New cxs v1.21

Changes:

  • Added UID check to ensure updates are only performed by root (UID=0)
  • New –options [D]. This is an experimental option that puts any PHP scripts containing an eval() function that decodes base64 and rot13 data through the (experimental) –decode [file] option during a scan. This will then highlight the decoded result if it hits any regex, fingerprint or virus scan matches
  • Added eval(str_rot13 to –decode [file]
  • Fixed –decode [file] not scanning final decoded result with regex definitions and fingerprints
  • Improvements to –decode [file] detection and processing
  • Modified pure-uploadscript init file to cope with multiple pure-ftpd pids on restart and to stop pure-ftpd more cleanly
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.20

Changes:

  • Improvements to regex definitions database
  • Added new ignore options for sym:, psym: and hsym: to allow ignoring of symlinks
  • Modified –generate to add sym: for symlinks to ignore file
  • All UI user selections modified to be dropdown lists
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.19

Changes:

  • Fixed bug preventing csf from blocking FTP IP addresses when –block used
  • Added failure message from csf to FTP email if deny fails
  • Added new exploit scanning option W to be used with –option (must be explicitly added to the options list – the same way as the C option). The W option will chmod all world writable directories found to 755. Use this option with care as it could prevent web scripts from functioning on non-suPHP or non-SUEXEC enabled systems

New cxs v1.18

Changes:

  • Scanning speedup when using –voptions
  • Improvements to –decode performance and effectiveness
  • New optimised fingerprint database. This new database, though with fewer entries, is better targetted at detecting relevant exploits that ClamAV misses (the majority!)
  • Changed “Match for fingerprint of an exploit” to “Known exploit = [Fingerprint Match]”
  • Changed “Match for regular expression (regex)” to “Regular expression match = [regex]”

New cxs v1.16

Changes:

  • Removed spurious “set to skip” message text
  • Added ” (Hits:nn)” to the Subject line of email reports
  • Added new option –ulist [file] for use with the –all option to perform scans of only those users listed in [file]
  • Regex scanning improvements
  • Disable default deep scanning on FTP and web script uploads to help avoid false-positives. If you want to continue deep scanning add –deep to cxsftp.sh and/or cxscgi.sh
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.15

Changes:

  • Added breakout if –decode [file] depth is > 250 to prevent looping
  • Fixed problem with quarantine UI to cope with a trailing slash on the –quarantine [dir] statement
  • Improved detection of the quarantine directory in UI
  • Added DNS lookups on FTP IP address reports
  • Allow the use of floating point numbers with –throttle [num]
  • Added “Ignore” option for FTP quarantines files to Quarantine UI to add a file: ignore statement to a relevant ignore file if configured
  • Added new options –jumpfrom [user] and –jumpto [user] for use with the –all option to perform scans of only those user between the two points, both of which are inclusive
  • Added jumpfrom and jumpto to UI resource choice
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.13

Changes:

  • Modified FrontPage extensions check to be case-insensitive
  • Use of –all –mail [email] and –nosummary will now only report suspicious accounts instead of all accounts. –report [file] will still contain the full report
  • Updated cxs perldoc help
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions