Re: STICKY rules for CXS.XTRA regs.

Posted: 24 Apr 2014, 06:43
by dieter
Hi Sergio,

I will remember in the future. Thank you, it works; I found a couple of sites infected with this, all Joomla sites.

Thank you,

Dieter

Re: STICKY rules for CXS.XTRA regs.

Posted: 17 May 2014, 10:40
by azednet
Hello,

How can I block a file with this script:

<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you

Re: STICKY rules for CXS.XTRA regs.

Posted: 17 May 2014, 14:54
by Sergio
azednet wrote: Hello,

How can I block a file with this script:

<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Please use a regular post in the forum and I will help you there; the sticky is only for CXS rules that you want to share with the community.

Re: STICKY rules for CXS.XTRA regs.

Posted: 30 Jun 2014, 15:21
by kam1lo
Hi guys, this is my first post. The following are some regs I have been using; I don't know if some have already been posted:

regphp:quarantine:Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMj
regphp:quarantine:FcxOCoAgEAXQq7QIrFJXtCs6i4Rad6gjzV9r
regphp:quarantine:PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp
file:quarantine:NUEVONORTE.zip
regall:quarantine:El Banco fuerte de mexico
regphp:quarantine:p1wis Unzip
regall:quarantine:Hacked by DeathAngeL01
regall:quarantine:MUS4LLAT
regall:quarantine:Hacked By Virus Attacker
regall:quarantine:TeaM Pak Cyber Experts
regphp:quarantine:Pz48P3BocCAkX0Y9X19GSUxFX187JF9YPSdQenU4UG9CMmNDQTBaNGdoWmpOM
regall:quarantine:Hacked By BL4CK C0D3
regall:quarantine:Falleg Gassrini
regall:quarantine:Fallaga\.tounes
regphp:quarantine:PD9waHAKCiR0ZXN0YSA9ICRfUE9TVFsndmVpbyddOwppZ
regphp:quarantine:cmkzFgtlkq0ZkWbOeSxlzjQNfL3bLJBATyVHaO8755
regphp:quarantine:serr gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprafr
regall:quarantine:FleZxi
regall:quarantine:leadapi\.net
regall:quarantine:www\.365online\.com\/online365\/spring\/authentication
regall:quarantine:www\.bankofireland\.com
regphp:quarantine:SteelaxXx
regphp:quarantine:Hacked By ReZK2ll Team
regphp:quarantine:9age02ptak
regphp:quarantine:vsztequlskbcu0xrxbs3voiz1t7p8pdzts82n40k32nsxlxfj09qsz5dz9plzyk45
regphp:quarantine:vfgg4s6d46g4s64bxqlmqjkshmcjbqjbslmaihwqbcqfblqbvlqjbsufuoqbjfb
regphp:quarantine:langkilleyou
file:quarantine:paypal.security.zip
regphp:quarantine:JOKER7
regphp:quarantine:ArHaCk
regphp:quarantine:wireresult2014
regphp:quarantine:Ly9OSU5mZTlBZkx0bC9IZUZVZGM3OXJnL0RZbjRVaklHU1Y
regphp:quarantine:www\.companiadab\.com\.ar
regphp:quarantine:jxbpqr2b\.php
regphp:quarantine:dt8kf6553cww8\.cloudfront\.net
regphp:quarantine:dan video ke mana saja dan membaginya dengan mudah

Best regards!
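Several of the regphp rules above are not words at all but fragments of base64 (the file is matched in its encoded form, the way a dropper carries its payload) or str_rot13 text. Before you load a rule like that into cxs.xtra it is worth knowing what it actually matches, and the same harness shows why a bare domain rule such as `www\.bankofireland\.com` will also quarantine a legitimate page that merely links to the bank. The script below is an added example, not code from cxs or from this thread's posters; the sample rules are copied from the post, the two sample files are constructed, and the way it dispatches rule types (regphp only to PHP files, regall to every file, file by exact basename) is an assumption of the example, not a description of cxs internals.

```python
import base64
import codecs
import os
import re
import string

# Constructed input: a handful of the rule lines posted in this thread, in the
# cxs.xtra "type:action:pattern" form the thread uses. How this example
# dispatches them (regphp only to PHP files, regall to every file, file by
# exact basename) is an assumption, not a description of cxs internals.
SAMPLE_RULES = r"""
regphp:quarantine:Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMj
regphp:quarantine:FcxOCoAgEAXQq7QIrFJXtCs6i4Rad6gjzV9r
regphp:quarantine:PD9waHAKCiR0ZXN0YSA9ICRfUE9TVFsndmVpbyddOwppZ
regphp:quarantine:serr gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprafr
regall:quarantine:Hacked By BL4CK C0D3
regall:quarantine:www\.bankofireland\.com
file:quarantine:NUEVONORTE.zip
""".strip().splitlines()

# Constructed sample files: a dropper that writes the $_POST['veio'] backdoor
# out of a base64 blob, and a harmless page that merely mentions a bank domain.
SAMPLE_FILES = {
    "images/cache.php": (
        "<?php\n"
        "$c = base64_decode('PD9waHAKCiR0ZXN0YSA9ICRfUE9TVFsndmVpbyddOwppZiAo');\n"
        "file_put_contents('1.txt', $c);\n"
    ),
    "about.html": "<p>Our partners include www.bankofireland.com and others.</p>\n",
}

PRINTABLE = set(string.printable.encode())
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}$")
ENGLISH_HINTS = {"the", "is", "a", "free", "under", "and", "of", "this", "file"}


def parse_rule(line):
    """Split 'type:action:pattern' on the first two colons only; the pattern
    itself may legitimately contain ':' (URLs, PHP code)."""
    rtype, action, pattern = line.split(":", 2)
    return rtype, action, pattern


def decode_b64_fragment(fragment):
    """A fragment cut from the middle of a base64 blob can start at any of the
    four character offsets inside a 4-char group, so try each alignment and
    return (offset, text) for the first one that decodes to printable text.
    None means every alignment gave binary, i.e. a packed/compressed payload."""
    for skip in range(4):
        chunk = fragment[skip:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]   # whole 4-char groups only
        if len(chunk) < 8:
            continue
        raw = base64.b64decode(chunk)
        if raw and all(b in PRINTABLE for b in raw):
            return skip, raw.decode("ascii")
    return None


def explain(pattern):
    """Classify a rule pattern and recover the plaintext it is really after."""
    if B64_RE.match(pattern):
        hit = decode_b64_fragment(pattern)
        return "base64", (hit[1] if hit else None)
    if re.fullmatch(r"[a-z ]+", pattern) and " " in pattern:
        # str_rot13() is a cheap obfuscation seen in injected themes/plugins.
        rot = codecs.decode(pattern, "rot_13")
        if ENGLISH_HINTS & set(rot.split()):
            return "rot13", rot
    return "literal", pattern


def matching_rules(rules, path, content):
    """Return the patterns that fire for one file under the dispatch
    assumption above. Patterns are applied with Python's re; the thread's
    rules only use escapes that Perl and Python read the same way."""
    hits = []
    name = os.path.basename(path)
    is_php = name.lower().endswith((".php", ".phtml"))
    for line in rules:
        rtype, _action, pattern = parse_rule(line)
        if rtype == "file":
            if name == pattern:
                hits.append(pattern)
        elif rtype == "regall" or (rtype == "regphp" and is_php):
            if re.search(pattern, content):
                hits.append(pattern)
    return hits


if __name__ == "__main__":
    for line in SAMPLE_RULES:
        kind, text = explain(parse_rule(line)[2])
        print(f"{kind:8} {line}\n         -> {text!r}")
    for path, body in SAMPLE_FILES.items():
        print(path, "->", matching_rules(SAMPLE_RULES, path, body))
```

Running it shows that the first rule matches a file that begins `?><?php` followed by a row of `#`, the third matches the `$testa = $_POST['veio'];` backdoor that the findbot.pl list further down also looks for, the second is a compressed payload that no alignment turns into text, and the rot13 line is "free theme is released under creative commons license", a typical nulled-theme marker. The scan of the two sample files makes the trade-off concrete: the dropper is caught by the base64 fragment, but the innocent about.html is quarantined by the bank-domain rule, so domain and brand-name regall rules are best kept to phishing-kit strings that never occur in a customer's own pages.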

Re: STICKY rules for CXS.XTRA regs.

Posted: 21 Jul 2014, 16:43
by kam1lo
regall:quarantine:FJ3HjoNctlNfpXT9WAzIVnfdFjnnzKRSBpODVkJ

Re: STICKY rules for CXS.XTRA regs.

Posted: 14 Aug 2014, 11:50
by azednet
regall:quarantine:store\.apple\.com
regall:quarantine:apple\.com\/WebObjects
regall:quarantine:Done\.php\?cmd\=Complete\&Dispatch\=
regall:quarantine:bendiouafa@gmail\.com
regall:quarantine:rezrozrez@gmail\.com
regall:quarantine:mizox@th3pro\.com
regall:quarantine:paypal\.fr\.connect\.fr
regall:quarantine:paypal\.com\/fr\/webapps
regall:quarantine:\.lcl\.fr
regall:quarantine:Gu3ssWho
regall:quarantine:InjecT0r Mailer
regall:quarantine:bnpparibas\.net
regall:quarantine:First Bank of Nigeria
regall:quarantine:\/BNPparibas
regall:quarantine:\/bnpparibas
regall:quarantine:credit-agricole
regall:quarantine:banque-populaire
regall:quarantine:creditmutuel\.fr
regall:quarantine:www\.creditmutuel\.fr
regall:quarantine:chase\.com
regall:quarantine:edf\.com

Re: STICKY rules for CXS.XTRA regs.

Posted: 16 Feb 2016, 09:07
by masimo
I found very useful patterns for simple web malware detection.

http://www.abuseat.org/findbot.pl

my $scriptpat = '(Edited By GuN-Jack|die\(PHP_OS.chr\(49\).chr\(48\).chr\(43\).md5\(0987654321\)|die\(PHP_OS.chr\(49\).chr\(49\).chr\(43\).md5\(0987654321\)|social\.png|r57|c99|web shell|passthru|shell_exec|base64_decode|edoced_46esab|PHPShell|EHLO|MAIL FROM|RCPT TO|fsockopen|\$random_num\.qmail|getmxrr|\$_POST\[\'emaillist\'\]|if\(isset\(\$_POST\[\'action\'\]|BAMZ|shell_style|malsite|cgishell|Defaced|defaced|Defacer|defacer|hackmode|ini_restore|ini_get\("open_basedir"\)|runkit_function|rename_function|override_function|mail.add_x_header|\@ini_get\(\'disable_functions\'\)|open_basedir|openbasedir|\@ini_get\("safe_mode"|JIKO|fpassthru|passthru|hacker|Hacker|gmail.ru|fsockopen\(\$mx|\'mxs\.mail\.ru\'|yandex.ru|UYAP-CASTOL|KEROX|BIANG|FucKFilterCheckUnicodeEncoding|FucKFilterCheckURLEncoding|FucKFilterScanPOST|FucKFilterEngine|fake mailer|Fake mailer|Mass Mailer|MasS Mailer|ALMO5EAM|3QRAB|Own3d|eval\(\@\$_GET|TrYaG|Turbo Force|eval \( gzinflate|eval \(gzinflate|cgi shell|cgitelnet|\$_FILES\[file\]|\@copy\(\$_FILES|root\@|eval\(\(base64_decode|define\(\'SA_ROOT\'|cxjcxj|PCT4BA6ODSE|if\(isset\(\$s22\)|yb dekcah|dekcah|\@md5\(\$_POST|iskorpitx|\$__C|back connect|ccteam.ru|"passthru"|"shell_exec"|CHMOD_SHELL|EXIT_KERNEL_TO_NULL|original exploit|prepare_the_exploit|RUN_ROOTSHELL|ROOTSHELL|\@popen\(\$sendmail|\'HELO localhost\'|TELNET|Telnet|BACK-CONNECT|BACKDOOR|BACK-CONNECT BACKDOOR|AnonGhost|CGI-Telnet|webr00t|Ruby Back Connect|Connect Shell|require \'socket\'|HACKED|\@posix_getgrgid\(\@filegroup|\@posix_getpwuid\(\@fileowner|\&\#222\;\&\#199\;\&\#198\;\&\#227\;\&\#229\;|open_basedir|disable_functions|brasrer64r_rdrecordre|hacked|Hacked|\$sF\[4\]\.\$sF\[5\]\.\$sF\[9\]\.\$sF\[10\]\.|\$sF\="PCT4BA6ODSE_"|\$s21\=strtolower|6ODSE_"\;|Windows-1251|\@eval\(\$_POST\[|h4cker|Kur-SaD|\'Fil\'\.\'esM\'\.\'an\'|echo PHP_OS\.|\$testa != ""|\@PHP_OS|\$_POST\[\'veio\'\]|file_put_contents\(\'1\.txt\'|\$GLOBALS\["\%x61|\\\40\\\x65\\\166\\\x61\\\154\\\x28\\\163\\\x74\\\162\\\x5f\\\162\\\x65\\\160\\\x6c\\\141\\\x63\\\145|md5decrypter\.com|rednoize\.com|hashcracking\.info|milw0rm\.com|hashcrack\.com|function_exists\(\'shell_exec\'\)|Sh3ll Upl04d3r|Sh3ll Uploader|S F N S A W|\$\{\$\{"GLOBALS"\}|\$i59\="Euc\<v\#|\$contenttype \= \$_POST\[|eval\(base64|killall|1\.sh|\/usr\/bin\/uname -a|FilesMan|unserialize\(base64_decode|eval \( base64|eval \(base64|eval\(unescape|eval\(@gzinflate|gzinflate\(base64|str_rot13\(\@base64|str_rot13\(base64|gzinflate\(\@str_rot13|\/\.\*\/e|gzuncompress\(base64|substr\(\$c, \$a, \$b|\\\x47LOB|\\\x47LO\\\x42|\\\x47L\\\x4f\\\x42|\\\x47\\\x4c\\\x4f\\\x42|eval\("\?\>"\.base64_decode|\|imsU\||\!msiU|host\=base64|exif \= exif_|"\?Q\?|decrypt\(base64|Shell by|die\(PHP_OS|shell_exec\(base64_decode|\$_F\=|edoced_46esab|\$_D\=strrev|\]\)\)\;\}\}eval|\\\x65\\\x76\\\x61\\\x6c\\\x28|"e"\."va"\."l|\$so64 \=|sqlr00t|qx\{pwd\}|OOO0000O0|OOO000O00|OOO000000|\/\\\r\\\n\\\r\\\n|\$baseurl \= base64_decode|\$remoteurl\,\'wp-login\.php\'|\'http\:\/\/\'\.\$_SERVER\[\'SERVER_NAME\'\]|kkmvbziu|\$opt\("\/292\/e"|\$file\=\@\$_COOKIE\[\'|phpinfo\(\)\;die|return base64_decode\(|\@imap_open\(|\@imap_list\(|\$Q0QQQ\=0|\$GLOBALS\[\'I111\'\]|base64_decode\(\$GLOBALS|eval\(x\(|\@array\(\(string\)stripslashes|function rx\(\)| IRC |BOT IRC|\$bot_password|this bot|Web Shell|Web shell|getenv\(\'SERVER_SOFTWARE\'\)|file_exists\(\'\/tmp\/mb_send_mail\'\)|unlink\(\'\/tmp\/|imap_open\(\'\/etc\/|ini_set\(\'allow_url|\'_de\'\.\'code\'|\'base\'\.\(32\*2\))';
How can I use this list in cxs.xtra?
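The findbot.pl pattern is one big Perl alternation inside a single-quoted string, so it cannot be pasted into cxs.xtra as is: cxs.xtra wants one rule per line, and the Perl quoting (`\'` for a quote, `\\` for a backslash) has to be undone before the text is a plain regex. The converter below is an added example, not code from findbot.pl, cxs or anyone in this thread. It assumes that cxs.xtra takes `type:action:regex` lines with Perl-style escaping, as every rule posted above does; the regphp-versus-regall choice is a heuristic of the example, and the NOISY set of alternatives it refuses to turn into quarantine rules is a judgement call, since findbot.pl uses words like `passthru` or `base64_decode` only as scoring hints and as standalone rules they would quarantine ordinary code. The excerpt of the pattern embedded here is constructed from the post; the full string can be fed to the same functions.

```python
import re

# Constructed excerpt of findbot.pl's $scriptpat, exactly as it sits in the
# Perl source (inside a single-quoted string). The full string from the post
# can be passed to the same functions; it is shortened here to stay readable.
FINDBOT_EXCERPT = r"""(Edited By GuN-Jack|\$_POST\[\'emaillist\'\]|passthru|\|imsU\||eval\(\@\$_GET|\'mxs\.mail\.ru\'|\\\x47LOB|file_put_contents\(\'1\.txt\'|\$testa != ""|base64_decode)"""

# Alternatives that findbot.pl only uses as hints. Turned into standalone
# quarantine rules they would hit ordinary PHP, so they are reported, not
# emitted. This list is a judgement call, not something cxs defines.
NOISY = {
    "passthru", "shell_exec", "base64_decode", "fsockopen", "fpassthru",
    "open_basedir", "openbasedir", "disable_functions", "ini_restore", "getmxrr",
    "EHLO", "MAIL FROM", "RCPT TO", "TELNET", "Telnet", "killall",
    "hacker", "Hacker", "hacked", "Hacked", "HACKED", "Windows-1251", "r57", "c99",
}


def split_alternation(regex):
    """Split the outer (a|b|c) group on top-level '|'. A backslash always
    protects the next character, so an escaped pipe inside an alternative
    stays intact, and '|' inside nested parentheses is not a split point."""
    if regex.startswith("(") and regex.endswith(")"):
        regex = regex[1:-1]
    parts, buf, depth, i = [], [], 0, 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):
            buf.append(regex[i:i + 2])
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p]


def perl_sq_unescape(s):
    """Undo Perl single-quote escaping: inside '...' only a doubled backslash
    and an escaped quote are special; every other backslash reaches the regex
    engine unchanged."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in "\\'":
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def to_xtra_rules(perl_pattern, action="quarantine"):
    """Return (rules, skipped): one cxs.xtra line per usable alternative and
    the generic tokens that were left out. regphp vs regall is a heuristic
    (PHP-looking alternatives get regphp); cxs is Perl, so re.compile() here
    is only a sanity check that nothing was mangled by the conversion."""
    rules, skipped = [], []
    for alt in split_alternation(perl_pattern):
        alt = perl_sq_unescape(alt)
        if alt in NOISY:
            skipped.append(alt)
            continue
        re.compile(alt)
        rtype = "regphp" if re.search(r"\\\$|\\\(|_POST|_GET|eval", alt) else "regall"
        rules.append(f"{rtype}:{action}:{alt}")
    return rules, skipped


if __name__ == "__main__":
    kept, dropped = to_xtra_rules(FINDBOT_EXCERPT)
    print("\n".join(kept))
    print("# left out as too generic for a quarantine rule:", ", ".join(dropped))
```

Splitting happens before unquoting so that a doubled backslash in the Perl source is never mistaken for an escaped pipe; the order matters for entries like `\\\x47LOB`, which becomes the two-backslash regex `\\x47LOB` (a literal backslash followed by `x47LOB`, catching `"\x47LOBALS"` obfuscation). Review the output before dropping it into cxs.xtra: even the non-generic alternatives such as `TELNET`, `IRC` or `Web Shell` were written for a scoring script, not for a scanner that quarantines on a single hit.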

Re:

Posted: 09 May 2019, 03:59
by POUSSETY
Sergio wrote: 19 Jan 2010, 03:35
Hostell wrote: this shouldn't be blocked.
If you have scripts to send emails that use a URL in the header, it has to be investigated, as it could send a URL that is not on your server.

Remember that CXS is there to help you check what is being uploaded to your server; if one of your customers uploads a file with this regex in it, CXS will tell you what code your customer is uploading.
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.