STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
camelothosting
Junior Member
Posts: 23
Joined: 12 Aug 2008, 15:34

Post by camelothosting »

Perfect thanx
robotronik
Junior Member
Posts: 13
Joined: 10 Jul 2009, 20:24

Post by robotronik »

A method used to hide shells that I have come across. :) Always worth investigating!

regall:eval\(\"\?\>\"\.gzuncompress\(base64_decode
tvcnet
Junior Member
Posts: 38
Joined: 30 Sep 2009, 00:01

Post by tvcnet »

Can someone create a clean list using all the tips above.
Thinking would be a good idea to build this over time with all our input.

Many thanks,
Jim
gozargah
Junior Member
Posts: 5
Joined: 15 Apr 2010, 21:06

Post by gozargah »

How can pervent users to run c99 and r57 shells?
Sergio
Junior Member
Posts: 1427
Joined: 12 Dec 2006, 14:56

Post by Sergio »

tvcnet wrote:Can someone create a clean list using all the tips above.
Thinking would be a good idea to build this over time with all our input.

Many thanks,
Jim
Hello tvcnet,
I will more than glad to do it. Also, I will post a guideline on the first post on how the tips have to be submitted in order to do the job more easily.

Regards,

Sergio
tvcnet
Junior Member
Posts: 38
Joined: 30 Sep 2009, 00:01

Post by tvcnet »

That's a good question on r57.

We do hackrepair for clients and 90% of the time hacked web sites have r57 shell script installed. Something to specific block that would be a good thing.

Thanks,
Jim
Sergio
Junior Member
Posts: 1427
Joined: 12 Dec 2006, 14:56

Post by Sergio »

tvcnet wrote:That's a good question on r57.

We do hackrepair for clients and 90% of the time hacked web sites have r57 shell script installed. Something to specific block that would be a good thing.

Thanks,
Jim
If I could have an extract of the script, there could be something that we can add to the CXS file.
ForumAdmin
Moderator
Posts: 1478
Joined: 01 Oct 2008, 09:24

Post by ForumAdmin »

cxs already detects a large number of variants of c99 and r57 exploit scripts with multiple regex's.
tvcnet
Junior Member
Posts: 38
Joined: 30 Sep 2009, 00:01

Post by tvcnet »

If you are in need of set of hacks files to test CSF send me a private message.

I tried posting the link here but the Admin appears to have deleted the post.

Best Wishes,
Jim
tvcnet
Junior Member
Posts: 38
Joined: 30 Sep 2009, 00:01

CSX didn't catch this hack

Post by tvcnet »

How might this hack be implemented into xtra please?

I ran another scanning program and the result was:

What it searched:
/<script.+?src\s*=\s*['\"]?(ht|f)tp.+?>(.*?<\/script>)?/

What if found on a page:
[removed by Moderator]

Ideas on how to write that?

Thanks,
Jim
Post Reply