STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
dieter
Junior Member
Posts: 11
Joined: 18 Mar 2011, 05:36

Re: STICKY rules for CXS.XTRA regs.

Post by dieter »

Hi Sergio,

I will remember in the future. Thank you, it works; I found a couple of sites infected with this, all Joomla sites.

Thank you,

Dieter
azednet
Junior Member
Posts: 9
Joined: 31 Jan 2014, 18:23

Re: STICKY rules for CXS.XTRA regs.

Post by azednet »

Hello,

How can I block a file with this script:

Code:

<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Sergio
Junior Member
Posts: 1435
Joined: 12 Dec 2006, 14:56

Re: STICKY rules for CXS.XTRA regs.

Post by Sergio »

azednet wrote:Hello,

How can I block a file with this script:

Code:

<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Please use a regular post in the forum and I will help you there, sticky is only for CXS rules that you want to share with the community.
kam1lo
Junior Member
Posts: 2
Joined: 30 Jun 2014, 14:48

Re: STICKY rules for CXS.XTRA regs.

Post by kam1lo »

Hi guys, this is my first post. The following are some regs I have been using; I don't know if some have already been posted:


Best regards!
kam1lo
Junior Member
Posts: 2
Joined: 30 Jun 2014, 14:48

Re: STICKY rules for CXS.XTRA regs.

Post by kam1lo »

regall:quarantine:FJ3HjoNctlNfpXT9WAzIVnfdFjnnzKRSBpODVkJ
azednet
Junior Member
Posts: 9
Joined: 31 Jan 2014, 18:23

Re: STICKY rules for CXS.XTRA regs.

Post by azednet »

masimo
Junior Member
Posts: 3
Joined: 16 Feb 2016, 09:05

Re: STICKY rules for CXS.XTRA regs.

Post by masimo »

I found very useful patterns for simple web malware detection.

http://www.abuseat.org/findbot.pl

Code:

my $scriptpat = '(Edited By GuN-Jack|die\(PHP_OS.chr\(49\).chr\(48\).chr\(43\).md5\(0987654321\)|die\(PHP_OS.chr\(49\).chr\(49\).chr\(43\).md5\(0987654321\)|social\.png|r57|c99|web shell|passthru|shell_exec|base64_decode|edoced_46esab|PHPShell|EHLO|MAIL FROM|RCPT TO|fsockopen|\$random_num\.qmail|getmxrr|\$_POST\[\'emaillist\'\]|if\(isset\(\$_POST\[\'action\'\]|BAMZ|shell_style|malsite|cgishell|Defaced|defaced|Defacer|defacer|hackmode|ini_restore|ini_get\("open_basedir"\)|runkit_function|rename_function|override_function|mail.add_x_header|\@ini_get\(\'disable_functions\'\)|open_basedir|openbasedir|\@ini_get\("safe_mode"|JIKO|fpassthru|passthru|hacker|Hacker|gmail.ru|fsockopen\(\$mx|\'mxs\.mail\.ru\'|yandex.ru|UYAP-CASTOL|KEROX|BIANG|FucKFilterCheckUnicodeEncoding|FucKFilterCheckURLEncoding|FucKFilterScanPOST|FucKFilterEngine|fake mailer|Fake mailer|Mass Mailer|MasS Mailer|ALMO5EAM|3QRAB|Own3d|eval\(\@\$_GET|TrYaG|Turbo Force|eval \( gzinflate|eval \(gzinflate|cgi shell|cgitelnet|\$_FILES\[file\]|\@copy\(\$_FILES|root\@|eval\(\(base64_decode|define\(\'SA_ROOT\'|cxjcxj|PCT4BA6ODSE|if\(isset\(\$s22\)|yb dekcah|dekcah|\@md5\(\$_POST|iskorpitx|\$__C|back connect|ccteam.ru|"passthru"|"shell_exec"|CHMOD_SHELL|EXIT_KERNEL_TO_NULL|original exploit|prepare_the_exploit|RUN_ROOTSHELL|ROOTSHELL|\@popen\(\$sendmail|\'HELO localhost\'|TELNET|Telnet|BACK-CONNECT|BACKDOOR|BACK-CONNECT BACKDOOR|AnonGhost|CGI-Telnet|webr00t|Ruby Back Connect|Connect Shell|require \'socket\'|HACKED|\@posix_getgrgid\(\@filegroup|\@posix_getpwuid\(\@fileowner|\&\#222\;\&\#199\;\&\#198\;\&\#227\;\&\#229\;|open_basedir|disable_functions|brasrer64r_rdrecordre|hacked|Hacked|\$sF\[4\]\.\$sF\[5\]\.\$sF\[9\]\.\$sF\[10\]\.|\$sF\="PCT4BA6ODSE_"|\$s21\=strtolower|6ODSE_"\;|Windows-1251|\@eval\(\$_POST\[|h4cker|Kur-SaD|\'Fil\'\.\'esM\'\.\'an\'|echo PHP_OS\.|\$testa != ""|\@PHP_OS|\$_POST\[\'veio\'\]|file_put_contents\(\'1\.txt\'|\$GLOBALS\["\%x61|\\\40\\\x65\\\166\\\x61\\\154\\\x28\\\163\\\x74\\\162\\\x5f\\\162\\\x65\\\160\\\x6c\\\141\\\x63\\\145|md5decrypter\.com|rednoize\.com|hashcracking\.info|milw0rm\.com|hashcrack\.com|function_exists\(\'shell_exec\'\)|Sh3ll Upl04d3r|Sh3ll Uploader|S F N S A W|\$\{\$\{"GLOBALS"\}|\$i59\="Euc\<v\#|\$contenttype \= \$_POST\[|eval\(base64|killall|1\.sh|\/usr\/bin\/uname -a|FilesMan|unserialize\(base64_decode|eval \( base64|eval \(base64|eval\(unescape|eval\(@gzinflate|gzinflate\(base64|str_rot13\(\@base64|str_rot13\(base64|gzinflate\(\@str_rot13|\/\.\*\/e|gzuncompress\(base64|substr\(\$c, \$a, \$b|\\\x47LOB|\\\x47LO\\\x42|\\\x47L\\\x4f\\\x42|\\\x47\\\x4c\\\x4f\\\x42|eval\("\?\>"\.base64_decode|\|imsU\||\!msiU|host\=base64|exif \= exif_|"\?Q\?|decrypt\(base64|Shell by|die\(PHP_OS|shell_exec\(base64_decode|\$_F\=|edoced_46esab|\$_D\=strrev|\]\)\)\;\}\}eval|\\\x65\\\x76\\\x61\\\x6c\\\x28|"e"\."va"\."l|\$so64 \=|sqlr00t|qx\{pwd\}|OOO0000O0|OOO000O00|OOO000000|\/\\\r\\\n\\\r\\\n|\$baseurl \= base64_decode|\$remoteurl\,\'wp-login\.php\'|\'http\:\/\/\'\.\$_SERVER\[\'SERVER_NAME\'\]|kkmvbziu|\$opt\("\/292\/e"|\$file\=\@\$_COOKIE\[\'|phpinfo\(\)\;die|return base64_decode\(|\@imap_open\(|\@imap_list\(|\$Q0QQQ\=0|\$GLOBALS\[\'I111\'\]|base64_decode\(\$GLOBALS|eval\(x\(|\@array\(\(string\)stripslashes|function rx\(\)| IRC |BOT IRC|\$bot_password|this bot|Web Shell|Web shell|getenv\(\'SERVER_SOFTWARE\'\)|file_exists\(\'\/tmp\/mb_send_mail\'\)|unlink\(\'\/tmp\/|imap_open\(\'\/etc\/|ini_set\(\'allow_url|\'_de\'\.\'code\'|\'base\'\.\(32\*2\))';
How can I use this list in cxs.xtra?
POUSSETY
Junior Member
Posts: 2
Joined: 09 May 2019, 03:53

Re:

Post by POUSSETY »

Sergio wrote: 19 Jan 2010, 03:35
Hostell wrote: this shouldn't be blocked.
If you have scripts to send emails that uses an URL on the header it has to be investigated, as it could send an URL that is not in your server.

Remember that CXS is there to help you check what is being uploaded to your server; if one of your customers uploads a file with this regex in it, CXS will tell you what code your customer is uploading.
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.
sahostking
Junior Member
Posts: 27
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa
Contact:

Re: STICKY rules for CXS.XTRA regs.

Post by sahostking »

Here are some md5sum rules we added yesterday. Mostly uploaded mailer scripts trying to spam from the server, but a few were also WordPress hacking scripts.

The filenames were wpz-load.php, mindex.php, ROOT.php, and many weird Russian filenames I can't remember.
