ConfigServer Community Forum

Hello, for a couple of days I have been observing a lot of processes of the type that I copy, consuming a lot of CPU. What could be the reason for this? How to improve this?

/usr/local/cpanel/3rdparty/bin/perl /usr/sbin/cxs --quiet --cgi --smtp -Q /home/quarantine --qoptions Mv --mail root /tmp/20180213-101404-WoKsXDM0nATHpttXnR3e9QAAARQ-file-jOooCug

thanks
miguel

So my issue is the following:

In CXS 8 the very first option is:

What to scan:
If scanning a user, only scan within in the web root (e.g. ~user/public_html/)

Now, WHM Teak Settings has:

Restrict document roots to public_html which we have set to Disabled on all 25 production servers.

Which means that Addon Domains are created in /home/user/wordpress2 instead of...

I get an alert on every file that is uploaded - T option is not enabled/checked on either FTP or Regular scan.

Example
Scanning /home/XXXXX/public_html/hosting/modules/support/Zendesk/class.jwt.php:

(/usr/sbin/cxs --baction high --bayes --breport medium --clamdsock /var/clamd --nodbreport --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --mail root...

Awesome sounding new features!

Hi
1-I purchased cxs scanner and every time i do manual scan to all of my whm account after the scan does finish i see that some of my whm account was deleted without my permission.what shoud i do to prevent delet my whm account?
next question is that i have phishing in my server but cxs doesn't detect and remove theme and i receive abuse from datacenter every day
thanks

Hi,

I would like to know if I need to enable Apache SpamAssassin™ on our VPS Server or not. We have ConfigServer eXploit and mail scanner already installed

Thanks

Junaid Hussain
Riyadh
Saudi Arabia

Getting lots of what appear to be false positives on the WordPress file:
default-widgets.php
since the WordPress 4.9.1 update.

as:
ClamAV detected virus =

Anyone else noticing this as well?

Thanks all!

Hello

I recently get a lot of ModSecurity false-positive alerts and a little search lead me to this post :

So I set LF_APACHE_404 to 60 but but my problem is that attacks are from different IP's!
Is there another parameter to help this problem?

Hello guys,

I have a server where CXS is installed, but when I try to run a manual scan it doesn't actually scan any files. It goes through all folders and that's it.

Here's what's happening:

# /usr/sbin/cxs --baction high --bayes --breport medium --clamdsock /var/clamd --deep --defapache nobody --report /var/log/cxs.scan --logfile /var/log/cxs.log --doptions Mv --exploitscan --fallback...

I get inundated with hacker activity, mainly exploiting Wordpress to install files which CSXS deletes or quarantines but nothing stops the same hackers on the same IP addresses from attacking multiple WP installs.

I don't know of a way to deal with the issue other than to manually block all of the IP addresses. Maybe blocking the IP addresses does no good as it seems I am chasing my tail. No...

Hi!

I find cxs very usefful on our Cpanel servers, and wish to use it on non-cpanel servers, to ensure their security.
I see that Cpanel is required, but i dont know if is viable use it (on limited way, or just only a few features) on non-cpanel server, or its not possible (and never be because...) use cxs on non Cpanel server.

Only i need is scan for files and daemon. Not need of interface or...

Hi there,

we're getting a lot of alerts for exploit P1410 but the affected files seem to be a simple archive script included in a lot of apps like coppermine, joomla extensions, CMS Made Simple and so on. The apparently bad file is even included in official sources of the named products. I don't know if maybe some malware used partially the same code as the legitimate script and now all are...

I am getting hundreds of alerts, like this:

'/home/USERNAME/public_html/wp-content/plugins/jetpack/modules/widgets/google-translate.php'
Script version check

It can't be that every user on all servers has a bad version of this module, included with Jetpack. Could this be a false positive?

- Scott

Hope someone can clarify something.

I understand about the false-positives (when the file doesn't exist), but I get a lot of e-mails having to do with viruses or fingerprints referring to files like:

or

These files get quarantined, but does that mean these wordpress files are exploitable and hackers are actually uploading files?

Or does this mean that someone did an apache POST and the...

Hello,

Whether md5sum function still works on cxs latest version?. I try add in /etc/cxs/cxs.xtra one line like this:

md5sum:877f9a8d0b94fee1051cebbbbabd1344

and I add --xtra /etc/cxs/cxs.xtra in scan command, but I always get result Fingerprint Match=0 (not found) and file not quarantined.

Please Advise
Regard's
Yanwar P
Web Hosting Indonesia

I would like to know if by default cxs will run server-wide scan automatically (either by cronjob or other way?)
If yes, how to disable it?
Also I would like to know the command to scan one home dir only. Let say I want to scan /home/test/
What command I should run?

Many thanks in advance.

regards,
H

CXS service is not running.

I have cxs installed in our server. It is starting but the status is showing as

====
root@server # service cxswatch status
Status of cxswatch daemon: Stopped
====

====
root@server # ps aux | grep cxs
root 10255 0.0 0.0 105368 904 pts/0 S+ 19:07 0:00 grep cxs
root 1044139 0.7 0.1 251840 59448 ? Ds 18:55 0:05 cxswatch starting...
root 1044157 0.0 0.1 226764 33280 ? S...

Hello
i found a file it have this code

#!/bin/sh
#
# This file is part of the phpseclib project.
#
# (c) Andreas Fischer
#
# For the full copyright and license information, please view the LICENSE
# file that was distributed with this source code.
#
set -e
set -x

USERNAME='phpseclib'
PASSWORD='EePoov8po1aethu2kied1ne0'

# Create phpseclib user and home directory
sudo useradd --create-home...