STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
68 posts Page 7 of 7
dieter
Junior Member
Posts: 11
Joined: 18 Mar 2011, 05:36


Hi Sergio,

I will remember in the future. Thank you, it works; I found a couple of sites infected with this, all Joomla sites.

Thank you,

Dieter
azednet
Junior Member
Posts: 8
Joined: 31 Jan 2014, 18:23


Hello,

How can I block a file with this script:

Code:
<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


azednet wrote:
Hello,

How can I block a file with this script:

Code:
<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Please use a regular post in the forum and I will help you there; the sticky is only for CXS rules that you want to share with the community.
kam1lo
Junior Member
Posts: 2
Joined: 30 Jun 2014, 14:48


Hi Guys, this is my first post. The following are some regs I have been using; I don't know if some have already been posted:

regphp:quarantine:Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMj
regphp:quarantine:FcxOCoAgEAXQq7QIrFJXtCs6i4Rad6gjzV9r
regphp:quarantine:PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp
file:quarantine:NUEVONORTE.zip
regall:quarantine:El Banco fuerte de mexico
regphp:quarantine:p1wis Unzip
regall:quarantine:Hacked by DeathAngeL01
regall:quarantine:MUS4LLAT
regall:quarantine:Hacked By Virus Attacker
regall:quarantine:TeaM Pak Cyber Experts
regphp:quarantine:Pz48P3BocCAkX0Y9X19GSUxFX187JF9YPSdQenU4UG9CMmNDQTBaNGdoWmpOM
regall:quarantine:Hacked By BL4CK C0D3
regall:quarantine:Falleg Gassrini
regall:quarantine:Fallaga\.tounes
regphp:quarantine:PD9waHAKCiR0ZXN0YSA9ICRfUE9TVFsndmVpbyddOwppZ
regphp:quarantine:cmkzFgtlkq0ZkWbOeSxlzjQNfL3bLJBATyVHaO8755
regphp:quarantine:serr gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprafr
regall:quarantine:FleZxi
regall:quarantine:leadapi\.net
regall:quarantine:www\.365online\.com\/online365\/spring\/authentication
regall:quarantine:www\.bankofireland\.com
regphp:quarantine:SteelaxXx
regphp:quarantine:Hacked By ReZK2ll Team
regphp:quarantine:9age02ptak
regphp:quarantine:vsztequlskbcu0xrxbs3voiz1t7p8pdzts82n40k32nsxlxfj09qsz5dz9plzyk45
regphp:quarantine:vfgg4s6d46g4s64bxqlmqjkshmcjbqjbslmaihwqbcqfblqbvlqjbsufuoqbjfb
regphp:quarantine:langkilleyou
file:quarantine:paypal.security.zip
regphp:quarantine:JOKER7
regphp:quarantine:ArHaCk
regphp:quarantine:wireresult2014
regphp:quarantine:Ly9OSU5mZTlBZkx0bC9IZUZVZGM3OXJnL0RZbjRVaklHU1Y
regphp:quarantine:www\.companiadab\.com\.ar
regphp:quarantine:jxbpqr2b\.php
regphp:quarantine:dt8kf6553cww8\.cloudfront\.net
regphp:quarantine:dan video ke mana saja dan membaginya dengan mudah

Best regards!
kam1lo
Junior Member
Posts: 2
Joined: 30 Jun 2014, 14:48


regall:quarantine:FJ3HjoNctlNfpXT9WAzIVnfdFjnnzKRSBpODVkJ
azednet
Junior Member
Posts: 8
Joined: 31 Jan 2014, 18:23


regall:quarantine:store\.apple\.com
regall:quarantine:apple\.com\/WebObjects
regall:quarantine:Done\.php\?cmd\=Complete\&Dispatch\=
regall:quarantine:bendiouafa@gmail\.com
regall:quarantine:rezrozrez@gmail.com
regall:quarantine:mizox@th3pro.com
regall:quarantine:paypal\.fr\.connect\.fr
regall:quarantine:paypal\.com\/fr\/webapps
regall:quarantine:\.lcl\.fr
regall:quarantine:Gu3ssWho
regall:quarantine:InjecT0r Mailer
regall:quarantine:bnpparibas\.net
regall:quarantine:First Bank of Nigeria
regall:quarantine:\/BNPparibas
regall:quarantine:\/bnpparibas
regall:quarantine:credit-agricole
regall:quarantine:banque-populaire
regall:quarantine:creditmutuel\.fr
regall:quarantine:www\.creditmutuel\.fr
regall:quarantine:chase\.com
regall:quarantine:edf\.com
masimo
Junior Member
Posts: 3
Joined: 16 Feb 2016, 09:05


I found very useful patterns for simple web malware detection.

http://www.abuseat.org/findbot.pl
Code:
my $scriptpat = '(Edited By GuN-Jack|die\(PHP_OS.chr\(49\).chr\(48\).chr\(43\).md5\(0987654321\)|die\(PHP_OS.chr\(49\).chr\(49\).chr\(43\).md5\(0987654321\)|social\.png|r57|c99|web shell|passthru|shell_exec|base64_decode|edoced_46esab|PHPShell|EHLO|MAIL FROM|RCPT TO|fsockopen|\$random_num\.qmail|getmxrr|\$_POST\[\'emaillist\'\]|if\(isset\(\$_POST\[\'action\'\]|BAMZ|shell_style|malsite|cgishell|Defaced|defaced|Defacer|defacer|hackmode|ini_restore|ini_get\("open_basedir"\)|runkit_function|rename_function|override_function|mail.add_x_header|\@ini_get\(\'disable_functions\'\)|open_basedir|openbasedir|\@ini_get\("safe_mode"|JIKO|fpassthru|passthru|hacker|Hacker|gmail.ru|fsockopen\(\$mx|\'mxs\.mail\.ru\'|yandex.ru|UYAP-CASTOL|KEROX|BIANG|FucKFilterCheckUnicodeEncoding|FucKFilterCheckURLEncoding|FucKFilterScanPOST|FucKFilterEngine|fake mailer|Fake mailer|Mass Mailer|MasS Mailer|ALMO5EAM|3QRAB|Own3d|eval\(\@\$_GET|TrYaG|Turbo Force|eval \( gzinflate|eval \(gzinflate|cgi shell|cgitelnet|\$_FILES\[file\]|\@copy\(\$_FILES|root\@|eval\(\(base64_decode|define\(\'SA_ROOT\'|cxjcxj|PCT4BA6ODSE|if\(isset\(\$s22\)|yb dekcah|dekcah|\@md5\(\$_POST|iskorpitx|\$__C|back connect|ccteam.ru|"passthru"|"shell_exec"|CHMOD_SHELL|EXIT_KERNEL_TO_NULL|original exploit|prepare_the_exploit|RUN_ROOTSHELL|ROOTSHELL|\@popen\(\$sendmail|\'HELO localhost\'|TELNET|Telnet|BACK-CONNECT|BACKDOOR|BACK-CONNECT BACKDOOR|AnonGhost|CGI-Telnet|webr00t|Ruby Back Connect|Connect Shell|require \'socket\'|HACKED|\@posix_getgrgid\(\@filegroup|\@posix_getpwuid\(\@fileowner|\&\#222\;\&\#199\;\&\#198\;\&\#227\;\&\#229\;|open_basedir|disable_functions|brasrer64r_rdrecordre|hacked|Hacked|\$sF\[4\]\.\$sF\[5\]\.\$sF\[9\]\.\$sF\[10\]\.|\$sF\="PCT4BA6ODSE_"|\$s21\=strtolower|6ODSE_"\;|Windows-1251|\@eval\(\$_POST\[|h4cker|Kur-SaD|\'Fil\'\.\'esM\'\.\'an\'|echo PHP_OS\.|\$testa != ""|\@PHP_OS|\$_POST\[\'veio\'\]|file_put_contents\(\'1\.txt\'|\$GLOBALS\["\%x61|\\\40\\\x65\\\166\\\x61\\\154\\\x28\\\163\\\x74\\\162\\\x5f\\\162\\\x65\\\160\\\x6c\\\141\\\x63\\\145|md5decrypter\.com|rednoize\.com|hashcracking\.info|milw0rm\.com|hashcrack\.com|function_exists\(\'shell_exec\'\)|Sh3ll Upl04d3r|Sh3ll Uploader|S F N S A W|\$\{\$\{"GLOBALS"\}|\$i59\="Euc\<v\#|\$contenttype \= \$_POST\[|eval\(base64|killall|1\.sh|\/usr\/bin\/uname -a|FilesMan|unserialize\(base64_decode|eval \( base64|eval \(base64|eval\(unescape|eval\(@gzinflate|gzinflate\(base64|str_rot13\(\@base64|str_rot13\(base64|gzinflate\(\@str_rot13|\/\.\*\/e|gzuncompress\(base64|substr\(\$c, \$a, \$b|\\\x47LOB|\\\x47LO\\\x42|\\\x47L\\\x4f\\\x42|\\\x47\\\x4c\\\x4f\\\x42|eval\("\?\>"\.base64_decode|\|imsU\||\!msiU|host\=base64|exif \= exif_|"\?Q\?|decrypt\(base64|Shell by|die\(PHP_OS|shell_exec\(base64_decode|\$_F\=|edoced_46esab|\$_D\=strrev|\]\)\)\;\}\}eval|\\\x65\\\x76\\\x61\\\x6c\\\x28|"e"\."va"\."l|\$so64 \=|sqlr00t|qx\{pwd\}|OOO0000O0|OOO000O00|OOO000000|\/\\\r\\\n\\\r\\\n|\$baseurl \= base64_decode|\$remoteurl\,\'wp-login\.php\'|\'http\:\/\/\'\.\$_SERVER\[\'SERVER_NAME\'\]|kkmvbziu|\$opt\("\/292\/e"|\$file\=\@\$_COOKIE\[\'|phpinfo\(\)\;die|return base64_decode\(|\@imap_open\(|\@imap_list\(|\$Q0QQQ\=0|\$GLOBALS\[\'I111\'\]|base64_decode\(\$GLOBALS|eval\(x\(|\@array\(\(string\)stripslashes|function rx\(\)| IRC |BOT IRC|\$bot_password|this bot|Web Shell|Web shell|getenv\(\'SERVER_SOFTWARE\'\)|file_exists\(\'\/tmp\/mb_send_mail\'\)|unlink\(\'\/tmp\/|imap_open\(\'\/etc\/|ini_set\(\'allow_url|\'_de\'\.\'code\'|\'base\'\.\(32\*2\))';
How can I use this list on csf.xtra?
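The rule lines shared earlier in this thread all have the shape type:action:pattern (regphp and regall carry a regex, file carries a filename), and the findbot.pl pattern above is one big Perl alternation. The script below is an added example, not code from the forum or from the cxs project: it parses rule lines of that shape, splits a findbot-style alternation on its unescaped pipes into one regphp rule per alternative, and dry-runs both sets over constructed sample files so you can see which rules would fire before putting them into production. The scoping it applies is an assumption for the demonstration (regphp limited to .php/.phtml/.php5 files, regall to every file, file compared against the basename), the rule excerpt and the findbot excerpt are constructed subsets of what is posted above, and Python's re module stands in for the Perl engine cxs itself uses.

```python
"""Added example: parse cxs.xtra-style rules, convert a findbot.pl
alternation into regphp rules, and dry-run them over sample files."""
import re
from dataclasses import dataclass

# Assumption: regphp applies only to these extensions, regall to every
# file, and a file rule is compared against the basename.
PHP_EXTENSIONS = (".php", ".phtml", ".php5")
RULE_TYPES = ("regphp", "regall", "file")


@dataclass
class Rule:
    kind: str      # regphp, regall or file
    action: str    # e.g. quarantine
    pattern: str   # regex for regphp/regall, literal filename for file


def parse_xtra(text):
    """Parse 'type:action:pattern' lines; blanks and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, action, pattern = line.split(":", 2)
        if kind not in RULE_TYPES:
            raise ValueError(f"unsupported rule type: {kind!r}")
        if kind != "file":
            re.compile(pattern)  # fail early on a malformed regex
        rules.append(Rule(kind, action, pattern))
    return rules


def split_alternation(alternation):
    """Split 'a|b|c' on top-level, unescaped '|' only (keeps \\| intact)."""
    parts, buf, i = [], [], 0
    while i < len(alternation):
        ch = alternation[i]
        if ch == "\\" and i + 1 < len(alternation):
            buf.append(alternation[i:i + 2])  # copy the escape pair as-is
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p]


def findbot_to_xtra(alternation, action="quarantine"):
    """One regphp rule per alternative (findbot.pl targets scripts; assumption)."""
    return [f"regphp:{action}:{alt}" for alt in split_alternation(alternation)]


def match_rules(rules, filename, content):
    """Return the rules that would fire on one file under the scoping above."""
    is_php = filename.lower().endswith(PHP_EXTENSIONS)
    hits = []
    for rule in rules:
        if rule.kind == "file":
            if filename.rsplit("/", 1)[-1] == rule.pattern:
                hits.append(rule)
            continue
        if rule.kind == "regphp" and not is_php:
            continue
        if re.search(rule.pattern, content):
            hits.append(rule)
    return hits


# Constructed excerpt of the rules posted in this thread.
SAMPLE_XTRA = r"""
regall:quarantine:Hacked By BL4CK C0D3
regphp:quarantine:dt8kf6553cww8\.cloudfront\.net
file:quarantine:NUEVONORTE.zip
regall:quarantine:www\.bankofireland\.com
"""
# Constructed excerpt of the findbot.pl alternation (six alternatives).
FINDBOT_EXCERPT = r"base64_decode|edoced_46esab|eval \(gzinflate|\$_POST\[\'veio\'\]|\|imsU\||Web Shell"
# Constructed sample files: path -> content.
SAMPLE_FILES = {
    "public_html/index.php": "<?php echo 'hello'; ?>",
    "public_html/uploads/img.php": "<?php eval (gzinflate(base64_decode($d))); $t = $_POST['veio']; ?>",
    "public_html/readme.txt": "base64_decode is mentioned here; Hacked By BL4CK C0D3",
    "public_html/NUEVONORTE.zip": "PK\x03\x04",
    "public_html/mail.php": "<?php $u = 'https://www.bankofireland.com/login'; ?>",
}


def scan_samples():
    """Dry-run thread rules plus converted findbot rules over the sample files."""
    rules = parse_xtra(SAMPLE_XTRA)
    rules += parse_xtra("\n".join(findbot_to_xtra(FINDBOT_EXCERPT)))
    return {path: [r.pattern for r in match_rules(rules, path, body)]
            for path, body in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for line in findbot_to_xtra(FINDBOT_EXCERPT):
        print(line)
    for path, hits in scan_samples().items():
        print(f"{path}: {hits or 'clean'}")
```

Two things the dry run makes visible: readme.txt is only caught by the regall rule, because the converted findbot rules are regphp and never look at it, and broad alternatives such as base64_decode or Hacked will also hit legitimate code, so review what the quarantine action would have picked up before enabling a converted list. Alternatives that rely on Perl-specific escapes should be checked with cxs itself rather than trusted from this Python sanity check.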

POUSSETY
Junior Member
Posts: 2
Joined: 09 May 2019, 03:53


19 Jan 2010, 03:35 Sergio wrote:
Hostell wrote:
this shouldn't be blocked.
If you have scripts to send emails that use a URL in the header, it has to be investigated, as it could send a URL that is not on your server.

Remember that CSX is to help you to check [URL=https://filezilla.software/]FileZilla[/URL] [URL=https://www.ucbrowser.pro/]UC Browser[/URL] [URL=https://downloader.vip/rufus/]Rufus[/URL] what is being uploaded in your server, if one of your customers upload a file with this regex on it, CSX will tell you what is the code that your customer is uploading.
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.