Page 7 of 8
Re: STICKY rules for CXS.XTRA regs.
Posted: 24 Apr 2014, 06:43
by dieter
Hi Sergio,
I will remember in the future. Thank you it works, found a couple of sites infected with this, all Joomla sites.
Thank you,
Dieter
Re: STICKY rules for CXS.XTRA regs.
Posted: 17 May 2014, 10:40
by azednet
Hello,
How can i block file with this script:
Code: Select all
<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Re: STICKY rules for CXS.XTRA regs.
Posted: 17 May 2014, 14:54
by Sergio
azednet wrote:Hello,
How can i block file with this script:
Code: Select all
<script type="text/javascript">
<!--
window.location = "http://"
//-->
</script>
Thank you
Please use a regular post in the forum and I will help you there, sticky is only for CXS rules that you want to share with the community.
Re: STICKY rules for CXS.XTRA regs.
Posted: 30 Jun 2014, 15:21
by kam1lo
Hi Guys, this is my first post. The following are some regs I have been using, don't know if some have been already posted:
regphp:quarantine:Pz48P3BocA0KIyMjIyMjIyMjIyMjIyMj
regphp:quarantine:FcxOCoAgEAXQq7QIrFJXtCs6i4Rad6gjzV9r
regphp:quarantine:PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp
file:quarantine:NUEVONORTE.zip
regall:quarantine:El Banco fuerte de mexico
regphp:quarantine:p1wis Unzip
regall:quarantine:Hacked by DeathAngeL01
regall:quarantine:MUS4LLAT
regall:quarantine:Hacked By Virus Attacker
regall:quarantine:TeaM Pak Cyber Experts
regphp:quarantine:Pz48P3BocCAkX0Y9X19GSUxFX187JF9YPSdQenU4UG9CMmNDQTBaNGdoWmpOM
regall:quarantine:Hacked By BL4CK C0D3
regall:quarantine:Falleg Gassrini
regall:quarantine:Fallaga\.tounes
regphp:quarantine:PD9waHAKCiR0ZXN0YSA9ICRfUE9TVFsndmVpbyddOwppZ
regphp:quarantine:cmkzFgtlkq0ZkWbOeSxlzjQNfL3bLJBATyVHaO8755
regphp:quarantine:serr gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprafr
regall:quarantine:FleZxi
regall:quarantine:leadapi\.net
regall:quarantine:www\.365online\.com\/online365\/spring\/authentication
regall:quarantine:www\.bankofireland\.com
regphp:quarantine:SteelaxXx
regphp:quarantine:Hacked By ReZK2ll Team
regphp:quarantine:9age02ptak
regphp:quarantine:vsztequlskbcu0xrxbs3voiz1t7p8pdzts82n40k32nsxlxfj09qsz5dz9plzyk45
regphp:quarantine:vfgg4s6d46g4s64bxqlmqjkshmcjbqjbslmaihwqbcqfblqbvlqjbsufuoqbjfb
regphp:quarantine:langkilleyou
file:quarantine:paypal.security.zip
regphp:quarantine:JOKER7
regphp:quarantine:ArHaCk
regphp:quarantine:wireresult2014
regphp:quarantine:Ly9OSU5mZTlBZkx0bC9IZUZVZGM3OXJnL0RZbjRVaklHU1Y
regphp:quarantine:www\.companiadab\.com\.ar
regphp:quarantine:jxbpqr2b\.php
regphp:quarantine:dt8kf6553cww8\.cloudfront\.net
regphp:quarantine:dan video ke mana saja dan membaginya dengan mudah
Best regards!
Re: STICKY rules for CXS.XTRA regs.
Posted: 21 Jul 2014, 16:43
by kam1lo
regall:quarantine:FJ3HjoNctlNfpXT9WAzIVnfdFjnnzKRSBpODVkJ
Re: STICKY rules for CXS.XTRA regs.
Posted: 14 Aug 2014, 11:50
by azednet
regall:quarantine:store\.apple\.com
regall:quarantine:apple\.com\/WebObjects
regall:quarantine:Done\.php\?cmd\=Complete\&Dispatch\=
regall:quarantine:bendiouafa@gmail\.com
regall:quarantine:
rezrozrez@gmail.com
regall:quarantine:
mizox@th3pro.com
regall:quarantine:paypal\.fr\.connect\.fr
regall:quarantine:paypal\.com\/fr\/webapps
regall:quarantine:\.lcl\.fr
regall:quarantine:Gu3ssWho
regall:quarantine:InjecT0r Mailer
regall:quarantine:bnpparibas\.net
regall:quarantine:First Bank of Nigeria
regall:quarantine:\/BNPparibas
regall:quarantine:\/bnpparibas
regall:quarantine:credit-agricole
regall:quarantine:banque-populaire
regall:quarantine:creditmutuel\.fr
regall:quarantine:www\.creditmutuel\.fr
regall:quarantine:chase\.com
regall:quarantine:edf\.com
Re: STICKY rules for CXS.XTRA regs.
Posted: 16 Feb 2016, 09:07
by masimo
I fount very useful Patterns for simple web malware detection.
http://www.abuseat.org/findbot.pl
Code: Select all
my $scriptpat = '(Edited By GuN-Jack|die\(PHP_OS.chr\(49\).chr\(48\).chr\(43\).md5\(0987654321\)|die\(PHP_OS.chr\(49\).chr\(49\).chr\(43\).md5\(0987654321\)|social\.png|r57|c99|web shell|passthru|shell_exec|base64_decode|edoced_46esab|PHPShell|EHLO|MAIL FROM|RCPT TO|fsockopen|\$random_num\.qmail|getmxrr|\$_POST\[\'emaillist\'\]|if\(isset\(\$_POST\[\'action\'\]|BAMZ|shell_style|malsite|cgishell|Defaced|defaced|Defacer|defacer|hackmode|ini_restore|ini_get\("open_basedir"\)|runkit_function|rename_function|override_function|mail.add_x_header|\@ini_get\(\'disable_functions\'\)|open_basedir|openbasedir|\@ini_get\("safe_mode"|JIKO|fpassthru|passthru|hacker|Hacker|gmail.ru|fsockopen\(\$mx|\'mxs\.mail\.ru\'|yandex.ru|UYAP-CASTOL|KEROX|BIANG|FucKFilterCheckUnicodeEncoding|FucKFilterCheckURLEncoding|FucKFilterScanPOST|FucKFilterEngine|fake mailer|Fake mailer|Mass Mailer|MasS Mailer|ALMO5EAM|3QRAB|Own3d|eval\(\@\$_GET|TrYaG|Turbo Force|eval \( gzinflate|eval \(gzinflate|cgi shell|cgitelnet|\$_FILES\[file\]|\@copy\(\$_FILES|root\@|eval\(\(base64_decode|define\(\'SA_ROOT\'|cxjcxj|PCT4BA6ODSE|if\(isset\(\$s22\)|yb dekcah|dekcah|\@md5\(\$_POST|iskorpitx|\$__C|back connect|ccteam.ru|"passthru"|"shell_exec"|CHMOD_SHELL|EXIT_KERNEL_TO_NULL|original exploit|prepare_the_exploit|RUN_ROOTSHELL|ROOTSHELL|\@popen\(\$sendmail|\'HELO localhost\'|TELNET|Telnet|BACK-CONNECT|BACKDOOR|BACK-CONNECT BACKDOOR|AnonGhost|CGI-Telnet|webr00t|Ruby Back Connect|Connect Shell|require \'socket\'|HACKED|\@posix_getgrgid\(\@filegroup|\@posix_getpwuid\(\@fileowner|\&\#222\;\&\#199\;\&\#198\;\&\#227\;\&\#229\;|open_basedir|disable_functions|brasrer64r_rdrecordre|hacked|Hacked|\$sF\[4\]\.\$sF\[5\]\.\$sF\[9\]\.\$sF\[10\]\.|\$sF\="PCT4BA6ODSE_"|\$s21\=strtolower|6ODSE_"\;|Windows-1251|\@eval\(\$_POST\[|h4cker|Kur-SaD|\'Fil\'\.\'esM\'\.\'an\'|echo PHP_OS\.|\$testa != ""|\@PHP_OS|\$_POST\[\'veio\'\]|file_put_contents\(\'1\.txt\'|\$GLOBALS\["\%x61|\\\40\\\x65\\\166\\\x61\\\154\\\x28\\\163\\\x74\\\162\\\x5f\\\162\\\x65\\\160\\\x6c\\\141\\\x63\\\145|md5decrypter\.com|rednoize\.com|hashcracking\.info|milw0rm\.com|hashcrack\.com|function_exists\(\'shell_exec\'\)|Sh3ll Upl04d3r|Sh3ll Uploader|S F N S A W|\$\{\$\{"GLOBALS"\}|\$i59\="Euc\<v\#|\$contenttype \= \$_POST\[|eval\(base64|killall|1\.sh|\/usr\/bin\/uname -a|FilesMan|unserialize\(base64_decode|eval \( base64|eval \(base64|eval\(unescape|eval\(@gzinflate|gzinflate\(base64|str_rot13\(\@base64|str_rot13\(base64|gzinflate\(\@str_rot13|\/\.\*\/e|gzuncompress\(base64|substr\(\$c, \$a, \$b|\\\x47LOB|\\\x47LO\\\x42|\\\x47L\\\x4f\\\x42|\\\x47\\\x4c\\\x4f\\\x42|eval\("\?\>"\.base64_decode|\|imsU\||\!msiU|host\=base64|exif \= exif_|"\?Q\?|decrypt\(base64|Shell by|die\(PHP_OS|shell_exec\(base64_decode|\$_F\=|edoced_46esab|\$_D\=strrev|\]\)\)\;\}\}eval|\\\x65\\\x76\\\x61\\\x6c\\\x28|"e"\."va"\."l|\$so64 \=|sqlr00t|qx\{pwd\}|OOO0000O0|OOO000O00|OOO000000|\/\\\r\\\n\\\r\\\n|\$baseurl \= base64_decode|\$remoteurl\,\'wp-login\.php\'|\'http\:\/\/\'\.\$_SERVER\[\'SERVER_NAME\'\]|kkmvbziu|\$opt\("\/292\/e"|\$file\=\@\$_COOKIE\[\'|phpinfo\(\)\;die|return base64_decode\(|\@imap_open\(|\@imap_list\(|\$Q0QQQ\=0|\$GLOBALS\[\'I111\'\]|base64_decode\(\$GLOBALS|eval\(x\(|\@array\(\(string\)stripslashes|function rx\(\)| IRC |BOT IRC|\$bot_password|this bot|Web Shell|Web shell|getenv\(\'SERVER_SOFTWARE\'\)|file_exists\(\'\/tmp\/mb_send_mail\'\)|unlink\(\'\/tmp\/|imap_open\(\'\/etc\/|ini_set\(\'allow_url|\'_de\'\.\'code\'|\'base\'\.\(32\*2\))';
How can use this list on csf.xtra?
Re:
Posted: 09 May 2019, 03:59
by POUSSETY
Sergio wrote: ↑19 Jan 2010, 03:35
Hostell wrote:this shouldn't be blocked.
If you have scripts to send emails that uses an URL on the header it has to be investigated, as it could send an URL that is not in your server.
Remember that CSX is to help you to check [URL=https://filezilla.software/]
FileZilla[/URL] [URL=https://www.ucbrowser.pro/]
UC Browser[/URL] [URL=https://downloader.vip/rufus/]
Rufus[/URL] what is being uploaded in your server, if one of your customers upload a file with this regex on it, CSX will tell you what is the code that your customer is uploading.
...unless you have a very specific and particular reason for doing so. AOL uses dynamic IPs so if an AOL user is connecting via one IP, their IP will be different the next time they connect to the internet.
Re: STICKY rules for CXS.XTRA regs.
Posted: 14 Jan 2021, 13:51
by sahostking
Here are some MD5sum fiels we added yesterday. Mostly uploaded mailer scripts trying to spam from server but a few were also wordpress hacking scripts.
The filenames were wpz-load.php, mindex.php, ROOT.php, and many weird russian filenames I can't remember.
md5sum:quarantine:0b138d902d6aea94ff386a702e196227
md5sum:quarantine:00370fe2625ddfaff69972320296b792
md5sum:quarantine:3b09023aa05a20746f0e111d1f351714
md5sum:quarantine:d155e4254360930947eaa930e7b3fe68
md5sum:quarantine:e8160c3d5cdf41b219386e0113135d84
md5sum:quarantine:8afb8c2a3c85d166a4b08154337cbe16
md5sum:quarantine:99e252c0e973269f385e6210f30361b2
md5sum:quarantine:dda85aa4e63663f952632dfdfac9f307
md5sum:quarantine:af3bb40eeb61118e5c20b434884e3aa2
md5sum:quarantine:ec67354d5987728a270b73bddc905eb5
md5sum:quarantine:84b5297945a9729b4e6f5b558ea09274
md5sum:quarantine:78de4929a4511a5152253fe3d1cbbaf1
md5sum:quarantine:459d36d4cd71da2ec02b84b6bc8858f2
md5sum:quarantine:01bfc72bad9a1dd527248007211ef6bc
md5sum:quarantine:813395e1f9f704dea3231b72611d0b2b
md5sum:quarantine:b59a54651e053cd9b9140206c044a6e1
md5sum:quarantine:230c50b9f7877639104e7a77b789fdcf
md5sum:quarantine:34cdcb358e1c8a01a2e3a45d6f265757
md5sum:quarantine:729c74190531e7d53ad23cec7c5ae537
md5sum:quarantine:0e15000002c053ffbb11dba0eb5f67ca
md5sum:quarantine:b758ce270902b240e5603ae0513f3590
Re: STICKY rules for CXS.XTRA regs.
Posted: 22 Feb 2021, 18:25
by sahostking
Noticed tons of files with kindex.php and windex.php and wikindex.php plus many more. Created a list and here are the md5sum and regex. Add and try out if you like.
# Added 22/02/2021
regall:quarantine:Pwnd By NekoBot!
md5sum:quarantine:e421e55e907fcbafe575c918214140b8
md5sum:quarantine:4355572862fbfdcb7556498c4c9c55e4
md5sum:quarantine:691f3bacc38f9278da2f5e45d980f98b
md5sum:quarantine:d2b4f7e95b4eeefbfc334892d92818e2
md5sum:quarantine:1deecd7d7050a1ad6f3b3af1be2d223c
md5sum:quarantine:55a15524d45fc633e7f8d8b588bbf99d
md5sum:quarantine:ada1a326a4882bab08578965b9b7c1dd
md5sum:quarantine:4e33b378adac268b715e959098e261e2
md5sum:quarantine:83da2a9a25ff7396920431fee93ab7ce
md5sum:quarantine:b58dd7ae1673d2494e7f0d591f8e6421
md5sum:quarantine:cce7cd9264b2c1727e182fe2de66d228
md5sum:quarantine:b13f6856bc91719af1b99a8f140779ca
md5sum:quarantine:2cbbce6d0a74a84dafb57bb4dea8d0b4
md5sum:quarantine:5e862050b652a48ca5c964c62f9e371f
md5sum:quarantine:cc1904aa390111674fb4971b3d76f5e1
md5sum:quarantine:ceabb1f560d8ecc1b632a6652ba203c1
md5sum:quarantine:89fe05a03ac989d82b94950b27c54272
md5sum:quarantine:2169c149f823d31ed957d28b3f671cc5
md5sum:quarantine:af9ee83266da8c5471eb114b4ae3d7e3
md5sum:quarantine:1d27be528a0fee2c252ccb1ec580bd0a
md5sum:quarantine:4aaca39bdf53ebb4c0aa5916cb3ba848
md5sum:quarantine:3d0dad7513d97e2b3fb0b4edbee39faa
md5sum:quarantine:0e25b641770351f7bcef8ad71a30ab8d
md5sum:quarantine:0415485af31ce4bf0392978dc0bcfad3
md5sum:quarantine:55c8026b355d4bc4652c0e170509c9a9
md5sum:quarantine:50830742c86b8d21a254cf55a9d18597
md5sum:quarantine:35c8189b34d3ea3647618d3efe224ef0
md5sum:quarantine:8948e161fd9aa2f39266110defce44f8
md5sum:quarantine:7195bcbf17bd67a352ce86214b35e32e
md5sum:quarantine:00a8d6fd55b88120e0c42592849eeaab
md5sum:quarantine:ec7006b52d9182b3be817b2829c28b42
md5sum:quarantine:b098537b08317259666d9ee7954d8c05
md5sum:quarantine:998db36ee19dff5d05264e4292627734
md5sum:quarantine:0e685630be21b28ff06d7613a92c5d3f
md5sum:quarantine:c6b812ab0d359343adfe1f986423cce5
md5sum:quarantine:b18dd3de5d013402d2aa189d216d1c80
md5sum:quarantine:c701a09f4664980126842d7d5285ac4d
md5sum:quarantine:5fcd0b6228020d5b68deac33e2253f26
md5sum:quarantine:957d5b81d1a30ceb3642fac1e80607ad
md5sum:quarantine:6692af1930477d42edfc104684cd8d05
md5sum:quarantine:64a39e496d8734c07a6549d532e42c07
md5sum:quarantine:2a2f357e442cdf0814bc7fa193a58f1f
md5sum:quarantine:8333efea806fabdf414f7d937f293336
md5sum:quarantine:8cb4398001707f3f409ce8514af50b25
md5sum:quarantine:f253e6685f667bb59114b30d397645f1
md5sum:quarantine:b2edf7f9f59e68d15c02cad32160915f
md5sum:quarantine:3cc39e64e9a3cb6581389e515b02228e
md5sum:quarantine:62d7340c3dd71bd4e933a4bcf50cc58f
md5sum:quarantine:eea4c241ba4812c4c1a23ce6cc65835d
md5sum:quarantine:9c8806c7c1505baab7b6f88581d8df1f
md5sum:quarantine:d41d8cd98f00b204e9800998ecf8427e
md5sum:quarantine:0abebe6fb265e0400e6ecc5f14e7e613
md5sum:quarantine:23f20a4c10c2611b4b0f7ca3b5b5f421
md5sum:quarantine:6357660f5f47fad43ba0fa6502a0728b
md5sum:quarantine:1a65459d3004ef2da7d4ee05e88884ec
md5sum:quarantine:06280def62563374622fbd2feea42ac8
md5sum:quarantine:6e603b842c929deb7ba17c63ca4f0fbf
md5sum:quarantine:6b3aa13d9801562a0c919054685d8759
md5sum:quarantine:99b8a1c8da76864cefd6854065f6f5b3
md5sum:quarantine:847730391e865e8424f8fe562d84a72c
md5sum:quarantine:dbe39db9a73f0da00e065c8298279d95
md5sum:quarantine:21552d4d74a4bf20570742f788a7f883
md5sum:quarantine:e913a1ebefb5bd0e7bf10320dde94412
md5sum:quarantine:4de0dd3d2a7cea2ada908c8b7c92e8e7
md5sum:quarantine:aef76f150e794a1e9c4fe7dd38d66cdc