ConfigServer eXploit Scanner (cxs)

ConfigServer eXploit Scanner (cxs) is a new tool that performs active scanning of files as they are uploaded to the server.

cxs also allows you to perform on-demand scanning of files, directories and user accounts for suspected exploits, viruses and suspicious resources (files, directories, symlinks, sockets). You can run scans of existing user data to see if exploits have been uploaded in the past or via methods not covered by the active scanning. It has been tuned for performance and scalability.

Active scanning of uploaded files can help prevent exploitation of an account by malware by deleting suspicious files or moving them to quarantine before they become active. This includes recent exploits such as the Dark Mailer spamming script (multiple variants, including obfuscated code regardless of file name), files uploaded with the Gumblar Virus, and the recent imgaaa.net defacement scripts. It can also prevent the uploading of PHP and Perl shell scripts, which are commonly used to launch more malicious attacks and to send spam.

Note: cxs is not a rootkit scanner, though it can help detect rootkits uploaded to user accounts.
Requirements:
# cPanel/WHM
# Redhat/CentOS/CloudLinux Linux v4/5/6
# Apache v2+
# ClamAV daemon process, for virus scanning
# Mod_security v2+, to enable upload script scanning (not supported for litespeed, nginx, etc. - only Apache v2+)
# Pure-ftpd, compiled with --with-uploadscript for ftp upload scanning
# csf, if you want pure-ftpd IP address blocking
Additional requirements for cxs Watch daemon:
# Kernel with inotify support, e.g. RedHat/CentOS/CloudLinux v5/6+ OS vendor kernels - required for cxs Watch daemon
# Linux::Inotify2 perl module - required for cxs Watch daemon
Note: The Virtuozzo VPS does not allow kernel parameters to be changed, so your provider may need to increase /proc/sys/fs/inotify/max_user_watches if more inotify resources are required than are currently set.
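
The inotify limit mentioned in the note above can be checked before a watch daemon is enabled on a large user-data tree. The shell functions below are an added example, not part of cxs; they assume one inotify watch per directory (inotify watches are not recursive), and the function names and the 20% default margin are illustrative.

```shell
#!/bin/sh
# Added example (not part of cxs): estimate inotify watch demand for a
# directory tree and compare it with the kernel limit.
# Assumption: the watcher needs one watch per directory.

# count_dirs ROOT -> number of directories under ROOT, ROOT included.
# NUL-delimited counting, so user-chosen directory names that contain
# newlines cannot inflate the result. Symlinks are not followed.
count_dirs() {
    find "$1" -type d -print0 2>/dev/null | tr -dc '\000' | wc -c | tr -d ' '
}

# watch_headroom ROOT [LIMIT_FILE] [MARGIN_PCT]
# Prints "needed=<n> limit=<n> headroom=<n>".
# Returns 0 if the limit covers the tree plus the margin, 1 if not, 2 on error.
watch_headroom() {
    root=$1
    limit_file=${2:-/proc/sys/fs/inotify/max_user_watches}
    margin_pct=${3:-20}

    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    [ -r "$limit_file" ] || { echo "cannot read: $limit_file" >&2; return 2; }

    limit=$(cat "$limit_file")
    case $limit in
        ''|*[!0-9]*) echo "unexpected limit value in $limit_file" >&2; return 2 ;;
    esac

    needed=$(count_dirs "$root")
    # Keep spare capacity so directories created later can still be watched.
    required=$(( needed + needed * margin_pct / 100 ))

    echo "needed=$needed limit=$limit headroom=$(( limit - required ))"
    [ "$limit" -ge "$required" ]
}

# Usage: sh this-script /home
if [ "$#" -gt 0 ]; then
    watch_headroom "$@"
fi
```

A negative headroom value means some directories would go unwatched, so files written there would not be scanned as they arrive.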

Active scanning can be performed on all text files:
# Actively on all file uploads within user accounts using the cxs Watch daemon regardless of how they were uploaded
# PHP upload scripts (via a mod_security or suhosin hook)
# Perl upload scripts (via a mod_security hook)
# CGI upload scripts (via a mod_security hook)
# Any other web script type that utilizes the HTML form ENCTYPE multipart/form-data (via a mod_security hook)
# Pure-ftpd
Exploit detection includes:
# Over 4500 known exploit script fingerprint matches (in addition to ClamAV detection)
# Known viruses via ClamAV
# Regular expression pattern matching to help identify unknown exploits
# Filename matching
# Suspicious file names
# Suspicious file types
# Binary executables
# Custom user specified regular expression patterns
# Comprehensive constant scanning of all user data using the cxs Watch daemon - scans all user files as soon as they are modified
# Daily check for new Exploit Fingerprints ... and more!
Included with the cxs Command Line Interface (CLI) is a web-based User Interface (UI) to help:
# Run scans
# Schedule and Edit scans via CRON
# Compose CLI scan commands
# View, Delete and Restore files from Quarantine
# View documentation
# Set and Edit default values for scans
# Edit commonly used cxs files

Thanks and Regards,