Scanning on a non-existent file

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
LukeDouglas
Junior Member
Posts: 26
Joined: 22 Apr 2016, 17:35

Scanning on a non-existent file

Post by LukeDouglas »

I got an email with this message:

Scanning web upload script file...
Time                   : Mon, 16 Sep 2019 15:23:48 -0500
Web referer URL        : 
Local IP               : 162.241.XXX.XXX
Web upload script user : nobody (99)
Web upload script owner:  ()
Web upload script path : /home/FOLDERNAME/public_html/wp-content
Web upload script URL  : http://WEBSITENAME/wp-content/themes/village/blueprint/gallery/ajaxupload/server/php.php
Remote IP              : 202.104.9.163
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/20190916-152347-XX-vU4N7HH4hibQ5LzkRxwAAAUI-file-7uQGzx.1568665428_1]

NOTE: [/home/FOLDERNAME/public_html/wp-content] does not exist on this server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data
I did check the File Manager and there is NO /public_html/wp-content folder. So someone attempted to access a non-existent folder. Is there a way I can stop sending of any warnings for '/wp-content/', '/wp-includes/' and '/wp-admin/' folders as well as any files in the root with 'wp*.php' wildcard? I run a Joomla shop and NONE of the websites on my server has 'any' WordPress installs.
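
An added example, not part of the original post and not cxs code: a small Python triage helper that parses an alert in the layout quoted above and flags hits where the target path is missing and the URL matches the WordPress patterns the post lists. The sample alert, its addresses and host names, and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the alert layout quoted in the post above.
SAMPLE_ALERT = """\
Scanning web upload script file...
Time                   : Mon, 16 Sep 2019 15:23:48 -0500
Web referer URL        :
Local IP               : 192.0.2.10
Web upload script user : nobody (99)
Web upload script owner:  ()
Web upload script path : /home/example/public_html/wp-content
Web upload script URL  : http://site.example/wp-content/themes/demo/upload/php.php
Remote IP              : 198.51.100.7
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/sample-file_1]

NOTE: [/home/example/public_html/wp-content] does not exist on this server. However, ModSecurity is still triggering cxs to scan the attempted uploading of potentially malicious data
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")   # "Label   : value"
MISSING = re.compile(r"^NOTE: \[(.+?)\] does not exist on this server")
# /wp-content/, /wp-includes/, /wp-admin/ anywhere, or wp*.php in the web root.
WP_PROBE = re.compile(r"/(wp-content|wp-includes|wp-admin)(/|$)|^/wp[^/]*\.php$")

def parse_alert(text):
    """Return (fields dict, path reported as non-existent or None)."""
    fields, missing = {}, None
    for line in text.splitlines():
        note = MISSING.match(line)
        if note:
            missing = note.group(1)
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields, missing

def triage(text):
    """Summarise one alert so scanner noise can be grouped apart from real hits."""
    fields, missing = parse_alert(text)
    url = fields.get("Web upload script URL", "")
    url_path = re.sub(r"^[a-z]+://[^/]*", "", url).split("?")[0]
    return {
        "remote_ip": fields.get("Remote IP"),
        "target_missing": missing is not None,
        "wordpress_probe": bool(WP_PROBE.search(url_path)),
        "quarantined": fields.get("Quarantined", "").startswith("Yes"),
    }
```

An alert with both `target_missing` and `wordpress_probe` set is a request against a path that was never on the server, so it can be counted per remote IP instead of being read one email at a time.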
codebee
Junior Member
Posts: 3
Joined: 10 Dec 2019, 15:06

Re: Scanning on a non-existent file

Post by codebee »

Have the same question - How do we disable these email alerts for file paths that don't actually exist?
Sarah
Moderator
Posts: 837
Joined: 09 Dec 2006, 22:49

Re: Scanning on a non-existent file

Post by Sarah »

See the option "--cutcgimail" in the cxs documentation. In the cxscgi Configuration Wizard it is listed as "Reduce the number of emails from ModSecurity hits".
codebee
Junior Member
Posts: 3
Joined: 10 Dec 2019, 15:06

Re: Scanning on a non-existent file

Post by codebee »

Sarah wrote: 05 Sep 2020, 11:52
--cutcgimail

Hey Sarah, thanks for the super fast response! Managed to find that option in the settings so will give it a try, thank you.
bouvrie
Junior Member
Posts: 16
Joined: 23 Nov 2011, 09:49

Re: Scanning on a non-existent file

Post by bouvrie »

Seeing that these requests often come from exploit scanners, is there a way to instantly delete the uploaded file & add the offending Remote IP address to the blocklist?

Instead of wasting precious server resources, analyzing a file that has no business on the server and won't be processed further anyway?
pyrographics
Junior Member
Posts: 1
Joined: 14 Sep 2020, 17:07

Re: Scanning on a non-existent file

Post by pyrographics »

This has become a big hassle on our server thanks to the wp-file-manager exploit going around now. Never mind that it doesn't exist on our server, we are getting hundreds of hits to it each day. CXS quarantines the offensive non-uploaded file into /home/whatever-username/.quarantine/ and then cPanel's new virus scanning then hits on it, listing it as a problem. I wish there was a way to just delete the results of these hits instead of quarantining them. Also, I don't know why the quarantine is under the user's folder instead of the /home/quarantine/ folder that is specified.
JasGot
Junior Member
Posts: 29
Joined: 10 Jan 2008, 17:16

Re: Scanning on a non-existent file

Post by JasGot »

This is a nuisance for us too. 14 e-mails per hour about a file that doesn't exist.

/home/{account}/public_html/image.php

How can it detect a virus if there is no file?