CXS Malware Threat Detection System

All Rocksolidnet shared servers run the CXS Malware Threat Detection System to help protect our clients' websites. If CXS detects that your website is hosting malicious code, malware and/or viruses, the suspect files will be removed from your website and quarantined. In extreme cases, your website may be suspended.


We will also be deploying active scanning on your website(s). Many of you are unknowingly uploading exploits from your own computers. Sound scary? It is. If you upload a file to your website and the file does not appear to have been transferred, it means our Malware Threat Detection System has detected a virus, malicious code and/or scripting in it and has blocked the file. In this instance we recommend you run a full scan and clean your computer before trying again.


Review the information below to understand your results. If you see an "M" or "V" in your report, contact us immediately, as this means a virus or malware has been uploaded to your website.


m = Regular expression match = [regex]

cxs has a regular expression lookup table which it uses to identify suspicious
files. These regex patterns look for two types of text constructs. Firstly,
those of known exploits (a fingerprint approach). Secondly, generic text
constructs found in common between many types of exploit (a heuristic
approach). For example, one of the regex patterns looks for the use of base64
encoded data in PHP scripts. This method of obfuscation is typically used by
exploits to hide their true purpose. If this regex is matched from the text
in a file, then that file will be reported as suspicious. You can ignore
specific regex patterns using an ignore file and the match: prefix.
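To show how a heuristic table and an ignore file fit together, here is a small Python scanner added as an example; it is not cxs code and its pattern table is constructed for illustration, not cxs's own. The ignore file format used here (one "match:<pattern name>" entry per line) is an assumption about the syntax, not a statement of cxs's exact format. The sample scripts are constructed: one feeds a base64 literal (which decodes to "hello") into eval() through a decompressor, the other decodes base64 for a legitimate reason and is not flagged.

```python
import re

# Constructed heuristic patterns in the spirit of the "m" category. These are
# illustrative only, not cxs's regex table, which has far more entries.
HEURISTIC_PATTERNS = {
    # eval() fed directly (or through a decompressor) from base64_decode()
    "php_eval_base64": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I),
    # a very long base64 literal handed straight to base64_decode()
    "php_long_base64_literal": re.compile(
        r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]"),
    # a variable used as a function name and called on raw request input
    "php_variable_function_on_input": re.compile(
        r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}

def parse_ignore_file(text):
    """Parse an ignore file. Assumed format (not necessarily cxs's exact syntax):
    one entry per line, 'match:<pattern name>' disables that heuristic;
    blank lines and '#' comments are skipped."""
    ignored = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("match:"):
            ignored.add(line[len("match:"):].strip())
    return ignored

def scan_text(content, ignored=frozenset()):
    """Return the sorted names of every heuristic that matches content,
    skipping any heuristic named in ignored."""
    return sorted(name for name, pattern in HEURISTIC_PATTERNS.items()
                  if name not in ignored and pattern.search(content))

# Constructed samples: an obfuscated-looking snippet (the payload decodes to
# 'hello') and an ordinary script that legitimately decodes a config value.
SAMPLE_SUSPICIOUS = '<?php eval(gzinflate(base64_decode("aGVsbG8="))); ?>'
SAMPLE_CLEAN = ('<?php $logo = base64_decode($config["logo_png"]); '
                'header("Content-Type: image/png"); echo $logo; ?>')
SAMPLE_IGNORE_FILE = "# reviewed vendor library uses this construct\nmatch:php_eval_base64\n"

if __name__ == "__main__":
    print("suspicious:", scan_text(SAMPLE_SUSPICIOUS))
    print("clean:     ", scan_text(SAMPLE_CLEAN))
    print("suspicious with ignore file:",
          scan_text(SAMPLE_SUSPICIOUS, parse_ignore_file(SAMPLE_IGNORE_FILE)))
```

The point of the ignore file is that it disables one named heuristic, not the scanner: a reviewed library that legitimately uses the construct can be excluded while every other pattern still applies to the same file.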


M = Known exploit = [Fingerprint Match]

cxs uses a lookup table of over 4500 exploit script fingerprints and matches
scripts that have an identical fingerprint value.


O = socket

A socket is typically used to transfer data between two separate processes. You
would not normally expect to find a socket within a web hosting account and its
presence is therefore regarded here as suspicious.


L = Symlink to [symlink]

A symlink, or symbolic link, is a special type of file that provides a
reference to another file or directory. These are usually used for convenience
by the OS and server administrators to reorder the file system. For example, on
a cPanel server symlinks are used in the user mail accounts structure for their
imap implementation. You would not normally expect to find a symlink within a
web hosting account web root to files outside of that account (e.g. to system
files) and its presence is therefore regarded here as suspicious. Symlinks to
files within an account are ignored.
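The following Python check, added here as an example and not cxs code, implements the rule in the paragraph above: walk an account without following links and report only those symlinks whose fully resolved target lies outside the account directory. The demo builds a constructed account tree under a temporary directory with one internal link (ignored), one absolute link to a system file and one relative link that climbs out of the account (both reported).

```python
import os
import tempfile

def symlink_escapes_account(path, account_root):
    """True when path is a symlink whose fully resolved target (following any
    chain of links) lies outside account_root. Non-links are never reported."""
    if not os.path.islink(path):
        return False
    root = os.path.realpath(account_root)
    target = os.path.realpath(path)          # resolves relative and chained links
    return os.path.commonpath([root, target]) != root

def find_escaping_symlinks(account_root):
    """Walk account_root (without following links) and return sorted
    (relative link path, raw link target) pairs for every escaping symlink."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(account_root):
        for name in dirnames + filenames:    # symlinks to directories appear in dirnames
            path = os.path.join(dirpath, name)
            if symlink_escapes_account(path, account_root):
                findings.append((os.path.relpath(path, account_root), os.readlink(path)))
    return sorted(findings)

def demo():
    """Constructed account tree: one internal link (ignored), one absolute link to a
    system file and one relative link climbing out of the account (both reported)."""
    base = tempfile.mkdtemp(prefix="cxs-symlink-demo-")
    root = os.path.join(base, "account")
    web = os.path.join(root, "public_html")
    os.makedirs(web)
    with open(os.path.join(web, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    os.symlink("index.html", os.path.join(web, "home.html"))     # stays inside the account
    os.symlink("/etc/passwd", os.path.join(web, "pw.txt"))       # points at a system file
    os.symlink("../../outside", os.path.join(web, "up"))         # climbs out of the account
    return find_escaping_symlinks(root)

if __name__ == "__main__":
    for link, target in demo():
        print(f"L  {link} -> {target}")
```

Resolving with os.path.realpath matters: a link whose raw target looks harmless ("../../outside") still escapes the account once the relative path is resolved, and a chain of links is judged by where it finally lands.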


f = suspicious file

cxs will report suspicious files, e.g. image files that contain script
code, or C/C++ source files. The former should not normally exist, and you don't
usually see C/C++ files in standard web hosting accounts.


S = SUID file

Files with SUID, or set user ID, permissions allow users to run an executable
with the permissions of the executable's owner. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with SUID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.


G = GUID file

Files with GUID, or set group ID, permissions allow users to run an executable
with the permissions of the executable's group. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with SGID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.


c = core dump file

A core dump file is a special system file generated by some executables.
Typically, they are generated when an executable hits a fatal error during
execution. At best, such files indicate a problem with the executable involved
and consume considerable disk space. At worst, core dump files have been used
to gain elevated user privileges and exploit a server.


C = core dump file deleted

This option will automatically delete core dump files as described above.


h = suspected exploit file

cxs uses a lookup table of file names and file types which are commonly used by
exploits. For example, you would not normally expect to find a file named httpd
within a web hosting account and indeed a common exploit uses that name in an
attempt to appear innocuous.


e = Linux binary or executable file

A Linux binary or executable file is one that will run on a Linux OS (ELF,
Executable and Linkable Format). Typically, such files within user accounts are
exploits that run as daemon processes mimicking system processes to remain
hidden. You would not normally expect to find a Linux binary file within a web
hosting account and its presence is therefore regarded here as suspicious.


x = Windows binary or executable file

While a Windows binary file cannot be executed on a Linux OS, you would not
normally expect to find one within a web hosting account, and its presence could
indicate a Trojan file and so is regarded here as suspicious.


d = suspicious directory name

cxs will report directory names that contain non-standard ASCII characters.
Such directories can often be named in such a way as to appear hidden to the
end user. Examples would be directories called /.../ or / ../, which might
appear innocuous but often contain exploits.


n = hidden directory owned by nobody user

A directory with a leading dot (e.g. /.hidden/) will often not be visible in
many FTP client applications. One that is owned by the nobody user account has
likely been created by a web script running under the nobody user account
(typically a PHP script where suPHP is not enabled). Such directories are
suspicious because they appear to be deliberately hidden, and so are reported.


w = world writable directory

In a shared web hosting environment a directory that is world writable can
typically be read and written to by any user on the server. Such directories
should be avoided, especially in web roots, as they can allow exploits to spread
between user accounts.
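The S, G, d, n and w checks above all come down to inspecting each directory entry's name, mode bits and owner. The Python walk below is added as an example (not cxs code) and covers all five in one pass: setuid and setgid bits on regular files, world-writable directories, directory names that are all dots or contain whitespace or non-printable characters, and dot-directories owned by a given uid. The demo builds a constructed tree in a temporary directory; because that tree is owned by whoever runs the script, it passes the current uid in place of the real "nobody" uid so the n rule can be seen firing.

```python
import os
import pwd
import stat
import tempfile

def nobody_uid():
    """uid of the 'nobody' account, or None if this system has no such user."""
    try:
        return pwd.getpwnam("nobody").pw_uid
    except KeyError:
        return None

def is_suspicious_dirname(name):
    """Names that are easy to overlook in a listing: made only of dots (e.g. '...'),
    or containing whitespace or non-printable characters (e.g. ' ..')."""
    if name and set(name) == {"."}:
        return True
    return any(ch.isspace() or not ch.isprintable() for ch in name)

def permission_findings(account_root, nobody=None):
    """Walk account_root (not following links) and return sorted (code, relative path)
    pairs: S = setuid file, G = setgid file, w = world-writable directory,
    d = suspicious directory name, n = hidden directory owned by uid `nobody`
    (defaults to the system's 'nobody' account)."""
    if nobody is None:
        nobody = nobody_uid()
    findings = []
    for dirpath, dirnames, filenames in os.walk(account_root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):      # a symlink to a directory is not a directory
                continue
            rel = os.path.relpath(path, account_root)
            if st.st_mode & stat.S_IWOTH:
                findings.append(("w", rel))
            if is_suspicious_dirname(name):
                findings.append(("d", rel))
            if name.startswith(".") and nobody is not None and st.st_uid == nobody:
                findings.append(("n", rel))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, account_root)
            if st.st_mode & stat.S_ISUID:
                findings.append(("S", rel))
            if st.st_mode & stat.S_ISGID:
                findings.append(("G", rel))
    return sorted(findings)

def demo():
    """Build a constructed account tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="cxs-perm-demo-")
    for sub in ("bin", os.path.join("public_html", "uploads"),
                os.path.join("public_html", " .."), ".cache"):   # ' ..' looks like '..'
        os.makedirs(os.path.join(root, sub))
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:                    # set modes explicitly so the umask cannot skew the demo
            os.chmod(os.path.join(dirpath, d), 0o755)
    for name, mode in (("suid_tool", 0o4755), ("sgid_tool", 0o2755), ("plain", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "public_html", "uploads"), 0o777)
    # The tree is owned by the current user, so treat that uid as 'nobody' to show
    # the hidden-directory rule firing; a real scan would rely on nobody_uid().
    return permission_findings(root, nobody=os.getuid())

if __name__ == "__main__":
    for code, rel in demo():
        print(code, rel)
```

Using os.lstat rather than os.stat keeps the check honest: a symlink's own mode bits are inspected, so a link to a setuid system binary is left to the symlink rule rather than being reported as a setuid file inside the account.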


T = script file

This is a special option to identify scripts. It attempts to identify PHP,
Perl, and other shebang (#!) script files such as shell scripts. You may not
want to allow scripts to be uploaded through upload forms, or to be present in
certain directories that you scan (e.g. /tmp or /dev/shm), so this option is
available to detect them.


E = Email script match

This indicates that the script sends out email. This can be useful if you are
trying to identify scripts within an account that send out email.
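The f, e, x, T and E codes above are all content checks rather than permission checks: binaries are recognised by their magic bytes, scripts by a shebang line or PHP open tag, and the "image that is really a script" and "script that sends mail" cases by combining those with the file name or a pattern match. The Python classifier below is added as an example and is not cxs code; its mail-call pattern and its extension lists are constructed for illustration, and the PE sample is only the minimum header needed for the signature check, not a real executable.

```python
import os
import re
import struct

ELF_MAGIC = b"\x7fELF"
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico", ".webp"}
SOURCE_EXTENSIONS = {".c", ".cc", ".cpp", ".h", ".hpp"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")
# Constructed pattern for mail-sending calls in PHP/Perl scripts (not cxs's own list).
MAIL_CALL = re.compile(rb"\b(?:mail|mb_send_mail)\s*\(|\bPHPMailer\b|\bsendmail\b", re.I)

def is_linux_binary(data):
    """ELF files start with the four magic bytes 0x7f 'E' 'L' 'F'."""
    return data[:4] == ELF_MAGIC

def is_windows_binary(data):
    """PE files start with 'MZ'; the 32-bit little-endian value at offset 0x3c
    (e_lfanew) gives the offset of the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"

def is_script(data):
    """A shebang line (#!) at the start, or a PHP open tag anywhere in the content."""
    return data.startswith(b"#!") or any(tag in data for tag in PHP_OPEN_TAGS)

def classify(name, data):
    """Return the sorted report codes for one file given its name and content:
    e = Linux binary, x = Windows binary, T = script, f = suspicious file
    (script code inside an image, or C/C++ source), E = script that sends email."""
    ext = os.path.splitext(name)[1].lower()
    codes = []
    if is_linux_binary(data):
        codes.append("e")
    if is_windows_binary(data):
        codes.append("x")
    script = is_script(data)
    if script:
        codes.append("T")
        if MAIL_CALL.search(data):
            codes.append("E")
    if (ext in IMAGE_EXTENSIONS and script) or ext in SOURCE_EXTENSIONS:
        codes.append("f")
    return sorted(codes)

def pe_sample():
    """Constructed minimal PE header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return header + b"PE\0\0" + b"\0" * 16

# Constructed sample contents, one per report code plus a clean image.
SAMPLES = {
    "shell.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo 'not an image'; ?>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
    "contact.php": b"<?php mail($to, $subject, $body); ?>",
    "httpd": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 13,
    "update.exe": pe_sample(),
    "run.sh": b"#!/bin/sh\necho hello\n",
    "util.c": b"int main(void) { return 0; }\n",
}

def classify_all(samples=SAMPLES):
    """Classify every sample; returns {name: [codes]}."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, codes in classify_all().items():
        print(f"{name:12s} {''.join(codes) or '-'}")
```

Note that the image check keys on content, not on the extension alone: "shell.jpg" is reported because a PHP open tag is present in what claims to be a JPEG, while a genuine PNG with no script markers is left alone.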
