Exploit Scanning Reference
==========================

m = Regular expression match = [regex]

cxs has a regular expression lookup table which it uses to identify suspicious files. These regex patterns look for two types of text construct. Firstly, those of known exploits (a fingerprint approach). Secondly, generic text constructs found in common between many types of exploit (a heuristic approach). For example, one of the regex patterns looks for the use of base64 encoded data in PHP scripts. This method of obfuscation is typically used by exploits to hide their true purpose. If this regex is matched against the text in a file, then that file will be reported as suspicious. You can ignore specific regex patterns using an ignore file and the match: prefix.

M = Known exploit = [Fingerprint Match]

cxs uses a lookup table of over 4500 exploit script fingerprints and matches scripts that have an identical fingerprint value.

O = socket

A socket is typically used to transfer data between two separate processes. You would not normally expect to find a socket within a web hosting account and its presence is therefore regarded here as suspicious.

L = Symlink to [symlink]

A symlink, or symbolic link, is a special type of file that provides a reference to another file or directory. These are usually used for convenience by the OS and server administrators to reorganise the file system. For example, on a cPanel server symlinks are used in the user mail account structure for its IMAP implementation. You would not normally expect to find a symlink within a web hosting account web root to files outside of that account (e.g. to system files) and its presence is therefore regarded here as suspicious. Symlinks to files within an account are ignored.

f = suspicious file

cxs will report suspicious files, e.g. image files that contain script code, or C/C++ source files. The former should not normally exist and you don't usually see C/C++ files in standard web hosting accounts.
S = SUID file

Files with SUID, or set user ID, permissions allow users to run an executable with the permissions of the executable's owner. Typically, this permission is used on files to provide elevated privileges on a server to a user executing such a file. You would not normally expect to find a file with SUID permissions within a web hosting account and its presence is therefore regarded here as suspicious.

G = GUID file

Files with GUID (more commonly written SGID), or set group ID, permissions allow users to run an executable with the permissions of the executable's group rather than their own. Typically, this permission is used on files to provide elevated privileges on a server to a user executing such a file. You would not normally expect to find a file with SGID permissions within a web hosting account and its presence is therefore regarded here as suspicious.

c = core dump file

A core dump file is a special system file generated by some executables. Typically, they are generated when an executable hits a fatal error during execution. At best, such files indicate a problem with the executable involved and consume considerable disk space. At worst, core dump files (which contain a copy of the process's memory) have been used to gain elevated user privileges and exploit a server.

C = core dump file deleted

This option will automatically delete core dump files as described above.

h = suspected exploit file

cxs uses a lookup table of file names and file types which are commonly used by exploits. For example, you would not normally expect to find a file named httpd within a web hosting account, and indeed a common exploit uses that name in an attempt to appear innocuous.

e = Linux binary or executable file

A Linux binary or executable file is one that will run on a Linux OS (ELF - Executable and Linking Format). Typically, such files within user accounts are exploits that run as daemon processes mimicking system processes to remain hidden.
You would not normally expect to find a Linux binary file within a web hosting account and its presence is therefore regarded here as suspicious.

x = Windows binary or executable file

While a Windows binary file cannot be executed on a Linux OS, you would not normally expect to find one within a web hosting account and its presence could indicate a Trojan file, so it is regarded here as suspicious.

d = suspicious directory name

cxs will report directory names that contain non-standard ASCII characters. Such directories can often be used in such a way as to appear hidden to the end-user. An example would be a directory called /.../ or / ../ which might appear innocuous, but often such directories contain exploits.

n = hidden directory owned by nobody user

A directory with a leading dot (e.g. /.hidden/) will often not be apparent in many FTP client applications. One that is owned by the nobody user account has likely been created by a web script running under the nobody user account (typically a PHP script where suPHP is not enabled). Such directories are suspicious in their nature of attempting to be hidden and so are reported.

w = world writable directory

In a shared web hosting environment a directory that is world writable can typically be read and written to by any user on the server. Such directories should be avoided, especially in web roots, as they can allow exploits to spread between user accounts.

T = script file

This is a special option to identify scripts. It attempts to identify PHP, Perl, and other shebang (#!) script files such as shell scripts. You may not want to allow scripts to be uploaded through upload forms, or to be present in certain directories that you scan (e.g. /tmp or /dev/shm), so this option is available to detect them.

E = Email script match

This indicates that the script sends out email. This can be useful if you are trying to identify scripts within an account that send out email.
s = Script version check [OLD/OK/UNKNOWN] [SCRIPTNAME INSTALLED <>= LATEST]

This option will search for common web script installations and report if they are older than the latest version on record. Using old versions of software often poses a serious security risk and users should be encouraged to keep them up to date.