STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
67 posts Page 7 of 7
dieter
Junior Member
Posts: 11
Joined: 18 Mar 2011, 05:36


Hi Sergio,

I will remember in the future. Thank you, it works; I found a couple of sites infected with this, all Joomla sites.

Thank you,

Dieter
azednet
Junior Member
Posts: 8
Joined: 31 Jan 2014, 18:23


Hello,

How can I block a file with this script:

<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


azednet wrote:
Hello,

How can I block a file with this script:

<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Please use a regular post in the forum and I will help you there; the sticky is only for CXS rules that you want to share with the community.
kam1lo
Junior Member
Posts: 2
Joined: 30 Jun 2014, 14:48


Hi guys, this is my first post. The following are some regs I have been using; I don't know if some have already been posted:

regphp:quarantine:Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMj
regphp:quarantine:FcxOCoAgEAXQq7QIrFJXtCs6i4Rad6gjzV9r
regphp:quarantine:PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp
file:quarantine:NUEVONORTE.zip
regall:quarantine:El Banco fuerte de mexico
regphp:quarantine:p1wis Unzip
regall:quarantine:Hacked by DeathAngeL01
regall:quarantine:MUS4LLAT
regall:quarantine:Hacked By Virus Attacker
regall:quarantine:TeaM Pak Cyber Experts
regphp:quarantine:Pz48P3BocCAkX0Y9X19GSUxFX187JF9YPSdQenU4UG9CMmNDQTBaNGdoWmpOM
regall:quarantine:Hacked By BL4CK C0D3
regall:quarantine:Falleg Gassrini
regall:quarantine:Fallaga\.tounes
regphp:quarantine:PD9waHAKCiR0ZXN0YSA9ICRfUE9TVFsndmVpbyddOwppZ
regphp:quarantine:cmkzFgtlkq0ZkWbOeSxlzjQNfL3bLJBATyVHaO8755
regphp:quarantine:serr gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprafr
regall:quarantine:FleZxi
regall:quarantine:leadapi\.net
regall:quarantine:www\.365online\.com\/online365\/spring\/authentication
regall:quarantine:www\.bankofireland\.com
regphp:quarantine:SteelaxXx
regphp:quarantine:Hacked By ReZK2ll Team
regphp:quarantine:9age02ptak
regphp:quarantine:vsztequlskbcu0xrxbs3voiz1t7p8pdzts82n40k32nsxlxfj09qsz5dz9plzyk45
regphp:quarantine:vfgg4s6d46g4s64bxqlmqjkshmcjbqjbslmaihwqbcqfblqbvlqjbsufuoqbjfb
regphp:quarantine:langkilleyou
file:quarantine:paypal.security.zip
regphp:quarantine:JOKER7
regphp:quarantine:ArHaCk
regphp:quarantine:wireresult2014
regphp:quarantine:Ly9OSU5mZTlBZkx0bC9IZUZVZGM3OXJnL0RZbjRVaklHU1Y
regphp:quarantine:www\.companiadab\.com\.ar
regphp:quarantine:jxbpqr2b\.php
regphp:quarantine:dt8kf6553cww8\.cloudfront\.net
regphp:quarantine:dan video ke mana saja dan membaginya dengan mudah

Best regards!
kam1lo
Junior Member
Posts: 2
Joined: 30 Jun 2014, 14:48


regall:quarantine:FJ3HjoNctlNfpXT9WAzIVnfdFjnnzKRSBpODVkJ
azednet
Junior Member
Posts: 8
Joined: 31 Jan 2014, 18:23


regall:quarantine:store\.apple\.com
regall:quarantine:apple\.com\/WebObjects
regall:quarantine:Done\.php\?cmd\=Complete\&Dispatch\=
regall:quarantine:bendiouafa@gmail\.com
regall:quarantine:rezrozrez@gmail\.com
regall:quarantine:mizox@th3pro\.com
regall:quarantine:paypal\.fr\.connect\.fr
regall:quarantine:paypal\.com\/fr\/webapps
regall:quarantine:\.lcl\.fr
regall:quarantine:Gu3ssWho
regall:quarantine:InjecT0r Mailer
regall:quarantine:bnpparibas\.net
regall:quarantine:First Bank of Nigeria
regall:quarantine:\/BNPparibas
regall:quarantine:\/bnpparibas
regall:quarantine:credit-agricole
regall:quarantine:banque-populaire
regall:quarantine:creditmutuel\.fr
regall:quarantine:www\.creditmutuel\.fr
regall:quarantine:chase\.com
regall:quarantine:edf\.com
masimo
Junior Member
Posts: 3
Joined: 16 Feb 2016, 09:05


I found very useful patterns for simple web malware detection.

http://www.abuseat.org/findbot.pl
my $scriptpat = '(Edited By GuN-Jack|die\(PHP_OS.chr\(49\).chr\(48\).chr\(43\).md5\(0987654321\)|die\(PHP_OS.chr\(49\).chr\(49\).chr\(43\).md5\(0987654321\)|social\.png|r57|c99|web shell|passthru|shell_exec|base64_decode|edoced_46esab|PHPShell|EHLO|MAIL FROM|RCPT TO|fsockopen|\$random_num\.qmail|getmxrr|\$_POST\[\'emaillist\'\]|if\(isset\(\$_POST\[\'action\'\]|BAMZ|shell_style|malsite|cgishell|Defaced|defaced|Defacer|defacer|hackmode|ini_restore|ini_get\("open_basedir"\)|runkit_function|rename_function|override_function|mail.add_x_header|\@ini_get\(\'disable_functions\'\)|open_basedir|openbasedir|\@ini_get\("safe_mode"|JIKO|fpassthru|passthru|hacker|Hacker|gmail.ru|fsockopen\(\$mx|\'mxs\.mail\.ru\'|yandex.ru|UYAP-CASTOL|KEROX|BIANG|FucKFilterCheckUnicodeEncoding|FucKFilterCheckURLEncoding|FucKFilterScanPOST|FucKFilterEngine|fake mailer|Fake mailer|Mass Mailer|MasS Mailer|ALMO5EAM|3QRAB|Own3d|eval\(\@\$_GET|TrYaG|Turbo Force|eval \( gzinflate|eval \(gzinflate|cgi shell|cgitelnet|\$_FILES\[file\]|\@copy\(\$_FILES|root\@|eval\(\(base64_decode|define\(\'SA_ROOT\'|cxjcxj|PCT4BA6ODSE|if\(isset\(\$s22\)|yb dekcah|dekcah|\@md5\(\$_POST|iskorpitx|\$__C|back connect|ccteam.ru|"passthru"|"shell_exec"|CHMOD_SHELL|EXIT_KERNEL_TO_NULL|original exploit|prepare_the_exploit|RUN_ROOTSHELL|ROOTSHELL|\@popen\(\$sendmail|\'HELO localhost\'|TELNET|Telnet|BACK-CONNECT|BACKDOOR|BACK-CONNECT BACKDOOR|AnonGhost|CGI-Telnet|webr00t|Ruby Back Connect|Connect Shell|require \'socket\'|HACKED|\@posix_getgrgid\(\@filegroup|\@posix_getpwuid\(\@fileowner|\&\#222\;\&\#199\;\&\#198\;\&\#227\;\&\#229\;|open_basedir|disable_functions|brasrer64r_rdrecordre|hacked|Hacked|\$sF\[4\]\.\$sF\[5\]\.\$sF\[9\]\.\$sF\[10\]\.|\$sF\="PCT4BA6ODSE_"|\$s21\=strtolower|6ODSE_"\;|Windows-1251|\@eval\(\$_POST\[|h4cker|Kur-SaD|\'Fil\'\.\'esM\'\.\'an\'|echo PHP_OS\.|\$testa != ""|\@PHP_OS|\$_POST\[\'veio\'\]|file_put_contents\(\'1\.txt\'|\$GLOBALS\["\%x61|\\\40\\\x65\\\166\\\x61\\\154\\\x28\\\163\\\x74\\\162\\\x5f\\\162\\\x65\\\160\\\x6c\\\141\\\x63\\\145|md5decrypter\.com|rednoize\.com|hashcracking\.info|milw0rm\.com|hashcrack\.com|function_exists\(\'shell_exec\'\)|Sh3ll Upl04d3r|Sh3ll Uploader|S F N S A W|\$\{\$\{"GLOBALS"\}|\$i59\="Euc\<v\#|\$contenttype \= \$_POST\[|eval\(base64|killall|1\.sh|\/usr\/bin\/uname -a|FilesMan|unserialize\(base64_decode|eval \( base64|eval \(base64|eval\(unescape|eval\(@gzinflate|gzinflate\(base64|str_rot13\(\@base64|str_rot13\(base64|gzinflate\(\@str_rot13|\/\.\*\/e|gzuncompress\(base64|substr\(\$c, \$a, \$b|\\\x47LOB|\\\x47LO\\\x42|\\\x47L\\\x4f\\\x42|\\\x47\\\x4c\\\x4f\\\x42|eval\("\?\>"\.base64_decode|\|imsU\||\!msiU|host\=base64|exif \= exif_|"\?Q\?|decrypt\(base64|Shell by|die\(PHP_OS|shell_exec\(base64_decode|\$_F\=|edoced_46esab|\$_D\=strrev|\]\)\)\;\}\}eval|\\\x65\\\x76\\\x61\\\x6c\\\x28|"e"\."va"\."l|\$so64 \=|sqlr00t|qx\{pwd\}|OOO0000O0|OOO000O00|OOO000000|\/\\\r\\\n\\\r\\\n|\$baseurl \= base64_decode|\$remoteurl\,\'wp-login\.php\'|\'http\:\/\/\'\.\$_SERVER\[\'SERVER_NAME\'\]|kkmvbziu|\$opt\("\/292\/e"|\$file\=\@\$_COOKIE\[\'|phpinfo\(\)\;die|return base64_decode\(|\@imap_open\(|\@imap_list\(|\$Q0QQQ\=0|\$GLOBALS\[\'I111\'\]|base64_decode\(\$GLOBALS|eval\(x\(|\@array\(\(string\)stripslashes|function rx\(\)| IRC |BOT IRC|\$bot_password|this bot|Web Shell|Web shell|getenv\(\'SERVER_SOFTWARE\'\)|file_exists\(\'\/tmp\/mb_send_mail\'\)|unlink\(\'\/tmp\/|imap_open\(\'\/etc\/|ini_set\(\'allow_url|\'_de\'\.\'code\'|\'base\'\.\(32\*2\))';
How can I use this list on csf.xtra?
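The rules shared in this sticky (kam1lo's and azednet's lists above) all follow the same line shape, type:action:pattern, with regall (regex against any file), regphp (regex against PHP files only) and file (a file name) as the types, and masimo's question is how to get findbot.pl's big alternation into that shape. The script below is an added example written for this thread, not cxs's or ConfigServer's own code: it parses rule lines in that format, runs them over a few constructed sample files (signature bytes only, not real malware), decodes the base64 signature fragments so you can see what a rule like Pz48P3BocA0K... actually matches, and splits a findbot.pl-style alternation into one regphp rule per alternative. Treating .php/.phtml as "PHP files", skipping blank and # lines, and the sample rules and files are all assumptions made for the example; cxs itself decides file types its own way.

```python
# Added example: a small reader for cxs.xtra-style rules (illustration only, not cxs's
# own code). The type:action:pattern format with regall/regphp/file is taken from the
# rules posted in this thread; treating .php/.phtml as "PHP files" is an assumption.
import base64
import re

RULE_TYPES = {"regall", "regphp", "file"}   # only the types used in this thread
PHP_SUFFIXES = (".php", ".phtml")            # assumption: cxs's own detection may differ

# Constructed rule set, in cxs.xtra line format, using rules posted above.
RULES_TEXT = r"""
regphp:quarantine:Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMj
regall:quarantine:Hacked By BL4CK C0D3
regall:quarantine:www\.bankofireland\.com
file:quarantine:paypal.security.zip
"""

# Constructed sample files: just the signature bytes, not real malware.
SAMPLES = {
    "public_html/index.php": "<?php echo 'hello'; ?>",
    "public_html/x.php": "<?php eval(base64_decode('Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMjIyMj')); ?>",
    "public_html/notes.txt": "Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMjIyMj",   # regphp must skip this
    "public_html/about.html": "<!-- Hacked By BL4CK C0D3 -->",
    "public_html/paypal.security.zip": "PK\x03\x04",
}


def parse_rules(text):
    """Parse type:action:pattern lines (blank and # lines skipped); regex rules are
    compiled up front so a broken pattern fails here, not halfway through a scan."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)           # the pattern itself may contain colons
        if len(parts) != 3 or parts[0] not in RULE_TYPES:
            raise ValueError(f"line {lineno}: expected type:action:pattern, got {line!r}")
        rtype, action, pattern = parts
        compiled = None if rtype == "file" else re.compile(pattern)   # re.error if bad
        rules.append({"type": rtype, "action": action, "pattern": pattern, "re": compiled})
    return rules


def scan(name, content, rules):
    """Rules that fire on one file: file: matches the basename, regphp: only looks
    inside PHP files, regall: looks inside everything."""
    basename = name.rsplit("/", 1)[-1]
    is_php = basename.lower().endswith(PHP_SUFFIXES)
    hits = []
    for rule in rules:
        if rule["type"] == "file":
            if basename == rule["pattern"]:
                hits.append(rule)
        elif rule["type"] == "regphp" and not is_php:
            continue
        elif rule["re"].search(content):
            hits.append(rule)
    return hits


def scan_all(samples, rules):
    """Map each file name to the rule lines that fired on it (files with no hits omitted)."""
    report = {}
    for name, content in samples.items():
        fired = scan(name, content, rules)
        if fired:
            report[name] = [f"{r['type']}:{r['action']}:{r['pattern']}" for r in fired]
    return report


def decode_if_base64(pattern):
    """What a base64 signature fragment (kam1lo's regphp rules) decodes to, or None if
    the pattern is not plain base64. A signature is an arbitrary prefix of an encoded
    blob, so a dangling character is dropped and padding added before decoding."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{16,}", pattern):
        return None
    if len(pattern) % 4 == 1:
        pattern = pattern[:-1]
    pattern += "=" * (-len(pattern) % 4)
    try:
        return base64.b64decode(pattern, validate=True).decode("latin-1")
    except ValueError:
        return None


def perl_single_unquote(body):
    """Undo Perl single-quote escaping: inside '...' only \\\\ and \\' are special."""
    return re.sub(r"\\([\\'])", r"\1", body)


def findbot_to_rules(scriptpat_body, rtype="regphp", action="quarantine"):
    """Turn the body of findbot.pl's  my $scriptpat = '(a|b|c)';  into one cxs.xtra rule
    per alternative. Splits on '|' not preceded by a backslash, so escaped pipes such as
    \\|imsU\\| stay inside their alternative; exact duplicates are dropped."""
    regex = perl_single_unquote(scriptpat_body)
    if regex.startswith("(") and regex.endswith(")"):
        regex = regex[1:-1]
    rules, seen = [], set()
    for alt in re.split(r"(?<!\\)\|", regex):
        if not alt or alt in seen:           # no strip(): findbot uses ' IRC ' on purpose
            continue
        re.compile(alt)                       # fail loudly on anything Python's re rejects
        seen.add(alt)
        rules.append(f"{rtype}:{action}:{alt}")
    return rules


# Constructed excerpt of findbot.pl's alternation, exactly as it sits between the quotes.
FINDBOT_EXCERPT = r"(r57|c99|web shell|\|imsU\||\$_POST\[\'emaillist\'\]|passthru|passthru)"

if __name__ == "__main__":
    for name, fired in scan_all(SAMPLES, parse_rules(RULES_TEXT)).items():
        print(name, fired)
    print(repr(decode_if_base64("Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMj")))
    print("\n".join(findbot_to_rules(FINDBOT_EXCERPT)))
```

Two things worth doing before loading a converted findbot.pl list into cxs.xtra: decode and read the base64 fragments so you know what each one quarantines (the first of kam1lo's rules is the "?><?php" plus a row of hashes that the findbot pattern also hunts for via \$testa and \$_POST\['veio'\]), and prune the broad alternatives. Words like hacker, EHLO, TELNET, passthru or open_basedir appear in perfectly legitimate code and mail libraries, and a quarantine action on them will take real sites offline; findbot.pl only prints candidates for a human to look at, which is a different risk than an automatic quarantine.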