zira-etc/cxs/changelog.txt
2021-05-24 22:18:33 +03:00

ChangeLog:
6.14 - Modified ModSecurity integration Install/Remove options in cxs UI for
EA4 as cPanel has moved files to a different directory
6.13 - Fixed some incorrect file locks
Removed Bareword file handles
6.11 - Ensure all file opens are properly flocked
Switch to using require instead of eval/use to load runtime modules
where possible
Code review - started addressing perl critic suggestions in all
scripts and modules
Fixed incorrect --summary when subdomains outside of public_html while
using --www
Memory and CPU optimisations
PHP script decoding up to 15% faster
PHP fingerprint regex matching up to 50% faster
postftpup converted to a cPanel Hook
Exploit fingerprint definitions database additions
6.10 - On cPanel servers, ensure all document roots are scanned when using
--www not just ~/public_html/ (i.e. domains, SSL, addons, subdomains)
Fix pure-uploadscript init script to exit with appropriate status code
Exploit fingerprint definitions database additions
6.09 - Fixed quarantine store of file group ownership used for display
purposes only. The problem manifests when a user's uid != gid and the
incorrect group is used for display purposes
Fixed Wmonitor display of file group ownership. The problem manifests
when a user's uid != gid and the incorrect group is used for display
purposes
6.08 - Replace /etc/cxs/test/ files with a single non-threatening script that
will test trigger cxs and can be used to check the cxs ModSecurity
rule is working. See /etc/cxs/install.txt for details
Modified ModSecurity integration Install/Remove options in cxs UI for
EA4
Exploit fingerprint definitions database additions
6.07 - Added text field in UI for PureFTPd/ModSecurity to indicate whether
the option is currently enabled or disabled
6.06 - Fixed crond restart in UI on RHEL/CentOS/CloudLinux v7 which left
pages blank
Exploit fingerprint definitions database additions
6.05 - Added version detection for Drupal v8
Added PureFTPd integration Enable/Disable/Restart options to cxs UI
Added ModSecurity integration Install/Remove options to cxs UI
Mute perl lc UTF-16 warnings where necessary
New --options [U]. This option will match PHP scripts that allow
uploading files to the server via the HTTP POST method. This option
requires that --options [m] is also specified
Added --options [U] to the Restricted Mode UI options
UI updates and improvements
Exploit fingerprint definitions database additions
6.04 - Ensure CallUploadScript is disabled in /etc/pure-ftpd.conf on cPanel
servers on uninstall
Exploit fingerprint definitions database additions
6.03 - Fixed UI issue where --soptions [as] were not being set
Exploit fingerprint definitions database additions
6.02 - Fixed issues with DA UI quarantine restore
Improved DA UI POD display
6.01 - Added unsupported option --YSKIPUNCLAM. See POD for more information
Exploit fingerprint definitions database additions
6.00 - Added new major feature for cxs Watch: --Wmonitor [file]
This option allows you to monitor and report on changes to a list of
resources in [file]. See cxs POD for more information
Added option --Wmonignore [file] to use instead of --ignore [file] for
use with --Wmonitor [file]
Added IO::Select as a required perl module (a core perl module so
should always be present)
Improvements to php file detection
Improvements to deobfuscation routines
Fixed bug in display of atime for some quarantined files
Fix BCC header replacement field in email reports
Exploit fingerprint definitions database additions
5.33 - POD corrections and additions
Exploit fingerprint definitions database additions
5.32 - Force email Date: field in case the MTA fails to add one
Modified all report timestamps to use the same format
Exploit fingerprint definitions database additions
5.31 - Ensure only root can attempt to download the bayes corpus
Fixed POD reference to --bforget
Fixed POD formatting of long example commands
Updated Software Version Checking
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.30 - Modify cPanel install.txt to add the ConfigServer ModSecurity Vendor
option
Added new advanced PHP decoders
Exploit fingerprint definitions database additions
5.29 - Modified documentation to address changes in ModSecurity v2.9 that
require the following to be set as part of the ModSecurity config:
SecUploadKeepFiles RelevantOnly
Exploit fingerprint definitions database additions
5.28 - Added new option --[no]ssl. When enabled (the default) all cxs URL
functions, such as updating, bayes corpus retrieval and license
checking will be done over an SSL connection to ConfigServer servers
Added /var/run/clamd.scan/clamd.sock as another default clamd socket
location for --clamdsock [socket]
Added unsupported option --YSKIPCGI. See POD for more information
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.27 - Fixed call for the now removed cxswatch.pm from --Wstop
5.26 - Added /scripts/postftpup to restart pure-uploadscript after an ftp
server upgrade
5.25 - Trigger pure-uploadscript restart
5.24 - Added new advanced PHP decoders
Exploit fingerprint definitions database additions
5.23 - Added the ability to use positive --options [+][], i.e. the default
list of options is used in addition to those listed when prefixed with
a plus
Improvements to --decode ([D])
Added atime, ctime and mtime to newly quarantined file descriptions
viewable from the UI and the CLI via --qview [file].restore4
Ensure /var/log/cxswatch.log ownership and permissions are set on each
update in case of rotation
File md5sum added to cgi and ftp alert email
5.22 - Ensure timestamp and cxs command are prepended to --report [file]
Fix cxs Watch Timestamp in report emails
When using --options W ensure that resource is a directory and not a
symlink or socket
5.21 - Fixed issue in cxs Watch when --www is used and a new account is
created through restore on cPanel servers
cxs Watch now tracks the parent directories for all users when
--allusers is used and will add them back if they disappear and are
recreated
5.20 - Fixed systemd cxs watch UI commands
Exploit fingerprint definitions database additions
5.19 - Re-added POSIX Locale after changes in v5.16
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.18 - Added white-space pre-wrapping to HTML emails
UI HTML updates and fixes
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.17 - Fixed --qcreate POD text
Added systemd support for pure-uploadscript
5.16 - WARNING: The report format has changed in this version. If you are
parsing cxs reports, they now show the filename and then all hits
reported against that file before reporting the next file. Previously
each reported hit was shown separately with the filename following
Renamed cxs cron job in /etc/cron.d/ from cxs.cron to cxs-cron to
cater for non-LSB compliant Linux cron managers
New option --[no]html. With --[no]html enabled (default), emails will
be sent in both plain-text and HTML formats. The option does not apply
if --template [file] is used
Fixed cxs Watch to remove rateignore data for a file if it is deleted
Fixed rateignore hash array lookup and unnecessary rateignore removal
causing files to be skipped
Added unsupported option --YRATEIGN. See POD for more information
Improvement to PHP script detection
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.15 - Fix for POD cron jobs RECOMMENDATIONS text
5.14 - Modified --Wrateignore [secs] so that ignored resources are rescanned
once [sec] expires
Modified cxs watch so that resource attribute changes only trigger an
inotify event if --options [w] or [W] are used
cxswatch.sh now disables the world writable directory check options
on new installations (--options -wW)
Removed options --Wsymlink [script], --Wsymlinkmax [num] and
--Wsymlinksec [secs]. These options provided ineffective control of
such exploits and caused performance issues with cxs Watch. The options
will no longer function, but cxs commands will not fail if they are
used
Updated cxs RECOMMENDATIONS section
5.13 - Ensure --Wrateignore [secs] has default values set in cxs Watch if
--Wsleep [num] is set to 0
Added unsupported options --YRATECNT [num] and --YRATESEC [secs]. See
POD for more information
Exploit fingerprint definitions database additions
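The v5.13 and v5.14 entries above describe cxs Watch rate-ignoring: a resource that generates events too quickly is ignored for --Wrateignore [secs] and rescanned once that period expires, with the count and window controlled by the unsupported --YRATECNT [num] and --YRATESEC [secs]. The following is an added example, not cxs's own code, of a per-resource sliding-window limiter built on that reading; the exact semantics of the real options are in the cxs POD, not on this page, so the mapping of rate_count, rate_secs and ignore_secs onto those options is an assumption, and the event stream is constructed.

```python
# Added example (not cxs's own code): a per-file sliding-window rate limiter
# of the kind the changelog describes for cxs Watch. The exact semantics of
# --Wrateignore [secs] and the unsupported --YRATECNT [num] / --YRATESEC [secs]
# live in the cxs POD, not on this page; the model assumed here is "more than
# rate_count events on one resource within rate_secs seconds puts it on the
# ignore list for ignore_secs, after which it is rescanned".
from collections import defaultdict, deque


class RateIgnore:
    def __init__(self, rate_count, rate_secs, ignore_secs):
        self.rate_count = rate_count      # assumed stand-in for --YRATECNT [num]
        self.rate_secs = rate_secs        # assumed stand-in for --YRATESEC [secs]
        self.ignore_secs = ignore_secs    # assumed stand-in for --Wrateignore [secs]
        self.events = defaultdict(deque)  # path -> event timestamps in the window
        self.ignored_until = {}           # path -> time the ignore expires

    def should_scan(self, path, now):
        """Record an event on `path` at time `now`; return True if it should be scanned."""
        expiry = self.ignored_until.get(path)
        if expiry is not None:
            if now < expiry:
                return False                 # still rate-ignored, skip the scan
            del self.ignored_until[path]     # ignore period expired: rescan (v5.14)
            self.events[path].clear()
        window = self.events[path]
        window.append(now)
        while now - window[0] > self.rate_secs:
            window.popleft()                 # drop events that fell out of the window
        if len(window) > self.rate_count:
            self.ignored_until[path] = now + self.ignore_secs
            window.clear()
            return False                     # just tripped the limit: ignore from now on
        return True

    def remove(self, path):
        """Forget all state for a deleted resource (v5.16: drop rateignore data on delete)."""
        self.events.pop(path, None)
        self.ignored_until.pop(path, None)


def replay(limiter, events):
    """Feed constructed (time, path) events in order; return the pairs that got scanned."""
    return [(t, p) for t, p in sorted(events) if limiter.should_scan(p, t)]


# Constructed event stream: a log file rewritten every second for 71 seconds
# next to one ordinary upload that changes twice.
SAMPLE_EVENTS = [(t, "/home/user/public_html/debug.log") for t in range(71)]
SAMPLE_EVENTS += [(0, "/home/user/public_html/upload.php"),
                  (30, "/home/user/public_html/upload.php")]


if __name__ == "__main__":
    limiter = RateIgnore(rate_count=5, rate_secs=10, ignore_secs=60)
    scanned = replay(limiter, SAMPLE_EVENTS)
    print(len(scanned), "of", len(SAMPLE_EVENTS), "events scanned")
    for t, path in scanned:
        print(f"{t:3d}s scan {path}")
```

With a limit of 5 events per 10 seconds and a 60 second ignore, the churning log file is scanned five times, ignored for a minute, scanned five more times and ignored again, while the upload is scanned on both of its changes; the point of the expiry is that a file which was noisy once is not silently excluded forever.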
5.12 - Implemented native systemd support for startup and shutdown of cxs
Watch
Added version detection for Fancybox for Wordpress
Exploit fingerprint definitions database additions
5.11 - Updated license servers
Exploit fingerprint definitions database additions
5.10 - Disable --xtra [file] when using --wttw [file]
Display error on license retrieval failure
Added check for perl modules LWP::Protocol::https and Linux::Inotify2
on installation and upgrade
Added new advanced PHP decoders
Exploit fingerprint definitions database additions
5.09 - Fix for issues where license file became corrupted after update to
v5.08
5.08 - Fixed a rare potential issue with fingerprint processing in
--xtra [file]
Added new advanced PHP decoders
Updated scripts to use https://download.configserver.com
Revert to using LWP::UserAgent instead of HTTP::Tiny for SSL support
Exploit fingerprint definitions database additions
5.07 - Modified new installs to better initially update to the latest
fingerprints
Ignore and Xtra files can now use an Include statement to include
additional files. If cxswatch is running then it will also watch the
included files for changes and reload if necessary
Added new quarantine option --qignore [method] which, when used with
--qrestore [file], creates an entry in --ignore [file] before restoring
the file. See POD for more info
Optimised fingerprint database to remove duplicates and old entries of
no value reducing the size without reducing effectiveness
Exploit fingerprint definitions database additions
5.06 - HTTP::Tiny upgraded to v0.050
Modified use of BSD::Resource to be silent on failure
Exploit fingerprint definitions database additions
5.05 - Updated installer to fix generic installs on some Redhat/CentOS setups
Fixed issue with fingerprint database and a corrupt regex
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.04 - Improvements to .htaccess fingerprint P0216 -> P0767
Modify installer to always perform an update on installation to ensure
the latest definitions are always available
cxswatch will now scan a directory's permissions if any of its
attributes are changed and --options [w] and/or --options [W] is
enabled
Updated scripts to use download.configserver.com
Exploit fingerprint definitions database additions
5.03 - Removed a false-positive fingerprint definition
Exploit fingerprint definitions database additions
5.02 - Ensure --ignore [file] is always loaded last
Allow ignoring of Fingerprints
New master bayes corpus generated
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.01 - Raised bayes low/medium/high thresholds
New master bayes corpus generated
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
5.00 - New feature --[no]bayes taken out of BETA and is the basis of v5
Added --[no]bayes to the UI
New master bayes corpus generated
Added warning in UI for --[no]fallback option regarding potential
performance impact
Exploit fingerprint definitions database additions
4.28 - Fixed cxs Watch loading the bayes database whether --bayes was in use
or not
4.27 - Modified cxs Watch so that watches are updated/created if the
alternative configuration file reload method is used
Exploit fingerprint definitions database additions
BETA: Added a local bayes corpus so that learning and forgetting can
be implemented locally
BETA: Added new option --blearn [X|C] so that new files can be added
to the local corpus as either an exploit (X) or as a clean file (C)
BETA: Added new option --bforget [X|C] so that new files can be
removed from the local corpus as either an exploit (X) or as a clean
file (C). Only files previously learned should be forgotten
BETA: Modified cxs Watch to reload the master bayes corpus on change
BETA: Modified cxs Watch to reload the local bayes corpus, if one
exists, on change
BETA: When cxs is upgraded and the master bayes corpus exists, the
latest master corpus will be automatically downloaded
BETA: New master bayes corpus generated
BETA: Raised bayes low/medium/high thresholds
4.26 - A situation where Fingerprint P0452 persists was missed and is now
removed
4.25 - Fingerprint P0452 removed as it appears some legitimate scripts are
using the same obfuscation technique commonly used in exploits
BETA: Bayes corpus size decreased by a further 28% but with increased
accuracy
Exploit fingerprint definitions database additions
4.24 - BETA: Bayes corpus format improved - if you are using this feature,
download the new corpus using "cxs --bget"
BETA: Bayes corpus memory footprint decreased by a further 20%
BETA: Bayes corpus loading speed improvements
4.23 - Improvements to the main decoder regex
Improvements to decoder string extraction
Fixed formatting of --qlocal documentation
BETA: New Bayes corpus generated - if you are using this feature,
download the new corpus using "cxs --bget"
BETA: Bayes corpus size decreased by 25% but with increased accuracy
Exploit fingerprint definitions database additions
4.22 - Added option --qlocal which provides quarantine support when using
mod_ruid2 by storing quarantined files within a user's account. See
documentation for more information and caveats
BETA: Bayes learning improvements (speed, memory)
BETA: Bayes reporting improvements (speed, memory)
BETA: New Bayes corpus generated - if you are using this feature,
download the new corpus using "cxs --bget"
Improvements to PHP decoded script scanning efficiency
4.21 - BETA: Bayes corpus loading speed improved by 100%
BETA: Bayes corpus memory footprint decreased by 20%
BETA: Increased minimum score size for Bayes reporting to help reduce
false-positives
4.20 - New option --[no]bayes (currently in BETA). Naive Bayesian
probability scanning of script files. This option uses an enhanced
Naive Bayes algorithm to report a probability that a scanned script is
an exploit. This is achieved through a trained corpus (database). See
the cxs documentation for more details.
Additions to main decoder regex
Exploit fingerprint definitions database additions
4.19 - Additions to main decoder regex
Modified option --template [file]. You can now use this to email the
end user when performing --allusers and --user [user] scans. See the
cxs Documentation for --template [file] for more information
Output improvements to --qview [file] and more information provided in
the POD
Exploit fingerprint definitions database additions
4.18 - HTTP::Tiny reverted to v0.041 as it breaks on some installations
4.17 - Unsupported option --YSKIPWMAIL added. With this option set, if
--options [W] or --options [wW] is triggered, then the directory will be
chmod as normal but no email will be sent. If any other option is
triggered for the same scan, the email will still be sent. This option
only applies to cxs Watch
Added full pseudo-breadcrumbs to cPanel UI
HTTP::Tiny upgraded to v0.042
On cPanel servers, use cPanel provided perldoc binary in UI if present
Exploit fingerprint definitions database additions
4.16 - Updated POD to reflect --[no]fallback being disabled by default
Changed default value of --Wsymlinkmax to 1000
Changed default value of --Wsymlinksec to 10
Added performance note about using --Wsymlink [script] to POD
Modified cxswatch restart routine to run /etc/cxs/cxswatch.sh directly
Modified cxswatch to more quickly detect restart requests on busy
systems
Exploit fingerprint definitions database additions
4.15 - Memory usage improvements and general speedups
Added the ability to use negative --options [-][], i.e. the default
list of options is used apart from those listed when prefixed with a
minus
--[no]fallback now defaults to --nofallback due to performance
concerns which should be noted before enabling the option
Exploit fingerprint definitions database additions
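The v4.15 entry above (and v5.23 further up) define how an --options value interacts with the built-in default list: a bare list replaces the defaults, a list prefixed with "-" removes the listed letters from the defaults, and one prefixed with "+" adds them; v6.05 adds a dependency ([U] needs [m]) and v5.14 shows the minus form in practice (cxswatch.sh uses --options -wW). The following is an added example, not cxs's own code, that implements those rules; the DEFAULT_OPTIONS set is a constructed stand-in, not cxs's real default list.

```python
# Added illustration of the +/- prefix semantics for --options lists, as
# described in the cxs changelog (v4.15: "-" prefix, v5.23: "+" prefix).
# This is not cxs's own code; the default set below is a constructed stand-in.

# Constructed stand-in for the built-in default option list (not cxs's real
# default). The letters are options mentioned in the changelog.
DEFAULT_OPTIONS = frozenset("mMvwW")

# Option dependencies recorded in the changelog: [U] requires [m] (v6.05).
REQUIRES = {"U": "m"}


def resolve_options(spec, defaults=DEFAULT_OPTIONS):
    """Return the effective option set for a single --options value.

    A bare list ("mv") replaces the defaults entirely; a list prefixed with
    "+" ("+U") is added to the defaults; a list prefixed with "-" ("-wW") is
    removed from the defaults. An empty value means "use the defaults".
    """
    if not spec:
        return set(defaults)
    prefix, letters = spec[0], spec[1:]
    if prefix == "+":
        return set(defaults) | set(letters)
    if prefix == "-":
        return set(defaults) - set(letters)
    return set(spec)


def check_dependencies(options, requires=REQUIRES):
    """Return human-readable problems with an option set; empty if it is valid."""
    problems = []
    for opt, needed in sorted(requires.items()):
        if opt in options and needed not in options:
            problems.append(f"--options [{opt}] requires --options [{needed}]")
    return problems


def effective_options(spec, defaults=DEFAULT_OPTIONS):
    """Resolve and validate spec; return the sorted letters or raise ValueError."""
    options = resolve_options(spec, defaults)
    problems = check_dependencies(options)
    if problems:
        raise ValueError("; ".join(problems))
    return "".join(sorted(options))


if __name__ == "__main__":
    # cxswatch.sh on new installs (v5.14) turns off the world-writable
    # directory checks while keeping everything else.
    print("-wW  ->", effective_options("-wW"))
    # Adding the upload-script check on top of the defaults (v5.23 syntax).
    print("+U   ->", effective_options("+U"))
    # A bare list replaces the defaults: here [U] without [m] is rejected.
    try:
        effective_options("Uv")
    except ValueError as err:
        print("Uv   -> rejected:", err)
```

The practical trap this guards against is the bare form: an operator who writes --options U to "add" the upload check actually drops every default, which is why the prefixed forms were introduced and why the dependency check runs on the resolved set rather than on the typed letters.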
4.14 - Force cxs into a detached process if running --upgrade as a CRON job
to fix upgrade hanging issue
4.13 - Significant speedups in regex (up to 300% faster) and FP matching
Exploit fingerprint definitions database additions
4.12 - Code regression to prevent overloading update server during upgrades
4.11 - New feature: --[no]fallback. If clamd produces an error or is
unavailable after a scan starts, this option will attempt to use
clamscan to scan files until clamd is available again. This option is
enabled by default
Additional minor updates to the POD documentation
Modify cxsdaily.sh to fork jobs to prevent hanging on new installs
Added timeout (5 mins) to cxs upgrade routine
Improvements to --wttw [file]
4.10 - Check file size against --sizemax [size] when using --wttw to ensure
ignored files are not being submitted incorrectly
Exploit fingerprint definitions database additions
4.09 - UI Fixes and updates
Fixed issue with default perl binary on non-cPanel servers
Use raw UI plugin on DA servers when generating cxs commands/scans to
overcome buffering issues
Exploit fingerprint definitions database additions
4.08 - Removed redundant v3 quarantine code
Removed displaying "i" during scan if file ignored as it is not
particularly helpful
Updates to Piwik and ownCloud version detection
Form design elements added
Change to --sizemax [bytes] behaviour. In the past a file > [bytes] in
size was ignored, now the file will be scanned but only the initial
[bytes] of the file will be scanned
Added decoding of octal as well as hex encoded characters for PHP
scripts
Exploit fingerprint definitions database additions
4.07 - Display "i" during scan if file ignored due to sizemax [bytes] being
exceeded
HTTP::Tiny upgraded to v0.039
Translate ampersand for HTML output
Fixed cxs UI not adding files to the ignore file after using the
Ignore link
Additional checks for ignore, xtra and new detections updates for cxs
watch daemon to reload the relevant files if necessary
Exploit fingerprint definitions database additions
4.06 - Parameterise all calls to system() and Open3()
Only list viewable files in UI "Other Files" option
Fixed issue with ignoring user: and puser: with web scanning
Added new --ignore [file] option ip: - ignore IP address for web and
ftp uploads. This may or may not have any impact on performance with
ftp uploads as the IP address will need to be established from the
message log for each file
Removed DNS lookup on FTP IP addresses to improve performance
Exploit fingerprint definitions database additions
4.05 - Fixed POD display in UI
4.04 - Fixed issue with cxs Watch not reporting running state correctly
4.03 - Fixed issue with reporting boolean CLI options
4.02 - Fixed issue with creation of new quarantine directory for new installs
Improved quarantine directory detection for conversion on upgrade to
v4
4.01 - Introducing a new Quarantine system. This new version creates a more
secure method of quarantining suspicious files in cxs. It removes the
need for a directory with 1777 permissions. It also makes the layout
and maintenance of the quarantine directory much simpler
Automatically rename old quarantine directory to [dir].(timestamp)
and create new quarantine structure. An email is sent to root with a
reminder to remove the old directory
Any pre v4 old quarantine directory can still be viewed and restored
from through the UI if required, though this functionality (for old
quarantine directories) will be removed in the future
New option --qcreate. This option is used to create a new quarantine
directory structure. It will rename any pre-existing directory to
[name].(timestamp)
New option --qclean [days]. This option is used to clean a quarantine
directory specified with --quarantine [dir], retaining the last
[days] worth of files
New option --qrestore [file]. This option is used to restore a
quarantine file via the CLI to the original file location (v4
quarantined files only)
New option --qview [file]. This option is used to view a quarantined
file via the CLI
Modified cxs UI to cater for new quarantine layout and provide some
additional information on quarantined files
Added new file /etc/cxs/cxsdaily.sh as an example file to symlink
from /etc/cron.daily/ to perform daily tasks and added to
RECOMMENDATIONS in the docs
Modified cxs Watch scanning to automatically scan newly created
directories for exploits to help overcome an issue where files are
created before a new directory is watched
Support for running cxs through suhosin has been removed
Fixed issue with --defapache [user]
Modified recommendations on file ownership and permissions when using
--logfile [file]
HTTP::Tiny upgraded to v0.037
POD documentation tidy
Exploit fingerprint definitions database additions
3.27 - NOTE: Support for using suhosin is deprecated and will be removed in
the near future - use ModSecurity instead. If you are unable to use
ModSecurity, you will have to rely on either cxs Watch or manual scans
New option added: --defapache [user]. This is the default account
under which apache runs. This will be set to "apache" by default
except on cPanel servers where it is set to "nobody" by default
Make cxs watch restart reason more verbose
Improved file type detection for files within archives
Improvements to the main decoder regex
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
3.26 - Fixed issue with cxs process termination due to scanning timeouts
Prevent regex hangs due to some exploit tactics
Fixed quarantine UI not restoring file permissions correctly
3.25 - Extended fingerprint checks for alternative linefeeds in scripts
Fixed functionality of the included test.cgi upload test script
Enforce stricter permissions on /var/log/cxswatch.log
Disable option to upgrade cxs in DA UI and instruct to use CLI
Added use of --force to --upgrade to redo upgrade to latest version if
required
Additional checks to terminate php child process if timeout occurs
Exploit fingerprint definitions database additions
3.24 - Added the following to Script Version Scanning:
Joomla XCloner Ext, WP XCloner Ext
Added new advanced PHP decoders
Exploit fingerprint definitions database additions
3.23 - Added the following to Script Version Scanning:
CubeCart
Fixed cxs Watch in DA where new account creation was not automatically
detected
HTTP::Tiny upgraded to v0.036
3.22 - Added the following to Script Version Scanning:
AbanteCart, AEF, b2evolution, CMS Made Simple, CodeIgniter, Concrete5,
Dotclear, e107, Elgg, Feng Office, HESK, Jcow CE, MODX Evolution,
MODX Revolution, Noahs Classifieds, OSClass, ownCloud, Oxwall, Piwigo,
Piwik, Seo Panel, Serendipity, StatusNet, TomatoCart, Xoops, ZenPhoto,
Zikula
Added the following popular Wordpress extensions to Script Version
Scanning:
WP Sociable
WP Share This
WP WP Super Cache
WP All In One WP Security & Firewall
WP BulletProof Security
WP FD Feedburner
WP Google Adsense Plugin
WP WordPress Simple Paypal Shopping Cart
WP WordPress eShop
WP WordPress s2Member
WP UpdraftPlus
WP BackUpWordPress
Added the following popular Joomla extensions to Script Version
Scanning:
Joomla Akeeba
Joomla AllVideos
Joomla CDN for Joomla
Joomla Community Builder
Joomla JEvents
Joomla Jomsocial
Joomla K2
Joomla Kunena
Joomla Phoca Gallery
Joomla sh404SEF
Joomla Simple Image Gallery
Joomla Xmap
Exploit fingerprint definitions database additions
3.21 - Disable Script Version Scanning for web script scanning (cxscgi.sh) as
it does not apply
Perl module Storable added to the required list
Added ten of the most popular Wordpress extensions to Script Version
Scanning:
WP Akismet Ext v2
WP Better WP Security Ext v3
WP Contact Form 7 Ext v3
WP Facebook Ext
WP Google XML Sitemaps Ext v3
WP Jetpack Ext v2
WP NextGEN Gallery Ext v2
WP Seo Ext
WP W3 Total Cache Ext
WP WooCommerce Ext v2
Added ten of the most popular Joomla extensions to Script Version
Scanning:
Joomla Advanced Module Manager Ext v4
Joomla JCE Ext v2
Joomla RAntiSpam Ext v3
Joomla Joomla LiveHelpNow Chat Ext v2
Joomla Rapid Contact Ext
Joomla Asynchronous Google Analytics Ext v2
Joomla Google Maps Ext v3
Joomla Sourcerer Ext v4
Joomla Tabs Ext v3
Joomla Modules Anywhere Ext v3
Added the following to Script Version Scanning:
OpenCart, Nucleus CMS, Open Classifieds, LimeSurvey, ClipBucket,
WHMCS, Coppermine Photo Gallery
Exploit fingerprint definitions database additions
3.20 - Changed --options [s] to be --[no]sversionscan (Script Version
Scanning) to make it independent of --[no]exploitscan, allowing a fast
scan for old script installs. This option is enabled by default. Use
--nosversionscan to disable
Added the following to Script Version Scanning:
Typo3, Invision Power Board, WebCalendar, MyBB, Dolphin, SMF, OpenX
Source, SugarCRM Community Edition, Contao CMS, PrestaShop,
PHP-Fusion, phpPgAdmin, SquirrelMail, Roundcube, Kayako, osTicket
Added new --soptions [a] for --[no]sversionscan to report all versions
of found scripts, not just old versions
Added new --soptions [d] for --[no]sversionscan to report the
directory containing the script, not the trigger file
Exploit fingerprint definitions database additions
3.13 - UI button style modifications
Added phpList, Moodle, Magento Community Edition and MediaWiki version
checking to --options [s]
Modified POD to screen wrap HTML code more effectively
3.12 - Fixed cxs uninstaller removing csf UI files on cPanel installs
Added phpBB, phpMyAdmin, Zen Cart, osCommerce and VirtueMart version
checking to --options [s]
3.11 - Added to RECOMMENDATIONS to still run a regular scan without --ctime
[hours] to ensure new scan techniques and exploit signatures are used
to check all existing files
Fixed directory creation on installation for unofficial DA plugin
Improved performance of file slurping and therefore scanning
Added new --options [s] that will search for a few common web script
installations and report if older than the latest version on record.
See documentation for more information
Exploit fingerprint definitions database additions
3.10 - Changed --throttle [num] to prevent throttling triggering a
--timemax [secs] timeout
Added detection for some PHP JPEG and TIFF EXIF exploits
Improvements to image and zip file type detection
Exploit fingerprint definitions database additions
3.09 - Improvements to Virtuozzo/OpenVZ system detection where
/proc/vz/veinfo does not exist
Added TimeStamp to the top of the scan report
If /etc/csuibuttondisable exists then the UI buttons will revert for
those that cannot cope with the themed ones
3.08 - Implemented new cxswatch log tail code
UI display changes
Exploit fingerprint definitions database additions
3.07 - Allow (limited) scans via UI in restricted mode
Added Change Time (--ctime [hours]) option to UI
If --quarantine has been disabled, ensure all reports contain a
warning message with explanation
3.06 - Fixed bug with broken --cgi option (cxscgi.sh) from v3.05
Fixed UI configurable lines display for cxswatch.log
Remove immutable and append-only flags from files when moving files to
quarantine or deleting
Fixed supplied test/test.php for newer PHP versions
3.05 - Added /etc, /sys and /proc to directories requiring --force to be used
when scanning
Added additional checks that any specified quarantine directory is
valid
Added new option --ctime [hours]. If you run regular full system scans
then you can use --ctime [hours] to only scan files changed in the
intervening hours. This can speed up scan times dramatically
Apply hfile:, hdir: and hsym: ignores to FTP upload scanning
Exploit fingerprint definitions database additions
3.04 - Fixed file view from quarantine - reported by Rack911
Further improved UI form data sanitisation
Bolstered the UI warning with regard to disabling Restricted Mode
3.03 - Fixed broken UI items
Improvements to the ignore logic
Improved UI form data sanitisation
Exploit fingerprint definitions database additions
3.02 - Security - Added UI Restricted Mode which is enabled by default. This
disables features in the UI that could allow arbitrary commands to be
run as root and system files to be overwritten. To enable unrestricted
access to the UI remove /etc/cxs/cxs.restricted
Added UI option to completely disable the UI by creating the file
/etc/cxs/cxs.disableui
3.01 - Implement slurp routine for configuration files to cater for incorrect
linefeeds
Improvements to forced quarantine feature within --xtra [file] and
updated instructions provided in cxs.xtra.example
Security - Quarantine improvements
Exploit fingerprint definitions database additions
3.00 - Implemented hfile ignoring for ratelimiting in cxs Watch
Implemented ignore caching in cxs Watch for ratelimited files
HTTP::Tiny upgraded to v0.033
Exploit fingerprint definitions database additions
2.99 - Fix --wttw [file] successful submission text
2.98 - Added check for clamd when using --wttw [file]
Added check for script files when using --wttw [file]
HTTP::Tiny upgraded to v0.031
Removed a false-positive fingerprint definition
Exploit fingerprint definitions database additions
2.97 - Added support for cPanel v11.38.1+ AppConfig addon registration
NOTE: In accordance with the new conventions for v11.38.1+ AppConfig
the url to the cxs WHM plugin will change from /cgi/addon_cxs.cgi to
/cgi/configserver/cxs.cgi. This will only happen with cxs v2.97+ and
cPanel v11.38.1+. Older versions of cxs will continue to use the old
URL. This has no particular relevance to users accessing through WHM,
but will affect direct URL access by users or third party
applications
Added new option --comment "text" which can be used to add a short
comment to files submitted using --wttw [file]
Modified --wttw [file] to ensure that it is not already detected as a
Virus or Fingerprint (now requires --force to report a false-positive)
Fixed packed hex advanced decoder regex
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.96 - Fixed --xtra [file] detection for regfile: and file: entries
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.95 - Internal version
2.94 - Removed a false-positive fingerprint definition
2.93 - New features: --prenice [num], --pionice [num]. These options allow
you to control the nice and ionice priorities of the running process.
This can, for example, help even out the load on heavy IO servers or
increase the speed of the scan on busy servers
Exploit fingerprint definitions database additions
2.92 - Improvements to the main decoder regex
Improvements to error reporting on UI restore
Fixed typo in documentation regarding cxs.xtra :quarantine feature
Added IP, where available, to --script [script] parameters passed to
external script
Exploit fingerprint definitions database additions
2.91 - Ensure cxswatch is stopped, disabled and removed on cxs uninstall
Added cleaned script code scanning to text match and decoder regex
detection to improve exploit script detection
Modified --help to use the POD paginated viewer
Exploit fingerprint definitions database additions
2.90 - Added alternative php binary locations for generic installations
Improvements to --decode ([D])
Added new advanced PHP decoder
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.89 - Improvements to --decode ([D])
Repurposed --options [u] to specifically highlight scripts only within
directories deemed suspicious, rather than general directories such as
/image/ or /upload(s)/. This should make the option more useful and
help avoid false-positives
Exploit fingerprint definitions database additions
2.88 - Include gzdecode() detection for PHP scripts
Switched from using LWP to HTTP::Tiny to reduce memory footprint and
reliance on the LWP perl module. The HTTP::Tiny module is included in
the distribution, so no further action is necessary
Modified cxs watch daemon to use POSIX::setsid()
Modified cxs quarantine routine to reduce memory footprint
Modified loading of Pod::Usage only if necessary to reduce memory
footprint
Modified cxs watch to not fail startup if new watch resource
disappears before completion
Exploit fingerprint definitions database additions
2.87 - Improvements to the main decoder regex
Reverted to using temporary files during PHP file decoding due to a
major bug in PHP v5.4.* which produces "Ran out of opcode space!" in
interactive mode
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.86 - Improvements to installer on initial fresh cPanel v11.36 installations
Added a 20 second timeout for running --Wsymlink [script] and switched
from using system call to open3
Added a 20 second timeout for running --script [script] and improve
output printing from [script]
Modified --options [u] to include more suspicious locations
Exploit fingerprint definitions database additions
2.85 - Moved suspicious script location detection to its own option within:
--options [u], --doptions [u], --voptions [u] and --qoptions [u]
The option is included in the default setting for --options [options].
If you specify a list in any of these options and want to include this
in them, then you need to add [u] to the list of options
Separate dangerous quarantine options in the UI
2.84 - New feature: cxs watch daemon Symlink attack detection. This option
will try and detect a symlink attack against the server. If
--Wsymlinkmax [num] symlinks are created within one directory within
--Wsymlinksec [secs] seconds then --Wsymlink [script] will be run. An
example is provided for this script in
/etc/cxs/symlinkdisable.example.pl
Enable --Wsymlink /etc/cxs/symlinkdisable.example.pl on new installs
in /etc/cxs/cxswatch.sh for email notifications
Detect as suspicious, scripts found within /images/ and /upload(s)/
directories
Fixed --Wadd [file] not working correctly in cxs watch
Fixed --www not being adhered to for new users while cxs watch running
Modified --www location on DA servers to the domains/ subdirectory of
users account for cxs watch daemon and single user scans
Improvements to file ownership detection in cxs watch. If a file is
owned by "nobody" cxs will compare user home directories in
/etc/passwd to the file location to try and determine a unique owner
Fixed UI saving default "smtp" setting incorrectly (again)
2.83 - Updated to use the new cPanel 11.36+ integrated perl binary if exists
Fixed UI saving default "smtp" setting incorrectly
Modified --www location on DA servers to the domains/ subdirectory of
users account as public_html/ is ignored as it is a symlink
2.82 - Added new advanced PHP decoder
Improvements to detection of PHP script file type
Added new functionality to --xtra [file] to force quarantine of a file
with a matching regex if using --quarantine [dir]. See documentation or
the latest /etc/cxs/cxs.xtra.example for information
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.81 - Fixed a false-positive with the main .htaccess regex
Fixed UI not correctly saving --MD5 to cxs.defaults if set
Fixed issue with temp file cleanup not reinitialising between scans
2.80 - Add scan type to Quarantine output for each entry
Added timezone offset to cxs --mail emails
Improvements to the main decoder regex
Improvements to advanced PHP decoders to --decode ([D])
Exploit fingerprint definitions database additions
2.79 - Improved settings initialisation when scanning multiple files
Added xtra supplied md5sum values to the report to help with match
identification
Removed the instructions for installing unofficial ClamAV databases as
we don't support them
2.78 - Improvements to various advanced PHP decoders
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.77 - Ensure htaccess fingerprints only apply to .htaccess files
On cPanel servers hide the Support icon introduced by cPanel in v11.34
Added unsupported feature --YSKIPFPREGEX to ignore inbuilt fingerprint
regular expression matching when using --options [M], --xtra [file]
contents will still match
Added scanning for jsp scripts
Added scanning for asp and aspx scripts
Added scanning for java scripts
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.76 - Update to one of the main decoder regexes
2.75 - Added multiple new advanced PHP decoders
Improvements to the main decoder regex
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.74 - Improvements to the daily update mechanism
Fixed a false-positive with the main .htaccess regex
2.73 - Fixed a problem where compressed file depth was not being reset
between files causing subsequent compressed files to be skipped from
scanning
Fixed problem where multi-depth compressed files were not being
identified by their original filename correctly
Added compressed file depth to output when matches found
2.72 - Added PNG and JPEG filetypes for hidden script scanning
Fixed an issue where cxs was sometimes leaving temporary files in /tmp
after compressed file expansion
2.71 - cxs will now treat .htaccess files as script files and fingerprints
have been added for common exploits
Added more information about existing csf and cxs integration options
(i.e. UI, ModSecurity, pure-ftpd)
Added information that restores from quarantine must be done through
the UI
Exploit fingerprint definitions database additions
2.70 - Improvements to cxs Watch daemon ignore/xtra and new update reloading
without restart
Switched to using Sys::Hostname in cxs Watch daemon
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.69 - Switched to using Sys::Hostname to determine hostname as CloudLinux
restricts access to /proc/sys/kernel/hostname for some reason
2.68 - Modified POD and UI to show full rather than abbreviated commands
Added new option --template [file]. When using --mail [email] a
standard email format is used. To customise this format an email
template file can be used instead. You can now use this to email the
Linux owner of the affected script under certain circumstances. See
the cxs Documentation for more information
Added new advanced PHP decoder for --decode ([D])
Improvements to advanced PHP decoders to --decode ([D])
Fixed PHP decoder issue that could restrict decoder depth under
certain circumstances
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.67 - NOTE: If you are using the cxs ModSecurity hook and ModSecurity v2.6,
you must now specify the ModSecurity configuration setting SecTmpDir.
If you have not set SecTmpDir in your ModSecurity configuration, then
you need to add the following on its own line before or after the
ModSecurity cxs line: "SecTmpDir /tmp" and then restart httpd. The
file you need to add this to, if not already present, on a cPanel
server is: /usr/local/apache/conf/modsec2.user.conf
Unless specified, --qoptions now defaults to [Mv] when
--quarantine [dir] is used. Any existing installations using
--quarantine [dir] will now have --qoptions [Mv] enabled, unless
otherwise specified on the command line or in cxs.defaults
Added unsupported feature --YSKIPREG to ignore inbuilt regex matching
when using --options [m], --xtra [file] contents will still match
Added unsupported feature --YSKIPMD5 to ignore inbuilt fingerprint
matching when using --options [M], --xtra [file] contents will still
match
Added a new option, --doptions [mMfSGchexTEv]. This defaults to [Mv]
when --delete is used. Any existing installations using --delete will
now have --doptions [Mv] enabled, unless otherwise specified on the
command line or in cxs.defaults
Fixed an issue where, under certain circumstances, files contained
within an archive were ignored for scanning
2.66 - Improvements to string detection in --decode ([D])
Added new advanced PHP decoder for --decode ([D])
Removed a false-positive fingerprint detection
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.65 - Added new advanced PHP decoder for --decode ([D])
Improvements made to md5sum ignore procedure
Fixed problem when using md5sum ignore within archives
2.64 - Improvements to --decode ([D]) variable detection
Added new advanced PHP decoder for --decode ([D])
Exploit fingerprint definitions database additions
2.63 - Additional reasons for scan skipping added for --debug output
Reload ignore file in cxs watch parent as well as children for rate
limit warning
New feature added --Wrateignore [secs]. To help prevent excessive
resource usage, cxs Watch will ignore files for [secs] seconds if the
rate limit warning is issued. Scanning will then resume. Set this to 0
to disable the ignore feature. This option is set to 300 (i.e. 5 mins)
for new installations
2.62 - Removed extraneous / in the cgi email notification for the "Web upload
script URL"
Added cxs Watch logging for Inotify IN_Q_OVERFLOW events with a
recommendation to increase /proc/sys/fs/inotify/max_queued_events if
this occurs
Added file check before invoking Inotify to confirm it exists to avoid
spurious errors on VPS servers
Allow files as well as directories in --Wadd [file]
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
2.61 - Improvements to hidden script file detection
Added formatting to cgi and ftp email reports
Added new fields to the cgi email report
Change POD Examples section to use full command line options
Improvements to ignoring any files based on md5sum (including those
identified as executables, viruses, etc)
Remove extraneous spaces from ignore and xtra md5sum entries
Improvements to --MD5 so that all reported files display the md5sum
Changed the way md5sum values are displayed if --MD5 is used
Improvements to the main decoder regex
Exploit fingerprint definitions database additions
2.60 - Ensure that an account name is only passed to --script [script] when
performing a manual scan using --user or --all
Ignore adobe-xap-filters when detecting hidden script files
Exploit fingerprint definitions database additions
2.59 - Improvements to quarantine procedure
2.58 - Fixed a problem in the UI where the selections for --options were
applied from /etc/cxs/cxs.defaults, if set, rather than the selections
in the UI if all the standard selections were ticked
UI improvements
Change file name check behaviour so that it still detects with empty
files
Include all item sizes in --summary report
Include all ignored files in --summary report
Improvements to hidden script file detection
Exploit fingerprint definitions database additions
2.57 - Fixed problem with quarantine move failing - introduced in v2.56
Implement ignores for rate limit warnings in cxs Watch daemon
Allow a value of 0 for --filemax [num] which disables the feature
Set --filemax [num] to 0 in cxswatch.sh for new installs
2.56 - Improvements to quarantine move failure message
Implement ignores in compressed files
Added a rate limit warning to cxs Watch daemon. If a file is scanned
more than (2 * Wsleep) times in (10 * Wsleep) seconds then a warning
is logged. This is to help identify frequently scanned files that you
might want to ignore (e.g. if they are very frequently updated log
files)
Improved installation procedure for checking required perl modules
Exploit fingerprint definitions database additions
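As an added example (not cxs's own code), the two cxs Watch rate thresholds described above can be modelled as one sliding-window counter: the v2.84 symlink burst check (--Wsymlinkmax within --Wsymlinksec seconds per directory) and the v2.56 rescan rate-limit warning (more than 2*Wsleep scans in 10*Wsleep seconds) with the v2.63 --Wrateignore cooldown. The event streams are constructed, and the >= comparison and the per-key reset after firing are assumptions, not documented cxs behaviour.

```python
from collections import defaultdict, deque


class RateThreshold:
    """Count events per key inside a trailing time window.

    record() returns True when, after adding this event, the key has at
    least max_events events within the last window_secs seconds. (Whether
    cxs itself compares with >= or > is not stated; >= is assumed here.)
    """

    def __init__(self, max_events, window_secs):
        self.max_events = max_events
        self.window_secs = window_secs
        self.events = defaultdict(deque)

    def record(self, key, ts):
        q = self.events[key]
        q.append(ts)
        # drop events that have fallen out of the trailing window
        while q and ts - q[0] > self.window_secs:
            q.popleft()
        return len(q) >= self.max_events

    def reset(self, key):
        self.events.pop(key, None)


def detect_symlink_bursts(events, wsymlinkmax, wsymlinksec):
    """Symlink burst detection as described for cxs Watch v2.84.

    events: iterable of (ts, directory, name, kind); kind == "symlink"
    marks a symlink creation, any other kind is ignored.
    Returns a list of (ts, directory) at which --Wsymlink [script] would
    run. The counter is reset after firing (assumption) so one sustained
    burst does not re-run the script on every further link.
    """
    det = RateThreshold(wsymlinkmax, wsymlinksec)
    fired = []
    for ts, directory, _name, kind in events:
        if kind != "symlink":
            continue
        if det.record(directory, ts):
            fired.append((ts, directory))
            det.reset(directory)
    return fired


def rescan_rate_limit(scan_events, wsleep, wrateignore):
    """Rescan rate-limit warning (v2.56) plus --Wrateignore (v2.63).

    A file scanned more than 2*Wsleep times in 10*Wsleep seconds gets a
    warning; with wrateignore > 0 it is then skipped for that many seconds,
    with wrateignore == 0 it keeps being scanned (and warned about).
    Returns (warnings, skipped), both lists of (ts, path).
    """
    det = RateThreshold(2 * wsleep + 1, 10 * wsleep)  # "more than 2*Wsleep"
    ignore_until = {}
    warnings, skipped = [], []
    for ts, path in scan_events:
        if ts < ignore_until.get(path, 0):
            skipped.append((ts, path))
            continue
        if det.record(path, ts):
            warnings.append((ts, path))
            det.reset(path)
            if wrateignore > 0:
                ignore_until[path] = ts + wrateignore
    return warnings, skipped


# Constructed sample streams (not real inotify output): five symlinks land in
# alice's docroot within 1.4 seconds; bob creates two links 87 seconds apart.
SYMLINK_EVENTS = [
    (0.0, "/home/alice/public_html", "a.txt", "create"),
    (1.0, "/home/alice/public_html", "l1", "symlink"),
    (1.5, "/home/alice/public_html", "l2", "symlink"),
    (2.0, "/home/alice/public_html", "l3", "symlink"),
    (2.2, "/home/alice/public_html", "l4", "symlink"),
    (2.4, "/home/alice/public_html", "l5", "symlink"),
    (3.0, "/home/bob/public_html", "link", "symlink"),
    (90.0, "/home/bob/public_html", "link2", "symlink"),
]

# A log file rewritten every 2 seconds for 30 seconds (15 scan events).
SCAN_EVENTS = [(float(t), "/home/alice/app.log") for t in range(0, 30, 2)]

if __name__ == "__main__":
    print(detect_symlink_bursts(SYMLINK_EVENTS, wsymlinkmax=5, wsymlinksec=10))
    print(rescan_rate_limit(SCAN_EVENTS, wsleep=2, wrateignore=300))
```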
2.55 - Changes to htaccessdisable.pl example script
Increased default value for --filemax [num] in cxswatch.sh for new
installs
If necessary, log license error to cxs Watch daemon log
2.54 - Added logrotate configuration for cxswatch
Include an example perl script that will disable directory access with
a .htaccess file if a match is found using the --script [script]
option: /etc/cxs/htaccessdisable.pl
Modifications to cxs Watch daemon so that it no longer needs to
completely restart when new daily detections are downloaded
Always log if skipping directories in cxs Watch daemon due to
--filemax [num]
Fixed a problem with a false-positive in the php interpreter timeout
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.53 - Timeout added for php interpreter during --decode ([D])
Do not disable --viruscan if clamd not running in cxs Watch
Exploit fingerprint definitions database additions
v2.52 - cxs Watch will now fail to start or will terminate on VPS servers if
/proc/sys/fs/inotify/max_user_watches is set too low
Added error reporting if clamd fails to respond, but stop reporting
clamd errors if too many consecutive errors occur
Updated POD regarding the new csf option: LF_CXS
v2.51 - Improved temporary file cleanup
Change cxs UI to use /sbin/pidof to determine if the Watch daemon is
stopped, starting or running. If /sbin/pidof does not exist, no
status is shown
Modification to prevent scan failure if FTP is down and --options [P]
used
Exploit fingerprint definitions database additions
v2.50 - Improvements to the Fingerprint Matching system
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.49 - Use temporary files when performing a virus scan during --decode ([D])
Change all clamd STREAM to SCAN scanning
Use a robust routine for creating random temporary files during
--options [Z] (scanning within archives)
Exploit fingerprint definitions database additions
v2.48 - Allow a value of 0 for --Wrefresh which disables the functionality in
the cxs Watch daemon
Added new advanced PHP decoder for --decode ([D])
Stop cxs Watch from following symlinks
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.47 - Added new advanced PHP decoders for --decode ([D])
Change main cxs Watch process name during startup while still starting
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.46 - Added two new advanced PHP decoders for --decode ([D])
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.45 - Modification to quarantine to ensure unique filenames
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.44 - Added new --ignore [file] option pscript: - regex of web script to
ignore
Set --options [P] ftp timeout to 10 seconds
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.43 - SECURITY FIX. Anyone running cxs on a DirectAdmin server should
upgrade to this release immediately
Add check for successful open of admin.list on DA servers to avoid a
segfault, which could lead to a buffer overflow
v2.42 - Fixed problem where dir: ignores were not being fully implemented in
single file scans
Fixed problem where dir: and hdir: ignores were not being fully
implemented by the cxs Watch daemon when auto-reloading an ignore file
Exploit fingerprint definitions database additions
v2.41 - Developed another new advanced PHP decoder for --decode ([D])
Fixed advanced decoder output formatting when using --decode [file]
Exploit regex definitions database additions
v2.40 - Modifications to cxs Watch daemon so that it no longer needs to
completely restart if changes to --xtra [file] are detected
Added detection and decoding of Hex encoding to advanced PHP decoders
Exploit fingerprint definitions database additions
v2.39 - Memory management and speedup improvements for cxs Watch Daemon
Improvements to advanced PHP decoders to --decode ([D])
Corrected cxs POD to read --upgrade instead of --update
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.38 - Added more advanced PHP decoders to --decode ([D])
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.37 - cxs Watch - report error if unable to increase
/proc/sys/fs/inotify/max_user_watches
Further improvements to --timemax [secs] reports
Further improvements to error reporting during scans
Exploit fingerprint definitions database additions
v2.36 - cxs Watch will now restart if a change to a specific --xtra [file] is
made. This triggers a full restart of cxs Watch
Improvements to --timemax [secs]
Improvements to error reporting during scans
Added more advanced PHP decoders to --decode ([D])
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.35 - Added new option --timemax [secs]. Scan timeout per file in seconds to
prevent looping. Default is 30 seconds
Additional logging on cxs watch startup to show the progress of user
account inotify setup
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.34 - Modifications to the UI
Updates to the failure detection of the quarantine procedure
New option --force. If --force is not used then cxs will refuse to
scan within restricted directories: /usr /var /bin /lib /lib64 /boot
Modified daily update check to only restart cxs Watch if updates are
actually new
Modified cxs Watch to no longer require a /scripts/postwwwacct entry
(which is now ignored) as it now monitors /var/cpanel/users/ for new
users on cPanel servers
Exploit fingerprint definitions database additions
v2.33 - Redesigned cxs UI, included functions for controlling cxs Watch
Added TERM logging to the cxs Watch daemon to signify termination
v2.32 - Added init script for cxswatch daemon on cPanel servers. This is
instead of using /etc/rc.local to start the daemon and can also be
used to stop/start/restart/status the daemon. See the cxs
documentation for more information
Added entry to chkserv.d on cPanel servers so that cPanel will monitor
the cxswatch daemon using tailwatchd. See the cxs documentation for
more information
v2.31 - Fixed issue with tarball and zip file contents checking
Further improvements to the Fingerprint matching system
Exploit fingerprint definitions database additions
v2.30 - Significant speedups for pattern matching
Improvements to the Fingerprint matching system which includes
speedups and additional identification methods
Fixed error message for scanning a non-existent file
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.29 - Fixed problem with quarantine file naming convention causing duplicate
file names under certain circumstances and failing to quarantine the
second instance
Fixed spurious Cpanel::Version::gettree() warning in cPanel error log
Exploit regex definitions database additions
v2.28 - Fixed problem with cxs Watch daemon restart introduced in v2.27. You
will have to manually restart any running cxs Watch daemon after this
upgrade
If BSD::Resource perl module is installed, double the configured
process stack size to help avoid Segmentation Faults
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.27 - New --options [P]. This option will search standard web application
configuration files for MySQL database passwords. It will then attempt
to login via FTP on localhost with the username of the account being
processed and the detected password (it will attempt up to two
password hits per configuration file). If the login is successful, the
option will trigger a match. See CLI documentation for more info
Separated and highlighted advanced Exploit Scan options in the UI that
can affect user data and/or produce false-positives in the vain hope
it will stop some people just ticking everything and then wondering
where their files have gone
Added Net::FTP to the perl module requirements (this is a core perl
module so should already be installed)
New options --uidmin [uid] and --uidmax [uid] for the GENERIC install
when used with --allusers. These have no effect on cPanel and DA
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.26 - Added new option for --xtra [file]: regfile: which is a regular
expression match for a file or directory name
Added new CLI option --smtp. This will send emails generated by --mail
[email] via localhost SMTP instead of sendmail
Added MIME::Base64 and Net::SMTP to the perl module requirements (both
are core perl modules so should already be installed)
v2.25 - Fix for UI version processing issue
v2.24 - Allow binary submissions via --wttw
Improvements to --decode ([D]) option
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.23 - Improved cxs Watch daemon scanning to include moved files to detect
files uploaded by the cPanel File Manager
Fixed bug where --cleanlog [file] was not logging the filename for
cxsftp.sh scanning
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.22 - Exploit regex definitions database correction
v2.21 - Speedups to --decode ([D]) option
Improvements to decode regex
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.20 - Fixed issue with MD5 setting via UI when saving to defaults
Improvements to regex validation to any specified --ignore or --xtra
files
Improvements to decode regex
Improvements to --decode ([D]) option
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.19 - Added regex validation to any specified --ignore or --xtra files
Added quarantine failure reason to messages
Improvements to --decode ([D]) option to no longer use temporary files
If [Fingerprint Match] found also perform a Virus Scan
Automatically ignore --quarantine [dir] during scans
Improvements to fingerprint matching
Added new option --MD5 to display a matched file md5sum. See docs for
more information
Added new option md5sum: to --ignore [file]. See docs for more
information
Added new option md5sum: to --xtra [file]. See docs for more
information
Added new option "Ignore MD5" to cxs Quarantine UI for ftp, web and
scan entries
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.18 - Further improvements to Filetype detection
v2.17 - Added hdir:/quarantine_clamavconnector to the csf.ignore.example file
Improvements to php script detection where extension is not .php
Filetype detection speedups
Filetype differentiation between MS-DOS and MS Windows executables
Added new option --Wrefresh. To keep the cxs Watch daemon up to date,
it will restart every 7 days by default. To change this interval, you
can set --Wrefresh [days]
Improvements to the decode regex
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.16 - Further improvements to the check for PHP code hidden in GIF image
files for "hidden script file", regex matching and decode scanning
v2.14 - Improvements to the check for PHP code hidden in GIF image files for
"hidden script file", regex matching and decode scanning
Add link to the Changelog when cxs is upgraded
If an ignore file is used with cxs Watch daemon and the ignore file is
modified, cxs Watch will reload the ignore file and restart the child
processes. However, after making a large number of changes to the
ignore file or if adding puser: or user: to the ignore file, the cxs
Watch daemon should be manually restarted
Improved cxs Watch logging when suspicious file found and --Wloglevel
set to 0
Exploit fingerprint definitions database additions
v2.13 - During cxs Watch startup default to the POSIX locale to avoid error
message ambiguity for inotify from the kernel
Improvements to --decode ([D]) option
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.12 - Improvements to --decode ([D]) option
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.11 - Further SECURITY improvements to Quarantine functionality
All cxs users should upgrade to this release immediately
v2.10 - Fixed a SECURITY BUG in Quarantine file restore which could result in
root privilege escalation. The destination restore file must now not
exist before restoring will work. Our thanks to Jeff Petersen for
reporting this issue
All cxs users should upgrade to this release immediately
v2.09 - New --options [R]. It will trigger a match for the inbuilt regex used
by --options [D] when decoding PHP encoded (base64, etc) scripts
Improvements to --decode ([D]) option so that both the last and the
penultimate decode level are scanned
Added improved code for dropping privileges to the "nobody" user while
running the interactive php interpreter as root
Ensure Quarantine only works on files
Updated UI text for options
Removed duplicated regex definitions from the database now that
--options [R] has been added. If you specify your own --options list
and still want to trap these, be sure to add R to it
v2.08 - Removed code that dropped privileges to the "nobody" user while
running the interactive php interpreter as it broke subsequent
scanning at depth
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v2.07 - Improvements to --decode ([D]) option
New Feature - Added daily check for new Exploit Fingerprints. If cxs
is scheduled to check for a new version daily, an additional check for
new Exploit Fingerprints released since the last cxs version is
performed. These will be downloaded and used on subsequent scans
Exploit fingerprint definitions database additions
v2.06 - Fixed bug in application type detection introduced in v2.04 which
prevented script-specific regex detection from working correctly
Exploit fingerprint definitions database additions
v2.04 - Added Quarantine UI option to block FTP IP addresses in csf
Fixed Quarantine UI display problems
Added option --tscripts [list] which is a comma separated list of
scripts that --options [T] will detect if you want to restrict which
types are checked
Exploit fingerprint definitions database additions
v2.03 - Improvements to --decode [file] - don't process ignore file
Speedups for --options [D]
Speedups for cxs Watch daemon startup
Fixes to cxs Watch daemon when processing new and --Wadd [file]
directories where --ignore [file] and --filemax [num] were not
applied
Improvements to hdir, hfile and hsym processing for --ignore [file]
Adjustments to --Wloglevel [num]
Improvements to FTP IP detection
v2.02 - Fixed bugs in --decode [file] output report and improved content of
the report
Exploit fingerprint definitions database additions
v2.01 - Modified --decode [file] and --options [D] to drop privileges to the
"nobody" user while running the interactive php interpreter and
on the ownership of the decoded file while processing it
v2.00 - Added new scanning option: cxs Watch. This is an alternative to ftp
and web script upload scanning. The cxs Watch daemon uses a separate
process to watch entire user accounts for new and modified files and
scans them immediately. The scanning children use up significantly
fewer resources than the ftp and web script upload scanning methods.
This new feature requires:
Redhat/CentOS v5+ (i.e. a kernel that supports inotify)
Linux::Inotify2 Perl module
Systems that do not meet these requirements can continue to use the
ftp and web script upload scanning methods. See the documentation for
more information about this new option under --Wstart
--options [D] now enabled by default to improve exploit detection
rates (default options:mMOLfSGchexdnwZD)
Updated POD documentation, including a new RECOMMENDATIONS section
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.56 - Reinstated the Scan Report header for the --all option lost in v1.55
Added new option --www to only scan within the public_html/ directory
when using --allusers or --user [user]
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.55 - Modified FTP IP Address lookup code to only read the last 64K of the
relevant log file, improving lookup speed and resource usage
Made /etc/init.d/pure-uploadscript LSB compliant
Exploit fingerprint definitions database additions
v1.54 - Added a note to the CGI alert email for ModSecurity false-positives
where the request body is inspected before Apache has a chance to
determine whether the called script exists (i.e. a 404)
Added new option --wttw [file] which is available for submitting text
exploits (i.e. PHP, Perl, Shell) to ConfigServer if cxs fails to
detect it. The file is sent as an attachment via email. Please be sure
to read the documentation before using this option
Exploit fingerprint definitions database additions
v1.53 - Sort File::Find directory traversal/files alphabetically
Multiple scanning performance and resource usage improvements
--voptions [M] removed as it serves no function
Added text for --options [M] (Known exploit) where we have it
Improvements to relative path file/directory scanning
Exploit fingerprint definitions database additions
v1.52 - Ignore SIGPIPE when using --decode (--options [D]) while running
interactive php interpreter, which caused scans to abort
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.51 - Sort Quarantine UI users
If --quarantine or --delete fails (e.g. an immutable file), report
failure to do so. Failure to quarantine will no longer attempt removal
of the original file
Only "View" quarantine files in UI if they are text files
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.50 - Fixed a problem with the use of File::Copy and the quarantine system
where files that are moved across file systems do not retain the
correct permissions
v1.49 - Display complete cxs command options at the top of reports, not just
the CLI command (i.e. include defaults and cxs.default entries)
Added a "View Quarantine" button at the bottom of the "View Quarantine
User" UI page to return to the quarantine view
Added default clamd rpm and apt-get socket location detection
(/var/run/clamav/clamd.sock and /var/run/clamav/clamd.ctl)
DirectAdmin development work (not currently supported)
(RedHat Enterprise v3+/CentOS v3+/Debian v5+)
Added code for future multiple license servers
Fixed a problem with the use of File::Copy and the quarantine system
where files that are moved across file systems do not retain the
correct ownership
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.48 - Modified FTP scanning to honour hfile: ignore file entries
Fixed problem with --qoptions [] sending all scan result matches to
quarantine after a single legitimate match was found, regardless of
the --qoptions [] specified
v1.47 - Fixed problem with UI upgrade sleeping before upgrading (as introduced
for cron jobs). Upgrading to this version will still sleep through the
UI, but subsequent versions should be fine. Instead of using the UI,
using the CLI will avoid this problem for this upgrade, i.e.: cxs -U
v1.46 - Restore from quarantine in UI now preserves file ownership of the
restored file
Prefill UI Quarantine directory if set in cxs.defaults
Added new option to Quarantine UI to bulk Restore files in the same
way as bulk Delete works
Exploit fingerprint definitions database additions
v1.45 - Added new option --qoptions [mMOLfSGchexdnwTEv]. By default
--quarantine [dir] will move all file matches. If --qoptions [] is
also used then only the selected file types will be moved
Added --qoptions [mMOLfSGchexdnwTEv] to UI
Improvements to --decode ([D]) option
Added --upgrade timer to sleep for up to 1800 seconds when running as
a cron job to avoid overloading the license server
Added the --jumpfrom [user] and --jumpto [user] options to the UI
Exploit fingerprint definitions database additions
v1.44 - Added Quarantine option to UI
Modified the --jumpfrom [user], --jumpto [user] options so a special
value can be used for the from and to [user] using a single letter
then a plus sign to scan those users whose name begins with the letter
specified (not case sensitive). Again, this is inclusive. For example,
to scan all accounts beginning with k through to g use:
--jumpfrom k+ --jumpto g+
Improvements to --decode ([D]) option
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.43 - Improvements to --decode ([D]) option. If the final decode depth
results in a php Parse error, the previous depth is scanned instead.
This improves the likelihood of a successful decode and scan
Improvements to --decode ([D]) option. Decode PHP scripts in memory
using the interactive php interpreter instead of using temporary files
Improvements to --decode ([D]) option. Add timeout to php interpreter
to avoid decoding hangs
Exploit fingerprint definitions database additions
v1.42 - Suppress error output from Archive::Zip
v1.41 - Enabled option --options [Z] by default for scanning within compressed
archives
Suppress error output from Archive::Tar
Exploit fingerprint definitions database additions
v1.40 - Improved detection of ruby and c exploits
Added the ability to use --quarantine and --delete when performing a
manual or scheduled scan. However, since the likelihood of a
false-positive is relatively high, this is not recommended without
care and understanding of the implications
Added test for existence of --quarantine [dir]. If it does not exist
an error will be shown and the scan will continue with the quarantine
directive disabled
New --options [Z]. This option decompresses archives (i.e. zip, tar,
tar.gz and tar.bz2 files) and scans each file within the archive
using the same options provided to the original scan
Added --options [Z] to WHM UI
Updated perl modules requirements to now include: Archive::Zip and
Archive::Tar
Cater for single quotes in cron jobs in the WHM UI
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.39 - Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.38 - Improvements to --decode ([D]) option
Added [D] option to WHM UI
Fixed typo in WHM UI
More detailed message for when --filemax reached in a directory
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.37 - Fixed bug in --options [D] when running under a non-root account
Modified --script [script] execution to prevent stray output from
[script] when --quiet used
Added retry timeout in WHM UI for checking www.configserver.com for
new version information (to avoid repeated hangs when unreachable)
Included additional instructions in install.txt to install additional
unofficial ClamAV databases from Sanesecurity
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.36 - Significant Improvements to --decode ([D]) option
Added verbose switch to example cPanel Account Suspend perl script
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.35 - Optimised fingerprint definitions database
Removed fingerprint definitions database false-positive
v1.34 - Fixed licensing issue with v1.33
v1.33 - Updated example cPanel Account Suspend perl script to be verbose
cxs startup speedups
Add support to --script to pass the username when using --user [user]
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.32 - Include an example cPanel Account Suspend perl script for use with
--script /etc/cxs/cpanelsuspend.pl
Exploit fingerprint definitions database additions
v1.31 - Always exit if ftp/cgi user is listed in a specified ignore file
Disable pure-uploadscript if /etc/cxs/ftpddisable exists (in addition
to /etc/ftpddisable)
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.30 - Added new option --script [script] which runs an external script
whenever a match is detected against a file. See documentation for
more information
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.29 - Significant improvements to --decode [file]
Increased LWP timeout to cater for servers with slow connections to
the license server
Added total Viruses and Fingerprint Matches to the --mail Subject
Added total Fingerprint Matches to the --summary
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.28 - If ftp is disabled in cPanel do not start pure-uploadscript
New --options [E]. This option will match scripts that send out email
using sendmail, exim or via SMTP. This option requires that --options
[m] is also specified
Improvement to --decode [file] variable detection
Improvements to various eval() regex matches
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.27 - Fixed issue introduced in v1.26 that prevented ignoring of hdir and
hfile options in an ignore file
v1.26 - Allow the use of --background (-B) in cxsftp.sh
Skip processing a home directory of / when using --all
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.25 - Improved handling of --decode failures
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.24 - Improvements to --decode [file]
Add the cxs command line to a report even if the scan report is empty
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.23 - Fixed a false-positive detection of c/c++ source files
Added filename legend to View option UI in Other Files
For single or multiple user scans, symlinks within the homedir will
now be ignored
Removed [\;\|\`\\] regex checks from the [f] and [d] --options, as it
appears to be of little value (you could always add back such a check
using a similar regex entry in an xtra file)
Modified hidden text in image file check to only report if the text is
script code
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.22 - Fixed --options [D] output not going to a --report [file]
Improvement to --decode [file] variable detection
Exploit fingerprint definitions database additions
v1.21 - Added UID check to ensure updates are only performed by root (UID=0)
New --options [D]. This is an experimental option that puts any PHP
scripts containing an eval() function that decodes base64 and rot13
data through the (experimental) --decode [file] option during a scan.
This will then highlight the decoded result if it hits any regex,
fingerprint or virus scan matches
Added eval(str_rot13 to --decode [file]
Fixed --decode [file] not scanning final decoded result with regex
definitions and fingerprints
Improvements to --decode [file] detection and processing
Modified pure-uploadscript init file to cope with multiple pure-ftpd
pids on restart and to stop pure-ftpd more cleanly
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
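The --decode loop described above (eval() wrappers around base64 and rot13 data, peeled off one layer at a time up to a depth limit), as an added Python example that is not cxs code; the php interpreter parse check is not reproduced, and the MAX_DEPTH value, function names and sample script are constructed here.

```python
import base64
import codecs
import re

MAX_DEPTH = 250  # assumed cap, mirroring the changelog's "depth > 250" breakout

# Matches eval(base64_decode('...')) or eval(str_rot13('...')) with an
# optional trailing ';', the wrapper shape that --decode peels off.
_EVAL_RE = re.compile(
    r"""eval\s*\(\s*(base64_decode|str_rot13)\s*\(\s*(['"])(.*?)\2\s*\)\s*\)\s*;?""",
    re.DOTALL,
)

def decode_once(src):
    """Peel the outermost eval() wrapper; return the decoded text or None."""
    m = _EVAL_RE.search(src)
    if not m:
        return None
    func, payload = m.group(1), m.group(3)
    if func == "base64_decode":
        try:
            return base64.b64decode(payload, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: keep previous layer
            return None
    return codecs.decode(payload, "rot13")

def decode_chain(src, max_depth=MAX_DEPTH):
    """Unwrap nested layers; returns (final_text, depth, hit_depth_limit)."""
    depth, current = 0, src
    while depth < max_depth:
        nxt = decode_once(current)
        if nxt is None:
            return current, depth, False
        current, depth = nxt, depth + 1
    return current, depth, True

def wrap(code, func):
    """Build one eval() layer around code (used only to construct the sample)."""
    if func == "base64_decode":
        payload = base64.b64encode(code.encode()).decode()
    else:
        payload = codecs.encode(code, "rot13")
    return f"eval({func}('{payload}'));"

# Constructed, harmless sample: a rot13 layer nested inside a base64 layer.
INNER = 'echo "cxs decode test";'
LAYER1 = wrap(INNER, "str_rot13")
SAMPLE = "<?php " + wrap(LAYER1, "base64_decode") + " ?>"
```

The final text returned by decode_chain is what would then be run through the regex, fingerprint and virus checks; when a layer fails to decode, the previous layer is returned instead.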
v1.20 - Improvements to regex definitions database
Added new ignore options for sym:, psym: and hsym: to allow ignoring
of symlinks
Modified --generate to add sym: for symlinks to ignore file
All UI user selections modified to be dropdown lists
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.19 - Fixed bug preventing csf from blocking FTP IP addresses when --block
used
Added failure message from csf to FTP email if deny fails
Added new exploit scanning option W to be used with --option (must be
explicitly added to the options list - the same way as the C option).
The W option will chmod all world writable directories found to 755.
Use this option with care as it could prevent web scripts from
functioning on non-suPHP or non-SUEXEC enabled systems
v1.18 - Scanning speedup when using --voptions
Improvements to --decode performance and effectiveness
New optimised fingerprint database. This new database, though with
fewer entries, is better targeted at detecting relevant exploits that
ClamAV misses (the majority!)
Changed "Match for fingerprint of an exploit" to
"Known exploit = [Fingerprint Match]"
Changed "Match for regular expression (regex)" to
"Regular expression match = [regex]"
v1.17 - Fixed email " (Hits:nn)" not totalling all accounts hits
v1.16 - Removed spurious "set to skip" message text
Added " (Hits:nn)" to the Subject line of email reports
Added new option --ulist [file] for use with the --all option to
perform scans of only those users listed in [file]
Regex scanning improvements
Disable default deep scanning on FTP and web script uploads to help
avoid false-positives. If you want to continue deep scanning add
--deep to cxsftp.sh and/or cxscgi.sh
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.15 - Added breakout if --decode [file] depth is > 250 to prevent looping
Fixed problem with quarantine UI to cope with a trailing slash on the
--quarantine [dir] statement
Improved detection of the quarantine directory in UI
Added DNS lookups on FTP IP address reports
Allow the use of floating point numbers with --throttle [num]
Added "Ignore" option for FTP quarantined files to Quarantine UI to
add a file: ignore statement to a relevant ignore file if configured
Added new options --jumpfrom [user] and --jumpto [user] for use with
the --all option to perform scans of only those users between the two
points, both of which are inclusive
Added jumpfrom and jumpto to UI resource choice
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.14 - Added new experimental options --decode [file] and --depth [num]. See
the perldoc documentation for more information
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.13 - Modified FrontPage extensions check to be case-insensitive
Use of --all --mail [email] and --nosummary will now only report
suspicious accounts instead of all accounts. --report [file] will
still contain the full report
Updated cxs perldoc help
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.12 - New option (-X, --xtra [file]) to allow custom regular expression
matches and filenames that cxs will additionally scan for
Exploit fingerprint definitions database additions
v1.11 - Modified the hidden text in image file check to exclude most FrontPage
extensions files
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.10 - Added new check to suspicious file routine to detect text files hiding
as image files
Made file extension checks case-insensitive
Exploit fingerprint definitions database additions
v1.09 - Improved licensing code tolerance on network failure for web and ftp
scanning on servers that are behind NAT
Exploit regex definitions database additions
Exploit fingerprint definitions database additions
Ftp and web scanning speedups
v1.08 - Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.07 - Exploit regex definitions database additions
Exploit fingerprint definitions database additions
v1.06 - Fixed issue with pure-uploadscript restart on cron job cxs upgrade
Exploit fingerprint definitions database additions
v1.05 - Improved UI detection of the quarantine directory in cxsftp.sh and
cxscgi.sh if used
v1.04 - Fixed duplicate virus scan on script files with regex matches
Exploit fingerprint definitions database additions
v1.03 - Added quotes around the $1 parameter in cxscgi.sh and cxsftp.sh to
cope with files with spaces in their names. Existing scripts will be
fixed on upgrade
v1.02 - Added initial FreeBSD (v7.2) support - currently no UI cron job
support has been implemented, jobs will have to be added to
/etc/crontab manually on FreeBSD
Fixed UI quarantine restore to always use correct uid and gid
Exploit fingerprint definitions database additions
Added some more examples to the POD and reference the examples in
cxsftp.sh and cxscgi.sh
v1.01 - Added new exploit scanning option M to be used with --option (enabled
by default) and --voption. The M option scans a fingerprint lookup
table of over 4500 known exploit scripts. If you have cron jobs, or have
modified cxsftp.sh or cxscgi.sh, that use an --options list, you might
want to add M to the list to use this new feature
Digest::MD5 added to required perl modules
Added extra check in UI where alternative clamdsock is ticked but none
entered in the textbox
Exploit regex definitions database additions
Don't show user in quarantine UI if empty
v1.00 - Initial release