Initial commit.
134
cxs/reference.txt
Normal file
@@ -0,0 +1,134 @@
Exploit Scanning Reference
==========================

m = Regular expression match = [regex]

cxs has a regular expression lookup table which it uses to identify suspicious
files. These regex patterns look for two types of text constructs. Firstly,
those of known exploits (a fingerprint approach). Secondly, generic text
constructs found in common between many types of exploit (a heuristic
approach). For example, one of the regex patterns looks for the use of base64
encoded data in PHP scripts. This method of obfuscation is typically used by
exploits to hide their true purpose. If this regex is matched from the text
in a file, then that file will be reported as suspicious. You can ignore
specific regex patterns using an ignore file and the match: prefix.

M = Known exploit = [Fingerprint Match]

cxs uses a lookup table of over 4500 exploit script fingerprints and matches
scripts that have an identical fingerprint value.

O = socket

A socket is typically used to transfer data between two separate processes. You
would not normally expect to find a socket within a web hosting account and its
presence is therefore regarded here as suspicious.

L = Symlink to [symlink]

A symlink, or symbolic link, is a special type of file that provides a
reference to another file or directory. These are usually used for convenience
by the OS and server administrators to reorder the file system. For example, on
a cPanel server symlinks are used in the user mail accounts structure for their
imap implementation. You would not normally expect to find a symlink within a
web hosting account web root to files outside of that account (e.g. to system
files) and its presence is therefore regarded here as suspicious. Symlinks to
files within an account are ignored.

f = suspicious file

cxs will report file suspicious files, e.g. image files that contain script
code or C/C++ files. The former should not normally exists and you don't
usually see C/C++ files in standard web hosting accounts.

S = SUID file

Files with SUID, or set user ID, permissions allow users to run an executable
with the permissions of the executable's owner. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with SUID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.

G = GUID file

Files with GUID, or set group ID, permissions allow users to run an executable
with the permissions of the executable's owner. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with SUID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.

c = core dump file

A core dump file is a special system file generated by some executables.
Typically, they are generated when an executable hits a fatal error during
execution. At best, such files indicate a problem with the executable involved
and consumes considerable disk space. At worst, core dump files have been used
to gain elevated user privileges and exploit a server.

C = core dump file deleted

This option will automatically delete core dump files as described above.

h = suspected exploit file

cxs uses a lookup table of file names and file types which are commonly used by
exploits. For example, you would not normally expect to find a file named httpd
within a web hosting account and indeed a common exploit uses that name in an
attempt to appear innocuous.

e = Linux binary or executable file

A linux binary or executable file is one that will run on a linux OS (ELF -
Executable and Linking Format). Typically, such files within user accounts are
exploits that run as daemon processes mimicking system processes to remain
hidden. You would not normally expect to find a linux binary file within a web
hosting account and its presence is therefore regarded here as suspicious.

x = Windows binary or executable file

While a windows binary file cannot be executed on a linux OS, you would not
normally expect to find one within a web hosting account and its presence could
indicate a Trojan file and so is regarded here as suspicious.

d = suspicious directory name

cxs will report directory names that contain non-standard ASCII characters.
Such directory can often be used in such a way as to appear hidden to the
end-user. An example would be a directory called /.../ or / ../ which might
appear innocuous but often such directories contain exploits.

n = hidden directory owned by nobody user

A directory with a leading dot (e.g. /.hidden/) will often not be apparent in
many FTP client applications. One that is owned by the nobody user account has
likely been created by a web script running under the nobody user account
(typically a PHP script where suPHP is not enabled). Such directories are
suspicious in their nature of attempting to be hidden and so are reported.

w = world writable directory

In a shared web hosting environment a directory that is world writable can
typically be read and written to by any user on the server. Such directories
should be avoided, especially in web roots, as it can allow exploits to spread
between user accounts.

T = script file

This is a special option to identify scripts. It attempts to identify PHP,
Perl, and other shebang ($!) script files such as shell scripts. You may not
want to allow scripts to be uploaded through upload forms, or to be present in
certain directories that you scan (e.g. /tmp or /dev/shm) so this option is
available to detect them.

E = Email script match

This indicates that the script sends out email. This can be useful if you are
trying to identify emails within an account that send out email.

s = Script version check [OLD/OK/UNKNOWN] [SCRIPTNAME INSTALLED <>= LATEST]

This option will search for common web script installations and report if older
than the latest version on record. Using old versions of software often poses a
serious security risk and users should be encouraged to keep them up to date.
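Review bot: the "G = GUID file" paragraph is a copy of the "S = SUID file" paragraph and therefore documents the wrong bit: a set-group-ID executable runs with the permissions of the executable's group, not "the permissions of the executable's owner", and the closing sentence "You would not normally expect to find a file with SUID permissions" should say SGID permissions. The abbreviation is also non-standard; "GUID" normally means a globally unique identifier, so the heading should read "G = SGID file" (or spell out "set group ID" throughout) to match how the SUID section is named. Smaller points in the same hunk: under "T = script file", "shebang ($!)" should be "shebang (#!)", since $! is not the interpreter marker the paragraph is describing; under "f = suspicious file", "cxs will report file suspicious files" has a stray "file" and "should not normally exists" should be "exist"; under "E = Email script match", "identify emails within an account that send out email" should be "identify scripts within an account that send out email"; under "c = core dump file", "consumes" should agree with "such files" ("consume"), and the claim that core dumps "have been used to gain elevated user privileges" would be more useful with a one-line explanation (a dump can capture secrets held in memory by a privileged process) or should be dropped; under "d = suspicious directory name", the examples /.../ and / ../ are made of ordinary ASCII dots and a space, so either the first sentence should describe the real criterion (names built from dots, spaces or other characters that make a directory easy to overlook) or the examples should be ones that actually contain non-standard characters.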