STICKY rules for CXS.XTRA regs.

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

STICKY rules for CXS.XTRA regs.

Post by Sergio »

List of useful CXS regs commands, use it at your own risk.

If you see one that doesn't fit in your box, feel free to delete it before installing them in your CXS.XTRA file.

IMPORTANT:
Every time you include a new rule in your cxs.xtra file, run a scan on one (not all) account, so you can check if the rules are working.

file:proxy.idx
file:proxy.txt
file:replyto.tmp
file:soapCaller.bs
file:WPd0s.sh.txt
regall:\.50webs\.com
regall:\.akamai\.net
regall:\.cn:8080
regall:\.ru:8080
regall:\/ccteam\.ru
regall:\/r57\.gen\.tr
regall:aol\.com:205\.188\.109\.56
regall:bankofamerica\.com
regall:c999shvars
regall:ccteam\.ru
regall:dailymotion\.com
regall:sibersavunma\.com
regall:dm\.cgi
regall:facebook\.com\/crazytaxi
regall:fileorkut="http
regall:Hi, \[random min=1 max=1 lang=lat case=uc\]\[random min=4 max=8 lang=lat case=lc\]
regall:http:\/\/ruoo\.info
regall:hxftp_time_detection\.htm
regall:Hxxtozn1erii
regall:i52\.tinypic\.com\/311ukqb\.jpg
regall:i54\.tinypic\.com\/w83o6t\.jpg
regall:iframe src="http:\/\/dianagar\.cz\.cc
regall:jL\.chura\.pl
regall:Kernel attack (Krad\.c) PT2
regall:mail\.Ru:94\.100\.176\.20
regall:MAILBASE=\.\/upload\/m\.txt
regall:r57shell
regall:script type="text\/javascript" src="\(ht\|f\)tp.
regall:test@test\.aol
regall:void\.ru
regall:wellsfargo\.com
regall:windows-guru\.com
regall:yahoo\.Com:68\.142\.202\.247
regall:youngsexyparties\.com
regphp:'echo "`uname -a`";echo "`id`";\/bin\/sh'
regphp:\$mrd = trim\(file_get_contents\("m"\)\);
regphp:elseif\(function_exists\("shell_exec"
regphp:eval\("\?>"\.gzuncompress\(base64_decode
regphp:header\("Location: http
regphp:shellcode
# EVAL CODES:
regphp:%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F
regphp:ec371748dc2da624b35a4f8f685dd122
regphp:FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1ClVJ3Z
regphp:JGNvZGVsb2NrX2NvZGU9I1B6NDhQM0JvY0EwS2NtVnhkV2x5W1Nn
regphp:R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs
regall:\/\/img[a-z][a-z][a-z]\.net\/t\.php
regall:63a9f0ea7bb98050796b649e85481845
regphp:Use this function to check in witch domain zones user comes
regall:function check\_wordpress
regall:array\(52\,123\,107\,122\,97\,120\,124\,40\,123\,122\,107\,54\,108\,103\,107\,125\,101\,109\,102\,124\,38\,107\,103

# NEW REGALL AS 2013-05-28 by PeterElsner
regall:quarantine:\$_POST\[\(chr\(112\)\.chr\(49\)\)

# NEW REGALLs AS 2014-01-27 by qchost
regall:quarantine:second stage dropper
regall:quarantine:killall -9
Do you have a RegEX that you want to share?
Open a new post and set the subject "NEW RegEX rule" and fill the post with your RegEX, if you have more than one, write all of them in your post.

Enjoy.
Last edited by Sergio on 27 Jan 2014, 13:24, edited 19 times in total.
Hostell
Junior Member
Posts: 14
Joined: 26 Jun 2008, 14:05

Post by Hostell »

regall:header\("Location: http
this shouldn't be blocked.
AgileHosting
Junior Member
Posts: 5
Joined: 31 Oct 2008, 19:56

Post by AgileHosting »

Nor should things like this:

Code: Select all

regall:aol.com:205.188.109.56
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Post by Sergio »

AgileHosting wrote:Nor should things like this:

Code: Select all

regall:aol.com:205.188.109.56
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.
Well, all this definitions are to check a file that contains that characters in it, not to block any AOL IP.

There is an exploit that sends spam, the name of the file is DA.CGI, this script calls a lot of other files and inside this files you find this AOL Address. So, if you have in your server a file that contains this expresion, it has to be investigated, then you decide to delete or not.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Post by Sergio »

Hostell wrote:this shouldn't be blocked.
If you have scripts to send emails that uses an URL on the header it has to be investigated, as it could send an URL that is not in your server.

Remember that CSX is to help you to check what is being uploaded in your server, if one of your customers upload a file with this regex on it, CSX will tell you what is the code that your customer is uploading.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Sergio, you have to escape your regex's correctly otherwise you will get a lot of false-positives, or they won't work. In particular you need to escape dots and brackets, e.g.:

regall:\.ru\:8080
regall:MAILBASE=\./upload/m\.txt
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Post by Sergio »

chirpy wrote:Sergio, you have to escape your regex's correctly otherwise you will get a lot of false-positives, or they won't work. In particular you need to escape dots and brackets, e.g.:

regall:\.ru\:8080
regall:MAILBASE=\./upload/m\.txt
Thanks Chirpy, I will do that.
Ahmed00
Junior Member
Posts: 8
Joined: 26 Jun 2008, 15:58

Post by Ahmed00 »

Thanks Sergio i will try it

that could be used in the CSF.XTRA file
you mean cxs.xtra
:)
camelothosting
Junior Member
Posts: 23
Joined: 12 Aug 2008, 15:34

Post by camelothosting »

What would be the bestway to add this to the extras file


we need to have the following scanned for

$mrd = trim(file_get_contents("m"));
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

camelothosting wrote:$mrd = trim(file_get_contents("m"));
regphp:\$mrd = trim\(file_get_contents\(\"m\"\)\)\;
Post Reply