regall:\.akamai.net
Or, you can go and check for this:
regall:wellsfargo\.com
regall:src=\"https\:
The problem with the second option is that you can trigger false positives if any of your webpages are using an SSL page as src.
tvcnet wrote:
Ok, though the other reporting service used this to locate the hack:
/<script.+?src\s*=\s*['\"]?(ht|f)tp.+?>(.*?<\/script>)?/
Is that something we can rewrite for this system to catch this sort of hack?
Thanks,
Jim

Jim,
regall:/<script.+?src\s*=\s*['\"]?(ht|f)tp.+?>(.*?<\/script>)?/
Sergio wrote:
ok, try with this:
this will work for sure.
regall:<script type=\"text\/javascript\" src=\"(ht|f)tp.\:
and this works checking for http, https and ftp.

Yes, no question that will work.
----------- SCAN REPORT -----------
(/usr/sbin/cxs -mail root --exp --vir -I /etc/cxs/cxs.ignore -X /etc/cxs/cxs.xtra -o mMOLfSGchexdnwW -vo eT --sum -E
Scanning
# Regular expression match = [<script type=\"text\/javascript\" src=\"(ht|f)tp.\:]:
----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious items: 1
Viruses found: 0
Data scanned: 0.00 MB
Scan time/item: 0.002 sec
Time: 0.002 sec
tvcnet wrote:
One of the common phishing installer scripts creates a log file named:
error_log
(and for FYI purposes, other filenames in this phishing installer are
login.php, regions.zip and index.htm)
In this log file the one thing I believe could be ID'd as a likely hack would be this line:
[26-Feb-2010 16:12:02] PHP Notice: Undefined index: pin in /home/xxx/public_html/images/ucon/login.php on line 7
In specific, I'm referring to the section:
Undefined index: pin
What do you think about the relevance of this?
I tried this but it didn't catch it:
regall:Undefined index\: pin
-Jim

I take that back regarding the scan.
tvcnet wrote:
I take that back regarding the scan.
regall:Undefined index: pin
"does" work fine though only with a deep scan.
-Jim

Jim,
regall:Undefined index\: pin
but I don't think this will work, as the error that you are referring to is a log line and is not inside any php, cgi or html file. CXS only searches for strings inside files; if you set this rule, you will have a lot of positives when your CXS checks your error_log file but not the compromised one.
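
An added example, not written by any poster in this thread and not part of cxs: it runs three of the patterns quoted above (with the `regall:` prefix stripped) over constructed HTML fragments to show which pages each one flags. It assumes cxs evaluates the text after `regall:` as a Perl-style regular expression; the sample pages and the names `PATTERNS`, `SAMPLES`, `matching_rules` and `report` are made up for the illustration.

```python
import re

# Patterns quoted in the thread, with the cxs "regall:" prefix stripped.
# Assumption: cxs treats the remainder as a Perl-style regex; these three
# use only syntax that Python's re module interprets the same way.
PATTERNS = {
    "src_https": r"src=\"https\:",
    "script_generic": r"<script.+?src\s*=\s*['\"]?(ht|f)tp.+?>(.*?<\/script>)?",
    "script_strict": r"<script type=\"text\/javascript\" src=\"(ht|f)tp.\:",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}

# Constructed sample page fragments (not taken from any real incident).
SAMPLES = {
    "ssl_image": '<img src="https://www.example.com/logo.png">',
    "local_script": '<script type="text/javascript" src="/js/site.js"></script>',
    "remote_http": '<script type="text/javascript" src="http://cdn.example.net/x.js"></script>',
    "remote_https": '<script type="text/javascript" src="https://cdn.example.net/x.js"></script>',
    "remote_single_quoted": "<script src='http://cdn.example.net/x.js'></script>",
}


def matching_rules(text):
    """Return the names of the patterns that match anywhere in text."""
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def report():
    """Map each sample name to the list of patterns that flag it."""
    return {name: matching_rules(html) for name, html in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:22} -> {', '.join(hits) or 'no match'}")
    # ssl_image is flagged by src_https only: the false positive on pages that
    # legitimately load content over SSL.
    # script_strict flags remote_https but not remote_http: "(ht|f)tp." needs
    # one character between "tp" and ":", so "https:" fits and "http:" does not.
```

Before deploying a rule, running it this way against a few known-clean pages from the account and a copy of the injected markup shows whether it both fires on the injection and stays quiet on legitimate content.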