add Fingerprint for new PHP shell

Posted: 01 Apr 2015, 20:05
by seco
Hi,
Can I add a new fingerprint that is not included in the cxs scanner, so that anyone who uploads that shell will have it quarantined like the others?
Thanks in advance.

Re: add Fingerprint for new PHP shell

Posted: 04 Apr 2015, 21:50
by Sarah
You can add your own fingerprints to an "extra" file that you can configure cxs to use when scanning. See the information in the documentation for the --xtra option, as well as the information in the file /etc/cxs/cxs.xtra.example.

If you want to create a fingerprint for the file, information is in the cxs documentation under the option --MD5.

For example, if you have a file called exploit.php that you want to add to the fingerprints, do the following:

md5sum exploit.php

You'll get something like this:

28f2623f836e5376bbd81782fda1be29 exploit.php

Add the following to /etc/cxs/cxs.xtra:

md5sum:28f2623f836e5376bbd81782fda1be29

And make sure that you add this to your command line in the cxs script files that you are using for scanning (cxsftp.sh, cxscgi.sh, cxswatch.sh):

--xtra /etc/cxs/cxs.xtra

(Note: any time you modify the file cxswatch.sh, you must restart cxswatch to apply the change.)

Any file that matches this fingerprint will be treated like any other fingerprint match, so if you have configured cxs to quarantine fingerprint matches it will be quarantined.

If you want to force cxs to quarantine some other type of match in cxs.xtra, add quarantine: before the match, e.g.:

regfile:quarantine:\.pl$

Regards,
Sarah

Re: add Fingerprint for new PHP shell

Posted: 05 Apr 2015, 19:58
by seco
Your answer is really insanely awesome, like the product.
Really awesome!!
I'll try it.
Thanks in advance.

Re: add Fingerprint for new PHP shell

Posted: 05 Apr 2015, 20:16
by seco
One last question:
now, if any changes are made to the file so that it can be uploaded, is there any other effective method to identify the file?

Re: add Fingerprint for new PHP shell

Posted: 06 Apr 2015, 17:34
by Sarah
You'd probably need to construct a regular expression that will match on something that is consistent in the file even if the file changes, and use the "regall:" keyword instead of md5sum.

Re: add Fingerprint for new PHP shell

Posted: 17 Feb 2016, 12:31
by etienne009
Hi

I am having a problem adding a fingerprint. Many of the sites on the server got defaced; see this example:
http://www.desaielectrical.co.za/
I have added the md5sum result to cxs.xtra.
Now I am trying to run a manual scan on just that folder to see if the problem files get quarantined, but the results of the scan show no fingerprints found. I am using this command. Please let me know what I am doing wrong:

/usr/sbin/cxs /home/desaiele --report /root/desaiele.log --mail root --virusscan --voptions fmMhexT --quarantine /home/quarantine --qoptions Mv --xtra /etc/cxs/cxs.xtra --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRP

Re: add Fingerprint for new PHP shell

Posted: 26 Apr 2016, 14:22
by seguridad
Hi,

I have the same problem. My command is:

/usr/sbin/cxs --nobayes --clamdsock /var/clamd --defapache nobody --exploitscan --nofallback --filemax 10000 --html --options mMOefSGchxdnwZRD --qoptions Mv --quarantine /home/quarantine/ --sizemax 500000 --www --summary --sversionscan --virusscan --mail monitoreo@caracashosting.com --Wloglevel 1 --report /var/log/cxs.scan --logfile /var/log/cxs.log -I /etc/cxs/cxs.ignore -X /etc/cxs/cxs.xtra --user xxxxx

And it does not move the files whose fingerprints I added in cxs.xtra.