STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: STICKY rules for CXS.XTRA regs.

Post by Sergio »

OsCommerce is still getting hot; lots of hackers are trying to inject malicious code via "/admin/categories.php". Now they are trying to inject R57SHELL scripts, and CXS is blocking them.

My recommendation is to have CXS up to date, today we have ver 4.53.

Regards,

Sergio
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

New Rule added to sticky.

Post by Sergio »

Morfeus (a bad bot) is trying to find a file that is used to hack a server; the name of the file is soapCaller.bs.

I have added this rule to the sticky.

Regards,

Sergio
adnan
Junior Member
Posts: 30
Joined: 30 Apr 2008, 20:53

Re: STICKY rules for CXS.XTRA regs.

Post by adnan »

Hello ,

My scanner stops when I use your extra rules:

Scanning /home/dfhcoi:
Trailing \ in regex m/facebook\.com\/crazytaxi\/ at /usr/sbin/cxs line 232. 
Any idea?
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: STICKY rules for CXS.XTRA regs.

Post by Sergio »

Thanks for pointing this out. I left a "/" at the end of that line; please delete it.

That rule has to be set as:
regall:facebook\.com\/crazytaxi
adnan
Junior Member
Posts: 30
Joined: 30 Apr 2008, 20:53

Re: STICKY rules for CXS.XTRA regs.

Post by adnan »

Also, this rule has a problem too:
Trailing \ in regex m/\/r57\.gen\.tr\/ at /usr/sbin/cxs line 232.

Thank you
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: STICKY rules for CXS.XTRA regs.

Post by Sergio »

Also, the last "/" is giving you a regex problem; it is OK to delete that character as well. It is weird, but on my server I have those lines and they work. Anyway, it can be deleted.

Change that rule and set it as:
regall:\/r57\.gen\.tr
Sergio
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: STICKY rules for CXS.XTRA regs.

Post by Sergio »

Another set of rules for CXS.XTRA:
regall:dailymotion\.com
regall:i54\.tinypic\.com\/w83o6t\.jpg
regall:i52\.tinypic\.com\/311ukqb\.jpg
regall:sibersavunma\.com
Sergio
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: STICKY rules for CXS.XTRA regs.

Post by Sergio »

After checking a lot of files that tried to exploit my server, I found that most of them tried to use the hash "63a9f0ea7bb98050796b649e85481845", so, I have added a new regall to the sticky:

regall:63a9f0ea7bb98050796b649e85481845
This is the hash code for "root"; any file that is uploaded to the server with this in it has to be quarantined.

Sergio
caisc
Junior Member
Posts: 21
Joined: 03 Oct 2011, 07:38

Re: STICKY rules for CXS.XTRA regs.

Post by caisc »

Sergio, thanks for all those rules.

Can you please explain to me a bit what this rule does:
regall:mail\.Ru:94\.100\.176\.20

Actually, there is a forum site on our server, and every day several email IDs like xxxxxxxx@mail.ru register on that forum. Their registration mails get queued up in the mail queue manager, and I have to delete them every day. It seems like those mail IDs are fake, or they are just registering on the forum to spam.

If you can explain to me what this rule does (regall:mail\.Ru:94\.100\.176\.20), it might help me.

Thanks
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: STICKY rules for CXS.XTRA regs.

Post by Sergio »

That rule will search all the files that are uploaded to the server for a line that contains that phrase; if the phrase exists, then the file is quarantined by CXS.

This is not what you want to use; there is a better approach using MODSECURITY. Unfortunately there is no support for MODSECURITY rules here in this forum, but you can write in my thread at cPanel and I will help you there: http://forums.cpanel.net/f185/modsecuri ... 47745.html

Sergio
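As an added illustration (Python written for this page, not cxs's own Perl code and not posted by anyone in the thread): a small linter for regall lines that reproduces the trailing-backslash failure adnan reported above and the line-by-line matching Sergio describes in his last reply. It assumes, from the shape of the "Trailing \ in regex m/.../" message, that cxs drops one trailing "/" from a pattern before compiling it; the rule file and the scanned contents are constructed samples.

```python
import re

# Constructed cxs.xtra sample built from rules posted in the thread; the first
# two lines still carry the stray trailing "/" that broke adnan's scans.
SAMPLE_CXS_XTRA = r"""regall:facebook\.com\/crazytaxi\/
regall:\/r57\.gen\.tr\/
regall:dailymotion\.com
regall:63a9f0ea7bb98050796b649e85481845
regall:mail\.Ru:94\.100\.176\.20
"""

def parse_rules(text):
    """Return [(line_no, rule_type, pattern)] for every 'type:pattern' line."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule_type, _, pattern = line.partition(":")
        rules.append((no, rule_type, pattern))
    return rules

def compile_like_cxs(pattern):
    """Assumption (inferred from the error message in the thread): cxs strips one
    trailing '/' before compiling, so a pattern ending in '\\/' is left with a
    dangling backslash. Returns (compiled_regex_or_None, error_text_or_None)."""
    if pattern.endswith("/"):
        pattern = pattern[:-1]
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, f"{exc} in regex m/{pattern}/"

def lint_rules(text):
    """Return [(line_no, pattern, error, suggested_pattern)] for rules that fail to compile."""
    problems = []
    for no, _, pattern in parse_rules(text):
        compiled, err = compile_like_cxs(pattern)
        if compiled is None:
            suggested = pattern[:-2] if pattern.endswith(r"\/") else pattern
            problems.append((no, pattern, err, suggested))
    return problems

def fix_rules(text):
    """Rewrite every non-compiling rule with its suggested pattern (Sergio's fix)."""
    fixes = {no: suggested for no, _, _, suggested in lint_rules(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        rule_type = raw.strip().partition(":")[0]
        out.append(f"{rule_type}:{fixes[no]}" if no in fixes else raw)
    return "\n".join(out) + "\n"

def scan_content(text, content):
    """Emulate 'regall': list the patterns that match any line of an uploaded file."""
    hits = []
    for _, rule_type, pattern in parse_rules(text):
        compiled, _ = compile_like_cxs(pattern)
        if rule_type != "regall" or compiled is None:
            continue  # a broken rule aborts the real scanner; skipped here
        if any(compiled.search(line) for line in content.splitlines()):
            hits.append(pattern)
    return hits
```

Running lint_rules on the sample reports lines 1 and 2 with the same two patterns Sergio corrected; after fix_rules the file compiles cleanly and scan_content flags any upload containing the "root" hash or the other phrases.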