cxs

New cxs v2.88

Changes:
– Include gzdecode() detection for PHP scripts
– Switched from using LWP to HTTP::Tiny to reduce memory footprint and reliance on the LWP perl module. The HTTP::Tiny module is included in the distribution, so no further action is necessary
– Modified cxs watch daemon to use POSIX::setsid()
– Modified cxs quarantine routine to reduce memory footprint
– Modified cxs to load Pod::Usage only if necessary to reduce memory footprint
– Modified cxs watch to not fail startup if new watch resource disappears before completion
– Exploit fingerprint definitions database additions

New cxs v2.87

Changes:
– Improvements to the main decoder regex
– Reverted to using temporary files during PHP file decoding due to a major bug in PHP v5.4.* which produces “Ran out of opcode space!” in interactive mode
– Exploit regex definitions database additions
– Exploit fingerprint definitions database additions

WHM/cPanel v11.36 in RELEASE

cPanel v11.36 has now entered the RELEASE tree and you will notice that most of your addon perl scripts are failing. You can resolve this easily with our addons by reinstalling them. We have provided a simple script, which we posted previously, that can do this for you. This has to be done regardless of whether you are running the latest versions:
This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are done so regardless of whether they are the same or an older version of those available.
To use this method you must be logged into root via SSH to the server and then run:
curl -s configserver.com/free/csupdate | perl
You should take care to read through the output to ensure that all the upgrades have worked as expected.

New cxs v2.86

Changes:
– Improvements to installer on initial fresh cPanel v11.36 installations
– Added a 20 second timeout for running --Wsymlink [script] and switched from using system call to open3
– Added a 20 second timeout for running --script [script] and improved output printing from [script]
– Modified --options [u] to include more suspicious locations
– Exploit fingerprint definitions database additions

WHM/cPanel v11.36

cPanel v11.36 has now entered the CURRENT tree and you will notice that most of your addon perl scripts are failing. You can resolve this easily with our addons by reinstalling them. We have provided a simple script, which we posted previously, that can do this for you. This has to be done regardless of whether you are running the latest versions:
This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are done so regardless of whether they are the same or an older version of those available.
To use this method you must be logged into root via SSH to the server and then run:

curl -s configserver.com/free/csupdate | perl

You should take care to read through the output to ensure that all the upgrades have worked as expected.

New cxs v2.85

Changes:
– Moved suspicious script location detection to its own option within: --options [u], --doptions [u], --voptions [u] and --qoptions [u]. The option is included in the default setting for --options [options]. If you specify a list in any of these options and want to include this in them, then you need to add [u] to the list of options
– Separate dangerous quarantine options in the UI

New cxs v2.84

Changes:
– New feature: cxs watch daemon symlink attack detection. This option will try to detect a symlink attack against the server. If --Wsymlinkmax [num] symlinks are created within one directory within --Wsymlinksec [secs] seconds, then --Wsymlink [script] will be run. An example of this script is provided in /etc/cxs/symlinkdisable.example.pl
– Enable --Wsymlink /etc/cxs/symlinkdisable.example.pl on new installs in /etc/cxs/cxswatch.sh for email notifications
– Detect as suspicious, scripts found within /images/ and /upload(s)/ directories
– Fixed --Wadd [file] not working correctly in cxs watch
– Fixed --www not being adhered to for new users while cxs watch running
– Modified --www location on DA servers to the domains/ subdirectory of the user's account for cxs watch daemon and single user scans
– Improvements to file ownership detection in cxs watch. If a file is owned by “nobody” cxs will compare user home directories in /etc/passwd to the file location to try and determine a unique owner
– Fixed UI saving default “smtp” setting incorrectly (again)
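
The symlink threshold described for v2.84 amounts to a per-directory sliding-window count. The sketch below is an added example, not cxs code: the class and function names are hypothetical, and the exact window semantics and the re-arm after an alert are assumptions.

```python
from collections import defaultdict, deque
import os

class SymlinkBurstDetector:
    """Flags a directory once max_links symlinks appear in it within window_secs."""

    def __init__(self, max_links, window_secs):
        self.max_links = max_links        # plays the role of --Wsymlinkmax [num]
        self.window_secs = window_secs    # plays the role of --Wsymlinksec [secs]
        self.seen = defaultdict(deque)    # directory -> creation times still in window

    def observe(self, timestamp, path):
        """Record one symlink creation; return the directory if the threshold trips."""
        directory = os.path.dirname(path)
        stamps = self.seen[directory]
        stamps.append(timestamp)
        # Drop creations that have aged out of the window.
        while stamps and timestamp - stamps[0] >= self.window_secs:
            stamps.popleft()
        if len(stamps) >= self.max_links:
            stamps.clear()                # assumption: re-arm so one burst raises one alert
            return directory
        return None

def scan(events, max_links, window_secs):
    """Feed (timestamp, path) events in time order; return the alerts raised."""
    detector = SymlinkBurstDetector(max_links, window_secs)
    alerts = []
    for ts, path in events:
        hit = detector.observe(ts, path)
        if hit is not None:
            alerts.append((ts, hit))      # the point where --Wsymlink [script] would run
    return alerts

# Constructed sample events: (seconds, path of the newly created symlink).
SAMPLE_EVENTS = [
    (0, "/home/alice/public_html/blog/a.txt"),
    (30, "/home/alice/public_html/blog/b.txt"),   # slow activity, never trips
    (100, "/home/bob/public_html/tmp/1.txt"),
    (101, "/home/bob/public_html/tmp/2.txt"),
    (101, "/home/alice/public_html/blog/c.txt"),
    (102, "/home/bob/public_html/tmp/3.txt"),
    (103, "/home/bob/public_html/tmp/4.txt"),
    (104, "/home/bob/public_html/tmp/5.txt"),     # fifth link in one directory in 4 seconds
]
```

Calling `scan(SAMPLE_EVENTS, 5, 10)` raises a single alert for `/home/bob/public_html/tmp` at second 104, while the same events with a 2 second window raise none.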
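
The ownership fallback for files owned by "nobody" can be pictured as a home-directory prefix match against /etc/passwd that only succeeds when exactly one account matches. This is an added example, not cxs code: the function names and the passwd sample are constructed, and returning no owner on an ambiguous match is an assumption.

```python
import os

def parse_passwd(text):
    """Return {username: home_directory} from passwd-format text."""
    homes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            homes[fields[0]] = os.path.normpath(fields[5])
    return homes

def resolve_owner(file_path, homes):
    """Return the single user whose home directory contains file_path, else None."""
    path = os.path.normpath(file_path)      # collapses ../ so the prefix test is honest
    matches = [
        user for user, home in homes.items()
        # Match on a path-component boundary: /home/bob must not claim /home/bobby/...
        # A home of "/" (as "nobody" often has) would match everything, so skip it.
        if home != "/" and path.startswith(home + os.sep)
    ]
    return matches[0] if len(matches) == 1 else None

# Constructed passwd sample; two accounts deliberately share one home directory.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
bob:x:1001:1001::/home/bob:/bin/bash
bobby:x:1002:1002::/home/bobby:/bin/bash
shared1:x:1003:1003::/home/shared:/bin/bash
shared2:x:1004:1004::/home/shared:/bin/bash
"""

HOMES = parse_passwd(SAMPLE_PASSWD)
```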

New convenient update method for ConfigServer scripts

We have released a new method to force an update of all of our main scripts (on cPanel servers only):
cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are done so regardless of whether they are the same or an older version of those available.
To use this method you must be logged into root via SSH to the server and then run:

curl -s configserver.com/free/csupdate | perl

You should take care to read through the output to ensure that all the upgrades have worked as expected.

New cxs v2.83

Changes:
– Updated to use the new cPanel 11.36+ integrated perl binary if it exists
– Fixed UI saving default “smtp” setting incorrectly
– Modified --www location on DA servers to the domains/ subdirectory of the user's account as public_html/ is ignored as it is a symlink

New cxs v2.82

Changes:
– Added new advanced PHP decoder
– Improvements to detection of PHP script file type
– Added new functionality to --xtra [file] to force quarantine of a file with a matching regex if using --quarantine [dir]. See documentation or the latest /etc/cxs/cxs.xtra.example for information
– Exploit regex definitions database additions
– Exploit fingerprint definitions database additions