ConfigServer Community Forum

Hi Jonathan,
yesterday a hacker managed to ftp to a compromised password on a customer and uploaded a few modified files that he downloaded previously.

All the files are java scripts with the extension .JS, I have checked the code and added the code to the xtra file, using REGALL but CXS is not checking the .js files and the files are not quarantined.

What is the best approach to check .js files?

This is an excerpt of the code injected on the file:
passtemp();}}} function passtemp(){document.write("<script src=

And here is the rule added in the xtra file:
regall:passtemp\(\)\}\}\} function passtemp\(\)\{document\.write\("\<script src\=

Any idea on how to add this is welcome.

Regards,

Sergio

You would have to add --deep to any scan as .js files are not server-side scripts so won't be scanned otherwise.

Thanks for the reply, but that didn't work as well.

I am running the scan from the GUI, DEEP option is selected and doesn't catch the files infected.

Then I would suggest running from the command line and add --debug to the command and see if the file is being ignored for some reason.

If you still cannot find a reason and are sure that you have the entry in your --xtra [file] correctly specified, then feel free to log a ticket with access details and full information about the file you are scanning and we'll have a look for you.