STICKY rules for CXS.XTRA regs.
Re: STICKY rules for CXS.XTRA regs.
osCommerce is still getting hot; a lot of hackers are trying to inject malicious code via "/admin/categories.php". Now they are trying to inject R57SHELL scripts and CXS is blocking them.
My recommendation is to have CXS up to date; today we have ver 4.53.
Regards,
Sergio
New Rule added to sticky.
Morfeus (a bad bot) is trying to find a file that is used to hack a server; the name of the file is soapCaller.bs
I have added this rule to the sticky.
Regards,
Sergio
Re: STICKY rules for CXS.XTRA regs.
Hello,
My scanner stops when I use your extra rules:
Any idea?
Scanning /home/dfhcoi:
Trailing \ in regex m/facebook\.com\/crazytaxi\/ at /usr/sbin/cxs line 232.
Re: STICKY rules for CXS.XTRA regs.
Thanks for pointing this out, I left a "/" at the end of that line, please delete it.
That rule has to be set as:
regall:facebook\.com\/crazytaxi
Re: STICKY rules for CXS.XTRA regs.
Also, this rule has a problem too:
Trailing \ in regex m/\/r57\.gen\.tr\/ at /usr/sbin/cxs line 232.
Thank you
Re: STICKY rules for CXS.XTRA regs.
Also, the last "/" is giving you a regex problem; it is OK to delete that character as well. It is weird, but on my server I have those lines and they work; anyway, it could be deleted.
Change that rule and set it as:
regex m/\/r57\.gen\.tr
Sergio
Re: STICKY rules for CXS.XTRA regs.
Another set of rules for CSF.XTRA
regall:dailymotion\.com
regall:i54\.tinypic\.com\/w83o6t\.jpg
regall:i52\.tinypic\.com\/311ukqb\.jpg
regall:sibersavunma\.com
Sergio
Re: STICKY rules for CXS.XTRA regs.
After checking a lot of files that tried to exploit my server, I found that most of them tried to use the hash "63a9f0ea7bb98050796b649e85481845", so I have added a new regall to the sticky:
regall:63a9f0ea7bb98050796b649e85481845
This is the hash code for "root"; any file that is uploaded to the server with this in it has to be quarantined.
Sergio
Re: STICKY rules for CXS.XTRA regs.
Sergio, thanks for all those rules.
Can you please explain to me a bit what this rule does:
regall:mail\.Ru:94\.100\.176\.20
Actually there is a forum site on our server and every day several email IDs like xxxxxxxx@mail.ru register on that forum; their registration mails get queued up in the mail queue manager and I have to delete them every day. It seems like those mail IDs are fake, or they are registering on the forum just to spam.
If you can explain to me what this rule does - regall:mail\.Ru:94\.100\.176\.20 - it might help me.
Thanks
Re: STICKY rules for CXS.XTRA regs.
That rule will search all the files that are uploaded to the server to check that there is no line that contains that phrase; if the phrase exists, then the file is quarantined by CXS.
This is not what you want to use; there is a better approach using MODSECURITY. Unfortunately there is no support for MODSECURITY rules here in these forums, but you can write in my thread at cPanel and I will help you there: http://forums.cpanel.net/f185/modsecuri ... 47745.html
Sergio
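Added example (not part of any post in this thread, and not CXS code): a pre-flight check for a cxs.xtra file that flags the rule shape that aborted the scan above, a pattern ending in `\/`, and then shows which of the remaining rules would match a constructed upload. It assumes one `regall:` rule per line as posted here, and it uses Python's `re` as a stand-in for the Perl regex engine that cxs runs on.

```python
import re

# Constructed sample of a cxs.xtra file: the two rules that stopped the scanner
# in this thread (still ending in "\/"), plus two rules posted as working.
SAMPLE_RULES = "\n".join([
    r"regall:facebook\.com\/crazytaxi\/",
    r"regall:\/r57\.gen\.tr\/",
    r"regall:sibersavunma\.com",
    r"regall:63a9f0ea7bb98050796b649e85481845",
])

# Constructed upload content carrying the hash string from the thread.
SAMPLE_UPLOAD = '<?php $pass = "63a9f0ea7bb98050796b649e85481845"; ?>'


def parse_rules(text):
    """Yield (line_no, pattern) for every 'regall:' line; other lines are skipped."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("regall:"):
            yield line_no, line[len("regall:"):]


def lint_rules(text):
    """Return (line_no, pattern, problem) for rules likely to stop the scanner."""
    problems = []
    for line_no, pattern in parse_rules(text):
        if pattern.endswith("\\/"):
            # The shape behind the "Trailing \ in regex" abort reported above.
            problems.append((line_no, pattern, "ends in escaped '/'"))
            continue
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append((line_no, pattern, "does not compile: %s" % exc))
    return problems


def matching_rules(text, content):
    """Return the patterns of lint-clean rules that match anywhere in content."""
    bad = {line_no for line_no, _, _ in lint_rules(text)}
    return [p for n, p in parse_rules(text) if n not in bad and re.search(p, content)]


if __name__ == "__main__":
    for line_no, pattern, problem in lint_rules(SAMPLE_RULES):
        print("line %d: %s (%s)" % (line_no, pattern, problem))
    print("rules matching the sample upload:", matching_rules(SAMPLE_RULES, SAMPLE_UPLOAD))
```

Running the lint on a copy of the rules file before putting it live lets a bad pattern be fixed without the scanner stopping partway through the accounts.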