Page 5 of 8

Re: STICKY rules for CXS.XTRA regs.

Posted: 20 Dec 2010, 06:19
by Sergio
OsCommerce is still getting hot, lot of hackers are trying to inject malicious code via "/admin/categories.php", now they are trying to inject R57SHELL scripts and CXS is blocking them.

My recommendation is to have CXS up to date, today we have ver 4.53.

Regards,

Sergio

New Rule added to sticky.

Posted: 27 Dec 2010, 23:55
by Sergio
Morfeus (bad bot) is trying to find a file that is used to hack a server, the name of the file: soapCaller.bs

I have added this rule to the sticky.

Regards,

Sergio

Re: STICKY rules for CXS.XTRA regs.

Posted: 07 Jan 2011, 06:29
by adnan
Hello ,

My scanner stop when I use your extra rules :

Code: Select all

Scanning /home/dfhcoi:
Trailing \ in regex m/facebook\.com\/crazytaxi\/ at /usr/sbin/cxs line 232. 
Any Idea ?

Re: STICKY rules for CXS.XTRA regs.

Posted: 07 Jan 2011, 06:50
by Sergio
Thanks for pointing this out, I left a "/" at the end of that line, please delete it.

That rule has to be set as:
regall:facebook\.com\/crazytaxi

Re: STICKY rules for CXS.XTRA regs.

Posted: 07 Jan 2011, 07:16
by adnan
Also this rule has problem too :
Trailing \ in regex m/\/r57\.gen\.tr\/ at /usr/sbin/cxs line 232.

Thank you

Re: STICKY rules for CXS.XTRA regs.

Posted: 07 Jan 2011, 13:40
by Sergio
Also, the last "/" is giving you a regex problem, it is ok to delete that character as well. It is weird but in my server I have that lines and they work, any way, it could be deleted.

Change that rule and set it as:
regex m/\/r57\.gen\.tr
Sergio

Re: STICKY rules for CXS.XTRA regs.

Posted: 08 Mar 2011, 19:09
by Sergio
Another set of rules for CSF.XTRA
regall:dailymotion\.com
regall:i54\.tinypic\.com\/w83o6t\.jpg
regall:i52\.tinypic\.com\/311ukqb\.jpg
regall:sibersavunma\.com
Sergio

Re: STICKY rules for CXS.XTRA regs.

Posted: 26 Aug 2011, 15:22
by Sergio
After checking a lot of files that tried to exploit my server, I found that most of them tried to use the hash "63a9f0ea7bb98050796b649e85481845", so, I have added a new regall to the sticky:

Code: Select all

regall:63a9f0ea7bb98050796b649e85481845
this is the hash code for "root" any file that is uploaded to the server with this in it has to be quarantined.

Sergio

Re: STICKY rules for CXS.XTRA regs.

Posted: 15 Oct 2011, 21:34
by caisc
Sergio Thanks for all those rules,

can you plz explain me a bit that what does this rule do -
regall:mail\.Ru:94\.100\.176\.20

Actually there is a forum site on our server and everyday several email ids like xxxxxxxx@mail.ru register on that forum, their registration mails get queued up in the mail queue manager and i have to delete them everyday. Seems like those mail ids are fake OR they are just registering on the forum just to spam.

if you can explain to me that what does this rule do - regall:mail\.Ru:94\.100\.176\.20, it might help me.

Thanks

Re: STICKY rules for CXS.XTRA regs.

Posted: 16 Oct 2011, 04:23
by Sergio
That rule will search on all the files that are uploaded to the server that there is no line that contains that phrase, if the phrase exist, then the file is quarantined by CXS.

This is not what you want to use, there is a better approach using MODSECURITY, unfortunately there is no support for MODSECURITY rules here in this forums, but you can write in my thread at CPanel and I will help you there, http://forums.cpanel.net/f185/modsecuri ... 47745.html

Sergio