Install CXS ( ConfigServer eXploit Scanner ) on cPanel Server
ConfigServer eXploit Scanner is a tool to perform active scanning of files which are uploaded to the server. We can install CXS on a cPanel server easily through which we will get alerted if any file uploaded to our server. Also, we can manage CXS via WHM GUI easily just like CSF management. CXS will frequently scan our server and if anything found as suspicious then it will email us with the details such as IP of the user from where they upload, Web upload script user, Web upload script owner, Web upload script path, Web upload script URL, and also if we can configure CSX to quarantine if any suspicious file uploads occur then it will automatically quarantine those files to quarantine location which can be mentioned during installation. CXS will detect any malware and remove them from our cPanel server. If you need to make your server malware free, CXS is a great tool which will frequently scan your server and remove malware if any. The live scanning ability of CXS and the very large exploit database of known malware makes it a must have feature on cPanel server to protect against malware attacks. Let’s discuss some of features of CXS:
1) Actively scans all modified files within user accounts
2) PHP upload scripts (via a ModSecurity hook)
3) Perl upload scripts (via a ModSecurity hook)
4) CGI upload scripts (via a ModSecurity hook)
5) Any other web script type that utilizes the HTML form ENCTYPE multipart/form-data (via a ModSecurity hook)
6) Pure-ftpd uploads
In this tutorial, I’ll explain how to install and configure ConfigServer eXploit tool on cPanel server.
Let’s discuss about the installation and configuration of CXS on cPanel server:
1) As we know CXS is a commercial product, so we need to purchase a license from their website at http://configserver.com/cp/cxs.html . Once you have the license, SSH into your server and execute below commands to download and then install the software.
# cd /usr/local/src
# wget https://download.configserver.com/cxsinstaller.tgz
# tar -xzf cxsinstaller.tgz
# perl cxsinstaller.pl
2) Once you installed the CXS software, we need to create a directory for quarantine malware files if CXS detects any, while scanning. You can create quarantine directory by executing below commands.
# cxs –qcreate –quarantine /etc/cxs/quarantine
3) Once it creates, we need to edit cxswatch.sh, cxsftp.sh and cxsdaily.sh files and add below lines on each file. You can adjust the parameters to suit your own requirements.
Add the following line to the cxswatch.sh file:
/usr/sbin/cxs –options -wW –Wstart –allusers –www –smtp –ignore /etc/cxs/cxs.ignore –qoptions Mv –quarantine /etc/cxs/quarantine –log /var/log/cxs.log –Wmaxchild 3 –Wloglevel 0 –Wsleep 3 –filemax 0 –Wrateignore 300
Add the following line to the cxsftp.sh file:
/usr/sbin/cxs –quiet –ftp –quarantine /etc/cxs/quarantine –logfile /var/log/cxs.log –mail email@example.com “$1”
Add the following line to the cxsdaily.sh file:
/usr/sbin/cxs –qclean 7 –quarantine /etc/cxs/quarantine –quiet
Also make sure that ClamAV is installed on your server and then create a log file for CXS by executing below commands.
# touch /var/log/cxs.log
# chmod 630 /var/log/cxs.log
4) We need to enable CallUploadScript function in pure-ftp configuration file at /etc/pure-ftpd.conf, so that this will scan files which are uploaded via FTP in real time. And then change “#CallUploadScript” to “CallUploadScript” (remove #) and restart FTP service. Also schedule a daily cron to ensure CXS is updated to the latest database by executing below command.
# ln -s /etc/cxs/cxsdaily.sh /etc/cron.daily/
5) Create a new Cron job for scan all the files on daily basis as below:
0 4 * * * root /usr/sbin/cxs –logfile /var/log/cxs.log –mail firstname.lastname@example.org –exploitscan –virusscan –sversionscan –bayes -I /etc/cxs/cxs.ignore -Q /etc/cxs/quarantine –options mMOLfSGchexdnwZRD –voptions mfuhexT –qoptions Mv -Z –www –summary –html –ssl -C /var/clamd –nofallback -T 5 –ctime 48 –allusers –quiet
6) At last start CXS service and on check config to automatically start during boot time by executing below commands.
# service cxswatch start
# chkconfig cxswatch on
Sometimes the initial start-up will take little resource depending on number of cPanel accounts, once it completes, it uses almost no resources and will work properly on background.
If you need any further help, please reach our support department