New hack script format (cxs may need update)

Post Reply
tvcnet
Junior Member
Posts: 38
Joined: 30 Sep 2009, 00:01

New hack script format (cxs may need update)

Post by tvcnet »

Hi folks,
I've just started observing a relatively new format for the gzinflate/base64 hacks, now starting with:
<?php $D=strrev('edoced_46esab');$s=gzinflate

Here is a picture snippet of a hack I observed this past week, which CXS does not pick up as a hack (when it should have).
It's a pretty egregious web orb / filesman type hack which CXS should have caught:
http://tvcnet.net/images/tutorials/2011-10-02_1008.png

You folks need anything further from me to improve CXS in catching these from now on?

You'll find a discussion on this script which CXS missed here. Search on page for: gzinflate($D('7X1te9s2suh3
http://ksforum.inboxrevenge.com/viewtop ... 5&start=15


-Jim
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: New hack script format (cxs may need update)

Post by Sergio »

If you have the file of this script, you can contribute and send it to ConfigServer using the option --wttw to send it, then CXS will include this on the next update.

Read the documentation.txt for more details.

Sergio
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: New hack script format (cxs may need update)

Post by chirpy »

That is probably too complex an encoding method for cxs to easily decode. However, if you find exploits using such a method that cxs does not detect, then submit them to us as explained by Sergio above.
Post Reply