  1. #1
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82

    Shadow pass exploit !

    Does anybody know about this bug? Some hackers try to rip the shadow file and get root permission. How can I fix it?

  2. #2
    Join Date
    Feb 2002
    Location
    Vestal, NY
    Posts
    1,378
    There have been tools for script kiddies to rip shadow passwords and bugs ever since the shadow password system first came out. Which particular bug/exploit are you referring to?
    H4Y Technologies LLC Check out our new website!
    "Smarter, Cheaper, Faster" - SMB, Reseller, VDS, Dedicated, Colo hosting done right.

    ZERO PACKETLOSS, ZERO DOWNTIME Dedicated and Colo - USA: IA, CA, NC, OR, NV
    **http://h4y.us**
    Voice: (866)435-5642. *** Email: askus at host4yourself d0t com

  3. #3
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    Sorry, I'm not sure which of the two ways the hacker used, but can you tell me how to fix both of those ways? I mean the two ways you mentioned...

    Thanks

  4. #4
    He didn't say two ways, just multiple.

    Please specify which way you are referring to.

  5. #5
    Join Date
    Dec 2002
    Location
    California
    Posts
    2,005
    You might want to hire a security firm to secure your server for you. Should only cost between $30-$100...
    I wish all my traffic went through AS174.

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Well, firstly I would make sure the permissions on /etc/shadow are correct. Secondly I would make sure all software is updated, including the kernel.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    The majority of the time it is when people think it's OK to leave copies of their shadow file. There are no reasons to even touch your shadow file, let alone make copies and backups of it.

    That is how people gain your passwords to decrypt them, even if someone does get it, using a good password will not get bruteforced.

    The most common I have seen is /etc/shadow.OLD

    With incorrect permissions, so all you do is view it and decrypt. The mere fact that anyone can decrypt your passwords is beyond me.

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  8. #8
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Originally posted by HostGeekZ
    That is how people gain your passwords to decrypt them, even if someone does get it, using a good password will not get bruteforced.
    All passwords are crackable thus it is just a matter of time... and for today's systems/technologies even with good password doesn't mean that it will not get brute-forced... see, if I have the /etc/shadow file with me, I can basically run Crack/John The Ripper etc... the better processing speed/specs I have for my system... the faster it will be... our standard keyboard only consists of 108 keys (I didn't count though :p)... so brute-force is just a guessing password of '1', '11', '12', '13', 'a', 'aa'... until all 108 keys are tried combination... yes, it takes time... so it is just a matter of time and it is possible... although if you set hard to guess password... you did decrease the chance of being brute-forced... but still it is possible... IMO
    Which is why passwords need to be changed frequently and having your system administrator to check logs is one of the main reasons for this

    Just my thoughts ... ...
    Giam Teck Choon
    :: Join choon.net Community today to share your tips and tricks on server issues please ::
    :: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    There are also rainbow tables, which are basically a stored database of all possible combos for certain kinds of passwords.

  10. #10
    Join Date
    Dec 2002
    Location
    California
    Posts
    2,005
    Originally posted by choon
    All passwords are crackable thus it is just a matter of time... and for today's systems/technologies even with good password doesn't mean that it will not get brute-forced... see, if I have the /etc/shadow file with me, I can basically run Crack/John The Ripper etc... the better processing speed/specs I have for my system... the faster it will be... our standard keyboard only consists of 108 keys (I didn't count though :p)... so brute-force is just a guessing password of '1', '11', '12', '13', 'a', 'aa'... until all 108 keys are tried combination... yes, it takes time... so it is just a matter of time and it is possible... although if you set hard to guess password... you did decrease the chance of being brute-forced... but still it is possible... IMO
    Which is why passwords need to be changed frequently and having your system administrator to check logs is one of the main reasons for this

    Just my thoughts ... ...
    Brute forcing a password with any kind of decent complexity/randomness/length is not plausible with today's technology. If you want a simple test, put a 10 character password on a zip (don't use an old version of Winzip and try to use an exploit), and download one of those trial versions of a zip cracking program. Let me know how long it says it will take to exhaust the keyspace once it gets past 7 characters or so....

  11. #11
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Originally posted by SolidJoe
    Brute forcing a password with any kind of decent complexity/randomness/length is not plausible with today's technology. If you want a simple test, put a 10 character password on a zip (don't use an old version of Winzip and try to use an exploit), and download one of those trial versions of a zip cracking program. Let me know how long it says it will take to exhaust the keyspace once it gets past 7 characters or so....
    What I posted previously is about cracking system user password on linux/FreeBSD... which is why I mentioned about /etc/shadow file and which is why I quoted the line... if I use hard to guess password with 12 characters randomly, mixture of upper and lower case blah... as long as I have the hash password on hand which doesn't change, it is possible to crack it, it just takes time... ...

    Whereby for zip thing... personally I am not sure but someone on earth might be able to... we won't know for sure... what you mentioned is about what are available password cracking programs or tools... whereby it doesn't mean that it is not possible with someone knowledgeable who can code their own cracking program(s) cater/specially for certain platform etc... ...

    Again, just my thoughts... ...

  12. #12
    Join Date
    Dec 2001
    Location
    Netherlands
    Posts
    780
    /etc/shadow has the permission of "r--------" by default, which means only root can view it. If you leave it alone and forget it, you are safe. But if you change its permission and copy it somewhere else, then they (the bad guys) may get it, given where to look, and how to get there.

    To see what info they might get from your /etc/shadow, visit http://www.openwall.com/john/ and get the infamous "john the ripper".

    Run it:

    #john -wordfile:/tmp/somedict.txt /etc/shadow

    - you might not want to run that on your server, since it takes a LOT of CPU.

    There is no mathematical decryption of /etc/shadow. It's a one-way function. All that john-the-ripper does is feed common dictionary words from the somedict.txt file and try to match the entry in /etc/shadow.

    If you have strong passwords like x$1xR0.o-^83%, you have nothing to worry about. If you have passwords like jack, jill, boss etc, you might find the output interesting.

    Experienced OpenStack Admin For Hire
    regular as admin0 on freenode IRC on #openstack and #openstack-ansible channels

  13. #13
    Join Date
    Dec 2002
    Location
    California
    Posts
    2,005
    Originally posted by choon
    What I posted previously is about cracking system user password on linux/FreeBSD... which is why I mentioned about /etc/shadow file and which is why I quoted the line... if I use hard to guess password with 12 characters randomly, mixture of upper and lower case blah... as long as I have the hash password on hand which doesn't change, it is possible to crack it, it just takes time... ...

    Whereby for zip thing... personally I am not sure but someone on earth might be able to... we won't know for sure... what you mentioned is about what are available password cracking programs or tools... whereby it doesn't mean that it is not possible with someone knowledgeable who can code their own cracking program(s) cater/specially for certain platform etc... ...

    Again, just my thoughts... ...
    I realize there is a difference between shadow files and zip files. However at the end of the day, it's essentially the same. You have the possible keyspace you've set up (for example, a-z, A-Z, 0-9, all the special characters, and spaces). If you are brute forcing it, which you are with any program that tries to crack the shadow file/zip file, it tries every one of those combinations for 1 character. Then 2 characters. Then 3 characters, etc. Once you get past 7 or so, the complexity becomes so large that it takes years to process on a single high-end system. Even with a distributed approach, you're talking months for less than 10 characters.

    As I said before, in essence, if you have a complex/large password, it is implausible to brute force it with today's technology. Ok, public sector technology. I can't speak for various Governments who very well might have the brute strength needed to (no pun intended) brute force a password of considerable length.

  14. #14
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Originally posted by SolidJoe
    I realize there is a difference between shadow files and zip files. However at the end of the day, it's essentially the same. You have the possible keyspace you've set up (for example, a-z, A-Z, 0-9, all the special characters, and spaces). If you are brute forcing it, which you are with any program that tries to crack the shadow file/zip file, it tries every one of those combinations for 1 character. Then 2 characters. Then 3 characters, etc. Once you get past 7 or so, the complexity becomes so large that it takes years to process on a single high-end system. Even with a distributed approach, you're talking months for less than 10 characters.

    As I said before, in essence, if you have a complex/large password, it is implausible to brute force it with today's technology. Ok, public sector technology. I can't speak for various Governments who very well might have the brute strength needed to (no pun intended) brute force a password of considerable length.
    Yes, a lengthy and complex password will take years (or maybe I die :p) to brute-force, which is why I mentioned TIME... anyway whether it is possible to brute-force or not... end of the day is... it is important to change password (of course to another hard-to-guess) at least once in a while...

  15. #15
    Join Date
    Dec 2002
    Location
    California
    Posts
    2,005
    For those who may be curious just how implausible it is to brute force passwords, check out these stats from the distributed.net RC5-72 challenge. Note that is only RC5-72. That is not a "strong" cipher by any means, yet look at this:

    Total Blocks to Search: 1,099,511,627,776
    Total Blocks Tested: 2,718,714,318
    Overall Rate: 32 Blocks/sec
    Total Keys to Search: 4,722,366,482,869,646,000,000
    Total Keys Tested: 11,676,789,082,976,945,000
    Overall Rate: 138,329,602,655 Keys/sec
    Percent Complete: 0.247%
    Time Working: 977 days

    The odds are 1 in 407,132 that we will wrap this thing
    up in the next 24 hours. (This also means that we'll
    hit 100% in 407,132 days at yesterday's rate.)

    407,132 days to exhaust the keyspace. That's roughly 1100 years. Yesterday, just over 8,000 computers were working on the project. If you had one, and let's just use this for averages, it would take 8,000 years to exhaust the keyspace.

    As you can see, brute forcing remains an extremely inefficient way of obtaining a password.

  16. #16
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    Again, the user is referring to shadow passwords which are indeed crackable. Let's TRY to keep this on topic, shall we?

    The issue with shadow being crackable isn't shadow, as much as it is the users. Permissions won't change a thing, if someone's got root access to your system, and your average user uses stupid passwords, because they could care less about security.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  17. #17
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Linux-tech, permissions play a large role. If permissions were changed to where they were readable.. root access would not need to be gained to read the file.

  18. #18
    Join Date
    Dec 2002
    Location
    California
    Posts
    2,005
    I'd like to know the method by which shadow passwords are crackable, besides brute force.

  19. #19
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    Oh, I'm not saying they don't play a part, but, for the most part, the permissions there aren't touched. Permissions on shadow are a mere drop of the whole problem involving security re: shadow, actually.

  20. #20
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    Hi,

    Thanks for all your posts, but when I checked all accounts, I saw these in a user's public_html:

    cgitelnet.pl

    nstview.php

    .shadow

    In the .shadow file I can see all users on my server and passwords like htaccess passwords. I don't know what the hacker did, but I have done the following for my server:

    Disable: telnet

    Safe mode: on

    Loaded Modules:

    mod_dosevasive, mod_security, mod_bandwidth, mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_setenvif, mod_so, mod_expires, mod_auth, mod_access, mod_rewrite, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

    Disable functions:

    exec,dl,shell_exec,system,popen,pclose,proc_open,proc_close,passthru,virtual,leak,chgrp,ini_alter,ini_restore

    And the root password is more than 20 words and includes: %, $, &, *

    I think with what I've done for my server it will be very hard to hack, so please check it out and help me fix it, thanks to all! The 2 files the hacker uploaded are attached to this post.
    Last edited by VIETHOSTING; 08-09-2005 at 01:00 AM.

  21. #21
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Both files are "Web Shells", which provide access to your server via http.

    This will run for the most part as the user nobody, unless you are running in a suexec environment, in which case they will execute commands as the local user.

    Is the .shadow file the same as /etc/shadow on your server? If this is the case you need to ask yourself how they gained access to your /etc/shadow file. Paste the output of ls -alh /etc/ | grep shadow

    The telnet and nsttest files both use the POST method (see below) to pass commands to the server, so you will not have any of the actual commands executed logged in your httpd logs.

    Code:
    <form name="f" method="POST" action="$ScriptLocation">
    ---
    <form method=post action=
    Searching your httpd logs you will be able to get the IP of the offender/proxies that were used and that looked at the web shells. You can make some attempt at matching these up if anyone accessed sshd, ftpd and so on.

    If you have had no experience of "tracing" how people did this and that on your server, then you will no doubt find the simplest things difficult, in that case I suggest you hire someone to look over your server.

    On a side note, run the .shadow file with john the ripper to see what passwords would have been decrypted, this can never be exact due to wordlist differences but you can just use the default john list.

    wget http://www.openwall.com/john/c/john-1.6.tar.gz

    untar it etc

    make generic

    then just go into run, copy the .shadow file there as decryptme and execute
    ./john -wordfile:passwords.lst decryptme &

    and let it run, when its completed

    ./john -show decryptme

    ---

    The above is just quick things from memory, you will need to read the docs for a better explanation, I also believe passwords.lst is a different name.

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]
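
Added example, not part of the original posts: the log matching described in post #21, first pulling the client IPs that requested the two web shells named in post #20 from an Apache access log, then looking for the same IPs in sshd/ftpd logs. All log lines and addresses below are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# File names of the two web shells reported in this thread.
SHELL_NAMES = ("cgitelnet.pl", "nstview.php")

# Apache common/combined log: ip ident user [time] "METHOD path proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Constructed sample data (documentation address ranges, invented timestamps).
ACCESS_LOG = [
    '192.0.2.44 - - [08/Aug/2005:22:41:10 +0700] "GET /~user1/nstview.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [08/Aug/2005:22:41:32 +0700] "POST /~user1/nstview.php HTTP/1.1" 200 7301',
    '198.51.100.7 - - [08/Aug/2005:22:50:02 +0700] "POST /~user1/cgitelnet.pl HTTP/1.0" 200 912',
    '203.0.113.9 - - [08/Aug/2005:23:01:00 +0700] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [08/Aug/2005:23:02:00 +0700] "POST /contact.php HTTP/1.1" 200 88',
]
SERVICE_LOG = [
    'Aug  8 22:58:13 host sshd[2101]: Accepted password for user1 from 198.51.100.7 port 40112 ssh2',
    'Aug  8 23:05:40 host sshd[2144]: Failed password for root from 203.0.113.9 port 51515 ssh2',
    'Aug  8 23:10:02 host pure-ftpd: (?@192.0.2.44) [INFO] user1 is now logged in',
]


def webshell_hits(access_lines, shell_names=SHELL_NAMES):
    """Map client IP -> list of (time, method, path, status) for web shell requests."""
    hits = defaultdict(list)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = m.group("path").split("?", 1)[0]      # drop any query string
        if path.rsplit("/", 1)[-1] in shell_names:   # compare the file name only
            hits[m.group("ip")].append(
                (m.group("time"), m.group("method"), path, m.group("status")))
    return dict(hits)


def summarize(hits):
    """Per IP, count (GET, POST) requests; the POST bodies themselves are not logged."""
    return {ip: (sum(1 for r in reqs if r[1] == "GET"),
                 sum(1 for r in reqs if r[1] == "POST"))
            for ip, reqs in hits.items()}


def correlate(ips, service_lines):
    """Return sshd/ftpd log lines that mention any IP seen on a web shell."""
    wanted = set(ips)
    return [line for line in service_lines if wanted & set(IP_RE.findall(line))]


if __name__ == "__main__":
    hits = webshell_hits(ACCESS_LOG)
    for ip, (gets, posts) in sorted(summarize(hits).items()):
        print(f"{ip}: {gets} GET, {posts} POST to a web shell")
    for line in correlate(hits, SERVICE_LOG):
        print("also seen in service log:", line)
```

The access log only shows that a POST happened and from where; recording what was posted needs request-body logging such as the mod_security audit log mentioned later in the thread.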

  22. #22
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    [email protected] [/]# ls -alh /etc/ | grep shadow
    -r-------- 1 root root 472 Jul 9 16:43 gshadow
    -rw------- 1 root root 465 Jul 9 09:53 gshadow-
    -rw------- 1 root root 5.4K Aug 8 23:59 shadow
    -rw------- 1 root root 5.4K Aug 8 22:59 shadow-
    -rw------- 1 root root 5.2K Aug 5 14:54 shadow.old
    -rw------- 1 root root 5.1K Jul 31 00:26 shadow.OLD
    -r-------- 1 root root 53K Aug 8 23:59 shadow,v
    -rw------- 1 root root 60 Jul 15 13:40 wwwacct.conf.shadow


    That's what I get when I use the ls -alh /etc/ | grep shadow command.

  23. #23
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    All appear to be root only, which is fine.

    Does the .shadow file match your /etc/shadow file?

  24. #24
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    Yes, it is correct with shadow :-s

    But I heard a hacker say he knows a new bug, but I wasn't told how to fix it. It is called "listen root"... I'm afraid he will use the same way to hack my server again.

  25. #25
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Listen root just sounds like a keylogger.

    What version of kernel are you running?

  26. #26
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    Hi, I got this:

    CentOS 3.5 i686 - WHM X v3.1.0

    package kernel-smp-2.4.21-32.0.1.EL


  27. #27
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    With those permissions and that kernel you should be ok. Has he done anything to verify that he can read the shadow file or is he just threatening?
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  28. #28
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    By the way, disabling telnet just blocks the port. How can I prevent them from running cgi-telnet with PHP or CGI?

    Because I can see they use .pl files and can still run commands and do many things...

  29. #29
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    cgi-telnet.pl, like any Perl script, can use any features that exist on your system. For this the hacker does not need cgi-telnet.pl; just Perl (even suexeced) will be enough. For example, there is no way to block a CGI application from walking around other directories or files, especially if they are open for group reading.
    But your /etc/shadow has correct permissions, so most likely he used some suid application and an exploit to gain access to it, or maybe the hacker used sudo.
    Also, maybe he just used some trojan virus inserted on your local computer to keylog your root password. BTW, it is a very easy way of gaining root access.

    PS. Regarding the exploit: I remember that in the past year one of our customers had a similar problem, and the hacker activity was terminated when we disabled sudo on the machine.
    Last edited by rustelekom; 08-09-2005 at 05:10 PM.
    Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168

  30. #30
    Join Date
    Apr 2004
    Location
    Singapore
    Posts
    617
    Besides setting /etc/shadow to be readable only by root,

    can we set it for

    /etc/passwd and httpd.conf?

    Are there any other files that need to be made not viewable by normal users?
    Linux System admin (since 2001)
    * cPanel/WHM, Directadmin, Apache, DNS, PHP, HyperVM, Lxadmin, Openvz*

  31. #31
    Join Date
    Jul 2004
    Location
    U.A.E >> Dubai
    Posts
    218
    Originally posted by jayzee
    Besides setting /etc/shadow to be readable only by root,

    can we set it for

    /etc/passwd and httpd.conf?

    Are there any other files that need to be made not viewable by normal users?
    No, users will not be able to log in to their control panel and other services.

    You can chmod:

    /home to 711

    /tmp to 1777

    /etc/php.ini to 711

    /usr/local/apache/conf/httpd.conf to 744

    /backup (backup folder) to 700
    and so on...

    You can chmod any root directory to 711, but be careful, it may stop any feature/service (like a cPanel feature), so you have to customize it.

    Cheers.
    Last edited by SmartActive; 08-13-2005 at 06:56 AM.
    ٍSecurityWay.Net Managed Solutions
    Linux Security,Domain Registration Service,eNom Reseller Account from an ETP.
    http://domains.securityway.net/
    Believe an expert, believe on who has had experience.

  32. #32
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    Hi, thanks all. But when I test with the newest remview version, it can still upload with the folder chmod 711.

    You can take a look with my files include here
    Last edited by VIETHOSTING; 08-13-2005 at 04:29 PM.

  33. #33
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    2SV_Ngheo
    You may easily block remview using the open_base php function. Also, you should understand that with php as a module and with safe mode not enabled you can't get more security than you have unless you use something that jails or chroots EACH user.

  34. #34
    Join Date
    Jun 2003
    Location
    United Kingdom
    Posts
    716
    Humans are lazy, and most even for root password normally use this format <word><2 digit number

  35. #35
    Join Date
    Jul 2004
    Location
    U.A.E >> Dubai
    Posts
    218
    Yes, you should have safe mode on, disable some PHP functions, and use phpbasedir, and I prefer the use of phpsuexec.

  36. #36
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    Hi,

    In fact, I know all those solutions, but the hacker attacked with this:

    Run command: ln /etc/shadow.shadow >> This will make a hardlink to shadow. After that chmod to 777 then reinstall frontpage.

    Please tell me a solution ?
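
Added example, not from any poster in the thread: a read-only audit for the two exposures discussed above, leftover shadow copies with loose permissions (posts #7 and #22) and a hard link or copy of the shadow file sitting in a web directory (posts #20 and #36). The function names and the constructed demo tree are assumptions; on a real host it would be run as root as `audit("/etc", ["/home"])`.

```python
import os
import re
import stat
import tempfile

# One shadow(5) record: login, hash field ("$id$..." crypt form, 13-character DES,
# locked marker or empty), then the numeric password-ageing fields.
SHADOW_LINE = re.compile(
    r'^[A-Za-z_][\w.-]*:(\$[0-9a-z]+\$[^:]*|[./0-9A-Za-z]{13}|[!*]+[^:]*|):\d*:\d*:\d*:')


def looks_like_shadow(path, limit=65536):
    """True when most non-empty lines at the start of the file parse as shadow records."""
    try:
        with open(path, "r", errors="replace") as fh:
            lines = [l for l in fh.read(limit).splitlines() if l.strip()]
    except OSError:
        return False
    hits = sum(1 for l in lines if SHADOW_LINE.match(l))
    return hits > 0 and hits * 2 >= len(lines)


def audit(etc_dir, search_roots):
    """Return (issue, path, detail) tuples for exposed shadow files and copies of them."""
    findings, originals = [], {}
    for name in sorted(os.listdir(etc_dir)):
        path = os.path.join(etc_dir, name)
        st = os.lstat(path)
        if "shadow" not in name.lower() or not stat.S_ISREG(st.st_mode):
            continue
        originals[(st.st_dev, st.st_ino)] = path
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):    # anything beyond owner-only
            findings.append(("loose-permissions", path, oct(stat.S_IMODE(st.st_mode))))
        if st.st_nlink > 1:                                # another name exists somewhere
            findings.append(("extra-hardlinks", path, st.st_nlink))
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                key = (st.st_dev, st.st_ino)
                if key in originals:                       # same inode as a shadow file
                    findings.append(("hardlink-to", path, originals[key]))
                elif looks_like_shadow(path):              # a plain copy of the contents
                    findings.append(("shadow-content", path, None))
    return findings


def demo():
    """Audit a constructed tree that mirrors the thread; returns (issue, relative path)."""
    sample = ("alice:$1$examples$0123456789abcdefghijkl:12990:0:99999:7:::\n"
              "bob:!!:12990:0:99999:7:::\n")              # constructed, not real hashes
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        web = os.path.join(tmp, "home", "user", "public_html")
        os.makedirs(etc)
        os.makedirs(web)
        for name, mode in (("shadow", 0o600), ("shadow.OLD", 0o644)):
            path = os.path.join(etc, name)
            with open(path, "w") as fh:
                fh.write(sample)
            os.chmod(path, mode)
        os.link(os.path.join(etc, "shadow"), os.path.join(web, ".shadow"))
        with open(os.path.join(web, "users.txt"), "w") as fh:
            fh.write(sample)
        with open(os.path.join(web, "index.html"), "w") as fh:
            fh.write("<html></html>\n")
        found = audit(etc, [os.path.join(tmp, "home")])
        return sorted((issue, os.path.relpath(path, tmp)) for issue, path, _ in found)


if __name__ == "__main__":
    for issue, path in demo():
        print(f"{issue:18} {path}")
```

A hard link shares the inode with the original, so a later chmod or chown on the link changes /etc/shadow itself; that is why the audit compares device and inode numbers rather than file names.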

  37. #37
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    Did you give him non-jailed SSH?
    BTW, you may restrict access for ordinary users to some system commands.

  38. #38
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    They use SSH through a PHP shell and .pl files. It is normally supported by Apache. How can we prevent it?

    Please check some of my first posts to see all the functions I have disabled and what I've done.

  39. #39
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    He can't use phpshell if you use open_base and also disable the system function. But he may use the Perl system command.
    But an ordinary user can't make a hardlink with Perl, just because Perl is suexeced and the rights and permissions are assigned to the user's script when he runs it.
    But he can run his script by cron and this may give him a chance. The same goes for the sudo command. The same also goes for system utilities which have the suid flag and may have an exploit (on an older, not updated system).

  40. #40
    Have you thought about installing mod_security?

    This gives you the ability to log the "POST" events and then you can build up a rough idea of what they are doing and consequently, using mod_security again, you can block them.

    A good site with a constantly updated list of mod_security rules is gotroot.com

    Definitely worth an install.
