ConfigServer Exploit Scanner – external perl script to run upon detection of a match

One very useful option recently added to CXS is --script.

For example, I am currently using something like:

/usr/sbin/cxs --report /var/log/cxs.scan --logfile /var/log/cxs.log --mail reports@myhost.co.uk --vir -I /etc/cxs/cxs.ignore --options mMOfSGChednWZDR --script /root/cxswatchscript.sh --xtra /etc/cxs/cxs.xtra -Z --sum -F 200000 -C /var/clamd -T 10 -B --allusers

The script named by --script, /root/cxswatchscript.sh, receives 4 arguments from CXS each time a match is found:

$1 = filename
$2 = option triggered
$3 = message reported
$4 = account name

As I wasn’t sure if I could get away with running a perl script directly, I use cxswatchscript.sh as a wrapper. cxswatchscript.sh contains:

#!/bin/bash
# CXS Watch Action Script
# Arguments passed:
# $1 = filename
# $2 = option triggered
# $3 = message reported
# $4 = account name
/usr/local/bin/perl /root/cxswatchscript.pl "$1" "$2" "$3" "$4"
Then cxswatchscript.pl contains:

#!/usr/local/bin/perl
# This script is run from CXS when a match is found
# Steve Sant stephensant@gmail.com
# CXS Watch Action Script
# Arguments passed (as @ARGV):
# $ARGV[0] = filename
# $ARGV[1] = option triggered (deliberately not used, see below)
# $ARGV[2] = message reported
# $ARGV[3] = account name
use strict;
use warnings;

# CXS always passes exactly four arguments; refuse anything else
if ($#ARGV != 3) {
	exit 1;
}
my $cxs_file    = $ARGV[0];
my $cxs_message = $ARGV[2];
my $cxs_user    = $ARGV[3];

# Suspend if Remote Shell infection found

if ($cxs_message =~ m/(ClamAV.*Shell)|(Fingerprint.*Shell)/) {
	# cPanel records suspended accounts here, so don't suspend twice
	my $user2sus = '/var/cpanel/suspended/' . $cxs_user;
	if (! -e $user2sus) {
		# list form of system() bypasses the shell, so the account name is never interpreted
		system '/scripts/suspendacct', $cxs_user;
	}
}

# CHMOD 000 if the file is suspicious

if ($cxs_message =~ m/(ClamAV)|(Fingerprint)/) {
	if (-e $cxs_file) {
		# '000' is passed as a string: a bare 000 literal would reach chmod as "0"
		system '/bin/chmod', '000', $cxs_file;
	}
}

The reason I don’t use the “Option Triggered” argument (the second one) is that ClamAV also picks up some JavaScript viruses, and while these things might technically be a virus, they don’t pose a threat to the server, and I wouldn’t want to suspend a user account based on finding one. The perl script allows us to be far more selective in the conditions that lead to a suspension.
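Before wiring a hook like this into CXS it is worth exercising the rules with dry runs, since a bad pattern suspends real accounts. The POSIX sh function below is an added example, not part of the original post: it mirrors the Perl script's decision logic (suspend only on a Shell match, chmod 000 on any ClamAV or Fingerprint match, nothing otherwise) and only prints what would happen. The sample messages are constructed for illustration, and the account-name check (plain [A-Za-z0-9_-] only) is an assumption added here.

```sh
#!/bin/sh
# Dry-run mirror of cxswatchscript.pl (added example, not the post's own code).
# Takes the same four arguments CXS passes: filename, option, message, account.
# Prints the actions the Perl script would take: "suspend chmod000",
# "chmod000", "none", or "badargs" (with exit status 1). Nothing is touched.

cxs_decide() {
    [ "$#" -eq 4 ] || { echo badargs; return 1; }
    message=$3
    user=$4
    # Assumption: account names are plain [A-Za-z0-9_-]; anything else is
    # refused before it could ever be handed to /scripts/suspendacct.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo badargs; return 1 ;;
    esac
    # Same case-sensitive patterns as the Perl regexes. A Shell match also
    # satisfies the second rule, so the Perl script suspends AND chmods.
    case $message in
        *ClamAV*Shell*|*Fingerprint*Shell*) echo "suspend chmod000" ;;
        *ClamAV*|*Fingerprint*)             echo "chmod000" ;;
        *)                                  echo "none" ;;
    esac
}

# Constructed sample invocations (message texts are made up for illustration);
# note the JavaScript virus only gets chmod 000, which is the point of the post.
run_samples() {
    while IFS='|' read -r file option message user; do
        printf '%-16s <- %s (%s)\n' \
            "$(cxs_decide "$file" "$option" "$message" "$user")" "$message" "$user"
    done <<'EOF'
/home/bob/public_html/up.php|ClamAV|ClamAV detected virus = [PHP.Backdoor.WebShell]|bob
/home/bob/public_html/ad.js|ClamAV|ClamAV detected virus = [JS.Trojan.Redirector]|bob
/home/bob/public_html/x.php|Fingerprint|Fingerprint match = [c99 Shell]|bob
/home/bob/public_html/ok.php|Regex|Regular expression match = [eval(base64_decode]|bob
/home/bob/public_html/x.php|ClamAV|ClamAV detected virus = [PHP.Shell]|bob;id
EOF
}

run_samples
```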