ChangeLog:

v1.30 - Added new option --script [script] which runs an external script whenever a match is detected against a file. See documentation for more information
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.29 - Significant improvements to --decode [file]
        Increased LWP timeout to cater for servers with slow connections to the license server
        Added total Viruses and Fingerprint Matches to the --mail Subject
        Added total Fingerprint Matches to the --summary
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.28 - If ftp is disabled in cPanel do not start pure-uploadscript
        New --options [E]. This option will match scripts that send out email using sendmail, exim or via SMTP. This option requires that --options [m] is also specified
        Improvement to --decode [file] variable detection
        Improvements to various eval() regex matches
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.27 - Fixed issue introduced in v1.26 that prevented ignoring of hdir and hfile options in an ignore file

v1.26 - Allow the use of --background (-B) in cxsftp.sh
        Skip processing a home directory of / when using --all
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.25 - Improved handling of --decode failures
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.24 - Improvements to --decode [file]
        Add the cxs command line to a report even if the scan report is empty
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.23 - Fixed a false-positive detection of C/C++ source files
        Added filename legend to View option UI in Other Files
        For single or multiple user scans, symlinks within the homedir will now be ignored
        Removed [\;\|\`\\] regex checks from the [f] and [d] --options, as it appears to be of little value (you could always add back such a check using a similar regex entry in an xtra file)
        Modified hidden text in image file check to only report if the text is script code
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.22 - Fixed --options [D] output not going to a --report [file]
        Improvement to --decode [file] variable detection
        Exploit fingerprint definitions database additions

v1.21 - Added UID check to ensure updates are only performed by root (UID=0)
        New --options [D]. This is an experimental option that puts any PHP scripts containing an eval() function that decodes base64 and rot13 data through the (experimental) --decode [file] option during a scan. This will then highlight the decoded result if it hits any regex, fingerprint or virus scan matches
        Added eval(str_rot13 to --decode [file]
        Fixed --decode [file] not scanning final decoded result with regex definitions and fingerprints
        Improvements to --decode [file] detection and processing
        Modified pure-uploadscript init file to cope with multiple pure-ftpd pids on restart and to stop pure-ftpd more cleanly
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.20 - Improvements to regex definitions database
        Added new ignore options for sym:, psym: and hsym: to allow ignoring of symlinks
        Modified --generate to add sym: for symlinks to ignore file
        All UI user selections modified to be dropdown lists
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.19 - Fixed bug preventing csf from blocking FTP IP addresses when --block is used
        Added failure message from csf to FTP email if deny fails
        Added new exploit scanning option W to be used with --option (must be explicitly added to the options list - the same way as the C option). The W option will chmod all world writable directories found to 755. Use this option with care as it could prevent web scripts from functioning on non-suPHP or non-SUEXEC enabled systems

v1.18 - Scanning speedup when using --voptions
        Improvements to --decode performance and effectiveness
        New optimised fingerprint database. This new database, though with fewer entries, is better targeted at detecting relevant exploits that ClamAV misses (the majority!)
        Changed "Match for fingerprint of an exploit" to "Known exploit = [Fingerprint Match]"
        Changed "Match for regular expression (regex)" to "Regular expression match = [regex]"

v1.17 - Fixed email " (Hits:nn)" not totalling all accounts hits

v1.16 - Removed spurious "set to skip" message text
        Added " (Hits:nn)" to the Subject line of email reports
        Added new option --ulist [file] for use with the --all option to perform scans of only those users listed in [file]
        Regex scanning improvements
        Disable default deep scanning on FTP and web script uploads to help avoid false-positives. If you want to continue deep scanning add --deep to cxsftp.sh and/or cxscgi.sh
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.15 - Added breakout if --decode [file] depth is > 250 to prevent looping
        Fixed problem with quarantine UI to cope with a trailing slash on the --quarantine [dir] statement
        Improved detection of the quarantine directory in UI
        Added DNS lookups on FTP IP address reports
        Allow the use of floating point numbers with --throttle [num]
        Added "Ignore" option for FTP quarantined files to Quarantine UI to add a file: ignore statement to a relevant ignore file if configured
        Added new options --jumpfrom [user] and --jumpto [user] for use with the --all option to perform scans of only those users between the two points, both of which are inclusive
        Added jumpfrom and jumpto to UI resource choice
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.14 - Added new experimental options --decode [file] and --depth [num]. See the perldoc documentation for more information
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.13 - Modified FrontPage extensions check to be case-insensitive
        Use of --all --mail [email] and --nosummary will now only report suspicious accounts instead of all accounts. --report [file] will still contain the full report
        Updated cxs perldoc help
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.12 - New option (-X, --xtra [file]) to allow custom regular expression matches and filenames that cxs will additionally scan for
        Exploit fingerprint definitions database additions

v1.11 - Modified hidden image text file to exclude most FrontPage extensions files
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.10 - Added new check to suspicious file routine to detect text files hiding as image files
        Made file extension checks case-insensitive
        Exploit fingerprint definitions database additions

v1.09 - Improved licensing code tolerance on network failure for web and ftp scanning on servers that are behind NAT
        Exploit regex definitions database additions
        Exploit fingerprint definitions database additions
        Ftp and web scanning speedups

v1.08 - Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.07 - Exploit regex definitions database additions
        Exploit fingerprint definitions database additions

v1.06 - Fixed issue with pure-uploadscript restart on cron job cxs upgrade
        Exploit fingerprint definitions database additions

v1.05 - Improved UI detection of the quarantine directory in cxsftp.sh and cxscgi.sh if used

v1.04 - Fixed duplicate virus scan on script files with regex matches
        Exploit fingerprint definitions database additions

v1.03 - Added quotes around the $1 parameter in cxscgi.sh and cxsftp.sh to cope with files with spaces in their names. Existing scripts will be fixed on upgrade

v1.02 - Added initial FreeBSD (v7.2) support - currently no UI cron job support has been implemented, jobs will have to be added to /etc/crontab manually on FreeBSD
        Fixed UI quarantine restore to always use correct uid and gid
        Exploit fingerprint definitions database additions
        Added some more examples to the POD and reference the examples in cxsftp.sh and cxscgi.sh

v1.01 - Added new exploit scanning option M to be used with --option (enabled by default) and --voption. The M option scans a fingerprint lookup table of over 4500 known exploit scripts. If you have cron jobs or have modified cxsftp.sh or cxscgi.sh that use an --options list, you might want to add M to the list to use this new feature
        Digest::MD5 added to required perl modules
        Added extra check in UI where alternative clamdsock is ticked but none entered in the textbox
        Exploit regex definitions database additions
        Don't show user in quarantine UI if empty

v1.00 - Initial release