Initial commit.

cxs/cpanelsuspend.example.pl

@@ -0,0 +1,50 @@
+#!/usr/local/cpanel/3rdparty/bin/perl
+#******************************************************************************
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.waytotheweb.com
+# Email: sales@waytotheweb.com
+#******************************************************************************
+# Example cPanel Account Suspend Script when using --all
+#
+# NOTE: If you intend to use this script, copy it to a different filename as
+# this file will be overwritten when cxs upgrades
+use strict;
+
+# Set to 1 to have more verbose output
+my $verbose = 0;
+
+# Check we have all arguments
+if (@ARGV < 4) {print "\ncpanelsuspend.pl: Not enough Args to suspend: @ARGV\n"; exit}
+
+# Check we are running as root
+if ($< != 0) {print "\ncpanelsuspend.pl: Not root ($<)\n"; exit}
+
+# Assign arguments to variables
+my $filename = $ARGV[0];
+my $option = $ARGV[1];
+my $message = $ARGV[2];
+my $account = $ARGV[3];
+
+# If option is a Virus or Known Exploit
+if ($option =~ /v|M$/) {
+
+        # if this is definitely a cPanel account
+        if (-e "/var/cpanel/users/$account") {
+
+                # If this account is not already suspended
+                unless (-e "/var/cpanel/suspended/$account") {
+
+                        print "\n\ncpanelsuspend.pl: Suspending Account $account...\n";
+
+                        # Suspend the account
+                        system("/scripts/suspendacct","$account");
+
+                        print "\n";
+
+                } else {if ($verbose) {print "\ncpanelsuspend.pl: Already Suspended\n"}}
+
+        } else {if ($verbose) {print "\ncpanelsuspend.pl: Not a cPanel account ($account)\n"}}
+
+} else {if ($verbose) {print "\ncpanelsuspend.pl: Not a suspend option ($option)\n"}}
+
+exit;

cxs/csfajaxtail.js

@@ -0,0 +1,129 @@
+//#############################################################################
+//# Copyright 2006-2016, Way to the Web Limited
+//# URL: http://www.configserver.com
+//# Email: sales@waytotheweb.com
+//#############################################################################
+
+var CSFscript = '';
+var CSFcountval = 6;
+var CSFlineval = 100;
+var CSFcounter;
+var CSFcount = 1;
+var CSFpause = 0;
+var CSFfrombot = 120;
+var CSFfromright = 10;
+var CSFsettimer = 1;
+var CSFheight = 0;
+var CSFwidth = 0;
+var CSFajaxHTTP = CSFcreateRequestObject();
+
+function CSFcreateRequestObject() {
+	var CSFajaxRequest;
+	if (window.XMLHttpRequest) {
+		CSFajaxRequest = new XMLHttpRequest();
+	}
+	else if (window.ActiveXObject) {
+		CSFajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
+	}
+	else {
+		alert('There was a problem creating the XMLHttpRequest object in your browser');
+		CSFajaxRequest = '';
+	}
+	return CSFajaxRequest;
+}
+
+function CSFsendRequest(url) {
+	var now = new Date();
+	CSFajaxHTTP.open('get', url + '&nocache=' + now.getTime());
+	CSFajaxHTTP.onreadystatechange = CSFhandleResponse;
+	CSFajaxHTTP.send();
+	document.getElementById("CSFrefreshing").style.display = "inline";
+} 
+
+function CSFhandleResponse() {
+	if(CSFajaxHTTP.readyState == 4 && CSFajaxHTTP.status == 200){
+		var response = CSFajaxHTTP.responseText;
+		if(response) {
+			var CSFobj = document.getElementById("CSFajax");
+			CSFobj.innerHTML = CSFajaxHTTP.responseText;
+			windowSize();
+			if (CSFheight > 0) {CSFobj.style.height = (CSFheight - CSFobj.offsetTop - CSFfrombot)  + "px";}
+			if (CSFwidth > 0) {CSFobj.style.width = (CSFwidth - CSFobj.offsetLeft - CSFfromright)  + "px";}
+			CSFobj.scrollTop = CSFobj.scrollHeight;
+			document.getElementById("CSFrefreshing").style.display = "none";
+			if (CSFsettimer) {CSFcounter = setInterval(CSFtimer, 1000);}
+		}
+	}
+}
+
+function CSFgrep() {
+	var CSFlogobj = document.getElementById("CSFlognum");
+	var CSFlognum;
+	if (CSFlogobj) {CSFlognum = '&lognum=' + CSFlogobj.options[CSFlogobj.selectedIndex].value}
+	else {CSFlognum = ""}
+	if (document.getElementById("CSFgrep_i").checked) {CSFlognum = CSFlognum + "&grepi=1"}
+	if (document.getElementById("CSFgrep_E").checked) {CSFlognum = CSFlognum + "&grepE=1"}
+	var CSFurl = CSFscript + '&grep=' + document.getElementById("CSFgrep").value + CSFlognum;
+	if (document.getElementById("CSFgrep_D").checked) {
+		window.open(CSFurl);
+	} else {
+		CSFsendRequest(CSFurl);
+	}
+}
+
+function CSFtimer() {
+	if (CSFpause) {return}
+	CSFcount = CSFcount - 1;
+	document.getElementById("CSFtimer").innerHTML = CSFcount;
+	if (CSFcount <= 0) {
+		clearInterval(CSFcounter);
+		var CSFlogobj = document.getElementById("CSFlognum");
+		var CSFlognum;
+		if (CSFlogobj) {CSFlognum = '&lognum=' + CSFlogobj.options[CSFlogobj.selectedIndex].value}
+		else {CSFlognum = ""}
+		CSFsendRequest(CSFscript + '&lines=' + document.getElementById("CSFlines").value + CSFlognum);
+		CSFcount = CSFcountval;
+		return;
+	}
+}
+
+function CSFpausetimer() {
+	if (CSFpause) {
+		CSFpause = 0;
+		document.getElementById("CSFpauseID").innerHTML = "Pause";
+	}
+	else {
+		CSFpause = 1;
+		document.getElementById("CSFpauseID").innerHTML = "Continue";
+	}
+}
+
+function CSFrefreshtimer() {
+	var pause = CSFpause;
+	CSFcount = 1;
+	CSFpause = 0;
+	CSFtimer();
+	CSFpause = pause;
+	CSFcount = CSFcountval - 1;
+	document.getElementById("CSFtimer").innerHTML = CSFcount;
+}
+
+function windowSize() {
+	if( typeof( window.innerHeight ) == 'number' ) {
+		CSFheight = window.innerHeight;
+		CSFwidth = window.innerWidth;
+	}
+	else if (document.documentElement && (document.documentElement.clientHeight)) {
+		CSFheight = document.documentElement.clientHeight;
+		CSFwidth = document.documentElement.clientWidth;
+	}
+	else if (document.body && (document.body.clientHeight)) {
+		CSFheight = document.body.clientHeight;
+		CSFwidth = document.body.clientWidth;
+	}
+}
+//#############################################################################
+//# Copyright 2006-2016, Way to the Web Limited
+//# URL: http://www.configserver.com
+//# Email: sales@waytotheweb.com
+//#############################################################################

cxs/cxs.default

@@ -0,0 +1 @@
+ignore=/etc/cxs/cxs.ignore

cxs/cxs.defaults.example

@@ -0,0 +1 @@
+ignore=/etc/cxs/cxs.ignore

cxs/cxs.ignore

@@ -0,0 +1,85 @@
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of files, directories, users and regex matches that
+# cxs will ignore.
+#
+# You must use the following format:
+#
+# user:    - ignore user
+# file:    - ignore file
+# dir:     - ignore directory
+# sym:     - ignore symlink
+# script:  - ignore web script (ModSecurity hook)
+#
+# puser:   - regex of users to ignore
+# pfile:   - regex of files to ignore
+# pdir:    - regex of directories to ignore
+# psym:    - regex of symlinks to ignore
+# pscript: - regex of web script to ignore (ModSecurity hook)
+#
+# The following do not apply to web script uploads via ModSecurity hook:
+# hfile:   - ignore file relative to a users homedir
+# hdir:    - ignore directory relative to a users homedir
+# hsym:    - ignore symlink relative to a users homedir
+#
+# match:   - ignore regex pattern match
+# md5sum:  - ignore file md5sum
+# fp:      - ignore fingerprint match
+#
+# The following only apply to web and ftp script uploads:
+# ip:      - ignore uploads from IP address
+#
+# You can include additional entries using external files with:
+# Include /path/to/cxs.altignore
+#
+hdir:/etc
+hdir:/mail
+hdir:/tmp
+hdir:/.cagefs
+hdir:/.fantasticodata
+hdir:/.rvsitebuilder
+hdir:/.sqmaildata
+hdir:/.trash
+hdir:/.quarantine
+hdir:/quarantine_clamavconnector
+hsym:/access-logs
+hfile:/public_html/cgi-bin/randhtml.cgi
+hfile:/public_html/cgi-bin/entropybanner.cgi
+hfile:/public_html/cgi-bin/cgiemail
+hfile:/public_html/cgi-bin/cgiecho
+hfile:/public_html/cgi-bin/cpdownload/cpaneldownacct.cgi
+hfile:/public_html/cgi-bin/cpdownload/cpaneldownload.cgi
+hfile:/public_html/cgi-bin/cpdownload/cpanelkill.cgi
+hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.c
+hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.cgi
+pfile:^/tmp/clamav-.*
+pdir:^/tmp/clamav-.* 
+pfile:^/tmp/cxs_.*
+md5sum:f3c8aaf882d1ed25a7f5fe7fd2ee4d9d
+match:symlink\s*\(
+
+# ignore specific file types
+pfile:.*\.xap$
+pfile:.*\.jpg$
+pfile:.*\.jp2$
+pfile:.*\.jpeg$
+pfile:.*\.bmp$
+pfile:.*\.gif$
+pfile:.*\.tif$
+pfile:.*\.flv$
+pfile:.*\.mp2$
+pfile:.*\.mp3$
+pfile:.*\.mp4$
+pfile:.*\.wav$
+pfile:.*\.avi$
+pfile:.*\.mov$
+pfile:.*\.pdf$
+pfile:.*\.doc$
+pfile:.*\.docx$
+pfile:.*\.xls$
+pfile:.*\.ppt$
+pfile:.*\.txt$
+

cxs/cxs.ignore.example

@@ -0,0 +1,61 @@
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of files, directories, users and regex matches that
+# cxs will ignore.
+#
+# You must use the following format:
+#
+# user:    - ignore user
+# file:    - ignore file
+# dir:     - ignore directory
+# sym:     - ignore symlink
+# script:  - ignore web script (ModSecurity hook)
+#
+# puser:   - regex of users to ignore
+# pfile:   - regex of files to ignore
+# pdir:    - regex of directories to ignore
+# psym:    - regex of symlinks to ignore
+# pscript: - regex of web script to ignore (ModSecurity hook)
+#
+# The following do not apply to web script uploads via ModSecurity hook:
+# hfile:   - ignore file relative to a users homedir
+# hdir:    - ignore directory relative to a users homedir
+# hsym:    - ignore symlink relative to a users homedir
+#
+# match:   - ignore regex pattern match
+# md5sum:  - ignore file md5sum
+# fp:      - ignore fingerprint match
+#
+# The following only apply to web and ftp script uploads:
+# ip:      - ignore uploads from IP address
+#
+# You can include additional entries using external files with:
+# Include /path/to/cxs.altignore
+#
+hdir:/etc
+hdir:/mail
+hdir:/tmp
+hdir:/.cagefs
+hdir:/.fantasticodata
+hdir:/.rvsitebuilder
+hdir:/.sqmaildata
+hdir:/.trash
+hdir:/.quarantine
+hdir:/quarantine_clamavconnector
+hsym:/access-logs
+hfile:/public_html/cgi-bin/randhtml.cgi
+hfile:/public_html/cgi-bin/entropybanner.cgi
+hfile:/public_html/cgi-bin/cgiemail
+hfile:/public_html/cgi-bin/cgiecho
+hfile:/public_html/cgi-bin/cpdownload/cpaneldownacct.cgi
+hfile:/public_html/cgi-bin/cpdownload/cpaneldownload.cgi
+hfile:/public_html/cgi-bin/cpdownload/cpanelkill.cgi
+hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.c
+hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.cgi
+pfile:^/tmp/clamav-.*
+pdir:^/tmp/clamav-.* 
+pfile:^/tmp/cxs_.*
+md5sum:f3c8aaf882d1ed25a7f5fe7fd2ee4d9d

cxs/cxs.monitor.example

@@ -0,0 +1,39 @@
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of files and directories for cxs Watch to monitor.
+# The feature is intended to only monitor a small number of infrequently used
+# files or small directories and generate reports of the changes
+#
+# You must use the following format of one record per line:
+#
+# options|interval|/path/to/resource
+#
+# options (standard):
+# C = Created
+# M = Modified
+# A = Attributes Changed
+# D = Deleted
+#
+# options (additional):
+# 5 = Compare before and after file md5sums - not recommended with large files
+#     or directories that could affect performance
+# X = Compare before and after file contents (creates diff output) when 
+#     modified - not generally recommended due to memory requirements
+# Q = Store a copy of before and after files in quarantine when modified - not
+#     generally recommended as it may impact disk space
+# L = Log continuous report to /var/log/cxsmonitor.log
+#
+# interval:
+# Seconds before a report is sent (i.e. not sent less than NN seconds apart),
+# e.g. 60 will not send report less than 1 minute apart
+#
+# /path/to/resource:
+# The full path to a file or directory to monitor
+#
+# Example to monitor cron job changes and report not more that once per minute:
+#CMAD|60|/var/spool/cron/
+#
+# For more information see the cxs POD documentation

cxs/cxs.template.example

@@ -0,0 +1,11 @@
+From: [from]
+To: [to]
+CC: [user]
+Subject: cxs Scan on [hostname] (Hits:[hits]) (Viruses:[viruses]) (Fingerprints:[fingerprints])
+
+Time        : [time]
+User Contact: [user]
+
+The following has been reported by the ConfigServer eXploit Scanner running on [hostname]:
+
+[text]

cxs/cxs.xtra

@@ -0,0 +1,33 @@
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of regular expression matches and filenames that
+# cxs will additionally scan for, one per line.
+#
+# You must use the following format:
+#
+# regall:   - regular expression match for all script files
+# regphp:   - regular expression match for only php script files
+# regperl:  - regular expression match for only perl script files
+# regfile:  - regular expression match for a file or directory name
+# file:     - file or directory name match (not a regex)
+# md5sum:   - md5sum of a file to match as: Known exploit = [Fingerprint Match]
+#
+# Examples:
+#	regall:/etc/passwd
+#	regfile:\.pl$
+#	file:r00t.php
+#
+# To force quarantine of a file when using --quarantine, prefix the match with
+# "quarantine:", e.g.:
+#
+#	regall:quarantine:/etc/passwd
+#	regfile:quarantine:\.pl$
+#	file:quarantine:r00t.php
+#
+# You can include additional entries using external files with:
+# Include /path/to/cxs.altxtra
+#
+# Note: All regex's must be properly specified and escaped to work correctly

cxs/cxs.xtra.example

@@ -0,0 +1,33 @@
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of regular expression matches and filenames that
+# cxs will additionally scan for, one per line.
+#
+# You must use the following format:
+#
+# regall:   - regular expression match for all script files
+# regphp:   - regular expression match for only php script files
+# regperl:  - regular expression match for only perl script files
+# regfile:  - regular expression match for a file or directory name
+# file:     - file or directory name match (not a regex)
+# md5sum:   - md5sum of a file to match as: Known exploit = [Fingerprint Match]
+#
+# Examples:
+#	regall:/etc/passwd
+#	regfile:\.pl$
+#	file:r00t.php
+#
+# To force quarantine of a file when using --quarantine, prefix the match with
+# "quarantine:", e.g.:
+#
+#	regall:quarantine:/etc/passwd
+#	regfile:quarantine:\.pl$
+#	file:quarantine:r00t.php
+#
+# You can include additional entries using external files with:
+# Include /path/to/cxs.altxtra
+#
+# Note: All regex's must be properly specified and escaped to work correctly

cxs/cxs/index.cgi

@@ -0,0 +1,50 @@
+#!/usr/bin/perl
+###############################################################################
+# Copyright 2009-2013, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# start main
+use strict;
+use File::Find;
+use Fcntl qw(:DEFAULT :flock);
+use Sys::Hostname qw(hostname);
+use IPC::Open3;
+use File::Copy;
+use Digest::MD5;
+
+our ($script, $script_da, $images, %FORM, $myv, %in);
+
+my ($childin, $childout);
+my $pid = open3($childin, $childout, $childout, "/usr/sbin/cxs --version");
+my @data = <$childout>;
+waitpid ($pid, 0);
+chomp @data;
+if ($data[0] =~ /v(.*)$/) {$myv = $1}
+
+$script = "/cxs/index.cgi";
+$images = "/cxs/images";
+
+print "Content-type: text/html\r\n\r\n";
+
+do '../web-lib.pl';      
+&init_config();         
+&ReadParse();
+%FORM = %in;
+
+print <<EOF;
+<!DOCTYPE html>
+<HTML>
+<HEAD>
+<TITLE>ConfigServer Security & Firewall</TITLE>
+</HEAD>
+<BODY>
+EOF
+unless ($FORM{action} eq "tailcmd" or $FORM{action} eq "logtailcmd") {
+	print "<img src='images/cxs_small.png' align='absmiddle' /> <b style='font-size: 16px'>ConfigServer Exploit Scanner - cxs v$myv</b>";
+}
+
+do "/etc/cxs/cxsui.pl";
+print "</BODY>\n</HTML>\n";
+
+1;

cxs/cxs/module.info

@@ -0,0 +1,3 @@
+name=cxs
+desc=ConfigServer Exploit Scanner
+category=system

cxs/cxscgi.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The option --cgi MUST be used on the cxs command line here
+#
+# Examples (only use ONE line for cxs scanning):
+#/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
+#/usr/sbin/cxs --quiet --cgi --smtp --mail root --quarantine /home/safe/ "$1"
+#/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
+#
+# If you use --logfile, remember to chmod 666 [file] to allow write access
+#
+# You should include --smtp to allow the nobody user (which ModSecurity runs
+# under) to send email.
+
+#/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
+/usr/sbin/cxs --quiet --cgi --block --smtp --mail csf@gazduire.ro --qoptions mMOfSGchdnTv -I /etc/cxs/cxs.ignore --logfile /var/log/cxs.log "$1"

cxs/cxschroot.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# Experimental procedure to create a chroot environment for script decoding
+
+DESTDIR="/home/cxschroot"
+
+echo -n "Preparing chroot environment..."
+mkdir -p $DESTDIR/sys
+mkdir -p $DESTDIR/proc
+mkdir -p $DESTDIR/dev
+mkdir -p $DESTDIR/etc
+mkdir -p $DESTDIR/tmp
+mkdir -p $DESTDIR/lib
+mkdir -p $DESTDIR/lib64
+cp /lib/libgcc* $DESTDIR/lib/
+if [ -d "/lib64/" ]; then
+	cp /lib64/libgcc* $DESTDIR/lib64/
+fi
+echo "DONE"
+
+echo -n "Copying files..."
+for prog in /bin/bash /bin/ls /usr/bin/id /usr/local/bin/php /usr/bin/php; do
+	if [ -e $prog ]; then
+		mkdir -p $DESTDIR/`dirname $prog`
+		cp $prog $DESTDIR/$prog
+
+		for lib in `ldd $prog |sed -rn 's/[^\/]*(.*\/lib.*\/[^ ]*).*/\1/gp'`; do 
+			mkdir -p $DESTDIR/`dirname $lib`
+			cp $lib $DESTDIR/$lib
+		done
+	fi
+done
+echo "DONE"
+
+echo "Adding cxschroot user..."
+useradd -M -s /bin/false cxschroot
+chown cxschroot:cxschroot $DESTDIR/tmp
+echo "DONE"
+
+echo "Block outgoing connections by cxschroot in csf..."
+echo '#!/bin/bash
+/sbin/iptables -I OUTPUT -m owner --uid-owner cxschroot -j DROP
+' >> /etc/csf/csfpost.sh
+chmod +x /etc/csf/csfpost.sh
+/sbin/iptables -I OUTPUT -m owner --uid-owner cxschroot -j DROP
+echo "DONE"
+echo
+echo "You should now be able to use            : cxs --chroot /home/cxschroot --chuser cxschroot ..."
+echo "You can test the chroot environment using: cxs --chroot /home/cxschroot --chuser cxschroot --chtest"
+echo

cxs/cxscron.txt

@@ -0,0 +1,28 @@
+Taken from man -s5 crontab:
+<p>Commands are executed by cron when the minute, hour, and month of year fields match the current time, and at least one of the two day fields (day of month, or day of week) match the current time (see "Note" below). Note that this means that non-existent times, such as "missing hours" during daylight savings conversion, will never match, causing jobs scheduled during the "missing times" not to be run. Similarly, times that occur more than once (again, during daylight savings conversion) will cause matching jobs to be run twice.</p>
+
+<p>cron examines cron entries once every minute.</p>
+
+<p>The time and date fields are:</p>
+<pre>
+      field          allowed values
+      -----          --------------
+      minute         0-59
+      hour           0-23
+      day of month   1-31
+      month          1-12 (or names, see below)
+      day of week    0-7 (0 or 7 is Sun, or use names)
+</pre>
+<p>A field may be an asterisk (*), which always stands for "first-last".</p>
+
+<p>Ranges of numbers are allowed. Ranges are two numbers separated with a hyphen. The specified range is inclusive. For example, 8-11 for an "hours" entry specifies execution at hours 8, 9, 10 and 11.</p>
+
+<p>Lists are allowed. A list is a set of numbers (or ranges) separated by commas. Examples: "1,2,5,9", "0-4,8-12".</p>
+
+<p>Step values can be used in conjunction with ranges. Following a range with "<number>" specifies skips of the number's value through the range. For example, "0-23/2" can be used in the hours field to specify command execution every other hour (the alternative in the V7 standard is "0,2,4,6,8,10,12,14,16,18,20,22"). Steps are also permitted after an asterisk, so if you want to say "every two hours", just use "*/2".</p>
+
+<p>Names can also be used for the "month" and "day of week" fields. Use the first three letters of the particular day or month (case doesn't matter). Ranges or lists of names are not allowed.<p>
+
+<p>The "sixth" field (the rest of the line) specifies the command to be run. The entire command portion of the line, up to a newline or % character, will be executed by /bin/sh or by the shell specified in the SHELL variable of the cronfile. Percent-signs (%) in the command, unless escaped with backslash (\), will be changed into newline characters, and all data after the first % will be sent to the command as standard input.</p>
+
+<p>Note: The day of a command's execution can be specified by two fields: day of month, and day of week. If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. For example, "30 4 1,15 * 5" would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.</p>

cxs/cxsdaily.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# Run this script via cron daily
+
+# Daily update of cxs and/or fingerprint definitions
+/usr/sbin/cxs --upgrade --quiet
+
+# Daily cleanup of quarantine if used. Modify to specify your quarantine
+# directory and duplicate if you use more than one.
+#
+# Set --qclean to the number of days to retain, e.g. 7 = one week
+
+/usr/sbin/cxs --qclean 7 --quarantine /home/quarantine --quiet

cxs/cxsftp.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The option --ftp MUST be used on the cxs command line here
+#
+# Examples (only use ONE line for cxs scanning):
+#/usr/sbin/cxs --quiet --ftp --mail root "$1"
+#/usr/sbin/cxs --quiet --ftp --mail root --quarantine /home/safe/ "$1"
+#/usr/sbin/cxs --quiet --ftp --mail root --quarantine /home/safe/ --block "$1"
+#/usr/sbin/cxs --quiet --ftp --logfile /var/log/cxs.log "$1"
+#
+# If you use --logfile, remember to chmod 666 [file] to allow write access
+
+#/usr/sbin/cxs --quiet --ftp --smtp --mail root "$1"
+/usr/sbin/cxs --quiet --ftp --exploitscan --virusscan --block --smtp --mail csf@gazduire.ro -I /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --quarantine /home/quarantine/ --qoptions Mfchv -C /tmp/    clamd -E "$1"

cxs/cxswatch.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The option --Wstart MUST be used on the cxs command line here
+#
+# Examples (only use ONE line for cxs scanning):
+#/usr/sbin/cxs --Wstart --allusers --mail root
+#/usr/sbin/cxs --Wstart --allusers --www --mail root --quarantine /home/safe/ --qoptions Mv --Wadd /etc/cxs/cxs.wadd
+#
+# We would recommend using --qoptions Mv initially if you use --quarantine
+# otherwise you might find cxs quarantining files that you do not want to.
+# For example, you probably do NOT want to quarantine all script files (T)!
+#
+
+#/usr/sbin/cxs --options -wW --Wstart --allusers --www --smtp --mail root --Wmaxchild 3 --Wloglevel 0 --Wsleep 3 --filemax 0 --Wrateignore 300
+/usr/sbin/cxs --Wstart --allusers --www --exploitscan --virusscan --block --smtp --mail csf@gazduire.ro -Q /home/quarantine/ -I /etc/cxs/cxs.ignore --options mMvOfuSGchnZRD --qoptions mMfcv -C /tmp/clamd --Wmaxchild 1 --Wloglevel 0 --Wsleep 5 --filemax 0 --Wrateignore 300 --Wsymlink /etc/cxs/symlinkdisable.pl

cxs/htaccessdisable.example.pl

@@ -0,0 +1,55 @@
+#!/usr/local/cpanel/3rdparty/bin/perl
+#******************************************************************************
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.waytotheweb.com
+# Email: sales@waytotheweb.com
+#******************************************************************************
+# Example to disable a directory containing a match using a .htaccess file
+#
+# NOTE: If you intend to use this script, copy it to a different filename as
+# this file will be overwritten when cxs upgrades
+use strict;
+use File::Basename;
+
+# Set to 1 to have more verbose output
+my $verbose = 0;
+
+if (@ARGV < 2) {print "\ncpanelsuspend.pl: Not enough Args to suspend: @ARGV\n"; exit}
+
+# Assign arguments to variables
+my $filename = $ARGV[0];
+my $option = $ARGV[1];
+my $message = $ARGV[2];
+my $account = $ARGV[3];
+
+# Get the directory name from the file name
+my $dirname  = dirname($filename);
+
+# If option is a Virus or Known Exploit
+if ($option =~ /v|M$/) {
+
+	# Check we have a directory
+	if (-d $dirname) {
+
+		# Check that we haven't already disabled a .htaccess file in this directory
+		if (!(-e "$dirname/.htaccess.cxs_disable") and -e "$dirname/.htaccess") {
+			system("/bin/cp","-a","$dirname/.htaccess","$dirname/.htaccess.cxs_disable");
+		}
+		elsif (-e "$dirname/.htaccess.cxs_disable" and !(-e "$dirname/.htaccess")) {
+			unlink("$dirname/.htaccess.cxs_disable");
+		}
+
+		# Write out a new .htaccess file denying access
+		open (my $HTACCESS, ">", "$dirname/.htaccess") or die "htaccessdisable.pl: Unable to create [$dirname/.htaccess] - $!";
+		print $HTACCESS "#cxs has disabled web access to this directory\n";
+		print $HTACCESS "deny from all\n";
+		close ($HTACCESS) or die "htaccessdisable.pl: Unable to create [$dirname/.htaccess] - $!";
+
+		if ($verbose) {print "\nhtaccessdisable.pl: Directory [$dirname] disabled\n"}
+
+	} else {if ($verbose) {print "\nhtaccessdisable.pl: Directory for [$filename] does not exist\n"}}
+
+
+} else {if ($verbose) {print "\nhtaccessdisable.pl: Not a suspend option ($option)\n"}}
+
+exit;

cxs/install.txt

@@ -0,0 +1,151 @@
+###############################################################################
+# Copyright 2009-2016, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+
+Installation
+============
+
+1. Product installation:
+
+	wget http://download.configserver.com/cxsinstaller.tgz
+	tar -xzf cxsinstaller.tgz
+	perl cxsinstaller.pl
+	rm -fv cxsinstaller.*
+
+2. You should now read the cxs documentation either through:
+
+	1. The UI
+	2. # perldoc cxs
+	3. # cxs --help
+
+If you decide to use the cxs Watch daemon you can skip items 3 to 5. Instead,
+read the documentation under the cxs Watch Daemon section on using this method.
+To install the required perl module for the cxs Watch daemon on a cPanel server
+you can use:
+
+	/scripts/perlinstaller Linux::Inotify2
+
+3. You will want to modify the following files to suit your requirements after
+   you have read the cxs documentation and studied the CLI option. These files
+   can be changed at any time and contain the cxs commands and options you want
+   to use for scanning files as they are uploaded:
+
+	The pure-ftpd upload scanner script that runs cxs:
+	/etc/cxs/cxsftp.sh
+
+	The web script upload scanner script that runs cxs:
+	/etc/cxs/cxscgi.sh
+
+4. Web script upload scanning is performed via mod_security.
+
+   This can be enabled two ways:
+
+   a. Add the following two lines (be careful of line breaks) to your mod_security
+      rules file (/usr/local/apache/conf/modsec2.user.conf on cPanel):
+
+	SecRequestBodyAccess On
+	SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
+		"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
+	SecUploadKeepFiles RelevantOnly
+	SecTmpDir /tmp
+
+	If you allow the uploading of very large files, you may need to 
+	increase the default mod_security allowable size of 128MB by using the
+	SecRequestBodyLimit directive after SecRequestBodyAccess:
+	
+	SecRequestBodyLimit 134217728
+
+	This value is in bytes (134217728 = 128MB). You might also want to
+	create the temporary files in a directory other than /tmp using:
+
+	SecTmpDir /path/to/dir
+
+	Where /path/to/dir is a directory where the large files can be
+	temporarily stored and must be writable to by the nobody user
+
+	Then restart httpd
+
+   b. Use the inbuilt cPanel ModSecurity Vendor Rules mechanism by either:
+
+        1. WHM > ModSecurity Vendors > Add Vendor > Vendor Configuration URL
+	   
+	   https://download.configserver.com/waf/meta_configserver.yaml
+
+	   Save and then restart httpd
+
+	or
+
+	2. Issue the following commands:
+
+           /scripts/modsec_vendor add https://download.configserver.com/waf/meta_configserver.yaml
+           /scripts/modsec_vendor enable configserver
+
+           Then restart httpd
+
+    You can have the ConfigServer Vendor enabled along with any other Vendor
+    that you may already be using.
+
+5. Pure-ftpd upload scanning requires you to edit the active pure-ftpd.conf
+   (e.g. /etc/pure-ftpd.conf) and adding/modifying the line:
+
+	CallUploadScript yes
+
+   Note: Pure-ftpd must be compiled with --with-uploadscript option (usually
+   done by default)
+
+   On Linux:
+   Then restart pure-ftpd and pure-uploadscript. The installation process adds
+   a new service in /etc/init.d/pure-uploadscript which runs as a daemon and
+   passes ftp uploads to /etc/cxs/cxsftp.sh
+
+   On FreeBSD:
+   Then add the following lines to /etc/rc.conf:
+
+	pureftpd_enable="YES"
+	pureftpd_upload_enable="YES"
+	pureftpd_uploadscript="/etc/cxs/cxsftp.sh"
+
+   Then restart pure-ftpd
+
+6. ClamAV scanning requires a running clamd daemon. By default cxs will look
+   for the clamd socket at /tmp/clamd and /var/clamd, if it is located
+   elsewhere then you must use the --clamdsock option and pass the socket
+   location in every cxs call (i.e. in cxsftp.sh, cxscgi.sh and the cxs CLI) or
+   use a cxs.defaults file.
+
+7. If you want automatic updates then use the following as an example:
+
+	ln -s /etc/cxs/cxsdaily.sh /etc/cron.daily/
+
+8. You can test ModSecurity upload checks by running the following command
+   which will trigger the cxs ModSecurity rule if correctly configured:
+
+   curl -F "file=@/etc/cxs/test/testexploit.php" 127.0.0.1
+
+   To test FTP uploads, download /etc/cxs/test/testexploit.php and then upload
+   using ftp.
+
+9. See the RECOMMENDATIONS in the cxs POD documentation
+
+
+Webmin Module Installation/Upgrade (not yet implemented)
+==================================
+
+To install or upgrade the cxs webmin module:
+
+Install cxs as above
+Install the cxs webmin module in:
+  Webmin > Webmin Configuration > Webmin Modules >
+  From local file > /etc/cxs/cxswebmin.tgz > Install Module
+
+
+Uninstallation
+==============
+
+Reverse items 4, 5 and 7 above, then:
+
+cd /etc/cxs
+sh uninstall.sh
+cd /root

cxs/license.txt

@@ -0,0 +1,223 @@
+Way to the Web Product License
+
+LICENCE TERMS AND CONDITIONS
+
+1.	LICENCE
+
+	1.1	Way to the Web  Limited of 73, Donaldson Way, Woodley, 
+		Reading, Berkshire, RG5 4XL ("Way to the Web")  hereby grants 
+		you a non-exclusive, non-transferable licence to download and 
+		use (the "Product") and the accompanying documentation (the 
+		"Documentation") on the following terms.
+
+	1.2	The copyright and all other rights in the Product and the 
+		 Documentation remain with Way to the Web.
+
+2.	ACCEPTANCE
+
+	You are deemed to have accepted the terms and conditions of this 
+	Licence by downloading the Product.
+
+3.	SCOPE OF LICENCE
+
+	3.1	You shall not:
+
+		3.1.1	modify, adapt, merge, translate, decompile, 
+		disassemble, or reverse engineer the Product, except as 
+		permitted by law; or
+
+		3.1.2	sell, assign, rent, sub-license, loan, mortgage, 
+		charge or otherwise deal in any way in the Product or 
+		Documentation or any interest in them except as expressly 
+		provided in this Licence.
+
+4.	DURATION OF LICENCE
+
+	4.1	This Licence  shall commence on the date hereof and, subject 
+	to other terms of this Licence,  shall continue thereafter for as 
+	long as you continue to use the Product.
+
+	4.2	This Licence shall terminate automatically if you fail to 
+	abide by any of its terms.
+
+	4.3	Upon termination of this Licence you shall destroy the 
+	Product and the Documentation and shall erase all copies of the 
+	Product under your control and stored on any medium.
+
+5.	WARRANTIES AND REMEDIES
+
+	5.1	Way to the Web warrants that for a period of 90 days from the 
+	date that the Product is downloaded, it will provide the facilities 
+	and functions set out in the Documentation when properly used and 
+	further, that the Documentation will provide adequate instruction to 
+	enable you to make proper  use of such facilities and functions.
+
+	5.2	The said warranty shall be subject to you complying with  
+	your obligations hereunder and to there having been made no 
+	alterations to the Product by any person other than Way to the Web. 
+	When notifying a defect or error  you shall  (so far as you are able) 
+	provide Way to the Web with a documented example of such defect or 
+	error.
+
+	5. 3	Way to the Web shall have no liability or obligations under 
+	the said warranty other than to remedy breaches thereof  by the 
+	provision of materials and services within a reasonable time and 
+	without charge to you.  If Way to the Web shall fail to comply with 
+	such obligations its liability for such failure shall be limited as 
+	specified in Clause 6. The foregoing states the entire liability of 
+	Way to the Web, whether in contract or tort, for defects and errors 
+	in the Products and the Documentation.
+
+	5.4	You acknowledge that the Products have not been prepared to 
+	meet your individual requirements and that it is therefore your 
+	responsibility to ensure that the facilities and functions described 
+	in the Documentation meet your requirements. Way to the Web shall not 
+	be liable for any failure of the Products to provide any facility or 
+	function not specified in the Documentation
+
+	5.5	Way to the Web does not warrant that the operation of the 
+	Products will be uninterrupted or error free or that all errors will 
+	be remedied.
+
+	5.6	Except as expressly provided in this Licence, no warranty, 
+	condition, undertaking or term, express or implied, statutory or 
+	otherwise, as to the condition, quality, performance or fitness for 
+	purpose of the Products or the Documentation is given or assumed by 
+	Way to the Web and all such warranties, conditions, undertakings and 
+	terms are hereby excluded to the fullest extent permitted by law.
+
+6.  	LIABILITY
+
+	6.1	Way to the Web will indemnify you and keep you fully and 
+	effectively indemnified against any loss of or damage to any property 
+	or injury to or death of any person caused by any negligent act or 
+	omission or wilful misconduct of  Way to the Web, its employees, 
+	agents or sub-contractors or by any breach of its contractual 
+	obligations arising out of this Licence.
+
+	6.2	Except in respect of injury to or death of any person caused
+	 by negligence (for which no limit applies) Way to the Web's 
+	liability to you under sub-clause 6.1 above in respect of each event 
+	or series of connected events shall not exceed one and a half times 
+	the price you paid to licence the Product.
+
+	6.3	Notwithstanding anything else contained in this Licence, Way 
+	to the Web shall not be liable to you for loss of profits or 
+	contracts or indirect or consequential loss or damage whether arising 
+	from negligence, breach of contract or howsoever caused
+
+	6.4	 Way to the Web shall not be liable to you for any loss 
+	arising out of  your failure to keep full and up-to-date security 
+	copies of the computer programs and data you use.
+
+7.	CONFIDENTIAL INFORMATION
+
+	7.1	You undertake   to treat as confidential and keep secret all 
+	information contained or embodied in the Products and the 
+	Documentation  which,  by its nature has the necessary quality of 
+	confidence about it ("Confidential Information"), provided that this 
+	clause shall not extend to any information which is already public 
+	knowledge or becomes so at a future date (otherwise than as a result 
+	of a breach of this clause).
+
+	7.2	You shall not without the prior written consent of Way to the 
+	Web divulge any part of the Confidential Information to any person 
+	except to:
+
+		7.2.1	your own employees and then only to those employees 
+		who need to know the same;
+
+		7.2.2	your auditors and any other persons or bodies having 
+		a right duty or obligation to know your business and then 
+		only in pursuance of such right duty or obligation;
+
+		7.2.3	any person who is from time to time appointed by you 
+		to maintain your network, website  or  the equipment upon 
+		which the Product is being used (in accordance with the terms 
+		of the Licence) and then only to the extent necessary to 
+		enable such person properly to maintain such network, website 
+		or equipment.
+
+	7.3	You undertake to ensure that the persons and bodies mentioned 
+	in paragraphs 7.2.1, 7.2.2 and 7.2.3 are made aware prior  to the 
+	disclosure of any part of the Confidential Information that the same 
+	is confidential and that they owe a duty of confidence to Way to the 
+	Web. You shall indemnify Way to the Web against any loss or damage 
+	which Way to the Web may sustain or incur as a result of  your 
+	failing to comply with such undertaking
+
+	7.4	You shall promptly notify Way to the Web if you become aware 
+	of any breach of confidence by any person to whom you  divulge all or 
+	any part of the Confidential Information and shall give Way to the 
+	Web all reasonable assistance in connection with any proceedings 
+	which Way to the Web may institute against such person for breach of 
+	confidence.
+
+	7.5	The foregoing obligations as to confidentiality shall remain 
+	in full force and effect notwithstanding any termination of this  
+	Licence.
+
+8.  	INDEMNITIES
+
+	8.1	Way to the Web shall indemnify you against any claim that the 
+	normal use or possession of the Products and/or Documentation 
+	infringes the intellectual property rights of any third party 
+	provided that Way to the Web is given immediate and complete control 
+	of such claim, that  you do not prejudice  Way to the Web's defence 
+	of such claim, that you give  Way to the Web all reasonable 
+	assistance with such claim and that the claim does not arise as a 
+	result of the use of the Products and/or Documentation in combination 
+	with any equipment or programs not supplied or approved by  Way to 
+	the Web. Way to the Web shall have the right to replace or change all 
+	or any part of the Products and/or Documentation in order to avoid 
+	any infringement. The foregoing states the entire liability of Way to 
+	the Web to you in respect of the infringement of the intellectual 
+	property rights of any third party
+
+	8.2	Except to the extent caused by  Way to the Web's breach of 
+	its obligations hereunder, or its negligent or wilful misconduct in 
+	connection with this Licence, and without limiting Way to the Web's 
+	obligations in sub-clause 8.1 above, you shall indemnify and hold  
+	Way to the Web harmless from any and all liability, loss and damage  
+	Way to the Web may suffer as a result of claims demands or judgments 
+	by any third party arising out of  your use or operation of the 
+	Products,  the Documentation and related output. You shall, at your 
+	expense, defend any such action, suit or claim against  Way to the 
+	Web.
+
+9.	SUPPORT
+
+	Way to the Web's technical support staff will, between the hours of 
+	9.00 and 17.30 UK time Monday to Friday inclusive (except on bank and 
+	public holidays), endeavour to answer on-line or by email any queries 
+	you may have about the Product. For support please either use the 
+	on-line support desk or the on-line support forum given on our 
+	Website or in the Documentation.  Any Product updates that may be 
+	made available by Way to the Web from time to time will be supplied 
+	at Way to the Web's then prevailing charges and subject to Way to the 
+	Web's then prevailing terms and conditions. Way to the Web does not 
+	guarantee backward compatibility with previous versions of the 
+	Product as it retains the right to add, remove or modify any feature 
+	or function in previous versions, at its sole discretion.
+
+10.	OTHER SERVICES
+
+	Way to the Web may also provide you with, at its option and subject 
+	to its then prevailing charges and terms and conditions, other 
+	services in relation to the Product, such as installation and 
+	consultancy  services. Please contact Way to the Web at the number 
+	given on our Website or in the Documentation for more information 
+	about such services.
+
+11.	CONSUMERS
+
+	If you deal as a consumer as defined in the Unfair Contract Terms Act 
+	1977, your statutory rights remain unaffected.
+
+12.	LAW
+
+	This Licence constitutes the entire agreement between you and Way to 
+	the Web relating to the Product and the Documentation and is governed 
+	by and construed in accordance with  the laws of England. The courts 
+	of England shall have exclusive jurisdiction. 
+

cxs/reference.txt

@@ -0,0 +1,134 @@
+Exploit Scanning Reference
+==========================
+
+m = Regular expression match = [regex]
+
+cxs has a regular expression lookup table which it uses to identify suspicious
+files. These regex patterns look for two types of text constructs. Firstly,
+those of known exploits (a fingerprint approach). Secondly, generic text
+constructs found in common between many types of exploit (a heuristic
+approach). For example, one of the regex patterns looks for the use of base64
+encoded data in PHP scripts. This method of obfuscation is typically used by
+exploits to hide their true purpose. If this regex is matched from the text
+in a file, then that file will be reported as suspicious. You can ignore
+specific regex patterns using an ignore file and the match: prefix.
+
+M = Known exploit = [Fingerprint Match]
+
+cxs uses a lookup table of over 4500 exploit script fingerprints and matches
+scripts that have an identical fingerprint value.
+
+O = socket
+
+A socket is typically used to transfer data between two separate processes. You
+would not normally expect to find a socket within a web hosting account and its
+presence is therefore regarded here as suspicious.
+
+L = Symlink to [symlink]
+
+A symlink, or symbolic link, is a special type of file that provides a
+reference to another file or directory. These are usually used for convenience
+by the OS and server administrators to reorder the file system. For example, on
+a cPanel server symlinks are used in the user mail accounts structure for their
+imap implementation. You would not normally expect to find a symlink within a
+web hosting account web root to files outside of that account (e.g. to system
+files) and its presence is therefore regarded here as suspicious. Symlinks to
+files within an account are ignored.
+
+f = suspicious file
+
+cxs will report file suspicious files, e.g. image files that contain script
+code or C/C++ files. The former should not normally exists and you don't
+usually see C/C++ files in standard web hosting accounts.
+
+S = SUID file
+
+Files with SUID, or set user ID, permissions allow users to run an executable
+with the permissions of the executable's owner. Typically, this permission is
+used on files to provide elevated privileges on a server to a user executing
+such a file. You would not normally expect to find a file with SUID permissions
+within a web hosting account and its presence is therefore regarded here as
+suspicious.
+
+G = GUID file
+
+Files with GUID, or set group ID, permissions allow users to run an executable
+with the permissions of the executable's owner. Typically, this permission is
+used on files to provide elevated privileges on a server to a user executing
+such a file. You would not normally expect to find a file with SUID permissions
+within a web hosting account and its presence is therefore regarded here as
+suspicious.
+
+c = core dump file
+
+A core dump file is a special system file generated by some executables.
+Typically, they are generated when an executable hits a fatal error during
+execution. At best, such files indicate a problem with the executable involved
+and consumes considerable disk space. At worst, core dump files have been used
+to gain elevated user privileges and exploit a server.
+
+C = core dump file deleted
+
+This option will automatically delete core dump files as described above.
+
+h = suspected exploit file
+
+cxs uses a lookup table of file names and file types which are commonly used by
+exploits. For example, you would not normally expect to find a file named httpd
+within a web hosting account and indeed a common exploit uses that name in an
+attempt to appear innocuous.
+
+e = Linux binary or executable file
+
+A linux binary or executable file is one that will run on a linux OS (ELF -
+Executable and Linking Format). Typically, such files within user accounts are
+exploits that run as daemon processes mimicking system processes to remain
+hidden. You would not normally expect to find a linux binary file within a web
+hosting account and its presence is therefore regarded here as suspicious.
+
+x = Windows binary or executable file
+
+While a windows binary file cannot be executed on a linux OS, you would not
+normally expect to find one within a web hosting account and its presence could
+indicate a Trojan file and so is regarded here as suspicious.
+
+d = suspicious directory name
+
+cxs will report directory names that contain non-standard ASCII characters.
+Such directory can often be used in such a way as to appear hidden to the
+end-user. An example would be a directory called /.../ or / ../ which might
+appear innocuous but often such directories contain exploits.
+
+n = hidden directory owned by nobody user
+
+A directory with a leading dot (e.g. /.hidden/) will often not be apparent in
+many FTP client applications. One that is owned by the nobody user account has
+likely been created by a web script running under the nobody user account
+(typically a PHP script where suPHP is not enabled). Such directories are
+suspicious in their nature of attempting to be hidden and so are reported.
+
+w = world writable directory
+
+In a shared web hosting environment a directory that is world writable can
+typically be read and written to by any user on the server. Such directories
+should be avoided, especially in web roots, as it can allow exploits to spread
+between user accounts.
+
+T = script file
+
+This is a special option to identify scripts. It attempts to identify PHP,
+Perl, and other shebang ($!) script files such as shell scripts. You may not
+want to allow scripts to be uploaded through upload forms, or to be present in
+certain directories that you scan (e.g. /tmp or /dev/shm) so this option is
+available to detect them.
+
+E = Email script match
+
+This indicates that the script sends out email. This can be useful if you are
+trying to identify emails within an account that send out email.
+
+s = Script version check [OLD/OK/UNKNOWN] [SCRIPTNAME INSTALLED <>= LATEST]
+
+This option will search for common web script installations and report if older
+than the latest version on record. Using old versions of software often poses a
+serious security risk and users should be encouraged to keep them up to date.

cxs/servers

@@ -0,0 +1 @@
+aHR0cDovL2xpY2Vuc2UuY29uZmlnc2VydmVyLmNvbQ==

cxs/symlinkdisable.pl

@@ -0,0 +1,95 @@
+#!/usr/local/cpanel/3rdparty/bin/perl
+#******************************************************************************
+# Copyright 2009-2013, Way to the Web Limited
+# URL: http://www.waytotheweb.com
+# Email: sales@waytotheweb.com
+#******************************************************************************
+# Example cPanel Symlink Script for cxs watch --Wsymlink [script] option
+#
+# NOTE: If you intend to use this script, copy it to a different filename as
+# this file will be overwritten when cxs upgrades. When you do this you also
+# need to change the --Wsymlink [script] in /etc/cxs/cxswatch.sh and restart
+# cxs watch
+
+use strict;
+use Sys::Hostname;
+use POSIX qw(strftime);
+use Fcntl qw(:DEFAULT :flock);
+
+# Set to 1 to only send an email
+# Set to 2 to send an email and disable the directory with chmod 000 and chattr +i
+# Set to 3 to send an email and suspend the cPanel account if determined
+my $action = 1;
+
+# Assign arguments to variables
+my $directory = $ARGV[0];
+my $account = $ARGV[1];
+
+# Setup hostname for emails
+my $hostname = hostname;
+
+# Setup timesone for emails
+my $tz = strftime("\%z", localtime);
+
+# Check if we've already sent an alert for this directory in the last hour to
+# prevent flooding. Remember to remove the temporary file in
+# /etc/cxs/symlinktmp/ if you want to detect hits again within the hour
+if ($directory) {
+        unless (-d "/etc/cxs/symlinktmp") {mkdir("/etc/cxs/symlinktmp")}
+        my $cmpdir = $directory;
+        $cmpdir =~ s/\W/_/g;
+        if (-e "/etc/cxs/symlinktmp/$cmpdir") {
+                open (FILE, "</etc/cxs/symlinktmp/$cmpdir");
+                flock (FILE, LOCK_SH);
+                my $time = <FILE>;
+                close (FILE);
+                chomp $time;
+                if (time - $time < 3600) {
+                        # We have sent an alert so exit
+                        exit;
+                } else {
+                        unlink ("/etc/cxs/symlinktmp/$cmpdir");
+                }
+        } else {
+                sysopen (FILE, "/etc/cxs/symlinktmp/$cmpdir", O_WRONLY | O_CREAT);
+                flock (FILE, LOCK_EX);
+                print FILE time;
+                close (FILE);
+        }
+}
+
+#Perform the configured action
+if ($action >= 1) {
+        # send an email to root from root
+        if ($account eq "") {$account = "[unknown]"}
+        open (FH, "|/usr/sbin/sendmail -t");
+        print FH "From: root\n";
+        print FH "To: root\n";
+        print FH "Subject: Possible Symlink Attack detected in $directory on $hostname\n";
+        print FH "\n";
+        print FH "Time:      ".localtime(time)." $tz\n";
+        print FH "Account:   $account\n";
+        print FH "Directory: $directory\n";
+        if ($action == 2) {print FH "Action:    Directory disabled with chmod 000 and chattr +1\n"}
+        if ($action == 3 and $account ne "[unkown]") {print FH "Action:    Account suspended where possible\n"}
+        close (FH);
+}
+if ($action == 2) {
+        # check this is a directory
+        if (-d $directory) {
+                # disable $directory
+                system ("chmod 000 '$directory'; chattr +i '$directory'");
+        }
+}
+if ($action == 3 and $account ne "") {
+        # if this is definitely a cPanel account
+        if (-e "/var/cpanel/users/$account") {
+                # If this account is not already suspended
+                unless (-e "/var/cpanel/suspended/$account") {
+                                # Suspend the account
+                                system("/scripts/suspendacct","$account");
+                }
+        }
+}
+
+exit;

cxs/test/testexploit.php

@@ -0,0 +1 @@
+<?php echo "thisisacxstestexploit"; ?>

cxs/uninstall.sh

@@ -0,0 +1,58 @@
+#!/bin/sh
+echo "Uninstalling cxs..."
+echo
+
+rm -fv /var/run/chkservd/cxswatch
+sed -i '/^cxswatch:/d' /etc/chkserv.d/chkservd.conf
+/scripts/restartsrv_chkservd
+
+if test `cat /proc/1/comm` = "systemd"
+then
+    systemctl disable cxswatch.service
+    systemctl disable pure-uploadscript.service
+    systemctl stop cxswatch.service
+    systemctl stop pure-uploadscript.service
+    rm -fv /usr/lib/systemd/system/cxswatch.service
+    rm -fv /usr/lib/systemd/system/pure-uploadscript.service
+    systemctl daemon-reload
+else
+    /etc/init.d/cxswatch stop
+    /sbin/chkconfig cxswatch off
+    /sbin/chkconfig cxswatch --del
+    rm -fv /etc/init.d/cxswatch
+
+    /etc/init.d/pure-uploadscript stop
+    chkconfig pure-uploadscript off
+    chkconfig pure-uploadscript --del
+    rm -fv /etc/init.d/pure-uploadscript
+fi
+
+sed -i "s/^CallUploadScript/\#CallUploadScript/" /etc/pure-ftpd.conf
+sed -i "/^CallUploadScript/d" /var/cpanel/conf/pureftpd/main
+/scripts/restartsrv_ftpserver
+
+if [ -e "/usr/local/cpanel/bin/unregister_appconfig" ]; then
+    cd /
+	/usr/local/cpanel/bin/unregister_appconfig cxs
+fi
+
+rm -fv /usr/sbin/cxs
+rm -fv /etc/cron.d/cxs-cron
+rm -fv /etc/cron.daily/cxsdaily.sh
+rm -fv /scripts/postftpup
+
+/bin/rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cxs.cgi
+/bin/rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cxs
+
+/bin/rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cxs.cgi
+/bin/rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cxs
+
+/scripts/modsec_vendor remove configserver
+/usr/local/cpanel/bin/manage_hooks delete module ConfigServer::CXS::FTPHook > /dev/null 2>&1
+
+rm -Rfv /etc/cxs
+
+wget -q -O /dev/null http://license.configserver.com/cgi-bin/cxs/uninstall.cgi
+
+echo
+echo "...Done"