CXS 2.84: Cannot disable "suspicious location"

Posted: 18 Jan 2013, 09:21
by gvard
Hello,

Since CXS 2.84, I've started receiving several quarantine alerts with this reason:

Suspicious file location for a script [application/x-php]


The problem is that several known applications put an empty index.php file (just the HTML tags) to prevent directory listing of that HTML file. Shouldn't this search option be assigned a letter in qoptions, so we could enable it when we needed it? Also, is there an option to exclude files that have this pattern:

<html>
</html>

Re: CXS 2.84: Cannot disable "suspicious location"

Posted: 18 Jan 2013, 15:09
by ForumAdmin
It is regarded as a suspicious file, which is detected through --options [f]. Ignoring such files can be done through the normal mechanisms in a cxs.ignore file (see cxs.ignore.example), e.g. using md5sums for a unique ignore.
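
An added example, not part of the original thread and not ConfigServer code: it groups inert placeholder index.php files by MD5, showing that one hash covers every byte-identical copy while any variant needs its own. The function names, the 256-byte size limit and the sample tree are assumptions made here; the entry syntax for cxs.ignore is not shown and should be taken from cxs.ignore.example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

MAX_SIZE = 256  # bytes; assumed upper bound for a "placeholder" file


def inert_placeholder_digests(root, name="index.php", max_size=MAX_SIZE):
    """Group small files called `name` that contain no PHP open tag by MD5."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        # Skip symlinks and anything too large to be a bare placeholder.
        if os.path.islink(path) or os.path.getsize(path) > max_size:
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if b"<?" in data:  # contains PHP code: never a whitelist candidate
            continue
        groups[hashlib.md5(data).hexdigest()].append(path)
    return dict(groups)


def build_sample_tree(root):
    """Write a constructed sample tree (not real customer data) under root."""
    samples = {
        "wp/uploads/index.php": b"<html>\n</html>\n",
        "joomla/cache/index.php": b"<html>\n</html>\n",
        "drupal/files/index.php": b"<html></html>",   # variant: other hash
        "site/tmp/index.php": b"<?php echo 1; ?>",    # real code: excluded
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for digest, paths in sorted(inert_placeholder_digests(root).items()):
            print(digest, len(paths), "file(s)")
```

Because the match is on content, files with random content (such as the 27-byte files mentioned later in the thread) each produce a different hash and cannot be covered by a single entry.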

Re: CXS 2.84: Cannot disable "suspicious location"

Posted: 19 Jan 2013, 06:19
by minadreapta
We are receiving hundreds of false positives from 8 servers using cxs.
It's not the file problem, it's the location that is considered suspicious. There are a lot of scripts that put files in suspicious locations: WordPress, Joomla, Drupal, etc.
We are literally receiving one alert per minute since this option was enabled.
We can't ignore so many files; there should be an option to disable the location check.

Re: CXS 2.84: Cannot disable "suspicious location"

Posted: 19 Jan 2013, 08:20
by gvard
Hello,

There is an application that creates PHP files with random content and random name, however each file is exactly 27 bytes. Is there an option to exclude PHP files with 27 bytes size?

Re: CXS 2.84: Cannot disable "suspicious location"

Posted: 19 Jan 2013, 09:43
by minadreapta
There are a lot of files that are created; a lot of modules within WordPress and Joomla create files in suspicious locations.
If you are in the shared hosting business and have 5.000 WPs or Joomlas, this becomes a real nightmare.
We have stopped cxs for now, unfortunately. It is filling up our report email address with hundreds of false positives per hour.

Re: CXS 2.84: Cannot disable "suspicious location"

Posted: 19 Jan 2013, 10:07
by ForumAdmin
We've now moved this to its own option in v2.85:
http://blog.configserver.com/index.php?itemid=707

Re: CXS 2.84: Cannot disable "suspicious location"

Posted: 19 Jan 2013, 10:07
by ForumAdmin
gvard wrote: There is an application that creates PHP files with random content and random name, however each file is exactly 27 bytes. Is there an option to exclude PHP files with 27 bytes size?
No, there's no such option.