Configuration Exploit Scanner [CXS]:
The ConfigServer exploit scanner is a new tool that performs active scanning of files as they are uploaded to the server. Active scanning can be performed on text files, and with CXS it is applied to all modified files within user accounts. It can also be applied to PHP upload scripts, Perl upload scripts, CGI upload scripts and any other web script. Active scanning also helps prevent the exploitation of an account by deleting suspicious files or moving them to quarantine. Configuration Exploit Scanner also provides on-demand scanning of directories, user accounts and files that may be affected by suspicious content.
How to scan files via Configuration Exploit Scanner:
Active scanning with Configuration Exploit Scanner helps identify accounts that have been exploited or affected by viruses, and lets you delete suspicious files or move them to quarantine before they become active. It can also block uploads of PHP shell scripts and Perl scripts that are intended for malicious attacks.
· Log in to the server via SSH.
· To scan a single user's directory, use cxs --user [name of single user]
· To scan the directories of all users, use cxs --allusers
· To scan a single file:
root@server[/]# cxs xmlrpc.php
scanning /home/martin/public_html/xmlrpc.php.
How to install and scan using Configuration Exploit Scanner:
Before installing Configuration Exploit Scanner, make sure your system has the tools and configuration that CXS requires.
Requirements:
· CentOS / Red Hat / CloudLinux, or Linux v4/5/6.
· WHM/cPanel.
· Apache v2+.
· Clam daemon process (clamd) for virus scanning.
· Mod_Security v2+ to enable scanning of web script uploads [it supports only Apache v2+].
· Pure-ftpd for scanning FTP uploads.
· csf.
Installing process of Configuration Exploit Scanner:
· For product installation:
wget http://www.configserver.com/free/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv cxsinstaller.*
· To read the Configuration Exploit Scanner documentation, use the UI or run:
# perldoc cxs
# cxs --help
· You can modify the following script files to suit your requirements. They contain the cxs commands that are run, and you can change them at any time.
The cxs script for pure-ftpd upload scanning:
/etc/cxs/cxsftp.sh
The cxs script for web script upload scanning:
/etc/cxs/cxscgi.sh
· To enable web script upload scanning through Mod_Security, add the following lines:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,id:1010101"
If you want to allow large file uploads, you need to increase the default Mod_Security request body size with the SecRequestBodyLimit directive:
SecRequestBodyLimit 14217782
· Pure-ftpd upload scanning requires editing pure-ftpd.conf to add this line:
CallUploadScript yes
After that, restart pure-uploadscript and pure-ftpd. This adds a new service, /etc/init.d/pure-uploadscript, which runs as a daemon and passes uploads to /etc/cxs/cxsftp.sh.
· For automatic updates, add the following cron entry via the cxs UI:
0 4 * * * /usr/sbin/cxs --upgrade --quiet
· To test PHP CGI and Perl CGI upload scanning, copy the files from /etc/cxs/test.* to an empty test directory. Check the permissions before copying the files.
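The Mod_Security step above depends on how @inspectFile reads a script's verdict. The following is an added example, not the contents of /etc/cxs/cxscgi.sh or any ConfigServer code, showing that contract with a stand-in scanner that fails closed. SIGNATURE, scan_file and inspect_upload are hypothetical names.

```shell
#!/bin/sh
# Added example: stand-in for an @inspectFile hook (the role cxscgi.sh plays).
# ModSecurity runs the script with the temporary upload path as $1 and reads
# one line from stdout: a leading "1" means no match (upload proceeds); any
# other output makes the rule match, so its "deny" action fires.

SIGNATURE='CONSTRUCTED-TEST-SIGNATURE'   # constructed marker, not a real rule

# Hypothetical scanner. Returns 0 = clean, 1 = suspicious, 2 = scan failed.
scan_file() {
    grep_rc=0
    grep -q -e "$SIGNATURE" -- "$1" 2>/dev/null || grep_rc=$?
    case $grep_rc in
        0) return 1 ;;   # marker found
        1) return 0 ;;   # marker absent
        *) return 2 ;;   # grep could not read the file
    esac
}

# Prints the single verdict line ModSecurity expects. Fails closed: a missing
# path or a scanner error rejects the upload instead of letting it through.
inspect_upload() {
    if [ -z "${1:-}" ] || [ ! -f "$1" ]; then
        echo "0 no readable upload at '${1:-}', rejecting"
        return 0
    fi
    scan_rc=0
    scan_file "$1" || scan_rc=$?
    case $scan_rc in
        0) echo "1 clean" ;;
        1) echo "0 suspicious content in $1" ;;
        *) echo "0 scanner error on $1, rejecting" ;;
    esac
}

# ModSecurity passes one argument; with none, run on constructed samples.
if [ $# -gt 0 ]; then
    inspect_upload "$1"
else
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/ok.txt"
    printf 'x %s y\n' "$SIGNATURE" > "$tmp/bad.txt"
    inspect_upload "$tmp/ok.txt"
    inspect_upload "$tmp/bad.txt"
    inspect_upload "$tmp/missing.txt"
    rm -rf "$tmp"
fi
```

Because anything other than a leading "1" is treated as a match, a hook that crashes or prints nothing also causes the upload to be denied.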