Posted: 21 Apr 2010, 19:08
by tvcnet
This actually worked:
regall:Undefined index: pin

with result:
# Regular expression match = [Undefined index: pin]:
'/home/webhost/public_html/images/ucon/error_log'

Posted: 21 Apr 2010, 20:10
by Sergio
tvcnet wrote:This actually worked:
regall:Undefined index: pin

with result:
# Regular expression match = [Undefined index: pin]:
'/home/webhost/public_html/images/ucon/error_log'

Sorry to tell you this, but the "error_log" file is going to be flagged as a positive because what you are looking for is an error logged there. That is not an exploit nor a script exploiting something; you are just searching for a chain of characters.

Posted: 21 Apr 2010, 20:44
by tvcnet
Got it.
Wouldn't that chain of characters have to be:
Undefined index: pin
?

Which as far as I can tell would only be found in this specific error log file used for this specific type of phishing script.

Thanks,
Jim

Posted: 22 Apr 2010, 13:55
by Sergio
tvcnet wrote:Got it.
Wouldn't that chain of characters have to be:
Undefined index: pin
?

Which as far as I can tell would only be found in this specific error log file used for this specific type of phishing script.

Thanks,
Jim

Do this: log in to your server as root and type the following:
less /usr/local/apache/log/error_log* | grep "Undefined index: pin"
This will show you how many times this error has been logged.

Just tell me what you see.

Posted: 17 Jul 2010, 20:42
by Sergio
New regalls for the CXS XTRA file:
regall:test@test\.aol
Regards,

Sergio

Re: Set a Sticky for CSF.XTRA regs.

Posted: 16 Sep 2010, 17:46
by monethart22
Sergio...Thanks for the stuffs and chirpy as well. I tried them and got it fixed!

Posted: 21 Sep 2010, 17:00
by Sergio
I am including a new regall that you should add to your CXS as soon as you can:
%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F
This is part of an EVAL.

The following is what the code means:
document.write('<iframe src="http://
As you can see, this is very dangerous as the URL could be anything.

Sergio.
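
An added example, not part of the original posts and not CXS code: the posted string matches one exact percent-encoding, so this sketch compares that literal match with decoding each encoded run first and then looking for the `document.write('<iframe src="http://` text the post describes. The sample file names and contents are constructed, and the 8-escape threshold is an assumption.

```python
import re
from urllib.parse import unquote

# The encoded string exactly as posted above.
ENC = ("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65"
       "%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F")
POSTED_RULE = re.compile(re.escape(ENC))  # literal, case-sensitive match

# Runs of 8 or more percent-escapes; a lone "%20" in a normal URL is ignored.
# The threshold of 8 is an assumption chosen for this example.
ENCODED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")

# The decoded meaning given in the post, matched loosely.
DECODED_IFRAME = re.compile(
    r"document\.write\(\s*['\"]<iframe\s+src=['\"]?https?://", re.IGNORECASE)

def literal_hit(text):
    """True if the exact encoded string from the post is present."""
    return POSTED_RULE.search(text) is not None

def decoded_hits(text):
    """Decode every long percent-encoded run; return those writing an iframe."""
    hits = []
    for run in ENCODED_RUN.finditer(text):
        decoded = unquote(run.group(0))  # accepts upper- and lowercase hex
        if DECODED_IFRAME.search(decoded):
            hits.append(decoded)
    return hits

# Constructed sample contents (not taken from any real site).
SAMPLES = {
    "same_encoding.js": 'eval(unescape("' + ENC + 'example.invalid"));',
    "lowercase_hex.js": 'eval(unescape("' + ENC.lower() + 'example.invalid"));',
    "benign.html": '<a href="/search?q=a%20b%20c">link</a>',
}

def scan(samples):
    """Map each name to (literal rule matched, decode-then-match matched)."""
    return {name: (literal_hit(body), bool(decoded_hits(body)))
            for name, body in samples.items()}

if __name__ == "__main__":
    for name, (literal, decoded) in scan(SAMPLES).items():
        print(f"{name:18} literal={literal!s:5} decoded={decoded}")
```

The lowercase-hex sample decodes to the same JavaScript but is only caught by the decode-then-match check, which is the reason to keep both kinds of rule.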

Posted: 16 Dec 2010, 01:37
by Sergio
OsCommerce is getting hit with hacks to a file called "categories.php". Most of the time the hacker is saving this file with a Trojan virus or with other malicious code.

I have added a few new regall rules on the first post.

Sergio

Posted: 16 Dec 2010, 02:04
by tvcnet
Excellent! Thank you. -Jim

TYPOS in last rule.

Posted: 16 Dec 2010, 18:43
by Sergio
Sorry, by mistake I didn't write one of the rules as it should be.

WRONG RULE:
regall:facebook\.com/crazytaxi/

FIXED RULE:
regall:facebook\.com\/crazytaxi\/

It is already fixed in the first post.

Please note, if you have written it as it is in the wrong rule, your CXS will not work.