Exploit Scanning Reference
==========================

m = Regular expression match = [regex]

cxs has a regular expression lookup table which it uses to identify suspicious
files. These regex patterns look for two types of text constructs. Firstly,
those of known exploits (a fingerprint approach). Secondly, generic text
constructs found in common between many types of exploit (a heuristic
approach). For example, one of the regex patterns looks for the use of base64
encoded data in PHP scripts. This method of obfuscation is typically used by
exploits to hide their true purpose. If this regex is matched from the text
in a file, then that file will be reported as suspicious. You can ignore
specific regex patterns using an ignore file and the match: prefix.

M = Known exploit = [Fingerprint Match]

cxs uses a lookup table of over 4500 exploit script fingerprints and matches
scripts that have an identical fingerprint value.

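As an added example (not part of this reference and not cxs's own code), the following Python sketch shows how the m and M checks described above can sit side by side in one scanner: a small table of heuristic regexes run over file content, a whitespace-insensitive SHA-256 fingerprint looked up in a table of known samples, and an ignore file whose match: lines suppress named regex rules. The rule names, the patterns, the way the fingerprint is built and every sample script are constructed for illustration; cxs's real tables and its fingerprint format are not published on this page, so treat all of them as assumptions.

```python
import hashlib
import re

# Constructed heuristic regex table. Rule names and patterns are hypothetical
# illustrations of the kind of construct the page describes (base64 in PHP),
# not the entries in cxs's own lookup table.
REGEX_TABLE = {
    "php_base64_eval": re.compile(
        rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(",
        re.IGNORECASE,
    ),
    "php_request_as_function": re.compile(
        rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.IGNORECASE
    ),
    "preg_replace_eval_modifier": re.compile(
        rb"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.IGNORECASE
    ),
}


def fingerprint(data: bytes) -> str:
    """Whitespace-insensitive SHA-256 of a script: a constructed stand-in for
    cxs's fingerprint so that re-indented copies of a sample still match."""
    return hashlib.sha256(b" ".join(data.split())).hexdigest()


# Constructed 'known sample' (harmless) and the fingerprint table built from it.
SAMPLE_KNOWN = b"<?php\n// constructed stand-in for a known exploit sample\necho 'known';\n?>"
SAMPLE_KNOWN_RESPACED = (
    b"<?php\n\n   // constructed stand-in for a known exploit sample\n\techo 'known';   ?>"
)
KNOWN_FINGERPRINTS = {fingerprint(SAMPLE_KNOWN): "constructed-sample-001"}


def load_ignore(text: str) -> frozenset:
    """Parse ignore-file lines of the form 'match:<rule name>'. Blank lines and
    '#' comments are skipped; other prefixes are ignored by this sketch."""
    ignored = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, value = line.partition(":")
        if prefix == "match" and value.strip():
            ignored.add(value.strip())
    return frozenset(ignored)


def scan_bytes(data: bytes, ignored=frozenset()):
    """Return [(code, detail)]: 'M' for a fingerprint hit, then one 'm' per
    regex rule that matched and is not listed in the ignore set."""
    hits = []
    fp = fingerprint(data)
    if fp in KNOWN_FINGERPRINTS:
        hits.append(("M", KNOWN_FINGERPRINTS[fp]))
    for rule, pattern in REGEX_TABLE.items():
        if rule in ignored:
            continue
        if pattern.search(data):
            hits.append(("m", rule))
    return hits


def scan_file(path, ignored=frozenset()):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), ignored)


# Constructed inputs: the obfuscated one carries a base64 blob of junk, not code.
SAMPLE_OBFUSCATED = b"<?php eval(gzinflate(base64_decode('H4sIAAAA'))); ?>"
SAMPLE_CLEAN = b"<?php echo 'Hello, world'; ?>"

if __name__ == "__main__":
    for label, sample in [("obfuscated", SAMPLE_OBFUSCATED), ("known", SAMPLE_KNOWN_RESPACED)]:
        print(label, scan_bytes(sample))
    print("ignored", scan_bytes(SAMPLE_OBFUSCATED, load_ignore("match:php_base64_eval\n")))
```

The fingerprint is computed on whitespace-normalised content so that a known sample that has merely been re-indented still produces an M hit, while the regex rules catch the generic obfuscation pattern regardless of the surrounding script; the ignore set only suppresses m results, never M.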
O = socket

A socket is typically used to transfer data between two separate processes. You
would not normally expect to find a socket within a web hosting account and its
presence is therefore regarded here as suspicious.

L = Symlink to [symlink]

A symlink, or symbolic link, is a special type of file that provides a
reference to another file or directory. These are usually used for convenience
by the OS and server administrators to reorder the file system. For example, on
a cPanel server symlinks are used in the user mail accounts structure for their
imap implementation. You would not normally expect to find a symlink within a
web hosting account web root to files outside of that account (e.g. to system
files) and its presence is therefore regarded here as suspicious. Symlinks to
files within an account are ignored.

f = suspicious file

cxs will report suspicious files, e.g. image files that contain script
code or C/C++ files. The former should not normally exist and you don't
usually see C/C++ files in standard web hosting accounts.

S = SUID file

Files with SUID, or set user ID, permissions allow users to run an executable
with the permissions of the executable's owner. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with SUID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.

G = GUID file

Files with GUID, or set group ID, permissions allow users to run an executable
with the permissions of the executable's group. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with GUID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.

c = core dump file

A core dump file is a special system file generated by some executables.
Typically, they are generated when an executable hits a fatal error during
execution. At best, such files indicate a problem with the executable involved
and consume considerable disk space. At worst, core dump files have been used
to gain elevated user privileges and exploit a server.

C = core dump file deleted

This option will automatically delete core dump files as described above.

h = suspected exploit file

cxs uses a lookup table of file names and file types which are commonly used by
exploits. For example, you would not normally expect to find a file named httpd
within a web hosting account and indeed a common exploit uses that name in an
attempt to appear innocuous.

e = Linux binary or executable file

A linux binary or executable file is one that will run on a linux OS (ELF -
Executable and Linking Format). Typically, such files within user accounts are
exploits that run as daemon processes mimicking system processes to remain
hidden. You would not normally expect to find a linux binary file within a web
hosting account and its presence is therefore regarded here as suspicious.

x = Windows binary or executable file

While a windows binary file cannot be executed on a linux OS, you would not
normally expect to find one within a web hosting account and its presence could
indicate a Trojan file and so is regarded here as suspicious.

d = suspicious directory name

cxs will report directory names that contain non-standard ASCII characters.
Such directories can often be used in such a way as to appear hidden to the
end-user. An example would be a directory called /.../ or / ../ which might
appear innocuous but often such directories contain exploits.

n = hidden directory owned by nobody user

A directory with a leading dot (e.g. /.hidden/) will often not be apparent in
many FTP client applications. One that is owned by the nobody user account has
likely been created by a web script running under the nobody user account
(typically a PHP script where suPHP is not enabled). Such directories are
suspicious in their nature of attempting to be hidden and so are reported.

w = world writable directory

In a shared web hosting environment a directory that is world writable can
typically be read and written to by any user on the server. Such directories
should be avoided, especially in web roots, as it can allow exploits to spread
between user accounts.

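The O, L, S, G, c, d, n and w conditions above are all properties of the file system rather than of file content, so one walk of an account can check them together. The Python below is an added example written for this reference, not cxs's own scanner: it never follows symlinks, reports only those links whose resolved target leaves the account root (links inside the account are ignored, as the L section says), reads the SUID/SGID and world-writable bits from the mode, and flags core files, dot-directories owned by a configurable "nobody" user and directory names made of dots and spaces or non-printable characters. The exact name rules, the "core"/"core.<pid>" pattern, the nobody_user parameter and the throwaway demo tree built by build_demo_account are all constructed assumptions; a hidden directory actually owned by nobody cannot be created by an unprivileged user, so the demo passes the current user name as nobody_user to exercise that rule.

```python
import os
import pwd
import re
import socket
import stat
import tempfile
from pathlib import Path

# Constructed rule: a core dump is a file named 'core' or 'core.<pid>'.
CORE_NAME = re.compile(r"core(\.\d+)?")


def is_suspicious_dirname(name):
    """Constructed approximation of the 'd' rule: names made only of dots and
    spaces (e.g. '...' or ' ..') or containing non-printable/non-ASCII characters."""
    if set(name) <= {".", " "}:
        return True
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in name)


def owner_name(st):
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def current_user():
    try:
        return pwd.getpwuid(os.geteuid()).pw_name
    except KeyError:
        return str(os.geteuid())


def account_checks(account_root, nobody_user="nobody"):
    """Walk one hosting account and return [(code, relative path, detail)] for
    the O, L, S, G, c, d, n and w conditions. Symlinks are never followed."""
    root = os.path.realpath(account_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                # L: report only links whose resolved target escapes the account
                target = os.path.realpath(full)
                if os.path.commonpath([root, target]) != root:
                    findings.append(("L", rel, target))
                continue
            if stat.S_ISSOCK(mode):
                findings.append(("O", rel, ""))
            if stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings.append(("S", rel, oct(stat.S_IMODE(mode))))
                if mode & stat.S_ISGID:
                    findings.append(("G", rel, oct(stat.S_IMODE(mode))))
                if CORE_NAME.fullmatch(name):
                    findings.append(("c", rel, ""))
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH:
                    findings.append(("w", rel, oct(stat.S_IMODE(mode))))
                if name.startswith(".") and owner_name(st) == nobody_user:
                    findings.append(("n", rel, nobody_user))
                if is_suspicious_dirname(name):
                    findings.append(("d", rel, repr(name)))
    return findings


def build_demo_account():
    """Create a constructed throwaway account tree that triggers every rule above
    and return its root. 'n' fires only when nobody_user matches the creator."""
    base = tempfile.mkdtemp(prefix="cxs-demo-")
    root = os.path.join(base, "account")
    web = os.path.join(root, "public_html")
    os.makedirs(web)
    Path(web, "index.html").write_text("<h1>hello</h1>\n")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)  # O: socket in web root
    sock.bind(os.path.join(web, "app.sock"))
    sock.close()
    outside = os.path.join(base, "outside.txt")  # L: target outside the account
    Path(outside).write_text("not part of the account\n")
    os.symlink(outside, os.path.join(web, "escape_link"))
    os.symlink(os.path.join(web, "index.html"), os.path.join(web, "inside_link"))  # ignored
    helper = os.path.join(web, "helper")  # S and G on one file
    Path(helper).write_text("#!/bin/sh\necho hello\n")
    os.chmod(helper, 0o6755)
    Path(web, "core").write_bytes(b"\x00" * 16)  # c
    uploads = os.path.join(web, "uploads")  # w
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    os.mkdir(os.path.join(web, ".cache"))  # n when owner == nobody_user
    os.mkdir(os.path.join(web, "..."))  # d
    return root


if __name__ == "__main__":
    for finding in account_checks(build_demo_account(), nobody_user=current_user()):
        print(*finding)
```

Using lstat and realpath keeps the walk from descending into a symlinked directory, which matters in exactly the case the L section describes: a link from a web root to a location outside the account should be reported, not traversed.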
T = script file

This is a special option to identify scripts. It attempts to identify PHP,
Perl, and other shebang (#!) script files such as shell scripts. You may not
want to allow scripts to be uploaded through upload forms, or to be present in
certain directories that you scan (e.g. /tmp or /dev/shm) so this option is
available to detect them.

E = Email script match

This indicates that the script sends out email. This can be useful if you are
trying to identify scripts within an account that send out email.

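The f, e, x, T and E codes above are all decided by looking at what a file contains rather than at its permissions, and a practitioner would normally handle them in one content classifier. The following Python is an added example for this reference, not code from cxs: it recognises ELF and PE files by their public magic numbers (the PE check follows the e_lfanew offset at 0x3C to the "PE\0\0" signature rather than trusting the MZ prefix alone), treats an image header followed by a PHP open tag as the image-with-script case from the f section, flags C/C++ sources by extension, identifies scripts by a leading shebang or PHP tag, and marks scripts that call a mail function as E. The mail heuristics, the C/C++ suffix list and every sample byte string are constructed assumptions; the samples are deliberately inert (an ELF/PE header with no code, a contact form that calls mail()).

```python
import re

# Real, public format signatures.
ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
IMAGE_MAGICS = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
SHEBANG = re.compile(rb"\A#!\s*(\S+)")
# Constructed mail-sending heuristics for the E flag (hypothetical, not cxs's table).
MAIL_CALL = re.compile(
    rb"\b(?:mail|mb_send_mail)\s*\(|/usr/sbin/sendmail|Net::SMTP|MIME::Lite", re.IGNORECASE
)
C_SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".cxx", ".h", ".hpp")  # constructed list


def image_kind(data):
    for magic, kind in IMAGE_MAGICS:
        if data.startswith(magic):
            return kind
    return None


def is_pe(data):
    """True when an MZ file's e_lfanew offset (bytes 0x3C..0x40) points at 'PE\\0\\0'."""
    if not data.startswith(MZ_MAGIC) or len(data) < 0x40:
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"


def classify(name, data):
    """Return the list of (code, detail) flags for one file's name and content."""
    flags = []
    if data.startswith(ELF_MAGIC):
        flags.append(("e", "ELF header"))  # Linux binary
    elif data.startswith(MZ_MAGIC):
        flags.append(("x", "PE executable" if is_pe(data) else "MZ/DOS executable"))
    kind = image_kind(data)
    if kind and PHP_OPEN.search(data):
        flags.append(("f", f"{kind} image with embedded PHP"))  # image carrying script
    if name.lower().endswith(C_SOURCE_SUFFIXES):
        flags.append(("f", "C/C++ source"))
    head = data.lstrip()
    script = None
    m = SHEBANG.match(head)
    if m:
        script = "shebang " + m.group(1).decode("ascii", "replace")
    elif PHP_OPEN.match(head):
        script = "php"
    if script:
        flags.append(("T", script))
        if MAIL_CALL.search(data):
            flags.append(("E", "sends email"))
    return flags


# Constructed samples: headers only, no executable code.
FAKE_JPEG_WITH_PHP = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"<?php echo 'injected'; ?>"
)
FAKE_ELF = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 60
FAKE_PE = MZ_MAGIC + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
CONTACT_FORM = b"<?php\n$msg = $_POST['message'];\nmail('admin@example.com', 'Contact form', $msg);\n"
SHELL_SCRIPT = b"#!/bin/sh\necho hello\n"
C_SOURCE = b"int main(void) { return 0; }\n"
PLAIN_HTML = b"<html><body>hello</body></html>\n"

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", FAKE_JPEG_WITH_PHP), ("httpd", FAKE_ELF),
                        ("setup.exe", FAKE_PE), ("contact.php", CONTACT_FORM),
                        ("run.sh", SHELL_SCRIPT), ("a.c", C_SOURCE), ("index.html", PLAIN_HTML)]:
        print(fname, classify(fname, blob))
```

Deciding by magic bytes rather than by extension is what makes the e and x checks useful: a binary renamed to a harmless-looking name such as httpd still starts with the ELF or MZ header, and an image that carries a PHP tag after its header is reported even though its name says .jpg.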
s = Script version check [OLD/OK/UNKNOWN] [SCRIPTNAME INSTALLED <>= LATEST]

This option will search for common web script installations and report if older
than the latest version on record. Using old versions of software often poses a
serious security risk and users should be encouraged to keep them up to date.