ConfigServer Services Blog

New cxs v4.27

Changes:

  • Modified cxs Watch so that watches are updated/created if the alternative configuration file reload method is used
  • Exploit fingerprint definitions database additions
  • BETA: Added a local bayes corpus so that learning and forgetting can be implemented locally
  • BETA: Added new option –blearn [X|C] so that new files can be added to the local corpus as either an exploit (X) or as a clean file (C)
  • BETA: Added new option –bforget [X|C] so that new files can be removed from the local corpus as either an exploit (X) or as a clean file (C). Only files previously learned should be forgotten
  • BETA: Modified cxs Watch to reload the master bayes corpus on change
  • BETA: Modified cxs Watch to reload the local bayes corpus, if one exists, on change
  • BETA: When cxs is upgraded and the master bayes corpus exists, the latest master corpus will be automatically downloaded
  • BETA: New master bayes corpus generated
  • BETA: Raised bayes low/medium/high thresholds

 

Security: Chkrootkit Exploit and Fix

An exploitable security bug has been found in chkrootkit:

http://www.securityfocus.com/bid/67813

Chkrootkit has released v0.50 to fix this issue and make improvements:

http://www.chkrootkit.org/

This is our preferred procedure for compiling and creating a script to run chkrootkit:

cd /root
rm -Rfv chkrootkit-0.*
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xzf chkrootkit.tar.gz
cd chkrootkit-0.50
make sense
chmod +x chkrootkit
cd ..
echo '
cd /root/chkrootkit-0.50
./chkrootkit -q
' > /root/chkrootkit.sh
chmod +x chkrootkit.sh
chown -R root:root chkrootkit*
rm -fv chkrootkit.tar.gz

Crontab then runs /root/chkrootkit.sh on a regular basis.

New cxs v4.25

Changes:

  • Fingerprint P0452 removed as it appears some legitimate scripts are using the same obfuscation technique commonly used in exploits
  • BETA: Bayes corpus size decreased by a further 28% but with increased accuracy
  • Exploit fingerprint definitions database additions

 

New cxs v4.24

Changes:

  • BETA: Bayes corpus format improved – if you are using this feature, download the new corpus using “cxs –bget”
  • BETA: Bayes corpus memory footprint decreased by a further 20%
  • BETA: Bayes corpus loading speed improvements

 

New cxs v4.23

Changes:

  • Improvements to the main decoder regex
  • Improvements to decoder string extraction
  • Fixed formatting of –qlocal documentation
  • BETA: New Bayes corpus generated – if you are using thie feature, download the new corpus using “cxs –bget”
  • BETA: Bayes corpus size decreased by 25% but with increased accuracy
  • Exploit fingerprint definitions database additions

New cxs v4.22

Changes:

  • Added option –qlocal which provides quarantine support when using mod_ruid2 by storing quarantined files within a users account. See documentation for more information and caveats
  • BETA: Bayes learning improvements (speed, memory)
  • BETA: Bayes reporting improvements (speed, memory)
  • BETA: New Bayes corpus generated – if you are using thie feature, download the new corpus using “cxs –bget”
  • Improvements to PHP decoded script scanning efficiency

 

New cxs v4.21

Changes:

  • BETA: Bayes corpus loading speed improved by 100%
  • BETA: Bayes corpus memory footprint decreased by 20%
  • BETA: Increased minimum score size for Bayes reporting to help reduce false-positives

 

New cxs v4.20

Changes:

  • New option –[no]bayes (currently in BETA). Naive Bayesian probabability scanning of script files. This option uses an enhanced Naive Bayes algorithm to report a probability that a scanned script is an exploit. This is achieved through a trained corpus (database). See the cxs documentation for more details.
  • Additions to main decoder regex
  • Exploit fingerprint definitions database additions

 

New csf v7.03

Changes:

  • Added new option DROP_UID_LOGGING which allows UID logging to be disabled for outgoing connections. This option is enabled by default and can be disabled on OS’s that do not support –log-uid
  • Preupgrade copy of csf.conf now created in /var/lib/csf/backup/ for use with the csf –profile option
  • Updates to sanity.txt for new options
  • Modified DSHIELD blocklist URL from feeds.dshield.org/block.txt to www.dshield.org/block.txt for new and existing installs