Posted: 07 Feb 2010, 14:21
by camelothosting
Perfect, thanks
Posted: 15 Mar 2010, 22:04
by robotronik
A method used to hide shells that I have come across.
Always worth investigating!
regall:eval\(\"\?\>\"\.gzuncompress\(base64_decode
Posted: 17 Apr 2010, 00:53
by tvcnet
Can someone create a clean list using all the tips above?
Thinking would be a good idea to build this over time with all our input.
Many thanks,
Jim
Posted: 17 Apr 2010, 22:59
by gozargah
How can I prevent users from running c99 and r57 shells?
Posted: 18 Apr 2010, 00:51
by Sergio
tvcnet wrote: Can someone create a clean list using all the tips above?
Thinking would be a good idea to build this over time with all our input.
Many thanks,
Jim
Hello tvcnet,
I will be more than glad to do it. Also, I will post a guideline on the first post on how the tips have to be submitted in order to do the job more easily.
Regards,
Sergio
Posted: 18 Apr 2010, 03:26
by tvcnet
That's a good question on r57.
We do hackrepair for clients and 90% of the time hacked web sites have r57 shell script installed. Something to specifically block that would be a good thing.
Thanks,
Jim
Posted: 18 Apr 2010, 05:23
by Sergio
tvcnet wrote: That's a good question on r57.
We do hackrepair for clients and 90% of the time hacked web sites have r57 shell script installed. Something to specifically block that would be a good thing.
Thanks,
Jim
If I could have an extract of the script, there could be something that we can add to the CXS file.
Posted: 18 Apr 2010, 08:12
by ForumAdmin
cxs already detects a large number of variants of c99 and r57 exploit scripts with multiple regexes.
Posted: 19 Apr 2010, 00:40
by tvcnet
If you are in need of a set of hack files to test CSF send me a private message.
I tried posting the link here but the Admin appears to have deleted the post.
Best Wishes,
Jim
CSX didn't catch this hack
Posted: 20 Apr 2010, 20:24
by tvcnet
How might this hack be implemented into xtra please?
I ran another scanning program and the result was:
What it searched:
/<script.+?src\s*=\s*['\"]?(ht|f)tp.+?>(.*?<\/script>)?/
What it found on a page:
[removed by Moderator]
Ideas on how to write that?
Thanks,
Jim
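An added example, not part of any post in this thread and not ConfigServer's code: a small Python harness for trying candidate signatures against known-clean and known-bad content before they go into an xtra file. It uses the `regall:` line from robotronik's post and the script-include pattern quoted in the post above. It assumes the text after `regall:` is a regex matched against file content, that Python's `re` treats these two patterns the same way the scanner does, and all sample files are constructed placeholders.

```python
import re

# Candidate signatures in the "regall:<regex>" form shown in the thread.
# Assumption: everything after the prefix is a regex applied to file content.
CANDIDATES = [
    r'regall:eval\(\"\?\>\"\.gzuncompress\(base64_decode',
    r"regall:<script.+?src\s*=\s*['\"]?(ht|f)tp.+?>(.*?<\/script>)?",
]

# Constructed samples (not from any real site); the payload is a placeholder.
SAMPLES = {
    "packed.php": '<?php eval("?>".gzuncompress(base64_decode("PLACEHOLDER"))); ?>',
    "clean.php": '<?php echo base64_decode($row["avatar"]); ?>',
    "remote_js.html": '<script type="text/javascript" '
                      'src="http://cdn.example.com/lib.js"></script>',
    "local_js.html": '<script src="/js/site.js"></script>',
}

def load_signatures(lines):
    """Compile each regall: line; collect malformed entries instead of crashing."""
    compiled, errors = [], []
    for n, line in enumerate(lines, 1):
        kind, sep, pattern = line.strip().partition(":")
        if kind != "regall" or not sep or not pattern:
            errors.append((n, "not a regall:<regex> line"))
            continue
        try:
            compiled.append((n, re.compile(pattern)))
        except re.error as exc:
            errors.append((n, f"bad regex: {exc}"))
    return compiled, errors

def scan(samples, compiled):
    """Return {sample name: [line numbers of the signatures that matched]}."""
    return {name: [n for n, rx in compiled if rx.search(text)]
            for name, text in samples.items()}

if __name__ == "__main__":
    sigs, errs = load_signatures(CANDIDATES)
    for name, hits in scan(SAMPLES, sigs).items():
        print(f"{name:16} matched signatures: {hits or 'none'}")
    for n, msg in errs:
        print(f"signature line {n} rejected: {msg}")
```

The second pattern matches every remote script include, legitimate CDN references among them, so run any such signature over clean site content first to see how many false positives it produces.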