Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Look at this russian PHP script

Look at this russian PHP script

  #1  
Old 07-24-2006, 04:23 PM
FIAHOST FIAHOST is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Switzerland
Posts: 754

Look at this russian PHP script


Some losers are trying to upload this script on one of our servers. We blocked their IPs and I wanted to share this with you.

The script is here, if you have the time to read it and make some comments it would be appreciated:

[url removed]
Let's not make it easier than it has to be ...

__________________
.:. Enterprise SAN Consultant .:.


Last edited by bear; 07-24-2006 at 05:11 PM.
  #2  
Old 07-24-2006, 04:55 PM
Ramprage Ramprage is offline
Keep rockin' in the free world
 
Join Date: May 2002
Location: Kingston, Ontario
Posts: 1,557
I've been working on a ruleset for mod_security that stops a good chunk of its functions as well as c99shell. Warning: these have been popping up like wildfire lately.

__________________
Upload Guardian 2 - AntiMalware Protection - Windows and Linux!
PHP encoded protection, real-time scans
Get notified when released

  #3  
Old 07-24-2006, 05:06 PM
FIAHOST FIAHOST is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Switzerland
Posts: 754
Thank you Ramprage.

Actually, this upload was blocked by our mod_security. If you like, I can send you our rules. We are also blocking the attackers' IPs on all our servers.

  #4  
Old 07-24-2006, 05:07 PM
killapix killapix is offline
Junior Guru
 
Join Date: Feb 2006
Location: top: 50px; left: 200px;
Posts: 213
Hmm... looks like someone wanted to try and take control of the server, thanks for the heads-up!!

__________________
Filefeed.net - Image Hosting -

  #5  
Old 07-24-2006, 05:21 PM
Ramprage Ramprage is offline
Keep rockin' in the free world
 
Join Date: May 2002
Location: Kingston, Ontario
Posts: 1,557
Sure I'd be interested to see what rules you're using.

  #6  
Old 07-24-2006, 05:42 PM
FIAHOST FIAHOST is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Switzerland
Posts: 754
Please send a PM with your email and I will forward you our rule set.

On our servers, I blocked all IPs from: Russia, China, Taiwan, Korea and Turkey. Most of the attacks come from compromised systems in these countries.

  #7  
Old 07-25-2006, 12:00 AM
firestarter firestarter is offline
Web Hosting Evangelist
 
Join Date: Oct 2004
Location: India
Posts: 491
A few properly disabled PHP functions can be helpful to disable these PHP shells along with the mod_sec rules.

__________________
ESC :wq!

  #8  
Old 07-25-2006, 12:24 PM
sytker sytker is offline
Aspiring Evangelist
 
Join Date: Mar 2005
Posts: 359
Quote:
Originally Posted by edelweisshosting
Please send a PM with your email and I will forward you our rule set.

On our servers, I blocked all IPs from: Russia, China, Taiwan, Korea and Turkey. Most of the attacks come from compromised systems in these countries.
Why not put the rules here?

  #9  
Old 07-25-2006, 02:10 PM
FIAHOST FIAHOST is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Switzerland
Posts: 754
[mod edit: stuck it in code tags for formatting]

Code:
###########################################
#Generic SQL injection rule exclusions
###########################################

#generic PHP forum posting exclusion
<LocationMatch "/posting.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

#Postnuke uploads
<LocationMatch "/modules.php?op=modload&name=Downloads.*">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

#Squirrel mail and Horde postings
<LocationMatch "/horde/imp/compose.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

#Phorum posting
<LocationMatch "/phorum/post.php">
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

<LocationMatch "/tiki-editpage.php">
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

<LocationMatch "/misc.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>


###########################################
#Double pipe exclusion rules
###########################################
<LocationMatch "/_vti_bin/fpcount.exe">
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog
</LocationMatch>

###########################################
#Front page exclusions
###########################################
<LocationMatch "/_vti_bin/_vti_aut/author.exe">
  SecFilterInheritance Off
</LocationMatch>

#Enforce proper HTTP requests
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" 

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

#HTTP response splitting generic sigs
SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type\:" chain
SecFilter "Content-Type\:"

#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"

#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300007,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
SecFilterSelective POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300009,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"

#simple buffer overflow protection
#there is an issue with false positives with this, so use with care
#SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$" "id:300013,rev:1,severity:2,msg:'Generic Simple Buffer Overflow protection'"

# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and it is very difficult
# to prevent false positives and negatives.
# Please report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#SecFilter "([[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"

#Generic command line attack filter
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" chain
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI  "\.php" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
SecFilterSelective REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#really broad url_fopen attack sig
#tune this for your system
#SecFilterSelective REQUEST_URI "!(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main)" chain
#SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?" 

#Generic PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*(cmd|command)="

#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer "\#\!.*/"

#phpMyAdmin Export.PHP File Disclosure Vulnerability
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\." 

#faqmanager.cgi arbitrary file access attempt
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?toc=*/"
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

#honeypot
SecFilterSelective REQUEST_URI "/tiki-view_forum_thread\.php\?forumId=.*&comments_parentId=.*&topics_offset=.*onmouseover=\'javascript"

#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#phpMyAdmin Cross-Site Scripting Vulnerabilities
SecFilterSelective ARG_HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"

##########################################
# Known rootkits, remote toolkits, etc. signatures
##########################################
SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?"
SecFilterSelective THE_REQUEST "/\.it/viewde"
SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js"
SecFilterSelective THE_REQUEST "/tool25\.js"

#Known rootkits
SecFilterSelective THE_REQUEST "perl xpl\.pl"
SecFilterSelective THE_REQUEST "perl kut"
SecFilterSelective THE_REQUEST "perl viewde"
SecFilterSelective THE_REQUEST "perl httpd\.txt"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"

#Known rootkit Defacing Tool 2.0
SecFilterSelective THE_REQUEST "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png)\?(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.jpg\?"
SecFilterSelective THE_REQUEST "/tool25\.dat\?"

#other known tools
SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/ssh\.php"
SecFilterSelective THE_REQUEST "/ssh2\.php"
SecFilterSelective THE_REQUEST "/sfdg2\.php" 

#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"

#new kit
SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)="

#suntzu
SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd="
SecFilterSelective THE_REQUEST "/suntzu.*\.php\?cmd="
SecFilterSelective HTTP_Content-Disposition "suntzu\.php"

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?"

#phpbackdoor
SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd="
SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd="

#new unknown kit
SecFilterSelective REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs is pretty low, but they are here to catch
# any loose threads, honeypotting, etc.
SecFilterSelective THE_REQUEST   "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST   "wiki_up/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/ion\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/jpg\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/lala\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/.*\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/phpshell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/shell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/temp/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/temp/lala\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI   "/phpterm"

#Fantastico worm
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilterSelective THE_REQUEST "arta\.zip "

#new unknown kits
SecFilterSelective THE_REQUEST   "/iblis\.htm\?" 
SecFilterSelective THE_REQUEST   "/gif\.gif\?" 
SecFilterSelective THE_REQUEST   "/go\.php\.txt\?" 
SecFilterSelective THE_REQUEST   "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/iys\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/zehir\.asp"
SecFilterSelective THE_REQUEST   "/aflast\.txt\?"
SecFilterSelective THE_REQUEST   "/sikat\.txt\?&cmd" 
SecFilterSelective THE_REQUEST   "/t\.gif\?" 
SecFilterSelective THE_REQUEST   "/phpbb_patch\?&"
SecFilterSelective THE_REQUEST   "/phpbb2_patch\?&"
SecFilterSelective THE_REQUEST   "/lukka\?&"

#new kit
SecFilterSelective THE_REQUEST   "/c99shell\.txt"

#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
SecFilterSelective THE_REQUEST   "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI   "help_text_vars\.php\?suntzu="

#25dec new one
SecFilterSelective REQUEST_URI   "anggands\.(gif|jpg|txt|bmp|png)\?"

#26dec new kit
SecFilterSelective REQUEST_URI   "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/vsf\.vsf\?&"

#27dec
SecFilterSelective REQUEST_URI   "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI   "test\.txt\?&"

#30dec
SecFilterSelective REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecFilterSelective REQUEST_URI   "/php\.txt\?"

#1 jan
SecFilterSelective REQUEST_URI   "/sql\.txt\?"
SecFilterSelective REQUEST_URI   "bind\.(gif|jpg|txt|bmp|png)\?"

# added by kamihacker from TSS
#SecFilterSelective THE_REQUEST "delmalstr"



##########################################
# Search Engine Recon/Google Hacks Security Rules
##########################################
# Note: For modsecurity 1.9.x and above only
SecFilterSelective HTTP_Referer  "Powered by Gravity Board" "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered by SilverNews" "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered.*PHPBB.*2\.0\.\ inurl\:" "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'"
SecFilterSelective HTTP_Referer  "PHPFreeNews inurl\:Admin\.php" "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*/cgi-bin/query" "id:350004,rev:1,severity:2,msg:'/cgi-bin/query Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*tiki-edit_submission\.php" "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*wps_shop\.cgi" "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*edit_blog\.php.*filetype\:php" "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*admin\.mdb" "id:350008,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'"
SecFilterSelective HTTP_Referer  "filetype:sql \x28\x22passwd values.*password values.*pass values"
SecFilterSelective HTTP_Referer  "filetype.*blt.*buddylist"
SecFilterSelective HTTP_Referer  "File Upload Manager v1\.3.*rename to"
SecFilterSelective HTTP_Referer  "filetype\x3Aphp HAXPLORER .*Server Files Browser"
SecFilterSelective HTTP_Referer  "inurl.*passlist\.txt"
SecFilterSelective HTTP_Referer  "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin"
SecFilterSelective HTTP_Referer  "Enter ip.*inurl\x3A\x22php-ping\.php\x22"
SecFilterSelective HTTP_Referer  "intitle\.*PHP Shell.*Enable stderr.*filetype\.php"
SecFilterSelective HTTP_Referer  "inurl\.*install.*install\.php"
SecFilterSelective HTTP_Referer  "Powered by PHPFM.*filetype\.php -username"
SecFilterSelective HTTP_Referer  "inurl\.*phpSysInfo.*created by phpsysinfo"
SecFilterSelective HTTP_Referer  "SquirrelMail version 1\.4\.4.*inurl:src ext\.php"
SecFilterSelective HTTP_Referer  "inurl\.*webutil\.pl"

##########################################
#Bad clients, known bogus useragents and other signs of malware
##########################################
#Comment spam header line
SecFilter "x-aaaaaa.*"
SecFilterSelective POST_PAYLOAD "X-AAAAAA.*"

#check for bad meta characters in User-Agent field
#SecFilterSelective HTTP_USER_AGENT ".*\'"

#XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"

#PHP code injection attack
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS"

#For now, logging this to see what legitimate software does this
#must have a useragent string and not be from ourself
#Some hosting software does not send a UA, so use with caution
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" chain
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" "log,pass"

#Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"

#Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"

#CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"

#Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"

#CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "

#Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S  G O T T A  H U R T*"

#XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"

#A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber"

#Blocks scripts
SecFilterSelective HTTP_USER_AGENT lwp

#Web leaches
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"
SecFilterSelective HTTP_USER_AGENT combine
SecFilterSelective HTTP_USER_AGENT "Black Hole"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger" 
SecFilterSelective HTTP_USER_AGENT "ProWebWalker" 
SecFilterSelective HTTP_USER_AGENT "CheeseBot" 

#Bogus Mozilla UA lines
SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$"
SecFilterSelective HTTP_USER_AGENT "Mozilla/3\.Mozilla/2\.01$"

#Bogus IE UA line
SecFilterSelective HTTP_USER_AGENT "Microsoft Internet Explorer/5\.0$"

#Bogus UA
SecFilterSelective HTTP_USER_AGENT "FooBar/42"

#Nessus Vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nessus"

#Nikto vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nikto"

#Bad/Bogus UAs
SecFilterSelective HTTP_USER_AGENT "Indy Library"
SecFilterSelective HTTP_USER_AGENT "Faxobot"
SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL"

#Spam spider UAs
SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser"
SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser"

#VB development library used by many spammers, might block legitimate VB scripts
#comment out if you have problems
SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak"

#Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
SecFilterSelective HTTP_USER_AGENT "NEWT ActiveX\; Win32"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*NEWT"

#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
#it causes problems, comment out.  If you are a member of the Microsoft Site 
#Builder Network, you probably do NOT want to block this ID.
#SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control"
#SecFilterSelective HTTP_USER_AGENT  "^Microsoft URL"

#e-mail collectors and spammers
SecFilterSelective HTTP_USER_AGENT "WebBandit"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE"
SecFilterSelective HTTP_USER_AGENT "Telesoft*"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*"
SecFilterSelective HTTP_USER_AGENT NICErsPRO
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*"
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*"
SecFilterSelective HTTP_USER_AGENT EmailWolf

#Spiders that eat up bandwidth for their customers
#Not a spammer, just a spider, comment out if you like
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck"
SecFilterSelective HTTP_USER_AGENT "CopyGuard"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader"

#Marketing spiders
SecFilterSelective HTTP_USER_AGENT  "Zeus .*Webster Pro*"

#Poker spam
SecFilterSelective HTTP_USER_AGENT  "8484 Boston Project"

#collectors
SecFilterSelective HTTP_USER_AGENT  "autoemailspider"
SecFilterSelective HTTP_USER_AGENT  "ecollector"
SecFilterSelective HTTP_USER_AGENT  "grub crawler"

#referrer spam, not the real weblogs
SecFilterSelective HTTP_USER_AGENT  "^www\.weblogs\.com"

#spam bots
SecFilterSelective HTTP_USER_AGENT  "DTS Agent"
SecFilterSelective HTTP_USER_AGENT  "POE-Component-Client"
SecFilterSelective HTTP_USER_AGENT  "WISEbot"
SecFilterSelective HTTP_USER_AGENT  "^Shockwave Flash"
SecFilterSelective HTTP_USER_AGENT  "Missigua"

#comment spam sign
SecFilterSelective HTTP_USER_AGENT  "compatible \; MSIE"

#Some regexps to catch silly bots
SecFilterSelective REQUEST_URI "!/ps(zones\|comp).txt1" chain
SecFilterSelective HTTP_USER_AGENT "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
SecFilterSelective HTTP_USER_AGENT "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$"

#spammer
SecFilterSelective HTTP_USER_AGENT "Butch__2\.1\.1"
SecFilterSelective HTTP_USER_AGENT "agdm79@mail\.ru"

#Fake Gameboy UA
SecFilterSelective HTTP_USER_AGENT "GameBoy\, Powered by Nintendo"

#bogus amiga UA
SecFilterSelective HTTP_USER_AGENT "Amiga-AWeb/3\.4"

#exploit UA
SecFilterSelective HTTP_USER_AGENT "Internet Ninja x\.0"

#bogus googlebot UA
SecFilterSelective HTTP_USER_AGENT "Nokia-WAPToolkit.* googlebot.*googlebot"

#recently caught sending spam referrals, from their actual crawler IP
SecFilterSelective HTTP_USER_AGENT "BecomeBot"

#SurveyBot
SecFilterSelective HTTP_USER_AGENT "SurveyBot"

#exploit
SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\."
SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2"
SecFilterSelective HTTP_USER_AGENT "Kenjin Spider"

#WebvulnScan
SecFilterSelective HTTP_USER_AGENT "WebVulnScan"

#broken spam tool
SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"

#PHPBB worm UA
SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX"

#fake UA
SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent"

#exploit
SecFilterSelective HTTP_USER_AGENT "Internet-exprorer"

##########################################
# Proxy Protection Security Rules
##########################################
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*217\.106\.232\.38"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*65\.54\.190\.230"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*66\.96\.85\.136"
SecFilterSelective THE_REQUEST "msa-mx.*\.hinet\.net"
SecFilterSelective THE_REQUEST "^POST (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "^GET (http|https|ftp)\:/"

__________________
.:. Enterprise SAN Consultant .:.


Last edited by bear; 07-25-2006 at 03:05 PM.
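To see what the posted user-agent rules would do against real traffic before enabling them (the load and false-positive questions raised later in the thread), here is an added Python check that is not part of the thread or of mod_security: it parses a constructed subset of the SecFilterSelective HTTP_USER_AGENT lines above and replays them against constructed Apache combined-log lines, reporting which rule each request trips.

```python
import re

# Constructed subset of the HTTP_USER_AGENT rules from the ruleset posted above (ModSecurity 1.x
# syntax); the THE_REQUEST/REQUEST_URI rules and the chained rule are left out of this check.
RULES_CONF = r'''
#comment spam sign
SecFilterSelective HTTP_USER_AGENT  "compatible \; MSIE"
#Some regexps to catch silly bots
SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$"
#broken spam tool
SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"
#WebvulnScan
SecFilterSelective HTTP_USER_AGENT "WebVulnScan"
'''

RULE_RE = re.compile(r'^SecFilterSelective\s+HTTP_USER_AGENT\s+"(.*)"\s*(chain)?\s*$')
UA_RE = re.compile(r'"([^"]*)"\s*$')  # combined log: User-Agent is the last quoted field

def load_ua_rules(conf):
    """(pattern text, compiled regex) for each HTTP_USER_AGENT rule. SecFilterSelective
    patterns are unanchored PCRE, so re.search() reproduces the match semantics here."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), re.compile(m.group(1))))
    return rules

def matching_rules(rules, log_line):
    """Pattern texts that would block the request logged in log_line; [] means it passes."""
    m = UA_RE.search(log_line)
    ua = m.group(1) if m else ""
    return [text for text, rx in rules if rx.search(ua)]

# Constructed sample access-log lines (not from the thread): two real browsers, three abusers.
SAMPLE_LOG = [
    '10.0.0.1 - - [26/Jul/2006:08:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.2 - - [26/Jul/2006:08:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"',
    '10.0.0.3 - - [26/Jul/2006:08:00:02 +0000] "POST /comment.php HTTP/1.0" 200 88 "-" "Mozilla/4.0 (compatible ; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.4 - - [26/Jul/2006:08:00:03 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"',
    '10.0.0.5 - - [26/Jul/2006:08:00:04 +0000] "GET /admin/ HTTP/1.0" 404 0 "-" "WebVulnScan/1.0"',
]

if __name__ == "__main__":
    rules = load_ua_rules(RULES_CONF)
    for line in SAMPLE_LOG:
        hits = matching_rules(rules, line)
        print("BLOCK" if hits else "PASS ", UA_RE.search(line).group(1), hits)
```

Run it over a day of your own access_log instead of SAMPLE_LOG to see how many legitimate browsers a given rule would cut off before it goes live.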
  #10  
Old 07-25-2006, 09:19 PM
NyteOwl NyteOwl is offline
ThirtySx Bits Forever!
 
Join Date: Jul 2001
Location: Canada
Posts: 1,284
Many thanks for posting these. There were a couple of things you had that I had missed.

__________________
"Obsolescence is just a lack of imagination."

  #11  
Old 07-26-2006, 02:44 AM
stevewest15 stevewest15 is offline
Junior Guru Wannabe
 
Join Date: Apr 2005
Location: Washington, DC
Posts: 52
I haven't checked our mod_security rules, but I believe most of these rules are already in the gotroot.com mod_security rules, which we have been using for a while with no issue to report so far. Of course, proper OS hardening is a must.

SW

  #12  
Old 07-26-2006, 06:37 AM
FIAHOST FIAHOST is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Switzerland
Posts: 754
Thank you. These rules give about a 30% - 50% increase in load.

NyteOwl, could you post the rules that are missing from my own?

__________________
.:. Enterprise SAN Consultant .:.

  #13  
Old 07-26-2006, 08:00 AM
firestarter firestarter is offline
Web Hosting Evangelist
 
Join Date: Oct 2004
Location: India
Posts: 491
Well, the above modsec rule is unable to prevent this very notorious PHP shell from working. Until we disable "exec" in PHP, this will continue to do harm.

As soon as exec is enabled on the servers, it gives an additional line where people can execute a command, and that is all they need to get vital system information to do further damage. If "exec" is disabled, this box to run commands is not enabled and it cannot do damage.

Now this gives an additional problem, as Zoomla/ModernBill and most of the popular PHP scripts need the "exec" function.

__________________
ESC :wq!

  #14  
Old 07-26-2006, 08:18 AM
jon-f jon-f is offline
Disabled
 
Join Date: May 2006
Posts: 1,398
rootkits.conf from gotroot already works. I looked forever for someone who knew what functions the c99 uses, to block it; it can work with safe mode on and shell exec off.
With DirectAdmin they have Apache as the user and group, and the shell can write to and upload anything.
Just a sensible PHP config, mod_security with rootkits.conf, and hope for the best; rootkits.conf stops c99 but not some of the other shells.
I've even seen the c99 grab /etc/passwd with open_basedir on. I have uploaded about all of those shells and seen how they work, and that is the most dangerous one.
Everywhere else I posted about that, trying to find the functions, people were like "o0o0o, your datacenter will kick you off" and all that, but it's just security testing, and you can't be scared to test exploits and hacker tools on your server to make sure you are secure.
Staying current on all exploits and tools will save you some surprises.

  #15  
Old 07-26-2006, 08:37 AM
firestarter firestarter is offline
Web Hosting Evangelist
 
Join Date: Oct 2004
Location: India
Posts: 491
Quote:
Originally Posted by felosi
rootkits.conf from gotroot already works. I looked forever for someone who knew what functions the c99 uses, to block it; it can work with safe mode on and shell exec off.
With DirectAdmin they have Apache as the user and group, and the shell can write to and upload anything.
Just a sensible PHP config, mod_security with rootkits.conf, and hope for the best; rootkits.conf stops c99 but not some of the other shells.
I've even seen the c99 grab /etc/passwd with open_basedir on. I have uploaded about all of those shells and seen how they work, and that is the most dangerous one.
Everywhere else I posted about that, trying to find the functions, people were like "o0o0o, your datacenter will kick you off" and all that, but it's just security testing, and you can't be scared to test exploits and hacker tools on your server to make sure you are secure.
Staying current on all exploits and tools will save you some surprises.

Mostly staying current on all (well, I guess all), including the latest kernel exploit. This is not out of fear; this has actually happened.

__________________
ESC :wq!

