ConfigServer Services Blog

New csf v2.36

Changes:

  • Added runlevel check to Security Check
  • Added nobody cron check to Security Check
  • Added melange server check to Security Check
  • Modified the regex for the php.ini disable_functions check
  • Added timing function to lfd that logs how long each stage takes. This can be enabled by editing lfd.pl and setting $timing=1 – this can help in tracking down performance issues with lfd

chkrootkit v0.47 released

chkrootkit 0.47 is now available! This version includes:

  • chkproc.c
    - some bug fixes, thanks to Lantz Moore
    - use of getpriority() to identify LKMs, thanks to Yjesus (unhide) and Slider/Flimbo (skdet)
    - new rootkit detected: Enye LKM
  • chkrootkit
    - new test: crontab
    - new rootkits/worms detected: Enye LKM, Lupper.Worm, shv5
    - more ports added to the bindshell test
    - some minor bug fixes

chkrootkit is a tool to locally check for signs of a rootkit. More information about chkrootkit and rootkits can be found at http://www.chkrootkit.org/.

New MailScanner Script v2.46

Changes:

  • Modified installer script to change the exim system_filter to an empty file (/etc/antivirus.empty) instead of periodically emptying /etc/antivirus.exim
  • Modified installer script to check for existence, ownership and permissions on the spool directories on upgrade
  • Modified installer script to cleanly stop and start MailScanner without Failed messages
  • Latest MailScanner v4.56.8
  • Modified installer script to offer second option for new installations to skip forced perl module installation
  • Fixed bug in the MailScanner distribution where the MailScanner.conf update script isn’t marked executable (chmod +x)

New rkhunter v1.2.9

The rkhunter developer has finally released a long-awaited update:

  • This release added support for RHEL WS/AS/ES 3 Taroon update 8, Fedora Core 5, and SuSE 10. Checks were added for packet capturing applications and processes using deleted files. The netstat check was enabled for AIX and the backdoor check was enabled for SunOS. Logfile specification and checks were added.

http://rkhunter.sourceforge.net/

Unfortunately, it looks like they still don’t ship md5sums for the most popular OSs, i.e. RHEL v4/CentOS v4, so the file-hash checks on those systems remain incomplete.

To upgrade:

/bin/rm -Rf rkhunter*
wget http://surfnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.2.9.tar.gz
tar -xzf rkhunter-*
cd rkhunter-*
./installer.sh
cd ..
/bin/rm -Rf rkhunter*
rkhunter --update
rkhunter -c --skip-keypress

New csf v2.35

Changes:

  • Added specific exclusion for proftpd in lfd.pl process tracking
  • Fixed bug with GLOBAL_LF being ignored

New csf v2.34

New feature:

  • Added a new option (beta for now) PT_SMTP. This option checks for outgoing connections to port 25, excluding those made by root, exim and mailman. The purpose of the feature is to log SMTP connections if you believe you have a spammer on the server who is bypassing exim and connecting directly to remote mail servers – this is traditionally a very difficult form of spam to track down. The option currently logs the relevant process information to lfd.log rather than sending an email, to avoid an alert flood.
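As an added illustration of what a PT_SMTP-style check has to do (this is not lfd’s own Perl code, and the real option is not documented here beyond the bullet above), the following Python reads /proc/net/tcp-format data, keeps only outbound connections to port 25, and drops those owned by root, exim or mailman. Everything below the dashed comment is constructed sample data: the /proc/net/tcp lines, the socket-inode-to-process map (on a live host you build that by reading the socket:[N] links under /proc/<pid>/fd) and the uid map. Ignoring loopback destinations is my own choice, on the reasoning that a connection to 127.0.0.1:25 goes through the local exim rather than around it; the post does not say what PT_SMTP does with those.

```python
import socket
import struct
from collections import namedtuple

# Users whose outbound SMTP is legitimate; mirrors the PT_SMTP exclusions in the post.
SMTP_ALLOWED_USERS = {"root", "exim", "mailman"}
SMTP_PORT = 25
# /proc/net/tcp state codes: 01 ESTABLISHED, 02 SYN_SENT (both mean an outbound attempt).
OUTBOUND_STATES = {0x01, 0x02}

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state uid inode")


def parse_addr(field):
    """Decode a /proc/net/tcp 'ADDR:PORT' field (IPv4).

    The address is a 32-bit value printed in host byte order (little-endian on
    x86, which is what this helper assumes); the port is plain big-endian hex.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into Conn records, skipping the header line."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue  # header ("sl local_address ...") or blank line
        local_ip, local_port = parse_addr(fields[1])
        remote_ip, remote_port = parse_addr(fields[2])
        conns.append(Conn(local_ip, local_port, remote_ip, remote_port,
                          int(fields[3], 16), int(fields[7]), int(fields[9])))
    return conns


def find_rogue_smtp(proc_net_tcp, inode_to_proc, uid_to_user, ignore_loopback=True):
    """Return outbound port-25 connections owned by users outside SMTP_ALLOWED_USERS.

    inode_to_proc maps socket inode -> (pid, command line). On a real host it is
    built by resolving socket:[N] links in /proc/<pid>/fd; here it is supplied.
    """
    hits = []
    for c in parse_proc_net_tcp(proc_net_tcp):
        if c.remote_port != SMTP_PORT or c.state not in OUTBOUND_STATES:
            continue
        if ignore_loopback and c.remote_ip.startswith("127."):
            continue  # talking to the local MTA, not bypassing it (my assumption)
        user = uid_to_user.get(c.uid, str(c.uid))
        if user in SMTP_ALLOWED_USERS:
            continue
        pid, cmd = inode_to_proc.get(c.inode, (None, "<socket not found under /proc/*/fd>"))
        hits.append({"pid": pid, "user": user, "cmd": cmd,
                     "local": f"{c.local_ip}:{c.local_port}",
                     "remote": f"{c.remote_ip}:{c.remote_port}"})
    return hits


# ---- constructed sample data (not captured from any real server) ----
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30001 1 0000000000000000 100 0 0 10 0
   1: 0500000A:A8CA 04030201:0019 01 00000000:00000000 00:00000000 00000000  1001        0 40001 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:A8CB 08070605:0019 01 00000000:00000000 00:00000000 00000000     8        0 40002 1 0000000000000000 20 4 30 10 -1
   3: 0500000A:A8CC 09090909:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 40003 1 0000000000000000 20 4 30 10 -1
   4: 0100007F:A8CD 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1001        0 40004 1 0000000000000000 20 4 30 10 -1
"""
INODE_TO_PROC = {  # hypothetical pids and command lines
    30001: (1180, "/usr/sbin/exim -bd -q1h"),
    40001: (4321, "/usr/bin/php /home/webuser/public_html/mailer.php"),
    40002: (1195, "/usr/sbin/exim -Mc"),
    40003: (4330, "/usr/bin/php /home/webuser/public_html/cron.php"),
    40004: (4335, "/usr/bin/php /home/webuser/public_html/contact.php"),
}
UID_TO_USER = {0: "root", 8: "exim", 1001: "webuser"}

if __name__ == "__main__":
    # Only entry 1 is reported: entry 0 is exim's listener, 2 belongs to exim,
    # 3 goes to port 443 and 4 is a loopback connection to the local MTA.
    for h in find_rogue_smtp(PROC_NET_TCP, INODE_TO_PROC, UID_TO_USER):
        print(f"PT_SMTP-style alert: user={h['user']} pid={h['pid']} "
              f"{h['local']} -> {h['remote']} cmd={h['cmd']}")
```

The interesting design point is the join between the connection table and the process table: /proc/net/tcp only gives you a uid and a socket inode, so naming the offending script means mapping that inode back to a pid, and a process that exits straight after sending can vanish between the two reads. That race is one reason a log-only mode, as the post describes for PT_SMTP, is the sensible default while the check is still beta.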

Serious cPanel Security Problem

A major privilege-escalation flaw has been found in cPanel and is being actively exploited. The exploit lets an authenticated user (i.e. anyone with a cPanel account) escalate to root. cPanel have fixed the hole and most people will have been patched overnight by the automatic update. To be sure, I would suggest everyone runs a forced upcp update on their servers:

/scripts/upcp --force

Some links:
http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html
http://forums.cpanel.net/showthread.php?t=58090

New csf v2.33

Changes:

  • Code modification to allow csf+lfd to run without erroring on cPanel DNS-Only installations
  • Added forced error checking on SMTP blocking iptables commands
  • Added check in csf and lfd for duplicate settings in csf.conf

New csf v2.32

Changes:

  • Added new option SMTP_ALLOWLOCAL to allow local connections to port 25 for web scripts, etc, if SMTP_BLOCK is enabled
  • Added check to csf startup to fail if “WHM > Tweak Security > SMTP Tweak” is enabled, as otherwise the two sets of rules can break SMTP traffic completely. The SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used instead