
Thread: PCI Perl.exe

  1. #1
    Join Date
    Sep 2010
    Posts
    325

    PCI Perl.exe

    I was told the below by SecurityMetrics, that this must be resolved. However, there is no cgi-bin or perl file in that path.

    > When we perform the following
    > http://www.domain.com/cgi-bin/perl in
    > the URL it pulls a 500 internal server
    > error. Please direct this to a 404 not
    > found alone; otherwise, the
    > vulnerability appears valid.
    >
    > Perl.exe When we perform the following
    > http://www.domain.com/cgi-bin/perl.exe
    > in the URL it pulls a 500 internal
    > server error. Please direct this to a
    > 404 not found alone; otherwise, the
    > vulnerability appears valid.

    They also said:

    > We do understand that it may not exist
    > but please have your site show that.
    > An internal server error does not
    > prove that the file doesn't exist. A
    > 404 not found does.

    How can I do that? I'm using PHP 5.2.9 / Apache 2.2 / CentOS 4.8


    I did check the logs and see this:

    Code:
    ModSecurity: Access denied with code 500 (phase 2). Pattern match "perl" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "368"] [hostname "www.mydomain.com"] [uri "/cgi-bin/perl"] [unique_id "TXomXZPKQgIAAHSLIZAAAAAM"]
    My modsec rules are:


    Code:
    # http://www.gotroot.com/mod_security+rules
    # Gotroot.com ModSecurity rules
    # Application Security Rules for modsec 2.x
    #
    # Version: N-20061022-01
    #
    # Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rules.conf
    #
    # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
    # Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
    # Redistribution is strictly prohibited in any form, including whole or in part.
    #
    # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS 
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
    # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
    # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
    # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
    # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
    # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
    # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
    # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
    # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 
    # THE POSSIBILITY OF SUCH DAMAGE.
    
    #--------------------------------
    # notes
    #--------------------------------
    # Rules work with modsecurity 2.0 and above only
    
    #--------------------------------
    #start rules
    #--------------------------------
    
    #Configure for your site
    SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
    
    #Generic rule for allowed characters, very broken at the moment, don't use it unless you can fix it
    #Then post your fix eh!
    #SecRule REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"
    
    
    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecRule HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
    
    #deny TRACE method
    SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
    
    #XSS insertion into headers
    SecRule REQUEST_HEADERS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"
    
    
    #Don't accept chunked encodings
    #modsecurity can not look at these, so this is a hole
    #that can bypass your rules, the rule before this one
    #should cover this, but hey paranoia is cheap
    SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
    
    #Code injection via content length
    SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
    
    ##generic recursion signatures
    SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
    SecRule REQUEST_URI "\.\./\.\./"
    #generic path recursion sig
    
    
    #generic recursion signatures
    SecRule REQUEST_URI "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"
    
    #generic bogus path sigs
    SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
    
    #Generic PHP exploit signatures
    SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
    
    #Generic PHP exploit signatures
    SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
    
    #slightly tighter rules with narrower focus
    SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
    
    #generic XSS PHP attack types
    SecRule REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
    SecRule REQUEST_BODY|REQUEST_URI  "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"
    
    
    #Prevent SQL injection in cookies
    SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
    
    #Prevent command injection through cookies
    SecRule REQUEST_COOKIES "\; cmd="
    
    #Prevent SQL injection in UA
    SecRule HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
    
    # Generic filter to prevent SQL injection attacks
    # Understand that all SQL filters are very limited and it is very difficult
    # to prevent false positives and negatives.
    # Please report false positives/negatives to [email protected]
    SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
    SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
    
    #Generic SQL sigs
    SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
    
    #Generic SQL sigs
    SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
    
    #Generic SQL sigs
    SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
    SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" 
    
    #Meta character SQL injection
    SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)"  "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"
    
    #Generic command line attack filter
    SecRule REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
    SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"
    
    #Generic PHP bad functions protection
    #PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
    SecRule ARGS compress\.zlib:
    
    #Generic XSS filter
    #please report false positives
    SecRule REQUEST_URI "!/mt\.cgi" chain
    SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
    
    #XSS in referrer and UA headers
    SecRule HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
    
    #PHP Injection Attack generic signature
    SecRule REQUEST_URI  "\.php" chain
    SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
    
    #PHP Injection Attack generic signature
    SecRule REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
    
    #Generic PHP remote file inclusion attack signature
    SecRule REQUEST_URI "\.php\?" chain
    SecRule REQUEST_URI "(http|https|ftp)\:/" chain
    SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    
    #Generic PHP remote file inclusion attack signature with command
    SecRule REQUEST_URI "\.php\?" chain
    SecRule REQUEST_URI "(http|https|ftp)\:/" chain
    SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    
    #Generic PHP body attack
    SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
    SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    
    #Generic PHP remote file injection
    SecRule REQUEST_URI "!(/do_command)" chain
    SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
    
    #script, perl, etc. code in HTTP_Referer string
    SecRule HTTP_Referer "\#\!.*/"
    
    #generic command line attack
    SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"
    
    #remote file inclusion generic attack signature
    SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
    SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
    
    #remote file inclusion generic attack signature
    SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
    SecRule ARGS "\?\&(cmd|inc|name)="
    
    #remote file inclusion generic attack signature
    SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
    
    #remote file inclusion generic attack signature
    SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
    
    SecRule REQUEST_URI  "store\.php\?site_isp_root="
    
    SecRule REQUEST_URI  "baseDir=http"
    
    #Bogus file extensions generic signature
    SecRule REQUEST_URI  "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
    
    #PHP remote path attack generic signature
    SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
    SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"
    
    #generic attack sig
    SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
    
    # WEB-ATTACKS uname -a command attempt
    SecRule REQUEST_URI "uname" chain
    SecRule REQUEST_URI "\x20-a" 
    
    #Generic argument protection rule against bad meta characters
    #SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
    
    #generic php attack sigs
    SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
    
    # WEB-ATTACKS xterm command attempt
    SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
    
    # WEB-ATTACKS /etc/shadow access
    SecRule REQUEST_URI "/etc/shadow"
    
    # WEB-ATTACKS /bin/ps command attempt
    SecRule REQUEST_URI "/bin/ps"
    
    # WEB-ATTACKS /usr/bin/id command attempt
    SecRule REQUEST_URI  "/usr/bin/id" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS echo command attempt
    SecRule REQUEST_URI  "/bin/echo" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS kill command attempt
    SecRule REQUEST_URI  "/bin/kill" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS chmod command attempt
    SecRule REQUEST_URI  "/bin/chmod" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS chsh command attempt
    SecRule REQUEST_URI   "/usr/bin/chsh"
    
    # WEB-ATTACKS gcc command attempt
    SecRule REQUEST_URI  "gcc" chain
    SecRule REQUEST_URI "\x20-o"
    
    # WEB-ATTACKS /usr/bin/cc command attempt
    SecRule REQUEST_URI  "/usr/bin/cc" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /usr/bin/cpp command attempt
    SecRule REQUEST_URI  "/usr/bin/cpp" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /usr/bin/g++ command attempt
    SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS g++ command attempt
    SecRule REQUEST_URI  "g\+\+\x20" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS bin/python access attempt
    SecRule REQUEST_URI  "bin/python" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS python access attempt
    #SecRule "python\x20"
    
    # WEB-ATTACKS bin/tclsh execution attempt
    SecRule REQUEST_URI "bin/tclsh"
    
    # WEB-ATTACKS tclsh execution attempt
    SecRule REQUEST_URI "tclsh8\x20"
    
    # WEB-ATTACKS bin/nasm command attempt
    SecRule REQUEST_URI "bin/nasm"
    
    # WEB-ATTACKS nasm command attempt
    SecRule REQUEST_URI "nasm\x20"
    
    # WEB-ATTACKS /usr/bin/perl execution attempt
    SecRule REQUEST_URI "/usr/bin/perl"
    
    # WEB-ATTACKS traceroute command attempt
    SecRule REQUEST_URI  "traceroute" chain
    SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
    
    # WEB-ATTACKS ping command attempt
    SecRule REQUEST_URI  "/bin/ping" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS X application to remote host attempt
    SecRule REQUEST_URI "\x20-display\x20"
    
    # WEB-ATTACKS mail command attempt
    SecRule REQUEST_URI  "/bin/mail" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /bin/ls command attempt
    SecRule REQUEST_URI "/bin/ls" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /etc/inetd.conf access
    SecRule REQUEST_URI  "/etc/inetd\.conf"
    
    # WEB-ATTACKS /etc/motd access
    SecRule REQUEST_URI  "/etc/motd"
    # WEB-ATTACKS conf/httpd.conf attempt
    SecRule REQUEST_URI  "conf/httpd\.conf"
    
    # WEB-MISC .htpasswd access
    SecRule REQUEST_URI  "\.htpasswd" 
    
    # WEB-MISC /etc/passwd access
    SecRule REQUEST_URI  "/etc/passwd" 
    
    # WEB-MISC nessus 1.X 404 probe
    SecRule REQUEST_URI "/nessus_is_probing_you_" 
    
    # WEB-MISC nessus 2.x 404 probe
    SecRule REQUEST_URI "/NessusTest" 
    
    # WEB-MISC ls%20-l
    SecRule REQUEST_URI  "ls" chain
    SecRule REQUEST_URI "\x20-l" 
    
    # WEB-MISC apache directory disclosure attempt
    SecRule REQUEST_URI "////////" 
    
    #musicat empower attempt
    SecRule REQUEST_URI "/empower\?DB="
    
    # WEB-MISC *%0a.pl access
    SecRule REQUEST_URI "/*\x0a\.pl" 
    
    #PHPBB worm sigs
    SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
    SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
    
    #PHP defenses
    SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" 
    
    #PHP defenses
    SecRule ARGS "^(globals($|\[)|php:/)"
    
    #PHP defenses
    SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"
    
    #PHP defenses
    SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"
    
    # Web-attacks chdir
    SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
    
    # TIKIWIKI
    SecRule REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"
    
    #SMTP redirects
    SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25 
    
    #These are VERY experimental, please report false positives/negatives, etc.
    #very experimental generic remote download sig
    #foo IP or FQDN, or foo http/https/ftp://whatever
    SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
    
    #Command inline detection
    SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
    
    #very experimental connect command sig
    SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
    
    #Commands, also need a major rework, these also have issues
    SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
    #SecRule REQUEST_URI "echo\x20" 
    SecRule REQUEST_URI "links -dump "
    SecRule REQUEST_URI "links -dump-(charset|width) "
    SecRule REQUEST_URI "links (http|https|ftp)\:/"
    SecRule REQUEST_URI "links -source "
    #SecRule REQUEST_URI "mkdir\x20" 
    SecRule REQUEST_URI "perl" 
    SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" 
    
    SecRule REQUEST_URI "cd \.\." 
    SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" 
    
    #generic block for fwrite fopen uploads
    SecRule REQUEST_URI "fwrite" chain
    SecRule REQUEST_URI "fopen" 
    
    #generic sig for more bad PHP functions
    SecRule REQUEST_URI "chr\(([0-9]{1,3})\)"
    SecRule ARGS_NAMES "^php:/"
    
    # WEB-MISC Tomcat view source attempt
    SecRule REQUEST_URI "\x252ejsp"
    
    # WEB-MISC whisker HEAD/./
    #SecRule "HEAD/./"
    
    # WEB-FRONTPAGE .... request
    SecRule REQUEST_URI "\.\.\.\./"
    
    #experimental CSS rule
    #SecRule REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"
    
    #Generic attack rules pcre format
    #cross site scripting attempt IMG onerror or onload
    SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*="
    
    #cross site scripting attempt TYPE + JAVASCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript"
    
    #cross site scripting attempt STYLE + JAVASCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript"
    
    #cross site scripting attempt STYLE + JSCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript"
    
    # cross site scripting attempt STYLE + VBSCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript"
    
    #cross site scripting attempt STYLE + VBSCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript"
    
    #cross site scripting attempt STYLE + ECMASCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript"
    
    # cross site scripting attempt STYLE + EXPRESSION
    SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\("
    
    #cross site scripting attempt STYLE + EXPRESSION
    SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"
    
    # cross site scripting attempt using XML
    SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
    
    #cross site scripting attempt executing hidden Javascript
    SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"
    
    #cross site scripting attempt executing hidden Javascript
    SecRule REQUEST_URI "window\.execScript[\s]*\("
    
    #cross site scripting attempt to execute Javascript code
    SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"
    
    #cross site scripting stealth attempt to execute Javascript code
    #may false alarm for some language sets
    SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
    SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
    
    #Apache /server-info accessible
    SecRule REQUEST_URI   "/server-info" chain
    SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
    
    #Apache /server-status accessible
    #Modified so apache-protect can run
    SecRule REQUEST_URI "^/server-status/$" chain
    SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
    
    #generic Common HTTP vulnerability
    SecRule REQUEST_URI "/\?cwd=/"
    
    #General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
    SecRule REQUEST_URI "\.php\?" chain
    SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
    
    #Experimental XML-RPC generic attack sigs
    SecRule REQUEST_BODY "\'\,\'\'\)\)\;"
    SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;"
    
    #MTS
    #XML-RPC generic attack sigs
    SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
    SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
    SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
    SecRule REQUEST_BODY "methodCall\>"
    
    #Specific XML-RPC attacks on xmlrpc.php
    SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
    SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
    SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
    
    #Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
    #SecRule REQUEST_URI "/xmlrpc\.php" chain
    #SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
    
    #XML-RPC SQL injection generic signature
    SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
    SecRule REQUEST_BODY  "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
    
    #generic remote file inclusion vulns
    SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
    SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
    SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
    SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
    
    #catch smuggling attacks
    #SecRule "^(GET|POST).*Host:.*^(GET|POST)" 
    
    #Drupal remote command execution vulnerability exploit signature
    #This is already covered in another generic signature, but just in case you leave it out, here it is
    #again with a slightly tighter regexp
    SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
    #Slightly stronger version of the above
    SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
    
    #Generic PHP attack sig
    SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
    
    #Generic Nessus request filter
    SecRule REQUEST_URI "NessusTest*\.html"
    
    #Generic PHP payload command injection and upload vulnerabilities
    SecRule REQUEST_BODY "<\?php" chain
    SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
    SecRule REQUEST_BODY "\<\?php"
    
    #Generic XML RPC attack sig
    SecRule REQUEST_BODY "\'(______BEGIN______|_____FIM_____)\'\;"
    
    #HTTP header PHP code injection attacks
    SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
    #wormsign
    SecRule REQUEST_HEADERS "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
    SecRule REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
    
    #phpbb wormsign
    SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"
    
    #Generic PHP avatar upload exploits
    SecRule REQUEST_URI "\.php" chain
    SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
    SecRule REQUEST_BODY "\<\?php" chain
    SecRule REQUEST_BODY "\?>"
    
    #Fake image file shell attack
    SecRule REQUEST_HEADERS:Content-Type "image/.*"
    SecRule REQUEST_BODY "chr\("
    
    #bogus graphics file
    SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
    SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
    
    #wormsign
    SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
    
    #Special account protection
    SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
    
    #Generic PHP fopen sig
    SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
    
    SecRule ARGS perl.exe "phase:1,log,deny,status:404"

  2. #2
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,571
    The quick fix is to comment out the rule that is being triggered and restart apache.

    Alternatively, you can try changing the default action to 404

    Change:

    SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

    to:

    SecDefaultAction "log,deny,phase:2,status:404,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters
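    The error-log entry quoted in the first post and the SecDefaultAction change suggested in the second, as an added example that is not code from the thread or from the gotroot rule set: it parses ModSecurity 2.x "Access denied" lines, groups them by the rule (file and line) that fired, reports which rules answer with a 500 rather than a 404, and rewrites the status in a SecDefaultAction line. All log lines except the first are constructed samples; the Apache timestamp/client prefixes, the "999" rule line number and the "CONSTRUCTED-…" unique ids are placeholders.

```python
"""Summarise ModSecurity 2.x "Access denied" entries from an Apache error log.

Added example, not code from the thread or from the gotroot rule set. It parses
the denial message quoted in the first post (status code, phase, matched
pattern, variable, and the bracketed [key "value"] tags such as [file ...],
[line ...] and [uri ...]) and groups denials by the rule that produced them, so
the administrator can see which rule, at which line of which file, answers a
probe with a 500 rather than a 404. It also rewrites the status in a
SecDefaultAction line, the change suggested in the second post.
"""
import re
from collections import defaultdict

# Message body emitted by ModSecurity 2.x when a rule denies a request, e.g.
#   Access denied with code 500 (phase 2). Pattern match "perl" at REQUEST_URI.
DENY_RE = re.compile(
    r'ModSecurity: Access denied with code (?P<status>\d{3}) \(phase (?P<phase>\d)\)\. '
    r'(?P<operator>[A-Za-z ]+?) "(?P<pattern>(?:[^"\\]|\\.)*)" at (?P<variable>[A-Za-z_:\-]+)\.'
)
# Trailing tags: [file "/path/rules.conf"] [line "368"] [uri "/cgi-bin/perl"] ...
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
# Matches only the status:NNN inside a SecDefaultAction line, not per-rule actions.
DEFAULT_ACTION_RE = re.compile(r'^(\s*SecDefaultAction\s+"[^"]*\bstatus:)\d{3}', re.MULTILINE)

SAMPLE_LOG = [
    # The entry quoted in the first post (Apache timestamp/client prefix is constructed).
    '[Sat Mar 12 10:00:00 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 '
    '(phase 2). Pattern match "perl" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    '[line "368"] [hostname "www.mydomain.com"] [uri "/cgi-bin/perl"] [unique_id "TXomXZPKQgIAAHSLIZAAAAAM"]',
    # Constructed: the scanner's second probe, denied by the same rule.
    '[Sat Mar 12 10:00:01 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 '
    '(phase 2). Pattern match "perl" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    '[line "368"] [hostname "www.mydomain.com"] [uri "/cgi-bin/perl.exe"] [unique_id "CONSTRUCTED-0001"]',
    # Constructed: a different rule (placeholder line number) that already answers with a 404.
    '[Sat Mar 12 10:00:02 2011] [error] [client 192.0.2.11] ModSecurity: Access denied with code 404 '
    '(phase 2). Pattern match "/etc/passwd" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    '[line "999"] [hostname "www.mydomain.com"] [uri "/index.php?page=/etc/passwd"] [unique_id "CONSTRUCTED-0002"]',
    # Constructed: an unrelated error-log line that must be ignored.
    '[Sat Mar 12 10:00:03 2011] [notice] Apache/2.2 configured -- resuming normal operations',
]

# Excerpt of the posted rule set; only the SecDefaultAction line should be rewritten.
SAMPLE_CONF = (
    '#Configure for your site\n'
    'SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"\n'
    'SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:\'TRACE method denied\'"\n'
)


def parse_denial(line):
    """Return a dict (status, phase, operator, pattern, variable, tags) for one denial, or None."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["phase"] = int(entry["phase"])
    # Only tags after the message belong to it; "[error]"/"[client ...]" lack quotes and never match.
    entry["tags"] = {t.group("key"): t.group("value") for t in TAG_RE.finditer(line, m.end())}
    return entry


def summarise(lines):
    """Group denials by (rule file, rule line) with the status codes and URIs seen for each rule."""
    by_rule = defaultdict(lambda: {"pattern": None, "variable": None, "statuses": set(), "uris": []})
    for line in lines:
        entry = parse_denial(line)
        if entry is None:
            continue
        rule = by_rule[(entry["tags"].get("file", "?"), entry["tags"].get("line", "?"))]
        rule["pattern"], rule["variable"] = entry["pattern"], entry["variable"]
        rule["statuses"].add(entry["status"])
        rule["uris"].append(entry["tags"].get("uri", "?"))
    return dict(by_rule)


def rules_denying_with_500(lines):
    """Rules whose denial comes back as a 500: the ones a scanner will not accept as 'not found'."""
    return sorted(key for key, rule in summarise(lines).items() if 500 in rule["statuses"])


def set_default_status(conf_text, status):
    """Change status:NNN in every SecDefaultAction line, e.g. 500 -> 404 as the second post suggests."""
    return DEFAULT_ACTION_RE.sub(lambda m: m.group(1) + str(int(status)), conf_text)


if __name__ == "__main__":
    for (rule_file, rule_line), rule in summarise(SAMPLE_LOG).items():
        print(f'{rule_file}:{rule_line} {rule["variable"]} "{rule["pattern"]}" '
              f'status={sorted(rule["statuses"])} uris={rule["uris"]}')
    print(set_default_status(SAMPLE_CONF, 404))
```

    Run it against the real error log (one line per list element) to get the rule file and line to edit; a rule-specific `status:404` action on that rule is an alternative to changing the default for every rule.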

  3. #3
    Join Date
    Apr 2009
    Location
    Virginia, USA
    Posts
    65
    Wow! The correct solution is to not use a version of our rules that is obsolete. ;-)

    No but seriously, those rules were retired almost 5 years ago. It's cool to see someone using them, but those rules are OLD! And since you're clearly running a version of ModSecurity that supports the 2.x rule language, you can just replace your current rules with the latest gotroot rules without any hassle. So save yourself the grief and download the latest rules from our website.

    <<snipped>>
    Last edited by bear; 03-23-2011 at 10:17 AM.
    Michael Shinn
    Secure your server now with Atomic Secured Linux
    Co-Author of Troubleshooting Linux Firewalls
    AIM: mikegotroot | E-Mail: mike @ atomicorp.com
