False alarm - exploited .htaccess P0767

[davert]

I am getting what I am pretty sure is a false alarm since I added this. I can find nothing on the "new signature" in P0767. Help?

#Prevents showing indexes when there is no index.html etc
Options -Indexes

ServerSignature Off

<filesMatch "\.(php)$">
Header append X-Frame-Options SAMEORIGIN
</filesMatch>

[ForumAdmin]

That should not match the fingerprint. Can you please submit the file using:

cxs --wttw --comment "False Positive" --force /path/to/file and we will check it.

[davert]

Thanks. There's more to the file so maybe something else set it off but given the timing of the signature list update, I think it's what I did…

[ForumAdmin]

It's the image leeching stuff at the top of the file that is triggering it. We'll investigate the fingerprint, but for now you can whitelist the file in a cxs.ignore if you have one.

[davert]

Thanks. I was going to ask you about that -- I have another file that I am trying to whitelist and it's not accepting it. Can't figure out if it's permissions or the format…

file:/home/user/public_html/directory/cl86f.dat
Also tried file:cl86f.dat

the cxs.ignore file doesn't have example syntax.

[ForumAdmin]

1. Ensure that you have --ignore /etc/cxs/cxs.ignore on your cxs command line or listed correctly in /etc/cxs/cxs.defaults

2. A sample file with examples should be in /etc/cxs/cxs.ignore.example

3. If using cxs Watch, try restarting it

The format you used as:

file:/home/user/public_html/directory/cl86f.dat

We've now redeveloped the regex. If you do the following it should no longer detect it:

Code: Select all

rm -f /etc/cxs/new.fp
cxs -U

[davert]

Thank you! I will make sure the ignore file is listed. There aren't actually any examples in the ignore.example file (which is what I'm using)… but you think that format should work? I'll try restarting Watch. Thanks again for the unexpectedly good support.

[davert]

Yup, that did it! Thanks again!