cxs

New cxs v2.70

Changes:
– Improvements to cxs Watch daemon ignore/xtra and new update reloading without restart
– Switched to using Sys::Hostname in cxs Watch daemon
– Exploit regex definitions database additions
– Exploit fingerprint definitions database additions

New cxs v2.69

Changes:
– Switched to using Sys::Hostname to determine hostname as CloudLinux restricts access to /proc/sys/kernel/hostname for some reason

New cxs v2.68

Changes:
– Modified POD and UI to show full rather than abbreviated commands
– Added new option --template [file]. When using --mail [email] a standard email format is used. To customise this format an email template file can be used instead. You can now use this to email the Linux owner of the affected script under certain circumstances. See the cxs Documentation for more information
– Added new advanced PHP decoder for --decode ([D])
– Improvements to advanced PHP decoders to --decode ([D])
– Fixed PHP decoder issue that could restrict decoder depth under certain circumstances
– Exploit regex definitions database additions
– Exploit fingerprint definitions database additions

New cxs v2.67

Changes:
– NOTE: If you are using the cxs ModSecurity hook and ModSecurity v2.6, you must now specify the ModSecurity configuration setting SecTmpDir. If you have not set SecTmpDir in your ModSecurity configuration, then you need to add the following on its own line before or after the ModSecurity cxs line: “SecTmpDir /tmp” and then restart httpd. The file you need to add this to, if not already present, on a cPanel server is: /usr/local/apache/conf/modsec2.user.conf
– Unless specified, --qoptions now defaults to [Mv] when --quarantine [dir] is used. Any existing installations using --quarantine [dir] will now have --qoptions [Mv] enabled, unless otherwise specified on the command line or in cxs.defaults
– Added undocumented feature --YSKIPREG to ignore inbuilt regex matching when using --options [m]; --xtra [file] contents will still match
– Added undocumented feature --YSKIPMD5 to ignore inbuilt fingerprint matching when using --options [M], --xtra [file]

New cxs v2.66

Changes:
– Improvements to string detection in --decode ([D])
– Added new advanced PHP decoder for --decode ([D])
– Removed a false-positive fingerprint detection
– Exploit regex definitions database additions
– Exploit fingerprint definitions database additions

New cxs v2.65

Changes:
– Added new advanced PHP decoder for --decode ([D])
– Improvements made to md5sum ignore procedure
– Fixed problem when using md5sum ignore within archives

New cxs v2.64

Changes:
– Improvements to --decode ([D]) variable detection
– Added new advanced PHP decoder for --decode ([D])
– Exploit fingerprint definitions database additions

New cxs v2.63

Changes:
– Additional reasons for scan skipping added for --debug output
– Reload ignore file in cxs watch parent as well as children for rate limit warning
– New feature added --Wrateignore [secs]. To help prevent excessive resource usage, cxs Watch will ignore files for [secs] seconds if the rate limit warning is issued. Scanning will then resume. Set this to 0 to disable the ignore feature. This option is set to 300 (i.e. 5 mins) for new installations

New cxs v2.62

Changes:
– Removed extraneous / in the cgi email notification for the “Web upload script URL”
– Added cxs Watch logging for Inotify IN_Q_OVERFLOW events with a recommendation to increase /proc/sys/fs/inotify/max_queued_events if this occurs
– Added file check before invoking Inotify to confirm it exists to avoid spurious errors on VPS servers
– Allow files as well as directories in --Wadd [file]
– Exploit regex definitions database additions
– Exploit fingerprint definitions database additions

New cxs v2.61

Changes:
– Improvements to hidden script file detection
– Added formatting to cgi and ftp email reports
– Added new fields to the cgi email report
– Change POD Examples section to use full command line options
– Improvements to ignoring any files based on md5sum (including those identified as executables, viruses, etc)
– Remove extraneous spaces from ignore and xtra md5sum entries
– Improvements to --MD5 so that all reported files display the md5sum
– Changed the way md5sum values are displayed if --MD5 is used
– Improvements to the main decoder regex
– Exploit fingerprint definitions database additions