Hi
Can I add a new fingerprint that is not included in the cxs scanner, so that when anyone uploads that shell it will be quarantined like the others?
Thanks in advance.
add Fingerprint for new PHP shell
Re: add Fingerprint for new PHP shell
You can add your own fingerprints to an "extra" file that you can configure cxs to use when scanning. See the information in the documentation for the --xtra option, as well as the information in the file /etc/cxs/cxs.xtra.example.
If you want to create a fingerprint for the file, information is in the cxs documentation under the option --MD5.
For example, if you have a file called exploit.php that you want to add to the fingerprints, do the following:
    md5sum exploit.php
You'll get something like this:
    28f2623f836e5376bbd81782fda1be29 exploit.php
Add the following to /etc/cxs/cxs.xtra:
    md5sum:28f2623f836e5376bbd81782fda1be29
And make sure that you add this to your command line in the cxs script files that you are using for scanning (cxsftp.sh, cxscgi.sh, cxswatch.sh):
    --xtra /etc/cxs/cxs.xtra
(Note: anytime you modify the file cxswatch.sh, you must restart cxswatch to apply the change.)
Any file that matches this fingerprint will be treated like any other fingerprint match, so if you have configured cxs to quarantine fingerprint matches it will be quarantined.
If you want to force cxs to quarantine some other type of match in cxs.xtra, add quarantine: before the match, i.e.:
    regfile:quarantine:\.pl$
Regards,
Sarah
Re: add Fingerprint for new PHP shell
Your answer is really insanely awesome, like the product.
Really awesome!!
I'll try it.
Thanks in advance.
Re: add Fingerprint for new PHP shell
One last question:
Now, if any changes are made to the file so that it can be uploaded, is there any other effective method to identify the file?
Re: add Fingerprint for new PHP shell
You'd probably need to construct a regular expression that will match on something that is consistent in the file even if the file changes, and use the "regall:" keyword instead of md5sum.
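The difference between an md5sum entry and a content regex can be checked on sample files before anything goes into cxs.xtra. The script below is an added example, not part of the thread and not cxs code: the sample files, the `ExampleShell` marker and the pattern are constructed, and `grep -E` stands in for the scanner's own regex matching.

```shell
#!/usr/bin/env bash
# Added example. All file contents below are constructed, harmless samples.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Two variants of the "same" file (one edited) and one unrelated file.
printf '<?php /* ExampleShell panel build 1 */ echo "a"; ?>\n' > "$workdir/variant1.php"
printf '<?php /* ExampleShell panel build 2 */ echo "b"; /* pad */ ?>\n' > "$workdir/variant2.php"
printf '<?php echo "hello world"; ?>\n' > "$workdir/benign.php"

# Hypothetical candidate pattern: text that stays constant across variants.
pattern='ExampleShell panel build [0-9]+'

# md5_of FILE: print the hex digest only, the value used after "md5sum:".
md5_of() { md5sum "$1" | cut -d' ' -f1; }

# count_md5_hits DIGEST FILE...: number of files whose digest equals DIGEST.
count_md5_hits() {
    local digest=$1 n=0 f; shift
    for f in "$@"; do
        if [ "$(md5_of "$f")" = "$digest" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# count_regex_hits PATTERN FILE...: number of files whose content matches.
# grep -E is an assumption standing in for the scanner's regex engine, so keep
# the pattern to basic syntax and confirm the result with a real cxs scan.
count_regex_hits() {
    local pat=$1 n=0 f; shift
    for f in "$@"; do
        if grep -Eq -- "$pat" "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# The digest of variant1 catches only variant1; the pattern catches both
# variants and must leave the unrelated file alone.
known=$(md5_of "$workdir/variant1.php")
echo "md5 hits:   $(count_md5_hits "$known" "$workdir"/*.php) of 3"
echo "regex hits: $(count_regex_hits "$pattern" "$workdir"/*.php) of 3"
```

Running the same counts against a directory of known-good site files shows how many false positives a pattern would cause before it is allowed to quarantine anything.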
Re: add Fingerprint for new PHP shell
Hi
I am having a problem adding a Fingerprint. Many of the sites on the server got defaced, see example:
http://www.desaielectrical.co.za/
I have added the md5sum result to cxs.xtra
Now I am trying to run a manual scan just on that folder to see if the problem files get quarantined, but the results of the scan show no fingerprints found. I am using this command. Please let me know what I am doing wrong:
    /usr/sbin/cxs /home/desaiele --report /root/desaiele.log --mail root --virusscan --voptions fmMhexT --quarantine /home/quarantine --qoptions Mv --xtra /etc/cxs/cxs.xtra --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRP
Re: add Fingerprint for new PHP shell
Hi,
I have the same problem. My command is:
/usr/sbin/cxs --nobayes --clamdsock /var/clamd --defapache nobody --exploitscan --nofallback --filemax 10000 --html --options mMOefSGchxdnwZRD --qoptions Mv --quarantine /home/quarantine/ --sizemax 500000 --www --summary --sversionscan --virusscan --mail monitoreo@caracashosting.com --Wloglevel 1 --report /var/log/cxs.scan --logfile /var/log/cxs.log -I /etc/cxs/cxs.ignore -X /etc/cxs/cxs.xtra --user xxxxx
And it does not move the files whose fingerprints I added in cxs.xtra.