ConfigServer Community Forum

Hope someone can clarify something.

I understand about the false-positives (when the file doesn't exist), but I get a lot of e-mails having to do with viruses or fingerprints referring to files like:

or

These files get quarantined, but does that mean these wordpress files are exploitable and hackers are actually uploading files?

Or does this mean that someone did an apache POST and the...

I would like to know if by default cxs will run server-wide scan automatically (either by cronjob or other way?)
If yes, how to disable it?
Also I would like to know the command to scan one home dir only. Let say I want to scan /home/test/
What command I should run?

Many thanks in advance.

regards,
H

CXS service is not running.

I have cxs installed in our server. It is starting but the status is showing as

====
root@server # service cxswatch status
Status of cxswatch daemon: Stopped
====

====
root@server # ps aux | grep cxs
root 10255 0.0 0.0 105368 904 pts/0 S+ 19:07 0:00 grep cxs
root 1044139 0.7 0.1 251840 59448 ? Ds 18:55 0:05 cxswatch starting...
root 1044157 0.0 0.1 226764 33280 ? S...

Hello
i found a file it have this code

#!/bin/sh
#
# This file is part of the phpseclib project.
#
# (c) Andreas Fischer
#
# For the full copyright and license information, please view the LICENSE
# file that was distributed with this source code.
#
set -e
set -x

USERNAME='phpseclib'
PASSWORD='EePoov8po1aethu2kied1ne0'

# Create phpseclib user and home directory
sudo useradd --create-home...

Hi Guys,
Examples I'm trying to match (last 5 chars random):
/tmp/.xcloner-10d02
/tmp/.xcloner-a714a
/tmp/.xcloner-f6e8e

My cxs.ignore rule:
pdir:^\/tmp\/\.xcloner- +$

Still getting notified. Yes, I've restarted cxs Watch. Please help - thanks :)

Hi guys:
Which are step to migrate csx from old server to new server, putting config from old cxs in new cxs server, but diferent ip??
Regards.

After enabling IP reputation integration, I had multiple occasions of cpanel monitoriog reporting lfd failures and subsequent restarts on 2 servers. From lfd.log I was able to determine that the URI::Escape module was not installed. I manually installed that and thought the lfd stops and starts would be corrected. Alas I am now seeing FASTART errors that seem to coincide with the failures. I...

Hi,

Sorry new to CSX so be gentle :-)

I have the following report, is this a real or a false positive?

Thanks
/daveb

Scanning web upload script file...
Time : Tue, 19 Sep 2017 08:42:25 +1000
Web referer URL :
Local IP : 103.237.108.162
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/purecalm/public_html/wp-content
Web upload script URL :...

Searched and found this link.

After entering the command, I get a return to prompt with no output.

OS is CENTOS 6.8 standard v66.0.22

tried CSF -u got this

root@chaos # csf -u
Oops: Unable to download: Can't connect to download.configserver.com:443 (timeout)

Hello,
i have the latest version of CXS in cpanel.
Also i have some extra clamav rules from Atomicorp.
When i scan with clamscan -r -i /home/path/public_html
i can find some virus, for example Atomicorp.PHP.Malware.19.UNOFFICIAL FOUND
However when i scan with cxs, even if i enable all options for virus i find nothing.
For example:
/usr/sbin/cxs --report /var/log/cxs.scan --logfile...

I get people trolling I guess looking for scripts on the server to try to exploit.
I did change the username and domain name.
What I am wondering is how can I block and/or ban the IP address of the person after xx amount of hits?!?!

Scanning web upload script file...
Time : Mon, 4 Sep 2017 11:12:56 -0700
Web referer URL :
Local IP : 123.123.123.123
Web upload script user : nobody (99)
Web...

Hello,

I dont know how to report code not detected by CXS, so this is my contribution:

I found this today: a process running on my server, mining bitcoin or something like this.

The process:

The code I found on file:

So, this code download a binary and run on the server.

Hope CXS team can add this to be detected, because the CXS 6.39 (running as daemon cxswatch) dont detected today....

Current Version: ConfigServer eXploit Scanner - cxs v6.35
Running in Unrestricted Mode

Trying to upgrade to v6.38 and i get the following error:

Upgrading cxs...

Upgrading cxs from v6.35 to 6.38...
Retrieving new cxs installer...
...100%

Unpacking new cxs package...

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
sh: line 0: cd:...

Hello Chirpy!

The root email address is receiving cxs scan emails fine which is excellent. How can one configured CXS to send an email to the script owner's email address as well notifying of the quarantined file?

Thank you.

CXS was installed without any problems. CPanel den ConfigServer Clicking Exploit Scanner gives an error. We have updated Cpanel. I restarted the services and it did not work. I'm waiting for your help.

Error;

I want to know what all the symbols mean which the process indicator is showing.

I found the following list but it looks like too old because I cannot find s or $ in it:

m = regex pattern match
M = fingerprint match
v = virus
O = socket
L = symlink
f = suspicious file
F = skipped directory with too many entries
S = SUID file
G = GUID file
c = core dump file
C = core dump file...

hello

i buy 2 licens cxs and install on my server
but cxs detection this file as virus
easy-digital-downloads/includes/process-download.php

and i must ignore this file on all cpanel users.

It is very difficult

i use this coment
file:home/*/public_html/wp-content/plugins/easy-digital-downloads/includes/process-download.php

* =all user

but I did not get a positive result

palse help me for...

I've recently added quarantine form cxsftp and enabled the service, but it seems that any PHP script that gets uploaded I'm notified.

Scanning FTP file...
Time : Thu, 15 Jun 2017 14:10:32 -0300
FTP user : webmaster@*******.***
FTP file : /home/*******/public_html/*******/page.php
FTP owner : ******* (882)
FTP file md5sum : *******
Remote IP : *******
Blocked : No
Deleted : No
Quarantined : No...

I keep getting this error when trying to start the daemon.. I have tried all the fixes on the net and in here.. but I still cant get that value to change.. I am using centos5...

Unable to start cxs Watch daemon: /proc/sys/fs/inotify/max_user_watches is set too low

I have tried changing the value via fs.inotify.max_user_watches = 65536 but I still get the above error...

Anybody have an idea...

I keep getting false positive for (cxswatch Scanning /home/user/public_html/wp-content/cache/supercache/www.userdomain.com).

I have already put (hdir:/public_html/wp-content/cache/supercache) in cxs.ignore and restarted the service.

I still keep seeing many email regarding the same false positive any help would be great.