CXS reporting symlink -- no option in crontab

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
gvard
Junior Member
Posts: 39
Joined: 16 Feb 2008, 19:42

CXS reporting symlink -- no option in crontab

Post by gvard »

Hello,

In my daily scan I use the following crontab:

/usr/sbin/cxs -mail ###@#####.## --exp --novir -o mMOSGchdnD -Z --sum -T 5 -all --ignore /etc/cxs/cxs.ignore

for some reason in more than a dozen servers I received today about 50-200 hits per server with the following reason:

Code: Select all

# Regular expression match = [symlink\s*\(]:
'/home/USERNAME/public_html/cp2/libraries/pear/archive_tar/Archive_Tar.php'
I don't have symlinks ( L ) in my crontab, why was I notified about this? Has this happened to other users also today?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: CXS reporting symlink -- no option in crontab

Post by Sergio »

This is not telling that you have a symlink, what is telling is that inside the file Archive_Tar.php, there is a line that is calling a symlink.
gvard
Junior Member
Posts: 39
Joined: 16 Feb 2008, 19:42

Re: CXS reporting symlink -- no option in crontab

Post by gvard »

Hello,

There are a many legitimate scripts that have this on the, for example:

com_joomlaupdate:

Code: Select all

              // Create the symlink - only possible within PHP context. There's no support built in the FTP protocol, so no postproc use is possible here :(
                if( !AKFactory::get('kickstart.setup.dryrun','0') )
                        @symlink($data, $this->fileHeader->realFile);

Archive_Tar.php which is a common Joomla! package -> http://api.joomla.org/1.5/Archive_Tar/_ ... r.php.html

Code: Select all

  if (!@symlink($v_header['link'], $v_header['filename'])) {
                  $this->_error('Unable to extract symbolic link {'
                                .$v_header['filename'].'}');
                  return false;
              }

Akeeba Backup (a famous CMS backup software)


Those 3 programs alone produce hundreds of hits on my servers with false positives. I would like to know how to remove that specific check from my daily scanning cronjob, it prevents us from checking the logs on a daily basis.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: CXS reporting symlink -- no option in crontab

Post by Sergio »

If you know it is a false positive, then add the file:
/home/USERNAME/public_html/cp2/libraries/pear/archive_tar/Archive_Tar.php
to the ignore list.

Sergio
gvard
Junior Member
Posts: 39
Joined: 16 Feb 2008, 19:42

Re: CXS reporting symlink -- no option in crontab

Post by gvard »

I cannot add each one of these false positives in /etc/cxs/cxs.ignore, because:

1) There are many usernames
2) They use different file locations
3) They keep adding them daily (and cxswatch blocks them).

One simple question for the authors: How can I ignore "symlink" alerts?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: CXS reporting symlink -- no option in crontab

Post by Sergio »

In the mean time, add the MD5 of the file on the ignore list not all the occurrences of the same file.

If the symlink is there is for a reason, one of my servers once had a script with symlinks that stoled all the database passwords.

May be the forum will not be the best way to get a fast answer from the authors, opening a ticket will be much easier.

Sergio
webicom
Junior Member
Posts: 15
Joined: 02 Feb 2009, 22:09

Re: CXS reporting symlink -- no option in crontab

Post by webicom »

Did you manage to solve this issue? I would also like to know how to completely disable symlink hits while scaning with cronjob?
Post Reply