Questions? Start a Support Ticket
User Registration
Customer Login

Knowledgebase

Portal Home > Knowledgebase > Articles Database > CXS Report -- Should I be Concerned?


CXS Report -- Should I be Concerned?




Posted by Ricjustsaid, 11-08-2011, 10:48 PM
Hi guys! A few weeks ago I installed Configserver eXploit Scanner on my server to protect against malicious file uploads. The server I'm running it on is a personal server, and I don't host any other users on the box. Anyway, this morning I got a report saying that a malicious file was uploaded and quarantined, along with a message stating that it could be a false positive since the upload script doesn't exist. "somefolder" itself doesn't exist on the filesystem per-say; I use mod_rewrite for fURLs so you could visit that certain path where I have a custom script located. It's not an upload script, though - it just pulls info from a database and displays it. In fact, there are no upload scripts available on my website at all... Now, the quarantined file does exist in the quarantine directory (but not in /tmp/). It appears to be an OSCommerce exploit, but I'm not running OSCommerce! Looking at the Apache error_log, I'm seeing entries like this: Obviously "/somefolder//admin/file_manager.php/login.php" does not exist. It seems like the double forward slashes are throwing CXS off and the web upload script is incorrectly reported, but I can't be sure. Can any of you experienced CXS users shed some light on this? Is this the same false-positive issue noted on the CXS forum here? Thanks guys for any advice!
Posted by fshagan, 11-09-2011, 01:24 AM
It sounds like the same issue. What I don't understand is why the request for the non-existent file happens in the first place. I get that Apache processes requests in phases, and the mod_security rules take effect before Apache has verified that the file exists. And that the CXS web upload scanning uses mod_security rules, so sometimes there's a request for a file that doesn't exist. But where does the request come from? Is it from someone knocking on port 80 with the request?
Posted by Ricjustsaid, 11-09-2011, 01:58 AM
I think you're right - someone (maybe an automated process) makes requests for vulnerable scripts. They're probably probing servers for old scripts with known exploits (at least, that's what I've been thinking). What worries me is the fact that an exploit script was quarantined. How did it get uploaded in the first place, if the target script does not exist? Am I right in thinking that the content of the exploit script is contained in the request body, and ModSecurity uploaded it to /tmp where CXS took over and quarantined it?
Posted by fshagan, 11-09-2011, 10:58 AM
I think what happens is this: 1. Hacker probes server, tries to upload hacker script 2. Apache recognizes this request in "step one" and the file name is cached. 3. Apache calls step two, when the mod_security rules trigger CXS to quarantine the file as soon as it is uploaded. 4. Apache refuses the upload due to lack of login verification, etc. 5. CXS reports the file name as quarantined, even though it really doesn't exist on the server. It was knocking on the door, and CXS started quarantine procedures even before Apache refused entry. This is only a guess based on what the ConfigServer forum post said. [Edit: sorry, just noticed that the file does exist on your server; I missed that.]


Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
Host in eu (Views: 707)
small reseller and billing? (Views: 667)
Help needed in order to understand what's wrong (Views: 699)
Am I running out of power? (Views: 791)
Looking for reseller in Netherlands (Views: 697)


Language:

Our Services

Client Menu

Legal

Terms of Service | Privacy Policy | Refund Policy | Affiliates
Copyright © 2015 DC International LLC in partnership with Bragin IT Solutions Inc. - All Rights Reserved.