Scanning on a non-existent file

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
LukeDouglas
Junior Member
Posts: 26
Joined: 22 Apr 2016, 17:35

Scanning on a non-existent file

Post by LukeDouglas »

I got an email with this message:

Scanning web upload script file...
Time                   : Mon, 16 Sep 2019 15:23:48 -0500
Web referer URL        : 
Local IP               : 162.241.XXX.XXX
Web upload script user : nobody (99)
Web upload script owner:  ()
Web upload script path : /home/FOLDERNAME/public_html/wp-content
Web upload script URL  : http://WEBSITENAME/wp-content/themes/village/blueprint/gallery/ajaxupload/server/php.php
Remote IP              : 202.104.9.163
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/20190916-152347-XX-vU4N7HH4hibQ5LzkRxwAAAUI-file-7uQGzx.1568665428_1]

NOTE: [/home/FOLDERNAME/public_html/wp-content] does not exist on this server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data
I did check the File Manager and there is NO /public_html/wp-content folder. So someone attempted to access a non-existent folder. Is there a way I can stop the sending of any warnings for '/wp-content/', '/wp-includes/' and '/wp-admin/' folders as well as any files in the root with 'wp*.php' wildcard? I run a Joomla shop and NONE of the websites on my server has 'any' WordPress installs.
codebee
Junior Member
Posts: 3
Joined: 10 Dec 2019, 15:06

Re: Scanning on a non-existent file

Post by codebee »

Have the same question - How do we disable these email alerts for file paths that don't actually exist?
Sarah
Moderator
Posts: 835
Joined: 09 Dec 2006, 22:49

Re: Scanning on a non-existent file

Post by Sarah »

See the option "--cutcgimail" in the cxs documentation. In the cxscgi Configuration Wizard it is listed as "Reduce the number of emails from ModSecurity hits".
codebee
Junior Member
Posts: 3
Joined: 10 Dec 2019, 15:06

Re: Scanning on a non-existent file

Post by codebee »

Sarah wrote: 05 Sep 2020, 11:52
--cutcgimail

Hey Sarah, thanks for the super fast response! Managed to find that option in the settings so will give it a try, thank you.
bouvrie
Junior Member
Posts: 16
Joined: 23 Nov 2011, 09:49

Re: Scanning on a non-existent file

Post by bouvrie »

Seeing that these requests often come from exploit scanners, is there a way to instantly delete the uploaded file & add the offending Remote IP address to the blocklist?

Instead of wasting precious server resources, analyzing a file that has no business on the server and won't be processed further anyway?
pyrographics
Junior Member
Posts: 1
Joined: 14 Sep 2020, 17:07

Re: Scanning on a non-existent file

Post by pyrographics »

This has become a big hassle on our server thanks to the wp-file-manager exploit going around now. Never mind that it doesn't exist on our server, we are getting hundreds of hits to it each day. CXS quarantines the offensive non-uploaded file into /home/whatever-username/.quarantine/ and then cPanel's new virus scanning then hits on it, listing it as a problem. I wish there was a way to just delete the results of these hits instead of quarantining them. Also I don't know why the quarantine is under the user's folder instead of the /home/quarantine/ folder that is specified.
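
One way to triage these alerts in bulk, as an added example that is not part of the thread and not cxs's own code: it parses alert text in the layout quoted in the first post and lists the alerts whose "Web upload script path" does not exist on disk, counted per remote IP. The sample alerts, user name and IP addresses are constructed, and parse_alerts and triage are hypothetical helper names.

```python
import os
import re
from collections import Counter

# Constructed sample in the layout of the alert quoted in the first post
# (documentation-range IPs, placeholder user name and quarantine paths).
SAMPLE_ALERTS = """\
Scanning web upload script file...
Time                   : Mon, 16 Sep 2019 15:23:48 -0500
Web upload script user : nobody (99)
Web upload script path : /home/EXAMPLEUSER/public_html/wp-content
Remote IP              : 203.0.113.7
Quarantined            : Yes [/home/quarantine/cxscgi/EXAMPLE-1]

Scanning web upload script file...
Time                   : Mon, 16 Sep 2019 15:40:02 -0500
Web upload script user : nobody (99)
Web upload script path : /
Remote IP              : 198.51.100.20
Quarantined            : Yes [/home/quarantine/cxscgi/EXAMPLE-2]
"""

# "Field name   : value"; the lazy name group stops at the first colon,
# so colons inside the value (timestamps, URLs) stay in the value.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")

def parse_alerts(text):
    """Split on the banner line; return one {field: value} dict per alert."""
    alerts = []
    for chunk in text.split("Scanning web upload script file...")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        alerts.append(fields)
    return alerts

def triage(alerts, exists=os.path.exists):
    """Return (alerts whose script path is missing, hit count per remote IP)."""
    missing = [a for a in alerts if not exists(a.get("Web upload script path", ""))]
    return missing, Counter(a.get("Remote IP", "?") for a in missing)

if __name__ == "__main__":
    missing, by_ip = triage(parse_alerts(SAMPLE_ALERTS))
    for a in missing:
        print(a["Time"], a["Remote IP"], a["Web upload script path"])
    print(by_ip.most_common())
```

The per-IP counts only describe the alerts fed in; what to do with a noisy address is a separate firewall decision.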