General

New cxs v9.06

Changes:

  • Added prevention routines to stop corrupt fingerprint and regex entries from being loaded
  • Reduced memory footprint when handling fingerprints
  • Reduced memory footprint of cxs Watch controlling process
  • Fixed issue with cxs installation/upgrade sometimes restarting cxs Watch whether it was running or not
  • Modified eval+use+module checks to use bundled Module::Installed::Tiny instead
  • Fixed perl memory leak when using regexes in cxs.ignore. This fix can significantly reduce the memory overhead of cxs processes, especially with cxs Watch and –allusers scans

cxs False Positives

We had a corrupt daily update of the cxs signatures that is causing problems for some users. If you are seeing a problem with detections, please do the following immediately:

rm -fv /etc/cxs/new.fp
cxs -U
service cxswatch restart

 

If you need to perform a bulk restore from quarantine due to this issue:

Depending on the location of your quarantine, the following should work:

find /home/quarantine/cxsuser/ -type f -exec cxs --qrestore {} \;

You will get messages about “Restore failed – Restore file not found” which you can ignore.
Note: The destination file must _not_ exist otherwise the restore for the file will fail.

New cxs v9.05

Changes:

  • Fixed cxs process title incorrectly using “cxswatch – database update” when running a normal scan

New cxs v9.04

Changes:

  • Fixed spurious DBI error when rescanning a quarantine directory in the UI
  • When running/viewing scans or configurations through the UI, ensure any configured quarantine directory is created if missing

New cxs v9.03

Changes:

  • Modified database reporting to a subprocess to only fork in cxs Watch

New cxs v9.02

Changes:

Fixed issue with cxswatch startup improperly triggering database statistics update

New cxs v9.01

Changes:

  • Offload database reporting to a subprocess
  • Prevent the same exploit (md5sum) being repeatedly reported through -wttw [file]

New csf v12.01

Changes:

  • Added missing DOCKER_DEVICE setting from the generic and directadmin csf.conf files
  • Ensure iptables/ip6tables mangle and raw tables are flushed on stop/start if they exist
  • CC_OLDGEOLITE set to “0” on new servers and those upgrading to v12.* for the first time. This enables MaxMind GeoLite2 by default unless already set
  • Note: The old MaxMind Geolite v1 database code will be removed in the near future, before the end of March, in favour of the v2 databases

New cxs v9.00

Changes:

  • Added new –Wnotify [system]. This option specifies which filesystem notification API to use with cxs Watch. Defaults to [inotify]
  • Added EXPERIMENTAL support for RHEL v7.* fanotify and CloudLinux v7.* File Change API (direct and via SQLite API). See the cxs documentation for information, restrictions, requirements, advantages and disadvantages of each notification system
  • Modified Universal Decoder to run an all scripts, not just PHP

New csf v12.00

Changes:

  • Added support for GeoLite2 databases from Maxmind for CC_*. These databases are significantly larger than the soon to be deprecated GeoLite ones stored in /var/lib/csf/
  • Added support for GeoLite2 databases from Maxmind for CC_LOOKUPS and CC6_LOOKUPS
  • Added new option: CC_OLDGEOLITE. This option is enabled by default to continue using the old GeoLite databases. See csf.conf for more information. This option will be removed in the near future so that all installations use the new GeoLite2 databases
  • GeoLite2 lookups now use the CSV files instead of the formatted Data files because the Perl dependencies for the MaxMind Perl modules that access the Data files are prohibitively excessive. We have developed our own fast binary search module to perform the required lookups on the CSV files for both IPv4 and IPv6
  • An advantage of the new GeoLite2 databases is that IPv6 lookups can now be done to the same level as IPv4: Country Code; Country; Region; City; ASN
  • Unified storage of GeoLite2 database to avoid duplication between CC_LOOKUPS and CC_* databases
  • Added new CC_LOOKUPS value of “4”. This option does not use the MaxMind databases directly for lookups. Instead it uses a URL-based lookup from a third-party provider at https://freegeoip.net and so avoids having to download and process the large databases. See csf.conf for more information and limitations
  • Modified CC_INTERVAL default to 14 days on new installations
  • Ensure MESSENGERV2 service will not start if using a valid cPanel account in MESSENGER_USER (must be non-cPanel account)
  • Create entry in /etc/aliases for “csf” if MESSENGERV2 is enabled on cPanel servers to reserve the account name
  • Added new feature: DOCKER support. This configures iptables rules to allow Docker containers to communicate through the host. This is currently in BETA testing. See csf.conf for more information. Thanks to Marcele for the rules
  • Removed redundant nat table check for ip6tables in Config.pm
  • Replaced all remaining bareword file handles