CXS 2.84: Cannot disable "suspicious location"

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Locked
gvard
Junior Member
Posts: 39
Joined: 16 Feb 2008, 19:42

CXS 2.84: Cannot disable "suspicious location"

Post by gvard »

Hello,

Since CXS 2.84, I've started receiving several quarantine alerts with this reason:

Suspicious file location for a script [application/x-php]


The problem is that several known applications put an empty index.php file (just the HTML tags) to prevent directory listing of that HTML file. Shouldn't this search option be assigned a letter in qoptions, so we could enable it when we needed it? Also, is there an option to exclude files that have this pattern:

Code: Select all

<html>
</html>
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CXS 2.84: Cannot disable "suspicious location"

Post by ForumAdmin »

It is regarded as a suspicious file which are detected through --options [f]. Ignoring such files can be done through the normal mechanisms in a cxs.ignore file (see cxs.ignore.example), e.g. using md5sums for a unique ignore.
minadreapta
Junior Member
Posts: 43
Joined: 19 Dec 2007, 12:52

Re: CXS 2.84: Cannot disable "suspicious location"

Post by minadreapta »

we are receiving hundreds of false positives from 8 servers using cxs.
it's not the file problem, it's the location that it is considered suspicious. there are a lot of scripts that put files on suspicious locations: wordpress, joomla, drupal, etc.
we are literally receiving on alert per minute since this option was enabled.
we can't ignore so many files, it should be an option to disable location check.
gvard
Junior Member
Posts: 39
Joined: 16 Feb 2008, 19:42

Re: CXS 2.84: Cannot disable "suspicious location"

Post by gvard »

Hello,

There is an application that creates PHP files with randon content and random name, however each file is exactly 27 bytes. Is there an option to exclude PHP files with 27 bytes size?
minadreapta
Junior Member
Posts: 43
Joined: 19 Dec 2007, 12:52

Re: CXS 2.84: Cannot disable "suspicious location"

Post by minadreapta »

there are a lot of files that are created, a lot of modules within wordpress and joomla create files in suspicious locations.
if you are in shared hosting business and have 5.000 WPs or Joomlas, this becomes a real nightmare.
we have stopped cxs for now unfortunately. it is filling up our report email address with hundreds of false positives per hour.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CXS 2.84: Cannot disable "suspicious location"

Post by ForumAdmin »

We've now moved this to its own option in v2.85:
http://blog.configserver.com/index.php?itemid=707
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CXS 2.84: Cannot disable "suspicious location"

Post by ForumAdmin »

gvard wrote:There is an application that creates PHP files with randon content and random name, however each file is exactly 27 bytes. Is there an option to exclude PHP files with 27 bytes size?
No, there's no such option.
Locked