ChangeLog:

6.14 - Modified ModSecurity integration Install/Remove options in cxs UI for EA4 as cPanel has moved files to a different directory

6.13 - Fixed some incorrect file locks
       Removed Bareword file handles

6.11 - Ensure all file opens are properly flocked
       Switch to using require instead of eval/use to load runtime modules where possible
       Code review - started addressing perl critic suggestions in all scripts and modules
       Fixed incorrect --summary when subdomains are outside of public_html while using --www
       Memory and CPU optimisations
       PHP script decoding up to 15% faster
       PHP fingerprint regex matching up to 50% faster
       postftpup converted to a cPanel Hook
       Exploit fingerprint definitions database additions

6.10 - On cPanel servers, ensure all document roots are scanned when using --www, not just ~/public_html/ (i.e. domains, SSL, addons, subdomains)
       Fix pure-uploadscript init script to exit with appropriate status code
       Exploit fingerprint definitions database additions

6.09 - Fixed quarantine store of file group ownership, used for display purposes only. The problem manifests when a user's uid != gid and the incorrect group is used for display purposes
       Fixed Wmonitor display of file group ownership. The problem manifests when a user's uid != gid and the incorrect group is used for display purposes

6.08 - Replace /etc/cxs/test/ files with a single non-threatening script that will test trigger cxs and can be used to check the cxs ModSecurity rule is working. See /etc/cxs/install.txt for details
       Modified ModSecurity integration Install/Remove options in cxs UI for EA4
       Exploit fingerprint definitions database additions

6.07 - Added text field in UI for PureFTPd/ModSecurity to indicate whether the option is currently enabled or disabled

6.06 - Fixed crond restart in UI on RHEL/CentOS/CloudLinux v7 which left pages blank
       Exploit fingerprint definitions database additions

6.05 - Added version detection for Drupal v8
       Added PureFTPd integration Enable/Disable/Restart options to cxs UI
       Added ModSecurity integration Install/Remove options to cxs UI
       Mute perl lc UTF-16 warnings where necessary
       New --options [U]. This option will match PHP scripts that allow uploading files to the server via the HTTP POST method. This option requires that --options [m] is also specified
       Added --options [U] to the Restricted Mode UI options
       UI updates and improvements
       Exploit fingerprint definitions database additions

6.04 - Ensure CallUploadScript is disabled in /etc/pure-ftpd.conf on cPanel servers on uninstall
       Exploit fingerprint definitions database additions

6.03 - Fixed UI issue where --soptions [as] were not being set
       Exploit fingerprint definitions database additions

6.02 - Fixed issues with DA UI quarantine restore
       Improved DA UI POD display

6.01 - Added unsupported option --YSKIPUNCLAM. See POD for more information
       Exploit fingerprint definitions database additions

6.00 - Added new major feature for cxs Watch: --Wmonitor [file]. This option allows you to monitor and report on changes to a list of resources in [file]. See cxs POD for more information
       Added option --Wmonignore [file] to use instead of --ignore [file] for use with --Wmonitor [file]
       Added IO::Select as a required perl module (a core perl module, so it should always be present)
       Improvements to php file detection
       Improvements to deobfuscation routines
       Fixed bug in display of atime for some quarantined files
       Fix BCC header replacement field in email reports
       Exploit fingerprint definitions database additions

5.33 - POD corrections and additions
       Exploit fingerprint definitions database additions

5.32 - Force email Date: field in case the MTA fails to add one
       Modified all report timestamps to use the same format
       Exploit fingerprint definitions database additions

5.31 - Ensure only root can attempt to download the bayes corpus
       Fixed POD reference to --bforget
       Fixed POD formatting of long example commands
       Updated Software Version Checking
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.30 - Modify cPanel install.txt to add the ConfigServer ModSecurity Vendor option
       Added new advanced PHP decoders
       Exploit fingerprint definitions database additions

5.29 - Modified documentation to address changes in ModSecurity v2.9 that require the following to be set as part of the ModSecurity config: SecUploadKeepFiles RelevantOnly
       Exploit fingerprint definitions database additions

5.28 - Added new option --[no]ssl. When enabled (the default) all cxs URL functions, such as updating, bayes corpus retrieval and license checking, will be done over an SSL connection to ConfigServer servers
       Added /var/run/clamd.scan/clamd.sock as another default clamd socket location for --clamdsock [socket]
       Added unsupported option --YSKIPCGI. See POD for more information
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.27 - Fixed call for the now removed cxswatch.pm from --Wstop

5.26 - Added /scripts/postftpup to restart pure-uploadscript after an ftp server upgrade

5.25 - Trigger pure-uploadscript restart

5.24 - Added new advanced PHP decoders
       Exploit fingerprint definitions database additions

5.23 - Added the ability to use positive --options [+][], i.e. the default list of options is used in addition to those listed when prefixed with a plus
       Improvements to --decode ([D])
       Added atime, ctime and mtime to newly quarantined file descriptions viewable from the UI and the CLI via --qview [file].restore4
       Ensure /var/log/cxswatch.log ownership and permissions are set on each update in case of rotation
       File md5sum added to cgi and ftp alert email

5.22 - Ensure timestamp and cxs command are prepended to --report [file]
       Fix cxs Watch Timestamp in report emails
       When using --options W ensure that the resource is a directory and not a symlink or socket

5.21 - Fixed issue in cxs Watch when --www is used and a new account is created through restore on cPanel servers
       cxs Watch now tracks the parent directories for all users when --allusers is used and will add them back if they disappear and are recreated

5.20 - Fixed systemd cxs watch UI commands
       Exploit fingerprint definitions database additions

5.19 - Re-added POSIX Locale after changes in v5.16
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.18 - Added white-space pre-wrapping to HTML emails
       UI HTML updates and fixes
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.17 - Fixed --qcreate POD text
       Added systemd support for pure-uploadscript

5.16 - WARNING: The report format has changed in this version. If you are parsing cxs reports, they now show the filename and then all hits reported against that file before reporting the next file. Previously each reported hit was shown separately with the filename following
       Renamed cxs cron job in /etc/cron.d/ from cxs.cron to cxs-cron to cater for non-LSB compliant Linux cron managers
       New option --[no]html. With --[no]html enabled (default), emails will be sent in both plain-text and HTML formats. The option does not apply if --template [file] is used
       Fixed cxs Watch to remove rateignore data for a file if it is deleted
       Fixed rateignore hash array lookup and unnecessary rateignore removal causing files to be skipped
       Added unsupported option --YRATEIGN. See POD for more information
       Improvement to PHP script detection
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.15 - Fix for POD cron jobs RECOMMENDATIONS text

5.14 - Modified --Wrateignore [secs] so that ignored resources are rescanned once [secs] expires
       Modified cxs watch so that resource attribute changes only trigger an inotify event if --options [w] or [W] are used
       cxswatch.sh now disables the world writable directory check options on new installations (--options -wW)
       Removed options --Wsymlink [script], --Wsymlinkmax [num] and --Wsymlinksec [secs]. These options provided ineffective control of such exploits and caused performance issues with cxs Watch. The options will no longer function, but cxs commands will not fail if they are used
       Updated cxs RECOMMENDATIONS section

5.13 - Ensure --Wrateignore [secs] has default values set in cxs Watch if --Wsleep [num] is set to 0
       Added unsupported options --YRATECNT [num] and --YRATESEC [secs]. See POD for more information
       Exploit fingerprint definitions database additions

5.12 - Implemented native systemd support for startup and shutdown of cxs Watch
       Added version detection for Fancybox for Wordpress
       Exploit fingerprint definitions database additions

5.11 - Updated license servers
       Exploit fingerprint definitions database additions

5.10 - Disable --xtra [file] when using --wttw [file]
       Display error on license retrieval failure
       Added check for perl modules LWP::Protocol::https and Linux::Inotify2 on installation and upgrade
       Added new advanced PHP decoders
       Exploit fingerprint definitions database additions

5.09 - Fix for issues where the license file became corrupted after update to v5.08

5.08 - Fixed a rare potential issue with fingerprint processing in --xtra [file]
       Added new advanced PHP decoders
       Updated scripts to use https://download.configserver.com
       Revert to using LWP::UserAgent instead of HTTP::Tiny for SSL support
       Exploit fingerprint definitions database additions

5.07 - Modified new installs to better initially update to the latest fingerprints
       Ignore and Xtra files can now use an Include statement to include additional files. If cxswatch is running then it will also watch the included files for changes and reload if necessary
       Added new quarantine option --qignore [method] which, when restoring a file using --qrestore [file], will create an entry in --ignore [file] before restoring the file. See POD for more info
       Optimised fingerprint database to remove duplicates and old entries of no value, reducing the size without reducing effectiveness
       Exploit fingerprint definitions database additions

5.06 - HTTP::Tiny upgraded to v0.050
       Modified use of BSD::Resource to be silent on failure
       Exploit fingerprint definitions database additions

5.05 - Updated installer to fix generic installs on some Redhat/CentOS setups
       Fixed issue with fingerprint database and a corrupt regex
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.04 - Improvements to .htaccess fingerprint P0216 -> P0767
       Modify installer to always perform an update on installation to ensure the latest definitions are always available
       cxswatch will now scan a directory's permissions if any of its attributes are changed and --options [w] and/or --options [W] is enabled
       Updated scripts to use download.configserver.com
       Exploit fingerprint definitions database additions

5.03 - Removed a false-positive fingerprint definition
       Exploit fingerprint definitions database additions

5.02 - Ensure --ignore [file] is always loaded last
       Allow ignoring of Fingerprints
       New master bayes corpus generated
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.01 - Raised bayes low/medium/high thresholds
       New master bayes corpus generated
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

5.00 - New feature --[no]bayes taken out of BETA and is the basis of v5
       Added --[no]bayes to the UI
       New master bayes corpus generated
       Added warning in UI for --[no]fallback option regarding potential performance impact
       Exploit fingerprint definitions database additions

4.28 - Fixed cxs Watch loading the bayes database whether --bayes was in use or not

4.27 - Modified cxs Watch so that watches are updated/created if the alternative configuration file reload method is used
       Exploit fingerprint definitions database additions
       BETA: Added a local bayes corpus so that learning and forgetting can be implemented locally
       BETA: Added new option --blearn [X|C] so that new files can be added to the local corpus as either an exploit (X) or as a clean file (C)
       BETA: Added new option --bforget [X|C] so that new files can be removed from the local corpus as either an exploit (X) or as a clean file (C). Only files previously learned should be forgotten
       BETA: Modified cxs Watch to reload the master bayes corpus on change
       BETA: Modified cxs Watch to reload the local bayes corpus, if one exists, on change
       BETA: When cxs is upgraded and the master bayes corpus exists, the latest master corpus will be automatically downloaded
       BETA: New master bayes corpus generated
       BETA: Raised bayes low/medium/high thresholds

4.26 - A situation where Fingerprint P0452 persists was missed and is now removed

4.25 - Fingerprint P0452 removed as it appears some legitimate scripts are using the same obfuscation technique commonly used in exploits
       BETA: Bayes corpus size decreased by a further 28% but with increased accuracy
       Exploit fingerprint definitions database additions

4.24 - BETA: Bayes corpus format improved - if you are using this feature, download the new corpus using "cxs --bget"
       BETA: Bayes corpus memory footprint decreased by a further 20%
       BETA: Bayes corpus loading speed improvements

4.23 - Improvements to the main decoder regex
       Improvements to decoder string extraction
       Fixed formatting of --qlocal documentation
       BETA: New Bayes corpus generated - if you are using this feature, download the new corpus using "cxs --bget"
       BETA: Bayes corpus size decreased by 25% but with increased accuracy
       Exploit fingerprint definitions database additions

4.22 - Added option --qlocal which provides quarantine support when using mod_ruid2 by storing quarantined files within a user's account. See documentation for more information and caveats
       BETA: Bayes learning improvements (speed, memory)
       BETA: Bayes reporting improvements (speed, memory)
       BETA: New Bayes corpus generated - if you are using this feature, download the new corpus using "cxs --bget"
       Improvements to PHP decoded script scanning efficiency

4.21 - BETA: Bayes corpus loading speed improved by 100%
       BETA: Bayes corpus memory footprint decreased by 20%
       BETA: Increased minimum score size for Bayes reporting to help reduce false-positives

4.20 - New option --[no]bayes (currently in BETA). Naive Bayesian probability scanning of script files. This option uses an enhanced Naive Bayes algorithm to report a probability that a scanned script is an exploit. This is achieved through a trained corpus (database). See the cxs documentation for more details
       Additions to main decoder regex
       Exploit fingerprint definitions database additions

4.19 - Additions to main decoder regex
       Modified option --template [file]. You can now use this to email the end user when performing --allusers and --user [user] scans. See the cxs Documentation for --template [file] for more information
       Output improvements to --qview [file] and more information provided in the POD
       Exploit fingerprint definitions database additions

4.18 - HTTP::Tiny reverted to v0.041 as it breaks on some installations

4.17 - Unsupported option --YSKIPWMAIL added. Using this, if --options [W] or --options [wW] is triggered, then the directory will be chmod as normal but no email will be sent. If any other option is triggered for the same scan, the email will still be sent. This option only applies to cxs Watch
       Added full pseudo-breadcrumbs to cPanel UI
       HTTP::Tiny upgraded to v0.042
       On cPanel servers, use cPanel provided perldoc binary in UI if present
       Exploit fingerprint definitions database additions

4.16 - Updated POD to reflect --[no]fallback being disabled by default
       Changed default value of --Wsymlinkmax to 1000
       Changed default value of --Wsymlinksec to 10
       Added performance note about using --Wsymlink [script] to POD
       Modified cxswatch restart routine to run /etc/cxs/cxswatch.sh directly
       Modified cxswatch to more quickly detect restart requests on busy systems
       Exploit fingerprint definitions database additions

4.15 - Memory usage improvements and general speedups
       Added the ability to use negative --options [-][], i.e. the default list of options is used apart from those listed when prefixed with a minus
       --[no]fallback now defaults to --nofallback due to performance concerns which should be noted before enabling the option
       Exploit fingerprint definitions database additions

4.14 - Force cxs into a detached process if running --upgrade as a CRON job to fix upgrade hanging issue

4.13 - Significant speedups in regex (up to 300% faster) and FP matching
       Exploit fingerprint definitions database additions

4.12 - Code regression to prevent overloading update server during upgrades

4.11 - New feature: --[no]fallback. If clamd produces an error or is unavailable after a scan starts, this option will attempt to use clamscan to scan files until clamd is available again. This option is enabled by default
       Additional minor updates to the POD documentation
       Modify cxsdaily.sh to fork jobs to prevent hanging on new installs
       Added timeout (5 mins) to cxs upgrade routine
       Improvements to --wttw [file]

4.10 - Check file size against --sizemax [size] when using --wttw to ensure ignored files are not being submitted incorrectly
       Exploit fingerprint definitions database additions

4.09 - UI Fixes and updates
       Fixed issue with default perl binary on non-cPanel servers
       Use raw UI plugin on DA servers when generating cxs commands/scans to overcome buffering issues
       Exploit fingerprint definitions database additions

4.08 - Removed redundant v3 quarantine code
       Removed displaying "i" during scan if file ignored as it is not particularly helpful
       Updates to Piwik and ownCloud version detection
       Form design elements added
       Change to --sizemax [bytes] behaviour. In the past a file > [bytes] in size was ignored; now the file will be scanned but only the initial [bytes] of the file will be scanned
       Added decoding of octal as well as hex encoded characters for PHP scripts
       Exploit fingerprint definitions database additions

4.07 - Display "i" during scan if file ignored due to --sizemax [bytes] being exceeded
       HTTP::Tiny upgraded to v0.039
       Translate ampersand for HTML output
       Fixed cxs UI not adding files to the ignore file after using the Ignore link
       Additional checks for ignore, xtra and new detections updates for cxs watch daemon to reload the relevant files if necessary
       Exploit fingerprint definitions database additions

4.06 - Parameterise all calls to system() and Open3()
       Only list viewable files in UI "Other Files" option
       Fixed issue with ignoring user: and puser: with web scanning
       Added new --ignore [file] option ip: - ignore IP address for web and ftp uploads. This may or may not have any impact on performance with ftp uploads as the IP address will need to be established from the message log for each file
       Removed DNS lookup on FTP IP addresses to improve performance
       Exploit fingerprint definitions database additions

4.05 - Fixed POD display in UI

4.04 - Fixed issue with cxs Watch not reporting running state correctly

4.03 - Fixed issue with reporting boolean CLI options

4.02 - Fixed issue with creation of new quarantine directory for new installs
       Improved quarantine directory detection for conversion on upgrade to v4

4.01 - Introducing a new Quarantine system. This new version creates a more secure method of quarantining suspicious files in cxs. It removes the need for a directory with 1777 permissions. It also makes the layout and maintenance of the quarantine directory much simpler
       Automatically rename old quarantine directory to [dir].(timestamp) and create new quarantine structure. An email is sent to root with a reminder to remove the old directory
       Any pre-v4 old quarantine directory can still be viewed and restored from through the UI if required, though this functionality (for old quarantine directories) will be removed in the future
       New option --qcreate. This option is used to create a new quarantine directory structure. It will rename any pre-existing directory to [name].(timestamp)
       New option --qclean [days]. This option is used to clean a quarantine directory specified with --quarantine [dir], retaining the last [days] worth of files
       New option --qrestore [file]. This option is used to restore a quarantined file via the CLI to the original file location (v4 quarantined files only)
       New option --qview [file]. This option is used to view a quarantined file via the CLI
       Modified cxs UI to cater for new quarantine layout and provide some additional information on quarantined files
       Added new file /etc/cxs/cxsdaily.sh as an example file to symlink from /etc/cron.daily/ to perform daily tasks and added to RECOMMENDATIONS in the docs
       Modified cxs Watch scanning to automatically scan newly created directories for exploits to help overcome an issue where files are created before a new directory is watched
       Support for running cxs through suhosin has been removed
       Fixed issue with --defapache [user]
       Modified recommendations on file ownership and permissions when using --logfile [file]
       HTTP::Tiny upgraded to v0.037
       POD documentation tidy
       Exploit fingerprint definitions database additions

3.27 - NOTE: Support for using suhosin is deprecated and will be removed in the near future - use ModSecurity instead. If you are unable to use ModSecurity, you will have to rely on either cxs Watch or manual scans
       New option added: --defapache [user]. This is the default account under which apache runs. This will be set to "apache" by default except on cPanel servers where it is set to "nobody" by default
       Make cxs watch restart reason more verbose
       Improved file type detection for files within archives
       Improvements to the main decoder regex
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

3.26 - Fixed issue with cxs process termination due to scanning timeouts
       Prevent regex hangs due to some exploit tactics
       Fixed quarantine UI not restoring file permissions correctly

3.25 - Extended fingerprint checks for alternative linefeeds in scripts
       Fixed functionality of the included test.cgi upload test script
       Enforce stricter permissions on /var/log/cxswatch.log
       Disable option to upgrade cxs in DA UI and instruct to use CLI
       Added use of --force to --upgrade to redo upgrade to latest version if required
       Additional checks to terminate php child process if timeout occurs
       Exploit fingerprint definitions database additions

3.24 - Added the following to Script Version Scanning: Joomla XCloner Ext, WP XCloner Ext
       Added new advanced PHP decoders
       Exploit fingerprint definitions database additions

3.23 - Added the following to Script Version Scanning: CubeCart
       Fixed cxs Watch in DA where new account creation was not automatically detected
       HTTP::Tiny upgraded to v0.036

3.22 - Added the following to Script Version Scanning: AbanteCart, AEF, b2evolution, CMS Made Simple, CodeIgniter, Concrete5, Dotclear, e107, Elgg, Feng Office, HESK, Jcow CE, MODX Evolution, MODX Revolution, Noah's Classifieds, OSClass, ownCloud, Oxwall, Piwigo, Piwik, Seo Panel, Serendipity, StatusNet, TomatoCart, Xoops, ZenPhoto, Zikula
       Added the following popular Wordpress extensions to Script Version Scanning: WP Sociable, WP Share This, WP WP Super Cache, WP All In One WP Security & Firewall, WP BulletProof Security, WP FD Feedburner, WP Google Adsense Plugin, WP WordPress Simple Paypal Shopping Cart, WP WordPress eShop, WP WordPress s2Member, WP UpdraftPlus, WP BackUpWordPress
       Added the following popular Joomla extensions to Script Version Scanning: Joomla Akeeba, Joomla AllVideos, Joomla CDN for Joomla, Joomla Community Builder, Joomla JEvents, Joomla Jomsocial, Joomla K2, Joomla Kunena, Joomla Phoca Gallery, Joomla sh404SEF, Joomla Simple Image Gallery, Joomla Xmap
       Exploit fingerprint definitions database additions

3.21 - Disable Script Version Scanning for web script scanning (cxscgi.sh) as it does not apply
       Perl module Storable added to the required list
       Added ten of the most popular Wordpress extensions to Script Version Scanning: WP Akismet Ext v2, WP Better WP Security Ext v3, WP Contact Form 7 Ext v3, WP Facebook Ext, WP Google XML Sitemaps Ext v3, WP Jetpack Ext v2, WP NextGEN Gallery Ext v2, WP Seo Ext, WP W3 Total Cache Ext, WP WooCommerce Ext v2
       Added ten of the most popular Joomla extensions to Script Version Scanning: Joomla Advanced Module Manager Ext v4, Joomla JCE Ext v2, Joomla RAntiSpam Ext v3, Joomla LiveHelpNow Chat Ext v2, Joomla Rapid Contact Ext, Joomla Asynchronous Google Analytics Ext v2, Joomla Google Maps Ext v3, Joomla Sourcerer Ext v4, Joomla Tabs Ext v3, Joomla Modules Anywhere Ext v3
       Added the following to Script Version Scanning: OpenCart, Nucleus CMS, Open Classifieds, LimeSurvey, ClipBucket, WHMCS, Coppermine Photo Gallery
       Exploit fingerprint definitions database additions

3.20 - Changed --options [s] to be --[no]sversionscan (Script Version Scanning) to make it independent of --[no]exploitscan, allowing a fast scan for old script installs. This option is enabled by default. Use --nosversionscan to disable
       Added the following to Script Version Scanning: Typo3, Invision Power Board, WebCalendar, MyBB, Dolphin, SMF, OpenX Source, SugarCRM Community Edition, Contao CMS, PrestaShop, PHP-Fusion, phpPgAdmin, SquirrelMail, Roundcube, Kayako, osTicket
       Added new --soptions [a] for --[no]sversionscan to report all versions of found scripts, not just old versions
       Added new --soptions [d] for --[no]sversionscan to report the directory containing the script, not the trigger file
       Exploit fingerprint definitions database additions

3.13 - UI button style modifications
       Added phpList, Moodle, Magento Community Edition and MediaWiki version checking to --options [s]
       Modified POD to screen wrap HTML code more effectively

3.12 - Fixed cxs uninstaller removing csf UI files on cPanel installs
       Added phpBB, phpMyAdmin, Zen Cart, osCommerce and VirtueMart version checking to --options [s]

3.11 - Added to RECOMMENDATIONS to still run a regular scan without --ctime [hours] to ensure new scan techniques and exploit signatures are used to check all existing files
       Fixed directory creation on installation for unofficial DA plugin
       Improved performance of file slurping and therefore scanning
       Added new --options [s] that will search for a few common web script installations and report if older than the latest version on record. See documentation for more information
       Exploit fingerprint definitions database additions

3.10 - Changed --throttle [num] to prevent throttling triggering a --timemax [secs] timeout
       Added detection for some PHP JPEG and TIFF EXIF exploits
       Improvements to image and zip file type detection
       Exploit fingerprint definitions database additions

3.09 - Improvements to Virtuozzo/OpenVZ system detection where /proc/vz/veinfo does not exist
       Added TimeStamp to the top of the scan report
       If /etc/csuibuttondisable exists then the UI buttons will revert for those that cannot cope with the themed ones

3.08 - Implemented new cxswatch log tail code
       UI display changes
       Exploit fingerprint definitions database additions

3.07 - Allow (limited) scans via UI in restricted mode
       Added Change Time (--ctime [hours]) option to UI
       If --quarantine has been disabled, ensure all reports contain a warning message with explanation

3.06 - Fixed bug with broken --cgi option (cxscgi.sh) from v3.05
       Fixed UI configurable lines display for cxswatch.log
       Remove immutable and append-only flags from files when moving files to quarantine or deleting
       Fixed supplied test/test.php for newer PHP versions

3.05 - Added /etc, /sys and /proc to directories requiring --force to be used when scanning
       Added additional checks that any specified quarantine directory is valid
       Added new option --ctime [hours]. If you run regular full system scans then you can use --ctime [hours] to only scan files changed in the intervening hours. This can speed up scan times dramatically
       Apply hfile:, hdir: and hsym: ignores to FTP upload scanning
       Exploit fingerprint definitions database additions

3.04 - Fixed file view from quarantine - reported by Rack911
       Further improved UI form data sanitisation
       Bolstered the UI warning with regard to disabling Restricted Mode

3.03 - Fixed broken UI items
       Improvements to the ignore logic
       Improved UI form data sanitisation
       Exploit fingerprint definitions database additions

3.02 - Security - Added UI Restricted Mode which is enabled by default. This disables features in the UI that could allow arbitrary commands to be run as root and system files to be overwritten. To enable unrestricted access to the UI remove /etc/cxs/cxs.restricted
       Added UI option to completely disable the UI by creating the file /etc/cxs/cxs.disableui

3.01 - Implement slurp routine for configuration files to cater for incorrect linefeeds
       Improvements to forced quarantine feature within --xtra [file] and updated instructions provided in cxs.xtra.example
       Security - Quarantine improvements
       Exploit fingerprint definitions database additions

3.00 - Implemented hfile ignoring for ratelimiting in cxs Watch
       Implemented ignore caching in cxs Watch for ratelimited files
       HTTP::Tiny upgraded to v0.033
       Exploit fingerprint definitions database additions

2.99 - Fix --wttw [file] successful submission text

2.98 - Added check for clamd when using --wttw [file]
       Added check for script files when using --wttw [file]
       HTTP::Tiny upgraded to v0.031
       Removed a false-positive fingerprint definition
       Exploit fingerprint definitions database additions

2.97 - Added support for cPanel v11.38.1+ AppConfig addon registration
       NOTE: In accordance with the new conventions for v11.38.1+ AppConfig the URL to the cxs WHM plugin will change from /cgi/addon_cxs.cgi to /cgi/configserver/cxs.cgi. This will only happen with cxs v2.97+ and cPanel v11.38.1+. Older versions of cxs will continue to use the old URL. This has no particular relevance to users accessing through WHM, but will affect direct URL access by users or third party applications
       Added new option --comment "text" which can be used to add a short comment to files submitted using --wttw [file]
       Modified --wttw [file] to ensure that it is not already detected as a Virus or Fingerprint (now requires --force to report a false-positive)
       Fixed packed hex advanced decoder regex
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.96 - Fixed --xtra [file] detection for regfile: and file: entries
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.95 - Internal version

2.94 - Removed a false-positive fingerprint definition

2.93 - New features: --prenice [num], --pionice [num]. These options allow you to control the nice and ionice priorities of the running process. This can, for example, help even out the load on heavy IO servers or increase the speed of the scan on busy servers
       Exploit fingerprint definitions database additions

2.92 - Improvements to the main decoder regex
       Improvements to error reporting on UI restore
       Fixed typo in documentation regarding cxs.xtra :quarantine feature
       Added IP, where available, to --script [script] parameters passed to external script
       Exploit fingerprint definitions database additions

2.91 - Ensure cxswatch is stopped, disabled and removed on cxs uninstall
       Added cleaned script code scanning to text match and decoder regex detection to improve exploit script detection
       Modified --help to use the POD paginated viewer
       Exploit fingerprint definitions database additions

2.90 - Added alternative php binary locations for generic installations
       Improvements to --decode ([D])
       Added new advanced PHP decoder
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.89 - Improvements to --decode ([D])
       Repurposed --options [u] to specifically highlight scripts only within directories deemed suspicious, rather than general directories such as /image/ or /upload(s)/. This should make the option more useful and help avoid false-positives
       Exploit fingerprint definitions database additions

2.88 - Include gzdecode() detection for PHP scripts
       Switched from using LWP to HTTP::Tiny to reduce memory footprint and reliance on the LWP perl module. The HTTP::Tiny module is included in the distribution, so no further action is necessary
       Modified cxs watch daemon to use POSIX::setsid()
       Modified cxs quarantine routine to reduce memory footprint
       Modified loading of Pod::Usage only if necessary to reduce memory footprint
       Modified cxs watch to not fail startup if new watch resource disappears before completion
       Exploit fingerprint definitions database additions

2.87 - Improvements to the main decoder regex
       Reverted to using temporary files during PHP file decoding due to a major bug in PHP v5.4.* which produces "Ran out of opcode space!" in interactive mode
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.86 - Improvements to installer on initial fresh cPanel v11.36 installations
       Added a 20 second timeout for running --Wsymlink [script] and switched from using system call to open3
       Added a 20 second timeout for running --script [script] and improved output printing from [script]
       Modified --options [u] to include more suspicious locations
       Exploit fingerprint definitions database additions

2.85 - Moved suspicious script location detection to its own option within: --options [u], --doptions [u], --voptions [u] and --qoptions [u]. The option is included in the default setting for --options [options]. If you specify a list in any of these options and want to include this in them, then you need to add [u] to the list of options
       Separate dangerous quarantine options in the UI

2.84 - New feature: cxs watch daemon Symlink attack detection. This option will try and detect a symlink attack against the server. If --Wsymlinkmax [num] symlinks are created within one directory within --Wsymlinksec [secs] seconds then --Wsymlink [script] will be run. An example is provided for this script in /etc/cxs/symlinkdisable.example.pl
       Enable --Wsymlink /etc/cxs/symlinkdisable.example.pl on new installs in /etc/cxs/cxswatch.sh for email notifications
       Detect as suspicious scripts found within /images/ and /upload(s)/ directories
       Fixed --Wadd [file] not working correctly in cxs watch
       Fixed --www not being adhered to for new users while cxs watch running
       Modified --www location on DA servers to the domains/ subdirectory of the user's account for cxs watch daemon and single user scans
       Improvements to file ownership detection in cxs watch. If a file is owned by "nobody" cxs will compare user home directories in /etc/passwd to the file location to try and determine a unique owner
       Fixed UI saving default "smtp" setting incorrectly (again)

2.83 - Updated to use the new cPanel 11.36+ integrated perl binary if it exists
       Fixed UI saving default "smtp" setting incorrectly
       Modified --www location on DA servers to the domains/ subdirectory of the user's account as public_html/ is ignored as it is a symlink

2.82 - Added new advanced PHP decoder
       Improvements to detection of PHP script file type
       Added new functionality to --xtra [file] to force quarantine of a file with a matching regex if using --quarantine [dir]. See documentation or the latest /etc/cxs/cxs.xtra.example for information
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.81 - Fixed a false-positive with the main .htaccess regex
       Fixed UI not correctly saving --MD5 to cxs.defaults if set
       Fixed issue with temp file cleanup not reinitialising between scans

2.80 - Add scan type to Quarantine output for each entry
       Added timezone offset to cxs --mail emails
       Improvements to the main decoder regex
       Improvements to advanced PHP decoders to --decode ([D])
       Exploit fingerprint definitions database additions

2.79 - Improved settings initialisation when scanning multiple files
       Added xtra supplied md5sum values to the report to help with match identification
       Removed the instructions for installing unofficial ClamAV databases as we don't support them

2.78 - Improvements to various advanced PHP decoders
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.77 - Ensure htaccess fingerprints only apply to .htaccess files
       On cPanel servers hide the Support icon introduced by cPanel in v11.34
       Added unsupported feature --YSKIPFPREGEX to ignore inbuilt fingerprint regular expression matching when using --options [M]; --xtra [file] contents will still match
       Added scanning for jsp scripts
       Added scanning for asp and aspx scripts
       Added scanning for java scripts
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.76 - Update to one of the main decoder regexes

2.75 - Added multiple new advanced PHP decoders
       Improvements to the main decoder regex
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.74 - Improvements to the daily update mechanism
       Fixed a false-positive with the main .htaccess regex

2.73 - Fixed a problem where compressed file depth was not being reset between files causing subsequent compressed files to be skipped from scanning
       Fixed problem
where multi-depth compressed files were not being identified by their original filename correctly Added compressed file depth to output when matches found 2.72 - Added PNG and JPEG filetypes for hidden script scanning Fixed an issue where cxs was sometimes leaving temporary files in /tmp after compressed file expansion 2.71 - cxs will now treat .htaccess files as script files and fingerprints have been added for common exploits Added more information about existing csf anf cxs integration options (i.e. UI, ModSecurity, pure-ftpd) Added information that restores from quarantine must be done through the UI Exploit fingerprint definitions database additions 2.70 - Improvements to cxs Watch daemon ignore/xtra and new update reloading without restart Switched to using Sys::Hostname in cxs Watch daemon Exploit regex definitions database additions Exploit fingerprint definitions database additions 2.69 - Switched to using Sys::Hostname to determine hostname as CloudLinux restricts access to /proc/sys/kernel/hostname for some reason 2.68 - Modified POD and UI to show full rather than abbreviated commands Added new option --template [file]. When using --mail [email] a standard email format is used. To customise this format an email template file can be used instead. You can now use this to email the Linux owner of the affected script under certain circumstances. See the cxs Documentation for more information Added new advanced PHP decoder for --decode ([D]) Improvements to advanced PHP decoders to --decode ([D]) Fixed PHP decoder issue that could restrict decoder depth under certain circumstances Exploit regex definitions database additions Exploit fingerprint definitions database additions 2.67 - NOTE: If you are using the cxs ModSecurity hook and ModSecurity v2.6, you must now specify the ModSecurity configuration setting SecTmpDir. 
If you have not set SecTmpDir in your ModSecurity configuration, then you need to add the following on its own line before or after the ModSecurity cxs line: "SecTmpDir /tmp" and then restart httpd. The file you need to add this to, if not already present, on a cPanel server is: /usr/local/apache/conf/modsec2.user.conf Unless specified, --qoptions now defaults to [Mv] when --quarantine [dir] is used. Any existing installations using --quarantine [dir] will now have --qoptions [Mv] enabled, unless otherwise specified on the command line or in cxs.defaults Added unsupported feature --YSKIPREG to ignore inbuilt regex matching when using --options [m], --xtra [file] contents will still match Added unsupported feature --YSKIPMD5 to ignore inbuilt fingerprint matching when using --options [M], --xtra [file] contents will still match Added a new option, --doptions [mMfSGchexTEv]. This defaults to [Mv] when --delete is used. Any existing installations using --delete will now have --doptions [Mv] enabled, unless otherwise specified on the command line or in cxs.defaults Fixed an issue where, under certain circumstances, files contained within an archive were ignored for scanning 2.66 - Improvements to string detection in --decode ([D]) Added new advanced PHP decoder for --decode ([D]) Removed a false-positive fingerprint detection Exploit regex definitions database additions Exploit fingerprint definitions database additions 2.65 - Added new advanced PHP decoder for --decode ([D]) Improvements made to md5sum ignore procedure Fixed problem when using md5sum ignore within archives 2.64 - Improvements to --decode ([D]) variable detection Added new advanced PHP decoder for --decode ([D]) Exploit fingerprint definitions database additions 2.63 - Additional reasons for scan skipping added for --debug output Reload ignore file in cxs watch parent as well as children for rate limit warning New feature added --Wrateignore [secs]. 
       To help prevent excessive resource usage, cxs Watch will ignore files
       for [secs] seconds if the rate limit warning is issued. Scanning will
       then resume. Set this to 0 to disable the ignore feature. This option
       is set to 300 (i.e. 5 mins) for new installations

2.62 - Removed extraneous / in the cgi email notification for the "Web upload
       script URL"
       Added cxs Watch logging for Inotify IN_Q_OVERFLOW events with a
       recommendation to increase /proc/sys/fs/inotify/max_queued_events if
       this occurs
       Added file check before invoking Inotify to confirm it exists to avoid
       spurious errors on VPS servers
       Allow files as well as directories in --Wadd [file]
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

2.61 - Improvements to hidden script file detection
       Added formatting to cgi and ftp email reports
       Added new fields to the cgi email report
       Change POD Examples section to use full command line options
       Improvements to ignoring any files based on md5sum (including those
       identified as executables, viruses, etc)
       Remove extraneous spaces from ignore and xtra md5sum entries
       Improvements to --MD5 so that all reported files display the md5sum
       Changed the way md5sum values are displayed if --MD5 is used
       Improvements to the main decoder regex
       Exploit fingerprint definitions database additions

2.60 - Ensure that an account name is only passed to --script [script] when
       performing a manual scan using --user or --all
       Ignore adobe-xap-filters when detecting hidden script files
       Exploit fingerprint definitions database additions

2.59 - Improvements to quarantine procedure

2.58 - Fixed a problem in the UI where the selections for --options were
       applied from /etc/cxs/cxs.defaults, if set, rather than the selections
       in the UI if all the standard selections were ticked
       UI improvements
       Change file name check behaviour so that it still detects with empty
       files
       Include all item sizes in --summary report
       Include all ignored files in --summary report
       Improvements to hidden script file detection
       Exploit fingerprint definitions database additions

2.57 - Fixed problem with quarantine move failing - introduced in v2.56
       Implement ignores for rate limit warnings in cxs Watch daemon
       Allow a value of 0 for --filemax [num] which disables the feature
       Set --filemax [num] to 0 in cxswatch.sh for new installs

2.56 - Improvements to quarantine move failure message
       Implement ignores in compressed files
       Added a rate limit warning to cxs Watch daemon. If a file is scanned
       more than (2 * Wsleep) times in (10 * Wsleep) seconds then a warning
       is logged. This is to help identify frequently scanned files that you
       might want to ignore (e.g. if they are very frequently updated log
       files)
       Improved installation procedure for checking required perl modules
       Exploit fingerprint definitions database additions

2.55 - Changes to htaccessdisable.pl example script
       Increased default value for --filemax [num] in cxswatch.sh for new
       installs
       If necessary, log license error to cxs Watch daemon log

2.54 - Added logrotate configuration for cxswatch
       Include an example perl script that will disable directory access with
       a .htaccess file if a match is found using the --script [script]
       option: /etc/cxs/htaccessdisable.pl
       Modifications to cxs Watch daemon so that it no longer needs to
       completely restart when new daily detections are downloaded
       Always log if skipping directories in cxs Watch daemon due to
       --filemax [num]
       Fixed a problem with a false-positive in the php interpreter timeout
       Exploit regex definitions database additions
       Exploit fingerprint definitions database additions

v2.53 - Timeout added for php interpreter during --decode ([D])
        Do not disable --viruscan if clamd not running in cxs Watch
        Exploit fingerprint definitions database additions

v2.52 - cxs Watch will now fail to start or will terminate on VPS servers if
        /proc/sys/fs/inotify/max_user_watches is set too low
        Added error reporting if clamd fails to respond, but stop reporting
        clamd errors if too many consecutive errors occur
        Updated POD regarding the new csf option: LF_CXS

v2.51 - Improved temporary file cleanup
        Change cxs UI to use /sbin/pidof to determine if the Watch daemon is
        stopped, starting or running. If /sbin/pidof does not exist, no
        status is shown
        Modification to prevent scan failure if FTP is down and --options [P]
        used
        Exploit fingerprint definitions database additions

v2.50 - Improvements to the Fingerprint Matching system
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.49 - Use temporary files when performing a virus scan during --decode ([D])
        Change all clamd STREAM to SCAN scanning
        Use a robust routine for creating random temporary files during
        --options [Z] (scanning within archives)
        Exploit fingerprint definitions database additions

v2.48 - Allow a value of 0 for --Wrefresh which disables the functionality in
        the cxs Watch daemon
        Added new advanced PHP decoder for --decode ([D])
        Stop cxs Watch from following symlinks
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.47 - Added new advanced PHP decoders for --decode ([D])
        Change main cxs Watch process name during startup while still starting
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.46 - Added two new advanced PHP decoders for --decode ([D])
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.45 - Modification to quarantine to ensure unique filenames
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.44 - Added new --ignore [file] option pscript: - regex of web script to
        ignore
        Set --options [P] ftp timeout to 10 seconds
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.43 - SECURITY FIX. Anyone running cxs on a DirectAdmin server should
        upgrade to this release immediately
        Add check for successful open of admin.list on DA servers to avoid a
        segfault, which could lead to a buffer overflow

v2.42 - Fixed problem where dir: ignores were not being fully implemented in
        single file scans
        Fixed problem where dir: and hdir: ignores were not being fully
        implemented by the cxs Watch daemon when auto-reloading an ignore file
        Exploit fingerprint definitions database additions

v2.41 - Developed another new advanced PHP decoder for --decode ([D])
        Fixed advanced decoder output formatting when using --decode [file]
        Exploit regex definitions database additions

v2.40 - Modifications to cxs Watch daemon so that it no longer needs to
        completely restart if changes to --xtra [file] are detected
        Added detection and decoding of Hex encoding to advanced PHP decoders
        Exploit fingerprint definitions database additions

v2.39 - Memory management and speedup improvements for cxs Watch Daemon
        Improvements to advanced PHP decoders to --decode ([D])
        Corrected cxs POD to read --upgrade instead of --update
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.38 - Added more advanced PHP decoders to --decode ([D])
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.37 - cxs Watch - report error if unable to increase
        /proc/sys/fs/inotify/max_user_watches
        Further improvements to --timemax [secs] reports
        Further improvements to error reporting during scans
        Exploit fingerprint definitions database additions

v2.36 - cxs Watch will now restart if a change to a specific --xtra [file] is
        made. This triggers a full restart of cxs Watch
        Improvements to --timemax [secs]
        Improvements to error reporting during scans
        Added more advanced PHP decoders to --decode ([D])
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.35 - Added new option --timemax [secs]. Scan timeout per file in seconds
        to prevent looping. Default is 30 seconds
        Additional logging on cxs watch startup to show the progress of user
        account inotify setup
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.34 - Modifications to the UI
        Updates to the failure detection of the quarantine procedure
        New option --force. If --force is not used then cxs will refuse to
        scan within restricted directories: /usr /var /bin /lib /lib64 /boot
        Modified daily update check to only restart cxs Watch if updates are
        actually new
        Modified cxs Watch to no longer require a /scripts/postwwwacct entry
        (which is now ignored) as it now monitors /var/cpanel/users/ for new
        users on cPanel servers
        Exploit fingerprint definitions database additions

v2.33 - Redesigned cxs UI, included functions for controlling cxs Watch
        Added TERM logging to the cxs Watch daemon to signify termination

v2.32 - Added init script for cxswatch daemon on cPanel servers. This is
        instead of using /etc/rc.local to start the daemon and can also be
        used to stop/start/restart/status the daemon. See the cxs
        documentation for more information
        Added entry to chkserv.d on cPanel servers so that cPanel will
        monitor the cxswatch daemon using tailwatchd. See the cxs
        documentation for more information

v2.31 - Fixed issue with tarball and zip file contents checking
        Further improvements to the Fingerprint matching system
        Exploit fingerprint definitions database additions

v2.30 - Significant speedups for pattern matching
        Improvements to the Fingerprint matching system which includes
        speedups and additional identification methods
        Fixed error message for scanning a non-existent file
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.29 - Fixed problem with quarantine file naming convention causing
        duplicate file names under certain circumstances and failing to
        quarantine the second instance
        Fixed spurious Cpanel::Version::gettree() warning in cPanel error log
        Exploit regex definitions database additions

v2.28 - Fixed problem with cxs Watch daemon restart introduced in v2.2.27.
        You will have to manually restart any running cxs Watch daemon after
        this upgrade
        If BSD::Resource perl module is installed, double the configured
        process stack size to help avoid Segmentation Faults
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.27 - New --options [P]. This option will search standard web application
        configuration files for MySQL database passwords. It will then
        attempt to login via FTP on localhost with the username of the
        account being processed and the detected password (it will attempt
        up to two password hits per configuration file). If the login is
        successful, the option will trigger a match.
        See CLI documentation for more info
        Separated and highlighted advanced Exploit Scan options in the UI
        that can affect user data and/or produce false-positives in the vain
        hope it will stop some people just ticking everything and then
        wondering where their files have gone
        Added Net::FTP to the perl module requirements (this is a core perl
        module so should already be installed)
        New options --uidmin [uid] and --uidmax [uid] for the GENERIC install
        when used with --allusers. These have no effect on cPanel and DA
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.26 - Added new option for --xtra [file]: regfile: which is a regular
        expression match for a file or directory name
        Added new CLI option --smtp. This will send emails generated by
        --mail [email] via localhost SMTP instead of sendmail
        Added MIME::Base64 and Net::SMTP to the perl module requirements
        (both are core perl modules so should already be installed)

v2.25 - Fix for UI version processing issue

v2.24 - Allow binary submissions via --wttw
        Improvements to --decode ([D]) option
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.23 - Improved cxs Watch daemon scanning to include moved files to detect
        files uploaded by the cPanel File Manager
        Fixed bug where --cleanlog [file] was not logging the filename for
        cxsftp.sh scanning
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.22 - Exploit regex definitions database correction

v2.21 - Speedups to --decode ([D]) option
        Improvements to decode regex
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.20 - Fixed issue with MD5 setting via UI when saving to defaults
        Improvements to regex validation to any specified --ignore or --xtra
        files
        Improvements to decode regex
        Improvements to --decode ([D]) option
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.19 - Added regex validation to any specified --ignore or --xtra files
        Added quarantine failure reason to messages
        Improvements to --decode ([D]) option to no longer use temporary files
        If [Fingerprint Match] found also perform a Virus Scan
        Automatically ignore --quarantine [dir] during scans
        Improvements to fingerprint matching
        Added new option --MD5 to display a matched file md5sum. See docs for
        more information
        Added new option md5sum: to --ignore [file]. See docs for more
        information
        Added new option md5sum: to --xtra [file]. See docs for more
        information
        Added new option "Ignore MD5" to cxs Quarantine UI for ftp, web and
        scan entries
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.18 - Further improvements to Filetype detection

v2.17 - Added hdir:/quarantine_clamavconnector to the csf.ignore.example file
        Improvements to php script detection where extension is not .php
        Filetype detection speedups
        Filetype differentiation between MS-DOS and MS Windows executables
        Added new option --Wrefresh. To keep the cxs Watch daemon up to date,
        it will restart every 7 days by default. To change this interval,
        you can set --Wrefresh [days]
        Improvements to the decode regex
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.16 - Further improvements to the check for PHP code hidden in GIF image
        files for "hidden script file", regex matching and decode scanning

v2.14 - Improvements to the check for PHP code hidden in GIF image files for
        "hidden script file", regex matching and decode scanning
        Add link to the Changelog when cxs is upgraded
        If an ignore file is used with cxs Watch daemon and the ignore file
        is modified, cxs Watch will reload the ignore file and restart the
        child processes. However, after making a large number of changes to
        the ignore file or if adding puser: or user: to the ignore file, the
        cxs Watch daemon should be manually restarted
        Improved cxs Watch logging when suspicious file found and
        --Wloglevel set to 0
        Exploit fingerprint definitions database additions

v2.13 - During cxs Watch startup default to the POSIX locale to avoid error
        message ambiguity for inotify from the kernel
        Improvements to --decode ([D]) option
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.12 - Improvements to --decode ([D]) option
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.11 - Further SECURITY improvements to Quarantine functionality
        All cxs users should upgrade to this release immediately

v2.10 - Fixed a SECURITY BUG in Quarantine file restore which could result in
        root privilege escalation. The destination restore file must not now
        exist before restoring will work. Our thanks to Jeff Petersen for
        reporting this issue
        All cxs users should upgrade to this release immediately

v2.09 - New --options [R]. It will trigger a match for the inbuilt regex used
        by --options [D] when decoding PHP encoded (base64, etc) scripts
        Improvements to --decode ([D]) option so that both the last and the
        penultimate decode level are scanned
        Added improved code for dropping privileges to the "nobody" user
        while running the interactive php interpreter as root
        Ensure Quarantine only works on files
        Updated UI text for options
        Removed duplicated regex definitions from the database now that
        --options [R] has been added. Be sure to add R to your --options
        lists, if you specify them, if you still want to trap these.
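The v2.10 fix above (the destination must not already exist) and the v2.09 rule that quarantine only works on files both come down to one thing: a restore that runs as root must never write through a path component the account owner controls. As an added example, not code from cxs (which is written in Perl), here is a restore routine in Python that opens every directory component with O_NOFOLLOW relative to the previous one and creates the destination with O_CREAT|O_EXCL, so a planted symlink or a pre-existing file causes a refusal instead of an overwrite. The function names, the constructed home directory layout and the sample quarantined files are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile


class RestoreError(Exception):
    """Raised when a restore would be unsafe; nothing has been written in that case."""


def _open_dir_nofollow(name: str, dir_fd: int) -> int:
    # O_NOFOLLOW|O_DIRECTORY: the component must be a real directory, not a symlink.
    # Opening relative to dir_fd (openat semantics) leaves no check-then-use window.
    return os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=dir_fd)


def safe_restore(quarantined: str, home_dir: str, rel_path: str) -> str:
    """Copy a quarantined file back to home_dir/rel_path and return that path.

    Rules (hypothetical implementation of the v2.10 behaviour described above):
      * rel_path may not escape home_dir: absolute paths and '..' are rejected
      * every directory component is opened with O_NOFOLLOW, so a symlink planted
        by the account owner cannot redirect a root-run restore into /etc or /root
      * the destination is created with O_CREAT|O_EXCL: if anything already exists
        there the restore is refused rather than overwritten
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if rel_path.startswith("/") or not parts or ".." in parts:
        raise RestoreError(f"bad relative path: {rel_path!r}")
    dir_fd = os.open(home_dir, os.O_RDONLY | os.O_DIRECTORY)
    open_fds = [dir_fd]
    try:
        for part in parts[:-1]:
            try:
                dir_fd = _open_dir_nofollow(part, dir_fd)
            except OSError as exc:  # ELOOP for a symlink, ENOTDIR, ENOENT, ...
                raise RestoreError(f"parent {part!r}: {exc.strerror}") from exc
            open_fds.append(dir_fd)
        try:
            fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600,
                         dir_fd=dir_fd)
        except FileExistsError as exc:
            raise RestoreError("destination exists; refusing to overwrite") from exc
        with os.fdopen(fd, "wb") as out, open(quarantined, "rb") as src:
            shutil.copyfileobj(src, out)
            st = os.stat(quarantined)
            os.fchmod(out.fileno(), stat.S_IMODE(st.st_mode))
            if os.geteuid() == 0:  # preserve original ownership only when privileged
                os.fchown(out.fileno(), st.st_uid, st.st_gid)
    finally:
        for f in open_fds:
            os.close(f)
    os.unlink(quarantined)
    return os.path.join(home_dir, *parts)


def demo() -> dict:
    """Constructed scenario: an account home with a legitimate file, a planted
    symlink pointing at a 'system' directory, and four restore attempts."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "alice")
    qdir = os.path.join(base, "quarantine")
    os.makedirs(os.path.join(home, "public_html"))
    os.makedirs(qdir)
    os.makedirs(os.path.join(base, "etc"))
    # symlink planted inside the account, pointing at the fake system directory
    os.symlink(os.path.join(base, "etc"), os.path.join(home, "public_html", "cron"))
    with open(os.path.join(home, "public_html", "index.php"), "w") as f:
        f.write("<?php echo 'legit'; ?>")
    results = {}
    for name, rel in [("ok", "public_html/suspect.php"),            # fresh path
                      ("clobber", "public_html/index.php"),         # already exists
                      ("symlink", "public_html/cron/suspect.php"),  # via planted symlink
                      ("escape", "../../etc/suspect.php")]:         # path traversal
        q = os.path.join(qdir, name + ".quarantined")
        with open(q, "w") as f:
            f.write("<?php /* quarantined sample */ ?>")
        try:
            safe_restore(q, home, rel)
            results[name] = "restored"
        except RestoreError:
            results[name] = "refused"
    results["etc_untouched"] = not os.path.exists(os.path.join(base, "etc", "suspect.php"))
    with open(os.path.join(home, "public_html", "suspect.php")) as f:
        results["restored_content"] = f.read()
    return results
```

The fchown call mirrors the ownership preservation noted for v1.46 and only runs when the process is root. The per-component opens with dir_fd are what distinguish this from a plain os.path.islink() walk: a walk checks and then opens, and the account owner can swap a directory for a symlink in between.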
v2.08 - Removed code that dropped privileges to the "nobody" user while
        running the interactive php interpreter as it broke subsequent
        scanning at depth
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v2.07 - Improvements to --decode ([D]) option
        New Feature - Added daily check for new Exploit Fingerprints. If cxs
        is scheduled to check for a new version daily, an additional check
        for new Exploit Fingerprints released since the last cxs version is
        performed. These will be downloaded and used on subsequent scans
        Exploit fingerprint definitions database additions

v2.06 - Fixed bug in application type detection introduced in v2.04 which
        restricted script specific regex detection from working correctly
        Exploit fingerprint definitions database additions

v2.04 - Added Quarantine UI option to block FTP IP addresses in csf
        Fixed Quarantine UI display problems
        Added option --tscripts [list] which is a comma separated list of
        scripts that --options [T] will detect if you want to restrict which
        types are checked
        Exploit fingerprint definitions database additions

v2.03 - Improvements to --decode [file] - don't process ignore file
        Speedups for --options [D]
        Speedups for cxs Watch daemon startup
        Fixes to cxs Watch daemon when processing new and --Wadd [file]
        directories where --ignore [file] and --filemax [num] were not applied
        Improvements to hdir, hfile and hsym processing for --ignore [file]
        Adjustments to --Wloglevel [num]
        Improvements to FTP IP detection

v2.02 - Fixed bugs in --decode [file] output report and improved content of
        the report
        Exploit fingerprint definitions database additions

v2.01 - Modified --decode [file] and --options [D] to drop privileges to the
        "nobody" user while running the interactive php interpreter and on
        the ownership of the decoded file while processing it

v2.00 - Added new scanning option: cxs Watch. This is an alternative to ftp
        and web script upload scanning. The cxs Watch daemon uses a separate
        process to watch entire user accounts for new and modified files and
        scans them immediately. The scanning children use up significantly
        fewer resources than the ftp and web script upload scanning methods.
        This new feature requires:
          Redhat/CentOS v5+ (i.e. a kernel that supports inotify)
          Linux::Inotify2 Perl module
        Systems that do not meet these requirements can continue to use the
        ftp and web script upload scanning methods. See the documentation
        for more information about this new option under --Wstart
        --options [D] now enabled by default to improve exploit detection
        rates (default options: mMOLfSGchexdnwZD)
        Updated POD documentation, including a new RECOMMENDATIONS section
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.56 - Reinstated the Scan Report header for the --all option lost in v1.55
        Added new option --www to only scan within the public_html/ directory
        when using --allusers or --user [user]
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.55 - Modified FTP IP Address lookup code to only read the last 64K of the
        relevant log file, improving lookup speed and resource usage
        Made /etc/init.d/pure-uploadscript LSB compliant
        Exploit fingerprint definitions database additions

v1.54 - Added a note to the CGI alert email for ModSecurity false-positives
        where the request body is inspected before Apache has a chance to
        determine whether the called script exists (i.e. a 404)
        Added new option --wttw [file] which is available for submitting text
        exploits (i.e. PHP, Perl, Shell) to ConfigServer if cxs fails to
        detect it. The file is sent as an attachment via email. Please be
        sure to read the documentation before using this option
        Exploit fingerprint definitions database additions

v1.53 - Sort File::Find directory traversal/files alphabetically
        Multiple scanning performance and resource usage improvements
        --voptions [M] removed as it serves no function
        Added text for --options [M] (Known exploit) where we have it
        Improvements to relative path file/directory scanning
        Exploit fingerprint definitions database additions

v1.52 - Ignore SIGPIPE when using --decode (--options [D]) while running
        interactive php interpreter, which caused scans to abort
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.51 - Sort Quarantine UI users
        If --quarantine or --delete fails (e.g. an immutable file), report
        failure to do so. Failure to quarantine will no longer attempt
        removal of the original file
        Only "View" quarantine files in UI if they are text files
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.50 - Fixed a problem with the use of File::Copy and the quarantine system
        where files that are moved across file systems do not retain the
        correct permissions

v1.49 - Display complete cxs command options at the top of reports, not just
        the CLI command (i.e. include defaults and cxs.default entries)
        Added a "View Quarantine" button at the bottom of the "View
        Quarantine User" UI page to return to the quarantine view
        Added default clamd rpm and apt-get socket location detection
        (/var/run/clamav/clamd.sock and /var/run/clamav/clamd.ctl)
        DirectAdmin development work (not currently supported) (RedHat
        Enterprise v3+/CentOS v3+/Debian v5+)
        Added code for future multiple license servers
        Fixed a problem with the use of File::Copy and the quarantine system
        where files that are moved across file systems do not retain the
        correct ownership
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.48 - Modified FTP scanning to honour hfile: ignore file entries
        Fixed problem with --qoptions [] sending all scan result matches to
        quarantine after a single legitimate match was found, regardless of
        the --qoptions [] specified

v1.47 - Fixed problem with UI upgrade sleeping before upgrading (as
        introduced for cron jobs). Upgrading to this version will still
        sleep through the UI, but subsequent versions should be fine.
        Instead of using the UI, using the CLI will avoid this problem for
        this upgrade, i.e.: cxs -U

v1.46 - Restore from quarantine in UI now preserves file ownership of the
        restored file
        Prefill UI Quarantine directory if set in cxs.defaults
        Added new option to Quarantine UI to bulk Restore files in the same
        way as bulk Delete works
        Exploit fingerprint definitions database additions

v1.45 - Added new option --qoptions [mMOLfSGchexdnwTEv]. By default
        --quarantine [dir] will move all file matches. If --qoptions [] is
        also used then only the selected file types will be moved
        Added --qoptions [mMOLfSGchexdnwTEv] to UI
        Improvements to --decode ([D]) option
        Added --upgrade timer to sleep for up to 1800 seconds when running as
        a cron job to avoid overloading the license server
        Added the --jumpfrom [user] and --jumpto [user] options to the UI
        Exploit fingerprint definitions database additions

v1.44 - Added Quarantine option to UI
        Modified the --jumpfrom [user], --jumpto [user] options so a special
        value can be used for the from and to [user] using a single letter
        then a plus sign to scan those users whose name begins with the
        letter specified (not case sensitive). Again, this is inclusive. For
        example, to scan all accounts beginning with k through to g use:
        --jumpfrom k+ --jumpto g+
        Improvements to --decode ([D]) option
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.43 - Improvements to --decode ([D]) option. If the final decode depth
        results in a php Parse error, the previous depth is scanned instead.
        This improves the likelihood of a successful decode and scan
        Improvements to --decode ([D]) option. Decode PHP scripts in memory
        using the interactive php interpreter instead of using temporary
        files
        Improvements to --decode ([D]) option. Add timeout to php interpreter
        to avoid decoding hangs
        Exploit fingerprint definitions database additions

v1.42 - Suppress error output from Archive::Zip

v1.41 - Enabled option --options [Z] by default for scanning within
        compressed archives
        Suppress error output from Archive::Tar
        Exploit fingerprint definitions database additions

v1.40 - Improved detection of ruby and c exploits
        Added the ability to use --quarantine and --delete when performing a
        manual or scheduled scan. However, since the likelihood of a
        false-positive is relatively high, this is not recommended without
        care and understanding of the implications
        Added test for existence of --quarantine [dir]. If it does not exist
        an error will be shown and the scan will continue with the
        quarantine directive disabled
        New --options [Z]. This option decompresses archives (i.e. zip, tar,
        tar.gz and tar.bz2 files) and scans each file within the archive
        using the same options provided to the original scan
        Added --options [Z] to WHM UI
        Updated perl modules requirements to now include: Archive::Zip and
        Archive::Tar
        Cater for single quotes in cron jobs in the WHM UI
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.39 - Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.38 - Improvements to --decode ([D]) option
        Added [D] option to WHM UI
        Fixed typo in WHM UI
        More detailed message for when --filemax reached in a directory
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.37 - Fixed bug in --options [D] when running under a non-root account
        Modified --script [script] execution to prevent stray output from
        [script] when --quiet used
        Added retry timeout in WHM UI for checking www.configserver.com for
        new version information (to avoid repeated hangs when unreachable)
        Included additional instructions in install.txt to install
        additional unofficial ClamAV databases from Sanesecurity
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.36 - Significant Improvements to --decode ([D]) option
        Added verbose switch to example cPanel Account Suspend perl script
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.35 - Optimised fingerprint definitions database
        Removed fingerprint definitions database false-positive

v1.34 - Fixed licensing issue with v1.33

v1.33 - Updated example cPanel Account Suspend perl script to be verbose
        cxs startup speedups
        Add support to --script to pass the username when using --user [user]
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.32 - Include an example cPanel Account Suspend perl script for use with
        --script /etc/cxs/cpanelsuspend.pl
        Exploit fingerprint definitions database additions

v1.31 - Always exit if ftp/cgi user is listed in a specified ignore file
        Disable pure-uploadscript if /etc/cxs/ftpddisable exists (in
        addition to /etc/ftpddisable)
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.30 - Added new option --script [script] which runs an external script
        whenever a match is detected against a file. See documentation for
        more information
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.29 - Significant improvements to --decode [file]
        Increased LWP timeout to cater for servers with slow connections to
        the license server
        Added total Viruses and Fingerprint Matches to the --mail Subject
        Added total Fingerprint Matches to the --summary
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.28 - If ftp is disabled in cPanel do not start pure-uploadscript
        New --options [E]. This option will match scripts that send out email
        using sendmail, exim or via SMTP.
This option requires that --options [m] is also specified Improvement to --decode [file] variable detection Improvements to various eval() regex matches Exploit regex definitions database additions Exploit fingerprint definitions database additions v1.27 - Fixed issue introduced in v1.26 that prevented ignoring of hdir and hfile options in an ignore file v1.26 - Allow the use of --background (-B) in cxsftp.sh Skip processing a home directory of / when using --all Exploit regex definitions database additions Exploit fingerprint definitions database additions v1.25 - Improved handling of --decode failures Exploit regex definitions database additions Exploit fingerprint definitions database additions v1.24 - Improvements to --decode [file] Add the cxs command line to a report even if the scan report is empty Exploit regex definitions database additions Exploit fingerprint definitions database additions v1.23 - Fixed a false-positive detection of c/c++ source files Added filename legend to View option UI in Other Files For single or multiple user scans, Symlinks within the homedir will now be ignored Removed [\;\|\`\\] regex checks from the [f] and [d] --options, as it appears to be of little value (you could always add back such a check using a similar regex entry in an xtra file) Modified hidden text in image file check to only report if the text is script code Exploit regex definitions database additions Exploit fingerprint definitions database additions v1.22 - Fixed --options [D] output not going to a --report [file] Improvement to --decode [file] variable detection Exploit fingerprint definitions database additions v1.21 - Added UID check to ensure updates are only performed by root (UID=0) New --options [D]. This is an experimental option that puts any PHP scripts containing an eval() function that decodes base64 and rot13 data through the (experimental) --decode [file] option during a scan. 
This will then highlight the decoded result if it hits any regex, fingerprint or virus scan matches Added eval(str_rot13 to --decode [file] Fixed --decode [file] not scanning final decoded result with regex definitions and fingerprints Improvements to --decode [file] detection and processing Modified pure-uploadscript init file to cope with multiple pure-ftpd pids on restart and to stop pure-ftpd more cleanly Exploit regex definitions database additions Exploit fingerprint definitions database additions v1.20 - Improvements to regex definitions database Added new ignore options for sym:, psym: and hsym: to allow ignoring of symlinks Modified --generate to add sym: for symlinks to ignore file All UI user selections modified to be dropdown lists Exploit regex definitions database additions Exploit fingerprint definitions database additions v1.19 - Fixed bug preventing csf from blocking FTP IP addresses when --block used Added failure message from csf to FTP email if deny fails Added new exploit scanning option W to be used with --option (must be explicitly added to the options list - the same way as the C option). The W option will chmod all world writable directories found to 755. Use this option with care as it could prevent web scripts from functioning on non-suPHP or non-SUEXEC enabled systems v1.18 - Scanning speedup when using --voptions Improvements to --decode performance and effectiveness New optimised fingerprint database. This new database, though with fewer entries, is better targetted at detecting relevant exploits that ClamAV misses (the majority!) 
        Changed "Match for fingerprint of an exploit" to "Known exploit = [Fingerprint Match]"
        Changed "Match for regular expression (regex)" to "Regular expression match = [regex]"

v1.17 - Fixed email " (Hits:nn)" not totalling all accounts hits

v1.16 - Removed spurious "set to skip" message text
        Added " (Hits:nn)" to the Subject line of email reports
        Added new option --ulist [file] for use with the --all option to perform scans of only those users listed in [file]
        Regex scanning improvements
        Disable default deep scanning on FTP and web script uploads to help avoid false-positives. If you want to continue deep scanning add --deep to cxsftp.sh and/or cxscgi.sh
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.15 - Added breakout if --decode [file] depth is > 250 to prevent looping
        Fixed problem with quarantine UI to cope with a trailing slash on the --quarantine [dir] statement
        Improved detection of the quarantine directory in UI
        Added DNS lookups on FTP IP address reports
        Allow the use of floating point numbers with --throttle [num]
        Added "Ignore" option for FTP quarantined files to Quarantine UI to add a file: ignore statement to a relevant ignore file if configured
        Added new options --jumpfrom [user] and --jumpto [user] for use with the --all option to perform scans of only those users between the two points, both of which are inclusive
        Added jumpfrom and jumpto to UI resource choice
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.14 - Added new experimental options --decode [file] and --depth [num]. See the perldoc documentation for more information
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.13 - Modified FrontPage extensions check to be case-insensitive
        Use of --all --mail [email] and --nosummary will now only report suspicious accounts instead of all accounts. --report [file] will still contain the full report
        Updated cxs perldoc help
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.12 - New option (-X, --xtra [file]) to allow custom regular expression matches and filenames that cxs will additionally scan for
        Exploit fingerprint definitions database additions

v1.11 - Modified hidden image text file check to exclude most FrontPage extensions files
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.10 - Added new check to suspicious file routine to detect text files hiding as image files
        Made file extension checks case-insensitive
        Exploit fingerprint definitions database additions

v1.09 - Improved licensing code tolerance on network failure for web and ftp scanning on servers that are behind NAT
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions
        Ftp and web scanning speedups

v1.08 - Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.07 - Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.06 - Fixed issue with pure-uploadscript restart on cron job cxs upgrade
        Exploit fingerprint definitions database additions

v1.05 - Improved UI detection of the quarantine directory in cxsftp.sh and cxscgi.sh if used

v1.04 - Fixed duplicate virus scan on script files with regex matches
        Exploit fingerprint definitions database additions

v1.03 - Added quotes around the $1 parameter in cxscgi.sh and cxsftp.sh to cope with files with spaces in their names. Existing scripts will be fixed on upgrade

v1.02 - Added initial FreeBSD (v7.2) support - currently no UI cron job support has been implemented, jobs will have to be added to /etc/crontab manually on FreeBSD
        Fixed UI quarantine restore to always use correct uid and gid
        Exploit fingerprint definitions database additions
        Added some more examples to the POD and reference the examples in cxsftp.sh and cxscgi.sh

v1.01 - Added new exploit scanning option M to be used with --option (enabled by default) and --voption. The M option scans a fingerprint lookup table of over 4500 known exploit scripts. If you have cron jobs or have modified cxsftp.sh or cxscgi.sh that use an --options list, you might want to add M to the list to use this new feature
        Digest::MD5 added to required perl modules
        Added extra check in UI where alternative clamdsock is ticked but none entered in the textbox
        Exploit regex definitions database additions
        Don't show user in quarantine UI if empty

v1.00 - Initial release
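Two of the checks this changelog describes only in prose are worth seeing as code: the nested eval()/base64/rot13 peeling behind --decode and --options [D] (v1.21), with the depth breakout of v1.15 and the "keep the last good layer" handling of decode failures (v1.25); and the "text files hiding as image files" check (v1.10), narrowed to script text as in v1.23 and made case-insensitive on the extension. The block below is an added example written for this page, not cxs code (cxs is Perl and, from v1.43 on, runs the php interpreter rather than a regex to decode). The regex, the image magic-number table, the script-marker list and the sample files are this example's own assumptions.

```python
"""Added example, not cxs code: two file-triage checks described in the cxs
changelog, reimplemented in Python.

1. peel_eval_layers(): peel nested eval(base64_decode(...)) / eval(str_rot13(...))
   layers with a depth cap (the --decode / --options [D] idea plus the v1.15
   "breakout if depth > 250"), returning the innermost source so a regex,
   fingerprint or AV scan can run against it.
2. text_hiding_as_image(): flag a file whose (case-insensitive) image extension
   is not backed by an image header and whose body carries script markers.

The regex, the magic-number table, the markers and the samples are assumptions.
"""
import base64
import binascii
import codecs
import re
from typing import Optional, Tuple

# eval( <one or more decoder calls> 'literal' ): decoder names are captured in
# group 1 outer-to-inner. Assumption: one quoted string literal as the payload.
DECODER_CHAIN_RE = re.compile(
    r"""eval\s*\(\s*((?:(?:base64_decode|str_rot13)\s*\(\s*)+)(['"])([^'"]*)\2\s*\)+\s*;?""",
    re.IGNORECASE | re.DOTALL,
)
DECODER_NAME_RE = re.compile(r"base64_decode|str_rot13", re.IGNORECASE)


def decode_once(payload: str, decoder: str) -> Optional[str]:
    """Apply one decoder; None on failure so the caller keeps the last good layer
    instead of aborting the scan (the v1.25 behaviour)."""
    if decoder == "base64_decode":
        padded = payload + "=" * (-len(payload) % 4)  # PHP tolerates missing padding
        try:
            return base64.b64decode(padded, validate=False).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            return None
    if decoder == "str_rot13":
        return codecs.decode(payload, "rot_13")
    return None  # unknown decoder name


def peel_eval_layers(src: str, max_depth: int = 250) -> Tuple[str, int]:
    """Replace each eval(<decoders>('literal')) with its decoded text, innermost
    decoder first, until nothing matches, a decode fails, or max_depth layers
    have been peeled. Returns (source_to_scan, layers_peeled)."""
    depth = 0
    while depth < max_depth:  # the loop breakout
        m = DECODER_CHAIN_RE.search(src)
        if m is None:
            break
        decoders = [d.lower() for d in DECODER_NAME_RE.findall(m.group(1))]
        decoded: Optional[str] = m.group(3)
        for name in reversed(decoders):  # PHP evaluates the innermost call first
            decoded = decode_once(decoded, name)
            if decoded is None:
                return src, depth  # keep the last layer that decoded cleanly
        src = src[: m.start()] + decoded + src[m.end() :]
        depth += 1
    return src, depth


# Image magic numbers for the extensions this check covers (assumption).
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that make hidden text count as "script code" here (assumption).
SCRIPT_MARKER_RE = re.compile(rb"<\?php|<\?=|<script\b|#!\s*/", re.IGNORECASE)


def text_hiding_as_image(name: str, data: bytes) -> bool:
    """True when the extension claims an image, the header is not an image
    magic, and the body contains script markers. A genuine image with text
    appended after a valid header is out of scope for this check."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magics = IMAGE_MAGIC.get(ext)
    if magics is None or any(data.startswith(m) for m in magics):
        return False
    return SCRIPT_MARKER_RE.search(data) is not None


def build_sample_php() -> str:
    """Constructed sample (not a real-world file): eval(str_rot13(base64_decode(...)))
    wrapped around eval(base64_decode(...)) around a harmless echo."""
    inner = 'echo "layer 2";'
    layer1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    rot = codecs.encode(layer1, "rot_13")
    layer2 = "eval(str_rot13(base64_decode('%s')));" % base64.b64encode(rot.encode()).decode()
    return "<?php " + layer2


if __name__ == "__main__":
    source, layers = peel_eval_layers(build_sample_php())
    print("peeled %d layer(s): %s" % (layers, source))
    print(text_hiding_as_image("photo.JPG", b"<?php echo 1; ?>"))
```

The peeled source is what you would then hand to the regex, fingerprint and virus checks, which is the point of the v1.21 fix ("not scanning final decoded result"). Two caveats carry over from the changelog: a depth cap is needed because a decode loop is otherwise unbounded, and a file that keeps a valid image header with text appended is not what the v1.10 check targets, so it needs a separate content scan.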