STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
68 posts Page 5 of 7
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


OsCommerce is still getting hot, a lot of hackers are trying to inject malicious code via "/admin/categories.php", now they are trying to inject R57SHELL scripts and CXS is blocking them.

My recommendation is to have CXS up to date, today we have ver 4.53.

Regards,

Sergio
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


Morfeus (bad bot) is trying to find a file that is used to hack a server, the name of the file: soapCaller.bs

I have added this rule to the sticky.

Regards,

Sergio
adnan
Junior Member
Posts: 30
Joined: 30 Apr 2008, 20:53


Hello,

My scanner stops when I use your extra rules:
Scanning /home/dfhcoi:
Trailing \ in regex m/facebook\.com\/crazytaxi\/ at /usr/sbin/cxs line 232.
Any idea?
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


Thanks for pointing this out, I left a "/" at the end of that line, please delete it.

That rule has to be set as:
regall:facebook\.com\/crazytaxi
adnan
Junior Member
Posts: 30
Joined: 30 Apr 2008, 20:53


Also, this rule has a problem too:
Trailing \ in regex m/\/r57\.gen\.tr\/ at /usr/sbin/cxs line 232.

Thank you
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


Also, the last "/" is giving you a regex problem, it is ok to delete that character as well. It is weird, but on my server I have those lines and they work; anyway, it can be deleted.

Change that rule and set it as:
regex m/\/r57\.gen\.tr
Sergio
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


Another set of rules for CXS.XTRA
regall:dailymotion\.com
regall:i54\.tinypic\.com\/w83o6t\.jpg
regall:i52\.tinypic\.com\/311ukqb\.jpg
regall:sibersavunma\.com
Sergio
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


After checking a lot of files that tried to exploit my server, I found that most of them tried to use the hash "63a9f0ea7bb98050796b649e85481845", so, I have added a new regall to the sticky:
regall:63a9f0ea7bb98050796b649e85481845
This is the hash code for "root"; any file that is uploaded to the server with this in it has to be quarantined.

Sergio
caisc
Junior Member
Posts: 20
Joined: 03 Oct 2011, 07:38


Sergio, thanks for all those rules.

Can you please explain to me a bit what this rule does:
regall:mail\.Ru:94\.100\.176\.20

Actually there is a forum site on our server and every day several email ids like xxxxxxxx@mail.ru register on that forum, their registration mails get queued up in the mail queue manager and I have to delete them every day. Seems like those mail ids are fake OR they are just registering on the forum just to spam.

If you can explain to me what this rule does (regall:mail\.Ru:94\.100\.176\.20), it might help me.

Thanks
Sergio
Junior Member
Posts: 1369
Joined: 12 Dec 2006, 14:56


That rule will search all the files that are uploaded to the server to check that there is no line that contains that phrase; if the phrase exists, then the file is quarantined by CXS.

This is not what you want to use, there is a better approach using MODSECURITY, unfortunately there is no support for MODSECURITY rules here in these forums, but you can write in my thread at CPanel and I will help you there, http://forums.cpanel.net/f185/modsecuri ... 47745.html

Sergio
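An added checker, not part of this thread or of cxs itself (which is written in Perl), for the two things discussed above: it compiles each `regall:` line before cxs ever gets to it, so a rule ending in a lone backslash (the "Trailing \" failure adnan hit) is reported with its line number, and it then reports which of the surviving rules match a constructed upload, which is the quarantine decision Sergio describes. The one-rule-per-line `regall:<pattern>` layout and the sample upload are assumptions; Python's `re` reports the trailing-backslash defect with its own message rather than Perl's.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed cxs.xtra fragment (assumption: one "regall:<perl regex>" per line,
# as the rules quoted in the thread show). Line 3 is deliberately broken: it ends
# in a lone backslash, the class of defect behind the "Trailing \" errors above.
SAMPLE_XTRA = "\n".join([
    r"regall:facebook\.com\/crazytaxi",
    r"regall:\/r57\.gen\.tr",
    "regall:i54\\.tinypic\\.com\\/w83o6t\\.jpg\\",   # broken: trailing backslash
    r"regall:63a9f0ea7bb98050796b649e85481845",      # md5("root"), from the thread
])

# Constructed upload (not a real payload): a config-style file carrying md5("root").
SAMPLE_UPLOAD = "<?php\n// settings\n$pw = '63a9f0ea7bb98050796b649e85481845';\n"


def parse_rules(text: str) -> Tuple[List[re.Pattern], Dict[int, str]]:
    """Compile every regall: pattern; return the compiled rules and, keyed by
    line number, the rules that failed to compile (these would abort the scan)."""
    compiled, errors = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("regall:"):
            continue                      # other directives are out of scope here
        pattern = line[len("regall:"):]
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            errors[lineno] = f"{pattern!r}: {exc}"
    return compiled, errors


def quarantine_hits(content: str, rules: List[re.Pattern]) -> List[str]:
    """Patterns found anywhere in the file: a regall hit means cxs quarantines it."""
    return [r.pattern for r in rules if r.search(content)]


def root_md5() -> str:
    """Recompute the hash the thread's last rule is built from."""
    return hashlib.md5(b"root").hexdigest()


if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_XTRA)
    for lineno, msg in errors.items():
        print(f"cxs.xtra line {lineno} will not compile: {msg}")
    print("quarantine because of:", quarantine_hits(SAMPLE_UPLOAD, rules))
```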