STICKY rules for CXS.XTRA regs.

Posted: 08 Jan 2010, 14:57
by Sergio
List of useful CXS regex rules; use them at your own risk.

If you see one that doesn't fit your box, feel free to delete it before installing the rest in your CXS.XTRA file.

IMPORTANT:
Every time you include a new rule in your cxs.xtra file, run a scan on one account (not all of them), so you can check that the rules are working.

file:proxy.idx
file:proxy.txt
file:replyto.tmp
file:soapCaller.bs
file:WPd0s.sh.txt
regall:\.50webs\.com
regall:\.akamai\.net
regall:\.cn:8080
regall:\.ru:8080
regall:\/ccteam\.ru
regall:\/r57\.gen\.tr
regall:aol\.com:205\.188\.109\.56
regall:bankofamerica\.com
regall:c999shvars
regall:ccteam\.ru
regall:dailymotion\.com
regall:sibersavunma\.com
regall:dm\.cgi
regall:facebook\.com\/crazytaxi
regall:fileorkut="http
regall:Hi, \[random min=1 max=1 lang=lat case=uc\]\[random min=4 max=8 lang=lat case=lc\]
regall:http:\/\/ruoo\.info
regall:hxftp_time_detection\.htm
regall:Hxxtozn1erii
regall:i52\.tinypic\.com\/311ukqb\.jpg
regall:i54\.tinypic\.com\/w83o6t\.jpg
regall:iframe src="http:\/\/dianagar\.cz\.cc
regall:jL\.chura\.pl
regall:Kernel attack \(Krad\.c\) PT2
regall:mail\.Ru:94\.100\.176\.20
regall:MAILBASE=\.\/upload\/m\.txt
regall:r57shell
regall:script type="text\/javascript" src="(ht|f)tp.
regall:test@test\.aol
regall:void\.ru
regall:wellsfargo\.com
regall:windows-guru\.com
regall:yahoo\.Com:68\.142\.202\.247
regall:youngsexyparties\.com
regphp:'echo "`uname -a`";echo "`id`";\/bin\/sh'
regphp:\$mrd = trim\(file_get_contents\("m"\)\);
regphp:elseif\(function_exists\("shell_exec"
regphp:eval\("\?>"\.gzuncompress\(base64_decode
regphp:header\("Location: http
regphp:shellcode
# EVAL CODES:
regphp:%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F
regphp:ec371748dc2da624b35a4f8f685dd122
regphp:FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1ClVJ3Z
regphp:JGNvZGVsb2NrX2NvZGU9I1B6NDhQM0JvY0EwS2NtVnhkV2x5W1Nn
regphp:R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs
regall:\/\/img[a-z][a-z][a-z]\.net\/t\.php
regall:63a9f0ea7bb98050796b649e85481845
regphp:Use this function to check in witch domain zones user comes
regall:function check\_wordpress
regall:array\(52\,123\,107\,122\,97\,120\,124\,40\,123\,122\,107\,54\,108\,103\,107\,125\,101\,109\,102\,124\,38\,107\,103

# NEW REGALL AS 2013-05-28 by PeterElsner
regall:quarantine:\$_POST\[\(chr\(112\)\.chr\(49\)\)

# NEW REGALLs AS 2014-01-27 by qchost
regall:quarantine:second stage dropper
regall:quarantine:killall -9

Do you have a RegEX that you want to share?
Open a new post and set the subject "NEW RegEX rule" and fill the post with your RegEX; if you have more than one, write all of them in your post.

Enjoy.

Posted: 12 Jan 2010, 11:52
by Hostell
regall:header\("Location: http
This shouldn't be blocked.

Posted: 14 Jan 2010, 10:57
by AgileHosting
Nor should things like this:

regall:aol.com:205.188.109.56
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.

Posted: 19 Jan 2010, 03:31
by Sergio
AgileHosting wrote:Nor should things like this:

regall:aol.com:205.188.109.56
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.
Well, all these definitions are there to check for a file that contains those characters in it, not to block any AOL IP.

There is an exploit that sends spam; the name of the file is DA.CGI. This script calls a lot of other files, and inside these files you find this AOL address. So, if you have on your server a file that contains this expression, it has to be investigated; then you decide whether to delete it or not.

Posted: 19 Jan 2010, 03:35
by Sergio
Hostell wrote:This shouldn't be blocked.
If you have scripts to send emails that use a URL in the header, they have to be investigated, as they could send a URL that is not on your server.

Remember that CXS is there to help you check what is being uploaded to your server; if one of your customers uploads a file with this regex in it, CXS will tell you what code your customer is uploading.

Posted: 22 Jan 2010, 10:11
by chirpy
Sergio, you have to escape your regexes correctly, otherwise you will get a lot of false positives, or they won't work. In particular you need to escape dots and brackets, e.g.:

regall:\.ru\:8080
regall:MAILBASE=\./upload/m\.txt
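To make the two points above concrete (escaping, and testing new rules on one account before rolling them out), here is an added example that is not part of this thread and not CXS's own code: a small Python checker that parses rules in the cxs.xtra syntax used in the opening post, lints regex rules for the bare dots chirpy warns about, and runs them over a constructed single-account file tree. Python's re module stands in for the Perl regex engine CXS uses; for the literal-string patterns quoted here the two behave the same. The sample rules, the sample files, the list of extensions that regphp is assumed to cover, and the treatment of file: rules as exact basename matches are all assumptions made for the example, not taken from CXS documentation.

```python
"""Offline checker for cxs.xtra-style rules (added example, not CXS code)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed rule file: a few rules copied from the thread plus one deliberately
# unescaped copy of the AOL rule, so the lint and the scan have something to show.
SAMPLE_XTRA = r"""
# comments and blank lines are ignored
file:soapCaller.bs
regall:\.ru:8080
regall:aol.com:205.188.109.56
regall:aol\.com:205\.188\.109\.56
regphp:\$mrd = trim\(file_get_contents\("m"\)\);
regall:quarantine:killall -9
"""

# Constructed "one account" to scan: path -> file contents (all made up).
SAMPLE_ACCOUNT = {
    "public_html/soapCaller.bs": "whatever",
    "public_html/da/mail.inc": "smtp aol.com:205.188.109.56 user test@test.aol",
    "public_html/wp-content/x.php": '<?php $mrd = trim(file_get_contents("m")); ?>',
    "public_html/contact.php": "relay via aolXcom:205X188X109X56 (benign look-alike)",
    "cron/cleanup.sh": "killall -9 httpd",
    "public_html/index.html": "<h1>hello</h1>",
}

PHP_EXTENSIONS = (".php", ".php5", ".phtml")  # assumption: what regphp applies to


@dataclass
class Rule:
    kind: str                 # 'file', 'regall' or 'regphp'
    pattern: str              # literal basename for 'file', regex text otherwise
    quarantine: bool          # True for the 'quarantine:' sub-option
    regex: re.Pattern | None  # compiled regex, None for 'file' rules


def parse_xtra(text: str) -> list[Rule]:
    """Parse cxs.xtra-style lines into Rule objects, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        if kind not in ("file", "regall", "regphp"):
            raise ValueError(f"unknown rule type in line: {line!r}")
        quarantine = rest.startswith("quarantine:")
        if quarantine:
            rest = rest[len("quarantine:"):]
        regex = re.compile(rest) if kind != "file" else None
        rules.append(Rule(kind, rest, quarantine, regex))
    return rules


BARE_DOT = re.compile(r"(?<!\\)\.")  # a '.' not preceded by a backslash


def lint_rule(rule: Rule) -> list[str]:
    """Flag bare dots: in these literal-string rules they almost always meant '\\.'."""
    if rule.regex is None or not BARE_DOT.search(rule.pattern):
        return []
    return [f"unescaped '.' in {rule.kind}:{rule.pattern}"]


def scan_account(files: dict[str, str], rules: list[Rule]) -> list[tuple[str, str, bool]]:
    """Return (path, rule text, quarantine?) for every rule that fires on a file."""
    hits = []
    for path, content in files.items():
        name = os.path.basename(path)
        is_php = name.lower().endswith(PHP_EXTENSIONS)
        for r in rules:
            if r.kind == "file":
                matched = name == r.pattern
            elif r.kind == "regphp" and not is_php:
                matched = False  # regphp rules are only applied to PHP files
            else:
                matched = r.regex.search(content) is not None
            if matched:
                hits.append((path, f"{r.kind}:{r.pattern}", r.quarantine))
    return hits


if __name__ == "__main__":
    rules = parse_xtra(SAMPLE_XTRA)
    for r in rules:
        for warning in lint_rule(r):
            print("LINT:", warning)
    for path, rule_text, quarantine in scan_account(SAMPLE_ACCOUNT, rules):
        print("QUARANTINE" if quarantine else "REPORT", path, "<-", rule_text)
```

Running it shows the effect chirpy describes: the unescaped `aol.com:205.188.109.56` rule fires on `contact.php`, whose contents only contain the look-alike `aolXcom:205X188X109X56`, while the escaped rule from the opening post does not. The `regphp` rule fires only on the `.php` file, and the `quarantine:` rule is reported with its flag set so the operator can see which rules would act on a file rather than just report it.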

Posted: 23 Jan 2010, 06:03
by Sergio
chirpy wrote:Sergio, you have to escape your regexes correctly, otherwise you will get a lot of false positives, or they won't work. In particular you need to escape dots and brackets, e.g.:

regall:\.ru\:8080
regall:MAILBASE=\./upload/m\.txt
Thanks Chirpy, I will do that.

Posted: 30 Jan 2010, 18:50
by Ahmed00
Thanks Sergio, I will try it.

that could be used in the CSF.XTRA file
You mean cxs.xtra :)

Posted: 31 Jan 2010, 16:44
by camelothosting
What would be the best way to add this to the extras file?

We need to have the following scanned for:

$mrd = trim(file_get_contents("m"));

Posted: 07 Feb 2010, 09:50
by chirpy
camelothosting wrote:$mrd = trim(file_get_contents("m"));
regphp:\$mrd = trim\(file_get_contents\(\"m\"\)\)\;