CXS reporting symlink -- no option in crontab
Posted: 06 Jun 2013, 08:57
by gvard
Hello,
In my daily scan I use the following crontab:
/usr/sbin/cxs -mail ###@#####.## --exp --novir -o mMOSGchdnD -Z --sum -T 5 -all --ignore /etc/cxs/cxs.ignore
For some reason, on more than a dozen servers I received today about 50-200 hits per server with the following reason:
# Regular expression match = [symlink\s*\(]:
'/home/USERNAME/public_html/cp2/libraries/pear/archive_tar/Archive_Tar.php'
I don't have symlinks ( L ) in my crontab, why was I notified about this? Has this happened to other users also today?
Re: CXS reporting symlink -- no option in crontab
Posted: 07 Jun 2013, 07:03
by Sergio
This is not telling you that you have a symlink; what it is telling you is that inside the file Archive_Tar.php there is a line that calls symlink.
Re: CXS reporting symlink -- no option in crontab
Posted: 07 Jun 2013, 07:45
by gvard
Hello,
There are many legitimate scripts that have this in them, for example:
com_joomlaupdate:
// Create the symlink - only possible within PHP context. There's no support built in the FTP protocol, so no postproc use is possible here :(
if( !AKFactory::get('kickstart.setup.dryrun','0') )
@symlink($data, $this->fileHeader->realFile);
Archive_Tar.php which is a common Joomla! package ->
http://api.joomla.org/1.5/Archive_Tar/_ ... r.php.html
if (!@symlink($v_header['link'], $v_header['filename'])) {
$this->_error('Unable to extract symbolic link {'
.$v_header['filename'].'}');
return false;
}
Akeeba Backup (a well-known piece of CMS backup software)
Those 3 programs alone produce hundreds of hits on my servers with false positives. I would like to know how to remove that specific check from my daily scanning cronjob, it prevents us from checking the logs on a daily basis.
Re: CXS reporting symlink -- no option in crontab
Posted: 07 Jun 2013, 15:10
by Sergio
If you know it is a false positive, then add the file:
/home/USERNAME/public_html/cp2/libraries/pear/archive_tar/Archive_Tar.php
to the ignore list.
Sergio
Re: CXS reporting symlink -- no option in crontab
Posted: 07 Jun 2013, 15:16
by gvard
I cannot add each one of these false positives in /etc/cxs/cxs.ignore, because:
1) There are many usernames
2) They use different file locations
3) They keep adding them daily (and cxswatch blocks them).
One simple question for the authors: How can I ignore "symlink" alerts?
Re: CXS reporting symlink -- no option in crontab
Posted: 07 Jun 2013, 15:33
by Sergio
In the meantime, add the MD5 of the file to the ignore list, not all the occurrences of the same file.
If the symlink is there, it is for a reason; one of my servers once had a script with symlinks that stole all the database passwords.
Maybe the forum is not the best way to get a fast answer from the authors; opening a ticket will be much easier.
Sergio
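The two suggestions in this thread (ignore the file by path, or ignore it by MD5) behave quite differently once the same library is installed under many accounts at different depths. The script below is an added example, not cxs code and not from ConfigServer: it re-runs the content regex the report quoted (symlink\s*\( ) over a handful of constructed PHP excerpts, then applies an ignore list first by path and then by MD5. The `file:` / `md5:` keywords and the sample file contents are assumptions made for this example (the excerpts are modelled on the snippets quoted above and on the password-stealing script Sergio describes, not copied from any package), and the ignore-list syntax is not cxs's documented format.

```python
"""Re-enact the cxs hit from the thread: a content regex for symlink( over a set
of files, then two ways to suppress known-good files, by path and by MD5.
Added example, not cxs code. The ignore-list keywords below are assumed."""
import hashlib
import re

# The pattern the cxs report quoted, without the [ ] that cxs prints around it.
SYMLINK_RE = re.compile(rb"symlink\s*\(")

# Constructed excerpts standing in for real files (modelled on the thread's snippets).
ARCHIVE_TAR_SRC = b"""<?php
if (!@symlink($v_header['link'], $v_header['filename'])) {
    $this->_error('Unable to extract symbolic link');
    return false;
}
"""
KICKSTART_SRC = b"""<?php
if (!AKFactory::get('kickstart.setup.dryrun', '0')) {
    @symlink($data, $this->fileHeader->realFile);
}
"""
# A hostile script of the kind Sergio describes: it symlinks other users' config
# files into a web-readable location so their database passwords can be read over HTTP.
DROPPER_SRC = b"""<?php
foreach (scandir('/home') as $u) {
    symlink("/home/$u/public_html/configuration.php", "$u.txt");
}
"""
BENIGN_SRC = b"<?php echo 'hello';\n"

# The same library installed under two accounts at two depths: a path entry
# only covers one copy, an md5 entry covers both.
SAMPLE_FILES = {
    "/home/alice/public_html/libraries/pear/archive_tar/Archive_Tar.php": ARCHIVE_TAR_SRC,
    "/home/bob/public_html/cp2/libraries/pear/archive_tar/Archive_Tar.php": ARCHIVE_TAR_SRC,
    "/home/bob/public_html/kickstart.php": KICKSTART_SRC,
    "/home/carol/public_html/images/x.php": DROPPER_SRC,
    "/home/dave/public_html/index.php": BENIGN_SRC,
}


def file_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_ignore(text: str):
    """Parse 'file:<path>' and 'md5:<hex>' entries (assumed syntax for this example)."""
    paths, digests = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad ignore entry: {raw!r}")
        if kind == "file":
            paths.add(value)
        elif kind == "md5":
            digests.add(value.lower())
        else:
            raise ValueError(f"unknown ignore keyword: {kind!r}")
    return paths, digests


def scan(files: dict, ignore_text: str = "") -> list:
    """Return, sorted, the paths whose content matches SYMLINK_RE and is not ignored."""
    paths, digests = parse_ignore(ignore_text)
    hits = []
    for path, data in sorted(files.items()):
        if path in paths or file_md5(data) in digests:
            continue  # ignored by exact path or by content hash
        if SYMLINK_RE.search(data):
            hits.append(path)
    return hits


# Sergio's first suggestion: one explicit path.
IGNORE_BY_PATH = "file:/home/alice/public_html/libraries/pear/archive_tar/Archive_Tar.php\n"
# Sergio's second suggestion: the hash of the file, wherever it is installed.
IGNORE_BY_MD5 = "md5:" + file_md5(ARCHIVE_TAR_SRC) + "\n"

if __name__ == "__main__":
    for label, ignore in (("no ignore", ""), ("path entry", IGNORE_BY_PATH), ("md5 entry", IGNORE_BY_MD5)):
        print(label)
        for hit in scan(SAMPLE_FILES, ignore):
            print("  ", hit)
```

With no ignore list every file that calls symlink is reported, the legitimate extractors and the hostile script alike, since the regex only looks at text. The path entry silences one copy of Archive_Tar.php and leaves the identical copy under the other account reported; the MD5 entry silences both copies while still reporting kickstart.php (different content, so a different hash) and the hostile script. That is the trade-off behind the advice above: a hash entry scales across accounts but has to be refreshed whenever the package is updated, and neither form of ignore does anything about a genuinely malicious symlink caller.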
Re: CXS reporting symlink -- no option in crontab
Posted: 06 Apr 2018, 12:20
by webicom
Did you manage to solve this issue? I would also like to know how to completely disable symlink hits while scanning with a cronjob.