  1. #1
    Join Date
    Jul 2003
    Posts
    527

    stop hackers from disabling mod_security ?

    hi,
    i have a problem with a hacker that uses .htaccess to disable mod_security
    using this code

    PHP Code:
    <IfModule mod_security.c>
        SecFilterEngine Off
        SecFilterScanPOST Off
    </IfModule>
    so is there a way to stop this ?
    also they have come up with a smart way to run shell files named as images using this code in .htaccess

    PHP Code:
    AddType application/x-httpd-php .gif 
    is there a way to disable the "AddType application" ?
    thanks

  2. #2
    Join Date
    Aug 2007
    Location
    Greece
    Posts
    390
    You should update the scripts at first.
    If someone can write to your web root you are in a pretty bad position.
    To disable certain functions from .htaccess you could look at the AllowOverride directive in httpd.conf
    NOT a webhost!helping here just for the fun of it!
    G(r)eek inside.

  3. #3
    You need to disable Override for that domain.

    AllowOverride None
    Server Surgeon George
    http://www.serversurgeon.com
    Linux, BSD and Windows Administration Services
    Toll Free US 877-378-7436 International +1-213-291-9191

  4. #4
    Join Date
    Jul 2001
    Location
    Troy, Missouri USA
    Posts
    1,299
    My question is, why are they still on your server???


    Bob

  5. #5
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    Quote Originally Posted by BizB View Post
    hi,
    i have a problem with a hacker that uses .htaccess to disable mod_security
    using this code
    Get the hacker out of your system and don't let him access the site/account. Take measures so that the hacker can't even view the files.
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  6. #6
    Join Date
    Jul 2003
    Posts
    527
    the problem is a hacker gets the ftp password by hacking the client pc
    and then uploads the shell and the .htaccess to try and hack the server

    what i want is how to stop .htaccess from stopping mod_security without affecting other normal .htaccess commands

  7. #7
    Join Date
    Jul 2001
    Location
    Troy, Missouri USA
    Posts
    1,299
    Quote Originally Posted by BizB View Post
    the problem is a hacker gets the ftp password by hacking the client pc
    and then uploads the shell and the .htaccess to try and hack the server

    what i want is how to stop .htaccess from stopping mod_security without affecting other normal .htaccess commands
    If this is the case then nothing you do will stop the hacker without disabling the client's ability to use their account. You could try changing permissions so the file is un-writable. You can also try to block the hacker's IPs.

    But you cannot be responsible for the client’s pc issues.

    Bob

  8. #8
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    Either you need to add "AllowOverride None" for .htaccess for the particular domain or change the name of the "AccessFileName" name from .htaccess to any other name by adding this line in the VH of the domain.

    AccessFileName .myhtaccess
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  9. #9
    Join Date
    Jul 2003
    Posts
    527
    so isn't there a way to just disable the command "SecFilterEngine Off" and "AddType application" ?
    or some way to not allow anything to disable mod_security ?

  10. #10
    Join Date
    Jul 2003
    Posts
    527
    i found a way by adding
    PHP Code:
    <Directory "/home/username/public_html">
        Options All
        AllowOverride none
    </Directory>
    under the users info in httpd.conf
    just under
    <VirtualHost>

    Edit: the problem is it also stops
    AuthType Basic
    which is needed to add password protection to folders
    Last edited by BizB; 02-03-2008 at 11:16 AM.

  11. #11
    Join Date
    Apr 2002
    Posts
    930
    What version of mod_security are you using?

    If you are using mod_security 1.9 you can disable .htaccess functionality for mod_security by compiling it with:

    /usr/local/apache/bin/apxs -D DISABLE_HTACCESS_CONFIG -cia mod_security.c

    This means that end users will not be able to use any mod_security specific directives in their .htaccess file.

  12. #12
    Join Date
    Jul 2003
    Posts
    527
    am using the one that comes with cpanel
    Version: 1.9.1-2.6
    how do i reinstall it ? normally i just select it while building apache by cpanel

  13. #13
    Join Date
    Apr 2002
    Posts
    930
    You would have to download it and install it yourself, which is relatively easy to do.

    The downside to depending on installers such as cPanel's plugins and EasyApache is that you are very limited in what you can customize. As is the case in this situation. You cannot pass additional parameters to the compile during the use of these installers.

  14. #14
    Join Date
    Jul 2003
    Posts
    527
    Quote Originally Posted by SPaReK View Post
    What version of mod_security are you using?

    If you are using mod_security 1.9 you can disable .htaccess functionality for mod_security by compiling it with:

    /usr/local/apache/bin/apxs -D DISABLE_HTACCESS_CONFIG -cia mod_security.c

    This means that end users will not be able to use any mod_security specific directives in their .htaccess file.
    cool
    that fixed turning off mod_security
    any idea on how to stop
    PHP Code:
    AddType application/x-httpd-php .gif 
    thanks a lot

  15. #15
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    You should always deny everything by default and then specifically only allow the options you want to allow. Control it by only allowing options you can trust, so they can still do things such as basic auth, perhaps using mod_rewrite, etc. There are a lot of other solutions, but for .htaccess, other than locking it down (read only), renaming the control file, filtering in Apache itself by file/dir name and other variables, you should be able to most easily select what options are available and just deny the rest. There's also likely a lot more to the issue than allowing mod_security and .htaccess to be bypassed and modified, respectively.

  16. #16
    Join Date
    Dec 2006
    Posts
    477
    I'm not sure how disabling the AddType makes your server any more secure - the hacker could still PHP files with a normal extension.

  17. #17
    Join Date
    Jul 2003
    Posts
    527
    it's just to stop the hacker from hiding the php file as a gif or a jpg
    there must be a way to stop
    PHP Code:
    AddType application/x-httpd-php .gif 
    inside .htaccess files

  18. #18
    Join Date
    Jul 2003
    Posts
    527
    anyone know how to disable "AddType application/x-httpd-php" being used inside .htaccess ?

  19. #19
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    AddType is under the override FileInfo, so not including FileInfo in your AllowOverride should do what you want.

    However, as others have said, if the hacker has ftp access then whatever you do to restrict him will be pointless. If the client can't keep his login secure then you have to disable it. Lock out the hacker (and the client) altogether.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

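The override classes discussed in posts #10 and #19, as an added example that is not part of any post in the thread: a small auditor that reports, for each `.htaccess` directive, which `AllowOverride` class it needs, whether a given `AllowOverride` setting would permit it, and whether it matches the two patterns quoted in the first post. The function name, the `SAMPLE` file and the `SCRIPT_EXT` list are assumptions made for illustration.

```python
# Override class each directive needs before Apache accepts it in .htaccess.
OVERRIDE_CLASS = {
    "addtype": "FileInfo", "addhandler": "FileInfo", "sethandler": "FileInfo",
    "rewriteengine": "FileInfo", "rewriterule": "FileInfo", "errordocument": "FileInfo",
    "authtype": "AuthConfig", "authname": "AuthConfig", "authuserfile": "AuthConfig",
    "require": "AuthConfig", "order": "Limit", "allow": "Limit", "deny": "Limit",
    "options": "Options", "directoryindex": "Indexes",
}
SCRIPT_EXT = {".php", ".phtml"}  # extensions expected to run as PHP (assumption)

# Constructed sample: the two snippets quoted in the thread plus ordinary basic auth.
SAMPLE = """\
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
AddType application/x-httpd-php .gif
AuthType Basic
AuthName "Members"
Require valid-user
"""

def audit_htaccess(text, allow_override):
    """Return (line_no, directive, override_class, permitted, alert) per directive.

    permitted is None when the directive is not in OVERRIDE_CLASS, e.g. the
    mod_security 1.x directives, which the thread blocks at build time instead.
    """
    allowed = {c.lower() for c in allow_override}
    rows = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # blank lines, comments, <IfModule>-style containers
        name, *args = line.split()
        key, low = name.lower(), [a.lower() for a in args]
        cls = OVERRIDE_CLASS.get(key)
        permitted = None if cls is None else ("all" in allowed or cls.lower() in allowed)
        alert = None
        if key.startswith("secfilter") and "off" in low:
            alert = "switches mod_security filtering off"
        elif key in ("addtype", "addhandler", "sethandler") and low and "php" in low[0]:
            exts = {"." + a.lstrip(".") for a in low[1:]}  # accept "gif" and ".gif"
            if key == "sethandler" or exts - SCRIPT_EXT:
                alert = "PHP handler applied to non-script files"
        rows.append((no, name, cls, permitted, alert))
    return rows
```

Calling `audit_htaccess(SAMPLE, ("AuthConfig", "Limit", "Indexes"))` shows the `AddType` line blocked while the basic-auth directives stay permitted; `RewriteRule` also belongs to `FileInfo`, so dropping that class disables mod_rewrite in `.htaccess` as well. On Apache 2.4 the `AllowOverrideList` directive can permit individual directives without granting a whole class.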
  20. #20
    Join Date
    Jul 2001
    Location
    Troy, Missouri USA
    Posts
    1,299
    Edit wrong post...
    Last edited by sitekeeper; 02-05-2008 at 10:03 AM.

  21. #21
    Join Date
    Jul 2007
    Posts
    55
    The most important thing is to prevent them from disabling mod security.
    I work with a cup of tea, prefer green tea.

  22. #22
    Join Date
    Jul 2003
    Posts
    527
    yes you're right but i have found out that some hackers have edited php shells to use Base64 encoding for the Get or Post commands so it will not be filtered by mod_security
    example
    the command
    get .htaccess
    will be
    Z2V0IC5odGFjY2Vzcw==
    so they just replace all the commands inside the php shell script to Base64 encoded commands
    is there a way to block the server from reading Base64 encoding ?

  23. #23
    Quote Originally Posted by BizB View Post
    yes you're right but i have found out that some hackers have edited php shells to use Base64 encoding for the Get or Post commands so it will not be filtered by mod_security
    example
    the command
    get .htaccess
    will be
    Z2V0IC5odGFjY2Vzcw==
    so they just replace all the commands inside the php shell script to Base64 encoded commands
    is there a way to block the server from reading Base64 encoding ?
    in your php.ini
    disable_functions add this :
    base64_decode

  24. #24
    Join Date
    Jul 2003
    Posts
    527
    Quote Originally Posted by alwatan View Post
    in your php.ini
    disable_functions add this :
    base64_decode
    thanks I'll try it and see
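
The filtering gap raised in post #22, as an added example that is not part of any post in the thread: a request inspector that Base64-decodes candidate parameter values before applying its keyword rules, so the encoded and plain forms of the same command are matched alike. `RULES` is a constructed stand-in for a real rule set, the function names are hypothetical, and only standard Base64 is normalised.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed stand-in for the keyword rules a request filter would apply.
RULES = [re.compile(p, re.I) for p in (r"\.htaccess", r"/etc/passwd")]
B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def decode_candidates(value, depth=2):
    """Yield value, then any printable text recovered by Base64-decoding it.

    depth bounds how many nested encoding layers are unwrapped.
    """
    yield value
    if depth and len(value) % 4 == 0 and B64.match(value):
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return  # not Base64 text after all; keep only the raw form
        if text.isprintable():
            yield from decode_candidates(text, depth - 1)

def inspect_query(query):
    """Return (parameter, matched_form, rule) for every rule hit in a query string."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for form in decode_candidates(value):
            for rule in RULES:
                if rule.search(form):
                    hits.append((name, form, rule.pattern))
    return hits
```

With the value quoted in the post, `inspect_query("cmd=Z2V0IC5odGFjY2Vzcw==")` reports a hit on the decoded form `get .htaccess`.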
