ConfigServer Services Blog

ConfigServer eXploit Scanner (cxs) – Released!

ConfigServer eXploit Scanner (cxs) is a new tool from us that performs active scanning of files as they are uploaded to the server.

Active scanning is performed on all text files uploaded through:

  • PHP upload scripts (via a mod_security or suhosin hook)
  • Perl upload scripts (via a mod_security hook)
  • CGI upload scripts (via a mod_security hook)
  • Any other script type that utilizes the HTML form ENCTYPE multipart/form-data (via a mod_security hook)
  • Pure-ftpd

The active scanning of uploaded files can help prevent exploitation of an account by malware by deleting or moving suspicious files to quarantine before they become active. This includes recent exploits such as the Dark Mailer spamming script and the Gumblar Virus.

cxs also allows you to perform on-demand scanning of files, directories and user accounts for suspected exploits, viruses and suspicious resources (files, directories, symlinks, sockets). It has been tuned for performance and scalability.

Included with the cxs Command Line Interface (CLI) is a web-based User Interface (UI) to help:

  • Run scans
  • Schedule and Edit scans via CRON
  • Compose CLI scan commands
  • View, Delete and Restore files from Quarantine
  • View documentation
  • Set and Edit default values for scans
  • Edit commonly used cxs files

cxs is currently a cPanel only product.More information, pricing and ordering available here:http://www.configserver.com/cp/cxs.html

New csf v4.78

Changes:

  • Modified DA installation to overcome permissions problems on some systems preventing the UI from working

Beta Testers for ConfigServer eXploit Scanner (cxs) product

We are looking for volunteer Beta Testers for a new product that we have in development:ConfigServer eXploit Scanner (cxs) is a new tool from us that performs active scanning of files as they are uploaded to the server:

  • PHP/Perl/CGI upload scripts (using a mod_security hook)
  • pure-ftpd

The active scanning of uploaded files can help prevent exploitation of an account by malware by deleting or moving to quarantine suspicious files before they become active. Apart from this option (to delete files) the product is non-destructive.cxs also allows you to perform on-demand scanning of files, directories and user accounts for suspected exploits, viruses and suspicious resources (files, directories, symlinks, sockets). Note: cxs is not a rootkit scannercxs is a commercial product that will be sold and licensed on a per server basis. Unlike competing products, it will strictly be a one-time per server license purchase with updates for the life of the product, all at a reasonable price :)This is now closed – thanks to all who are participating and we hope for a release of this product soon.

New csf v4.77

Changes:

  • Expanded dovecot regex matching
  • Fixed the generic installation to install regex.custom.pm

New csf v4.76

Changes:

  • Added check for FrontPage extensions to Server Check as they should be considered a security risk as they were EOL in 2006
  • Added support for the impending cPanel v11.25 Security Tokens feature

New cmm v1.13

Changes:

  • Added new option “Manage Mail Hourly Limits” to modify per domain outgoing email limit

New csf v4.75

Changes:

  • Added a [block] section to the Login Failure alert.txt template. This new report template will be copied to /etc/csf/alert.txt.new on existing installations, rename it to alert.txt to use it
  • Modified existing lfd alerts to use currently used tags instead of appending block information to the IP address (alert.txt modified as above)
  • Added new options trigger for RT_LOCALHOSTRELAY_* to csf.conf for email sent via a local IP addresses, separating the trigger from RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf for more information
  • Added Relay Tracking to Direct Admin running exim. See RT_* and SMTPRELAY_LOG in csf.conf for more information
  • Added csf.mignore to allow ignoring of specified usernames or local IP addresses from RT_LOCALRELAY_ALERT
  • Modified csf UI to use a single dropdown for all lfd ignore files
  • Added proftpd regex matching for “UseReverseDNS on” in proftpd config

New csf v4.74

Changes:

  • Removed FUSER from csf.conf as it is no longer used
  • Added UNZIP to csf.conf which is required for Country Code to CIDR functions
  • Modified the Country Code allow/deny/allow_filter feature to generate CC CIDRs from the Maxmind GeoLite Country database instead of using iplocationtools.com. Note: GeoLite is much more accurate that the previous zones used. This also means that there are usually more CIDRs for each CC which adds to the burden of using this feature

The latest version of Archive::Zip (v1.29) breaks MailScanner

If you receive the following error while attempting to start MailScanner:

Bareword “Cwd::getcwd” not allowed while “strict subs” in use at /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 552. Compilation failed in require at /usr/mailscanner/lib/MailScanner/Message.pm line 48. BEGIN failed–compilation aborted at /usr/mailscanner/lib/MailScanner/Message.pm line 48. Compilation failed in require at /usr/mailscanner/bin/MailScanner line 107. BEGIN failed–compilation aborted at /usr/mailscanner/bin/MailScanner line 107.

then it’s likely Archive::Zip has upgraded to v1.29, which causes this problem.Edit (1st July 2009 08:20): The author of Archive::Zip has now released a bugfix for this issue and you can easily fix the issue with:

/scripts/perlinstaller –force Archive::Zip

Check that it installs v1.30 of the perl module, then restart MailScannerNote that if the cpan mirror you are using is stuck on v1.29 and will not update to 1.30, you will need to manually upgrade Archive::Zip:

wget http://search.cpan.org/CPAN/authors/id/A/AD/ADAMK/Archive-Zip-1.30.tar.gztar -xzf Archive-Zip-1.30.tar.gzcd Archive-Zip-1.30perl Makefile.PLmakemake install

New csf v4.73

Changes:

  • Added checks before Net::CIDR:Lite calls to ensure inputs are CIDR’s to prevent module failures
  • New feature – LF_CPANEL_ALERT. Send an email alert if anyone accesses WHM via root. An IP address will be reported again 1 hour after the last tracked access (or if lfd is restarted)