09-21-2006, 12:00 PM, #1, Web Hosting Guru (Join Date: Nov 2002; Posts: 259)
Great modsecurity rule, what do you think?
Hello,
After some research and testing, I found a great rule to stop include attacks;
#Generic PHP remote file inclusion
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" log,deny
The problem lately is that scriptkiddies no longer execute WGET/PERL etc. DIRECTLY!! They simply include a script that does the work. Example:
wget somescript.pl to /tmp
perl somescript.pl
rm -f somescript.pl
This way, you can't find any clues in the /tmp folder, because after the script was executed, it was deleted! And wget isn't in the logs, because it was inside a file that was included.
This seems to be an ideal solution to stop any inclusions.
However, I've been searching for a way to INSPECT the content of the included file like this:
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter IN THE INCLUDED FILE "wget|perl|anything-suspicous| log,deny
The problem is, how can we do that?
What do you guys think?
I wish I was a carpenter
09-21-2006, 12:04 PM, #2, Web Hosting Guru (Join Date: Nov 2002; Posts: 259)
I just found a way to filter on OUTPUT:
## -- Command execution traces in the output (Unix) --------------------------
# Command "id"
SecFilterSelective OUTPUT "uid=[[:digit:]]+\([[:alnum:]]+\) gid=[[:digit:]]+\([[:alnum:]]+\)"
# Command "ls -l"
SecFilterSelective OUTPUT "total [[:digit:]]+"
# Command "wget"
SecFilterSelective OUTPUT "HTTP request sent, awaiting response"
Just need to figure out how to filter an attack that launches a nobody process.
I wish I was a carpenter
09-21-2006, 12:34 PM, #3, Disabled (Join Date: Aug 2005; Posts: 443)
What does your audit_log look like in terms of blocked requests? Is this on a personal server (dedicated/VDS) or a large shared hosting server? If you're on a large shared hosting server, you may be blocking quite a bit of legitimate traffic.
edit: just to clarify, I am speaking in terms of this alone:
#Generic PHP remote file inclusion
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" log,deny
not including the wget|perl|other bad stuff.
Last edited by jpetersen; 09-21-2006 at 12:42 PM.
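Added example, not code from this thread or from ModSecurity itself: a small Python replay of the request-side chain from post #1 and the OUTPUT traces from post #2 over constructed requests and response bodies. It shows which samples each rule set would deny and, on the point raised in post #3, that a legitimate redirect-style parameter (`?url=http://...`) and an ordinary "Order total 48.00" page trip the same patterns. Assumptions: POST bodies are inspected (SecFilterScanPOST on), matching happens after URL decoding as ModSecurity 1.x does, and the POSIX bracket classes are translated to `\d` / `[A-Za-z0-9]` because Python's `re` does not support them (ModSecurity uses PCRE, which does). All hosts, URIs and page bodies are made up for the demo.

```python
"""Replay of the thread's ModSecurity 1.x filters over constructed traffic.

ModSecurity 1.x matches SecFilter/SecFilterSelective patterns with PCRE
against the URL-decoded request. Python's re module has no POSIX bracket
classes, so [[:digit:]] and [[:alnum:]] are written as \\d and [A-Za-z0-9].
"""
import re
from urllib.parse import unquote

# Post #1, request side. Both patterns of the chain must match:
#   SecFilterSelective REQUEST_URI "\.php\?" chain
#   SecFilter "(http|https|ftp)\:/" log,deny
RFI_URI_PATTERN = re.compile(r"\.php\?")
RFI_SCHEME_PATTERN = re.compile(r"(http|https|ftp)\:/")

# Post #2, response side (SecFilterSelective OUTPUT), POSIX classes translated.
OUTPUT_TRACES = {
    "id":    re.compile(r"uid=\d+\([A-Za-z0-9]+\) gid=\d+\([A-Za-z0-9]+\)"),
    "ls -l": re.compile(r"total \d+"),
    "wget":  re.compile(r"HTTP request sent, awaiting response"),
}


def rfi_request_blocked(request_uri, body=""):
    """True when the chained rule fires: '.php?' in the decoded REQUEST_URI
    and a remote scheme anywhere in the decoded request (URI plus body).
    Assumption: SecFilterScanPOST is on, so the POST body is inspected too."""
    decoded_uri = unquote(request_uri)
    decoded_request = decoded_uri + "\n" + unquote(body)
    return bool(RFI_URI_PATTERN.search(decoded_uri)
                and RFI_SCHEME_PATTERN.search(decoded_request))


def output_traces(response_body):
    """Names of the command-output traces found in a response body."""
    return [name for name, rx in OUTPUT_TRACES.items() if rx.search(response_body)]


# Constructed samples (not real traffic): (label, REQUEST_URI, POST body).
# 203.0.113.5 is a documentation-range address standing in for a remote host.
SAMPLE_REQUESTS = [
    ("plain RFI",          "/index.php?page=http://203.0.113.5/x.txt", ""),
    ("URL-encoded RFI",    "/index.php?page=http%3A%2F%2F203.0.113.5%2Fx.txt", ""),
    ("RFI in POST body",   "/index.php?", "page=ftp://203.0.113.5/x.txt"),
    ("legit redirect URL", "/redirect.php?url=http://www.example.com/", ""),
    ("legit page",         "/index.php?page=about", ""),
    ("static file",        "/images/logo.png", ""),
]

# Constructed response bodies: three command-output echoes and two ordinary pages.
SAMPLE_RESPONSES = [
    ("id output",    "<pre>uid=99(nobody) gid=99(nobody) groups=99(nobody)</pre>"),
    ("ls -l output", "<pre>total 48\ndrwxr-xr-x 2 nobody nobody 4096 Sep 21 12:00 tmp</pre>"),
    ("wget output",  "HTTP request sent, awaiting response... 200 OK\n"),
    ("shop invoice", "<p>Order total 48.00 USD</p>"),
    ("plain page",   "<html><body>Welcome</body></html>"),
]


def replay():
    """Run both rule sets over the samples; returns {label: verdict}."""
    verdicts = {}
    for label, uri, body in SAMPLE_REQUESTS:
        verdicts[label] = "deny" if rfi_request_blocked(uri, body) else "pass"
    for label, html in SAMPLE_RESPONSES:
        traces = output_traces(html)
        verdicts[label] = "deny (" + ", ".join(traces) + ")" if traces else "pass"
    return verdicts


if __name__ == "__main__":
    for label, verdict in replay().items():
        print(f"{label:18s} {verdict}")
```

The two false positives ("legit redirect URL" and "shop invoice") are the cost of patterns this broad: on a shared host with many unknown applications, the audit_log from post #3 is the place to measure how often they fire before leaving `deny` on.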