Can't make cxs.ignore work

Posted: 25 Nov 2022, 05:33
by luisfalcon
I'm trying to make cxs ignore the WordPress file admin-ajax.php, so I created a file named cxs.ignore (it didn't exist) and put the following in it:

hfile:/public_html/wp-admin/admin-ajax.php

Restarted the service, but I'm still receiving emails about that file.

I read somewhere else on this forum that I needed to edit cxswatch.sh and add --ignore /etc/cxs/cxs.ignore but my cxswatch.sh has nothing in it, I mean, no command other than this:

/usr/sbin/cxs --Wstart --config /etc/cxs/cxswatch.conf

Everything else is commented out. However, when I receive the email, it contains this command:

/usr/sbin/cxs --cgi --clamdsock /var/clamd --cutcgimail --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root --options mMOLfuSGchexdnwZRrD --noprobability --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 1000000 --smtp --ssl --nosummary --nosversionscan --timemax 30 --nounofficial --virusscan --vmrssmax 2000000 --voptions mfhexT --waitscan 0 /tmp/20221124-235835-Y4BLe0KETAtm604W9nvHBgAAAEs-file-BLzizt

It does contain the --ignore /etc/cxs/cxs.ignore part... A little help pointing me in the right direction would be really appreciated.

Re: Can't make cxs.ignore work

Posted: 25 Nov 2022, 05:43
by luisfalcon
Also, if I click the "view cxs Watch Command" button inside WHM this is the command there:

/usr/sbin/cxs --allusers --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 0 --noforce --html --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail some@email.com --options mMOLfSGchexdnZDRru --noprobability --qoptions Mv --quiet --report /var/log/cxs.scan --sizemax 1000000 --smtp --ssl --summary --sversionscan --throttle 15 --timemax 30 --nounofficial --virusscan --vmrssmax 2000000 --voptions mfhexT --waitscan 0 --Wloglevel 0 --Wmaxchild 3 --Wnotify inotify --Wrateignore 300 --Wrefresh 7 --Wsleep 3 --Wstart --www

This also includes the --ignore /etc/cxs/cxs.ignore part.

Re: Can't make cxs.ignore work

Posted: 25 Nov 2022, 05:59
by Sarah
Could you please post the cxs alert email you receive - subject and message - with domains and IP addresses removed?

Re: Can't make cxs.ignore work

Posted: 25 Nov 2022, 06:06
by luisfalcon
Subject:

cxs Scan on host.domain.com (Hits:1) (Viruses:0) (Fingerprints:1)

Body:

Scanning web upload script file...
Time                   : Thu, 24 Nov 2022 23:58:36 -0500
Web referer URL        : google.com
Local IP               : 11.11.11.11
Web upload script user : nobody (99)
Web upload script owner: ertcin (1171)
Web upload script path : /home/user/public_html/wp-admin/admin-ajax.php
Web upload script URL  : domain.com/wp-admin/admin-ajax.php?action=uploadFontIcon
Remote IP              : 11.11.11.11
Deleted                : No
Quarantined            : Yes [/home/quarantine/cxscgi/20221124-235835-Y4BLe0KETAtm604W9nvHBgAAAEs-file-BLzizt.1669352316_1]

----------- SCAN REPORT -----------

TimeStamp: Thu, 24 Nov 2022 23:58:36 -0500

(/usr/sbin/cxs --cgi --clamdsock /var/clamd --cutcgimail --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail root --options mMOLfuSGchexdnwZRrD --noprobability --qoptions Mv --quarantine /home/quarantine --quiet --sizemax 1000000 --smtp --ssl --nosummary --nosversionscan --timemax 30 --nounofficial --virusscan --vmrssmax 2000000 --voptions mfhexT --waitscan 0 /tmp/20221124-235835-Y4BLe0KETAtm604W9nvHBgAAAEs-file-BLzizt)

'/tmp/20221124-235835-Y4BLe0KETAtm604W9nvHBgAAAEs-file-BLzizt'
(compressed file: .__a57bze8931.php [depth: 1]) Known exploit = [Fingerprint Match (sha256)]

Re: Can't make cxs.ignore work

Posted: 25 Nov 2022, 06:16
by Sarah
The reason it's not working is that this isn't a cxswatch alert. It's from cxs cgi scanning (ModSecurity scanning). cxs is not reporting the file admin-ajax.php as an exploit; it is reporting that the file admin-ajax.php is being used to upload possible exploits. I don't think you really want to ignore these, because this is an actual exploit that someone is attempting to upload via the WordPress files.
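An added triage helper (example code written for this thread, not ConfigServer's own) that parses an alert body like the one posted above, reports which cxs mode produced it from the command recorded in the scan report, and checks an ignore entry against both the upload script and the file cxs actually scanned. The sample alert is constructed, and the `hfile:` semantics used here (a path relative to any /home/<user>) are an assumption about the cxs.ignore format, not taken from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the alert posted in this thread (not a real alert).
SAMPLE_ALERT = """\
Scanning web upload script file...
Web upload script path : /home/user/public_html/wp-admin/admin-ajax.php
Quarantined            : Yes [/home/quarantine/cxscgi/20221124-235835-file.1669352316_1]

----------- SCAN REPORT -----------

(/usr/sbin/cxs --cgi --ignore /etc/cxs/cxs.ignore --quarantine /home/quarantine /tmp/20221124-235835-file)

'/tmp/20221124-235835-file'
(compressed file: .__a57bze8931.php [depth: 1]) Known exploit = [Fingerprint Match (sha256)]
"""

@dataclass
class Alert:
    mode: str           # "cgi" (upload scan), "watch" (cxswatch, --Wstart) or "other"
    upload_script: str  # script that received the upload, if the alert names one
    scanned_file: str   # file cxs actually scanned (last argument of the recorded command)
    detection: str      # text inside "Known exploit = [...]", if present

def parse_alert(body: str) -> Alert:
    """Pull the fields that matter for triage out of a cxs alert body."""
    m = re.search(r"^\((/usr/sbin/cxs .*)\)\s*$", body, re.M)
    argv = m.group(1).split() if m else []
    mode = "cgi" if "--cgi" in argv else "watch" if "--Wstart" in argv else "other"
    scanned = argv[-1] if argv and argv[-1].startswith("/") else ""
    script = re.search(r"^Web upload script path\s*:\s*(\S+)", body, re.M)
    det = re.search(r"Known exploit = \[(.+?)\]", body)
    return Alert(mode, script.group(1) if script else "", scanned, det.group(1) if det else "")

def ignore_matches(entry: str, path: str) -> bool:
    """Assumed semantics for two cxs.ignore entry types: 'file:' is an exact absolute
    path, 'hfile:' is a path relative to any account's home directory (/home/<user>)."""
    kind, _, pattern = entry.partition(":")
    if kind == "file":
        return path == pattern
    if kind == "hfile":
        return re.fullmatch(r"/home/[^/]+" + re.escape(pattern), path) is not None
    return False

def explain(body: str, entry: str) -> str:
    """Say what the alert is about and which path the ignore entry would actually cover."""
    a = parse_alert(body)
    if a.mode != "cgi":
        return f"{a.mode} alert for {a.scanned_file}; ignore applies: {ignore_matches(entry, a.scanned_file)}"
    return (f"cgi upload scan: {a.upload_script} received the upload, but cxs scanned "
            f"{a.scanned_file} ({a.detection}); entry matches upload script: "
            f"{ignore_matches(entry, a.upload_script)}, matches scanned file: "
            f"{ignore_matches(entry, a.scanned_file)}")

if __name__ == "__main__":
    print(explain(SAMPLE_ALERT, "hfile:/public_html/wp-admin/admin-ajax.php"))
```

Run against the sample, the helper shows the ignore entry does match admin-ajax.php but not the quarantined upload in /tmp, which is the file the cgi scan flagged.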