_DOT_sh” \
“log,auditlog,deny,severity:2,id:’1010101′”

To the file /usr/local/apache/conf/modsec2.user.conf

Now every time I edit css template in joomla and press save I get :

Not Acceptable

An appropriate representation of the requested resource...

Hi,

I get the following exploit on a site:
# Known exploit = [PHP Exploit ]

How do I find out more about the exploit? I know that WordPress sites are affected by it and it's the first line of the file, but the various files look different.
What's the signature?
How can I grep for this particular exploit's footprint?
P0358 references the local bayes db I think, or is it a reference to an...

Hello,

How can i block file with this script:

Thank you

With every account that runs a wordpress blog on our server, I've been getting this, starting around July 2nd.

I thought it might be the wysija plugin that was recently reported to have a security bug, but all of the sites don't have the plugin this refers to.
Still, the IPs these come from are all from suspect countries, so it's not an accident.
Each cxs entry has a different IP listed as the...

I know all about the cxs.xtra file which adds signatures (sort of) to be detected by my installation of CXS, is there a place though to submit files to be added/analysed by ConfigServer to CXS.

I manage a bunch of servers and I come regularly accross files that are not detected by CXS and would love nothing more than to submit them so they are added to the scan engine.