Maran XSS Filter

Posted on 23.12.2009 by Emil

These days many spammers visit our websites trying to spam the comment pages with robots, attack the server with SQL injection or JavaScript XSS attacks, or upload files to our servers from attacker-controlled servers.

The best prevention method is to filter every REQUEST coming from outside, checking all POST and GET data sent to your website. Another thing is to check every variable used on your web pages: each should only contain characters from a limited range. For example, if you use integers for ids, that value should always be a number.
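As an added illustration of the allow-list approach described above (this is example code written for this page, not the Maran XSS Filter itself), the snippet below validates a request array against per-parameter rules: ids must be numeric, a page parameter may carry only one allowed extension, and any value that is itself a remote URL is rejected outright. The parameter names, the rules, and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not the Maran XSS Filter code. Rules and names are assumed.

// Allow-list rules per parameter. Anything not listed is rejected, not cleaned.
$rules = [
    'id'   => '/^[0-9]{1,10}$/',              // numeric ids only
    'page' => '/^[a-z0-9_-]{1,40}\.php$/',    // one page extension allowed (.php)
    'q'    => '/^[\p{L}\p{N} ._-]{0,100}$/u',   // short free text, limited punctuation
];

// True if a value looks like an attempt to pass a remote script location
// (a URL, or the "something.txt??" shape seen in attack logs).
function looksLikeRemoteInclude(string $value): bool
{
    return (bool) preg_match('#^(https?|ftp)://#i', trim($value))
        || (bool) preg_match('#\.(txt|php)\?{1,}$#i', $value);
}

// Validate one request array ($_GET or $_POST) against $rules.
// Returns a list of error strings; an empty list means the request is clean.
function validateRequest(array $input, array $rules): array
{
    $errors = [];
    foreach ($input as $name => $value) {
        if (!is_string($value)) {
            $errors[] = "$name: array values are not accepted";
            continue;
        }
        if (!isset($rules[$name])) {
            $errors[] = "$name: unknown parameter";
            continue;
        }
        if (looksLikeRemoteInclude($value)) {
            $errors[] = "$name: remote URL in parameter";
            continue;
        }
        if (!preg_match($rules[$name], $value)) {
            $errors[] = "$name: value outside allowed character range";
        }
    }
    return $errors;
}

// Constructed sample inputs, not real traffic.
$samples = [
    ['id' => '42', 'page' => 'news.php'],
    ['id' => '42 OR 1=1'],
    ['page' => 'http://example.invalid/c99.txt??'],
    ['q' => '<script>alert(1)</script>'],
];

foreach ($samples as $i => $input) {
    $errors = validateRequest($input, $rules);
    echo "sample $i: " . ($errors ? implode('; ', $errors) : 'ok') . PHP_EOL;
}
// In a real deployment: on any error, log the request and answer with 403
// before the page code touches the input.
```

The point of the allow-list is that the filter never tries to recognise every attack string; it only needs to know what legitimate values look like, so the list of bad patterns (c99, r57 and whatever comes next) does not have to be kept current.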

Most of these attackers are using a Russian script called c99.php, which is saved as a .txt file.

Download Link: maranxssfilter.zip

All the files have been moved to code.google.com Project Hosting. From now on, you can follow the changes and new versions on code.google.com.

See here examples of XSS scripts used by hackerz in the last 6 months, trying to hack our sites. If you search on Google for c99 OR r57shell you'll find a lot of results and a lot of hosts having this file hidden in some folder.

http://144.206.186.112:2666/index.html
http://201.16.248.189/manual/howto/01.txt
http://208.98.22.241/id.txt
http://208.98.22.241/id.txt???
http://212.227.74.68/catalog/fx29id.txt
http://59.120.216.117/cmd?
http://74.208.173.138:5553/index.html
http://adieloliveira.xpg.com.br/chegado.txt
http://alwaysdollar.com/portal/frameset/html/inc/elang/db.txt??
http://anthony-campbell.com/public/cfg??
http://badmintonblog.net/blog/personal/MADONGCMD.txt
http://boomboombooty.com/galleries/bendovervideo1/1.txt
http://brush.com/cmd2?
http://carina.lukas-consulting.at/tst.txt??
http://casaducaraio2.webs.com/phpbot.txt
http://chr.es.kr/02.txt
http://ciudad.latinol.com/botitos/id.txt
http://cocina.sur.es/editor/Idflp.txt?
http://controleremoto.net/htmlarea/alb.txt
http://domicorp.com/pxwcr/id1.txt?
http://educadoramg.com.br/enviador.txt
http://fotocartoes.iespana.es/envio01.txt
http://gumansin.com/id.txt??
http://hoffsons.narod.ru/index.htm?
http://indoirc.go.ro/idscan.txt
http://m4nn3r.by.ru/c99.txt
http://man.43i.net/index.htm?
http://masterpule.100webspace.net/id1.txt
http://mixcom.ru/pic/main.jpg???
http://mypregnancy.orgfree.com/index.html
http://othteam2.t35.com/idv6.txt
http://owned-nets.blogspot.com/2009/04/crim-net.html?Please_Click_on_my_google_a
http://pedrada.tempsite.ws/envio01.txt?
http://rsh.kiev.ua/images/idfx1.txt
http://sites.google.com/site/mv10mv20/Home/envio01.txt
http://uliene.gomes.sites.uol.com.br/envio01.txt
http://w7ed.by.ru/c99.txt
http://web-defence.ru/shel/%5Bc%5D/Crank.txt
http://wuweizhou.com/cmd/c99.txt
http://www.4-floor.com/css/z1
http://www.aercoppo.it//assets/snippets/reflect/fx29id1.txt
http://www.aerothaiunion.com/sik.txt
http://www.aptd.ru/files/id.txt
http://www.attic-art.de//kontakt/rox.txt
http://www.babarico.xpg.com.br/INBOX/orkut_login_arquivos/cmdscan.txt
http://www.bcefc.ca/help/Bots/Bots/enviador.txt
http://www.bcefc.ca/help/Bots/Bots/enviador.txt?
http://www.brun-sylvain.fr/idv6.txt
http://www.caleva.info/img/prodIMG/small/id.txt
http://www.comedi.org/wiki/MoinMoin/BafomuSowujod/FahijyaTokec?action=AttachFile
http://www.csjh.tpc.edu.tw/~sw/board/idbr.txt??
http://www.die-grenzreiter.com/content/download/fx29id.txt
http://www.ecobook.or.kr/ecobook/data/ecobook/1132295039/copyright.txt
http://www.educadoramg.com.br/env.txt
http://www.euro-international-shipping.com/r57.txt
http://www.evilc0der.com/c99.txt
http://www.fatemg.edu.br/portal/buggsbunny??
http://www.geocities.com/doni_they/idv6.txt???
http://www.hhdance.com//components/tirid.txt
http://www.insulco.be/Nl/Pdf/cache/p.txt
http://www.isomassage.de/web//moduls/tirid.txt
http://www.j-vision.co.kr/company/hotel/index.php/bo.do?
http://www.karnatakajesuits.net/apps/ccmail/data/readme.txt????
http://www.latinintel-tc.com/pages/fx29id.txt
http://www.laurent-camping-cars.com//administrator/components/drivid.txt
http://www.lazar.ru/manager/processors/copyright.txt
http://www.louangefm.fr//administrator/components/tirid.txt
http://www.microscopeforcomputer.net//components/com_virtuemart/smile.gif
http://www.msn-historicos.com/inbox.txt
http://www.mundotibia.com/a.txt
http://www.mykr.net/bbs/data/id/copyright.txt
http://www.nw.or.kr/bbs/icon/v6.txt
http://www.oliceo.fr/components/chi.txt??
http://www.peb.com.ua/ua/pid.txt
http://www.pierrerene.pl/env.txt
http://www.privc0de.com/c99.txt
http://www.projectsuper.ru/robots.txt??
http://www.ptp.dk/typo3/typo3conf/ext/rtehtmlarea/htmlarea/plugins/RemoveFormat/
http://www.samgler.com/minibb/dummy/id?
http://www.sancalogero.net/portal/upload/drivid.txt
http://www.superhoxt.xpg.com.br/teste.txt?
http://www.systemahacker.com/c99.txt
http://www.tokgorizont.com.ua/edit/editor/images/smiley/msn/id.txt
http://www.viparenda.ru/includes/images/alba.txt?
http://www.wizard.com.br/fx29id.txt
http://www.yak.com.pl/id1.txt
http://xexelento.freehostia.com/priv8/ids/fx29id1.txt
http://xoomer.virgilio.it/zigmacoy/inc.txt
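A list like the one above is gathered from the web server's access log: each entry is the value an attacker passed in a query parameter, pointing the vulnerable page at a script hosted elsewhere. The following script, added here as an example and not part of the original post, parses Apache combined-format log lines and reports requests whose parameters carry a remote URL. The log lines are constructed for the example, and the field layout is assumed to be the standard combined format.

```php
<?php
// Added example, not part of the original post. Log lines are constructed.

// Parse one Apache combined-format line into ip, method, path and status.
// Returns null if the line does not match the expected layout.
function parseLogLine(string $line): ?array
{
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
}

// Return "param=url" findings for every query parameter whose decoded value
// is itself a remote URL (the shape of the entries in the list above).
function findRemoteUrlParams(string $path): array
{
    $findings = [];
    $qpos = strpos($path, '?');
    if ($qpos === false) {
        return $findings;
    }
    // Split on the first '?' only; the attacker's URL may contain more of them.
    $query = substr($path, $qpos + 1);
    foreach (explode('&', $query) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $value = rawurldecode($value);
        if (preg_match('#^(https?|ftp)://#i', $value)) {
            $findings[] = $name . '=' . $value;
        }
    }
    return $findings;
}

// Constructed sample log: one normal request, two remote-include attempts.
$sampleLog = <<<'LOG'
203.0.113.7 - - [23/Dec/2009:10:01:12 +0100] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Dec/2009:10:02:40 +0100] "GET /index.php?page=http%3A%2F%2Fexample.invalid%2Fc99.txt%3F%3F HTTP/1.1" 200 233 "-" "libwww-perl/5.8"
198.51.100.9 - - [23/Dec/2009:10:02:41 +0100] "GET /gallery/?img=http://example.invalid/id.txt? HTTP/1.1" 404 210 "-" "Mozilla/4.0"
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    $entry = parseLogLine($line);
    if ($entry === null) {
        continue;
    }
    foreach (findRemoteUrlParams($entry['path']) as $hit) {
        printf("%s %s %d -> %s\n", $entry['ip'], $entry['method'], $entry['status'], $hit);
    }
}
```

Run it over a real log (`php scan.php < access.log` after swapping the heredoc for `STDIN`) and the output is the raw material for a list like the one above; a status of 200 on such a request is the line worth investigating first, since it means the page answered rather than refusing the parameter.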

I recommend including this script in your web pages to prevent attacks.

XSS attack examples.

Updates:

02.07.2009 - Check page extension (one page extension allowed). V1.01
03.06.2009 - History of XSS attacks from the last 6 months.
07.12.2008 - None. V1.0

Other resources:
http://kallahar.com/smallprojects/php_xss_filter_function.php
http://kohanaphp.nl/tutorials/xss
http://www.codewalkers.com/c/a/Miscellaneous-Code/PHP-Input-Filter/
http://www.milw0rm.com/
https://forum.antichat.ru/printthread.php?t=82668
http://www.phpclasses.org/browse/package/2189.html
http://ha.ckers.org/xss.html