Results 1 to 9 of 9

Thread: SSL 500?

  1. #1
    Join Date
    Mar 2009
    Posts
    90

    Exclamation SSL 500?

    Having sporadic issues with Payapl access my server to do a callback in my script-path software via the IPN. The issue is sporadic.

    My domain's ssl logs show this:

    Code:
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:09:23:00 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:09:52:07 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:09:52:46 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 200 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:09:57:10 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:10:54:07 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:10:55:08 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:13:23:12 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:13:24:02 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 200 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:14:02:28 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    domain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:14:48:53 -0500] "POST /script-path/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    What I don't understand is my server has been up 100% of the time. I monitor 80 and 443 on 1 minute intervals.

    I'm using Centos, Cpanel with Apache 2.2, PHP 5x w/ suphp enabled.

    Also, in my httpd.conf file I added the below as well hoping it might help:

    RLimitMEM 473331029
    RLimitCPU 240
    ErrorLog logs/error_log
    DefaultType text/plain
    AddType text/html .shtml

    ServerLimit 1000
    KeepAlive On
    MaxKeepAliveRequests 64
    KeepAliveTimeout 1
    MinSpareServers 5
    MaxSpareServers 15
    StartServers 30
    MaxClients 850
    MaxRequestsPerChild 64
    HostnameLookups Off
    UseCanonicalName Off
    What could possibly be the cause? I grep'd the IP address of Paypal in various logs in /var/logs, /usr/local/apache/logs/ and /usr/local/apache/domlogs/mydomain.com*

    Only the above came up. I even grep'd "paypal.php", got nothing.


    I'm using CSF/LFD on the server with mod_security enabled too.

  2. #2
    Join Date
    Nov 2003
    Location
    New Jersey, USA
    Posts
    81
    It looks like a "500 internal server error" and there are many causes for this error like:

    - paypal.php file permission, if your server run phpsuexec or suphp make sure paypal.php file permission is set to 644 and above directory to 755

    - check your mod_security logs, you maybe tripping some rule there.

    - paypal.php is corrupted, just reupload the file
    Web Hosting - Reseller Hosting - VPS - Dedicated Servers - Cloud Hosting - Email Marketing
    BuyHTTP, LLC - R1Soft CDP backup and RVsitebuilder included with all shared/reseller plans
    Cloud Hosting Truly redundant high available cloud from a trusted name.

  3. #3
    Join Date
    Mar 2009
    Posts
    90
    I'm not using suphp on this server, that was a mistake in my OP.

    I checked /usr/local/apache/logs/modsec_audit.log (plus unzipped all archived modsec logs).

    I got these errors:

    Host: www.mydomain.com
    Apache-Error: [file "core.c"] [line 3631] [level 3] File does not exist: /home/username/public_html/500.shtml


    suexec log = nothing


    [email protected] [/usr/local/apache/logs]# grep 'paypal' error_log
    * About to connect() to api-3t.paypal.com port 443 (#0)
    * Connected to api-3t.paypal.com (66.211.168.126) port 443 (#0)
    * subject: C=US, ST=California, L=San Jose, O=PayPal, Inc., OU=Information Systems, CN=api-3t.paypal.com
    Host: api-3t.paypal.com

    [email protected] [/usr/local/apache/logs]# grep 'paypal.php' error_log (nothing)


    [email protected] [/usr/local/apache/domlogs]# grep 'paypal.php' mydomain.com-ssl_log
    mydomain.com:xxx.xxx.288.2 - - [05/Jul/2009:15:42:28 -0500] "GET /billing/modules/gateways/callback/paypal.php HTTP/1.1" 200 20 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:15:43:12 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:16:05:18 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:16:19:19 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 200 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:16:19:19 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 200 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:16:35:25 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:16:43:52 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 200 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:17:00:03 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 200 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:17:27:07 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:17:32:20 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:17:38:13 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:18:15:32 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:18:17:55 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:19:30:04 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:20:38:29 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:20:48:28 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:21:56:26 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:22:45:37 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"
    mydomain.com-ssl_log:66.211.170.66 - - [05/Jul/2009:23:43:59 -0500] "POST /billing/modules/gateways/callback/paypal.php HTTP/1.0" 500 - "-" "-"

    I'm using WHMCS software

    Code:
    drwxr-xr-x  2 username username 4.0K Jul  6 00:20 callback/
    Code:
    -rw-r--r--  1 username username 13K Jul  6 00:20 paypal.php

  4. #4
    Join Date
    Mar 2009
    Posts
    90
    This is my modsec config file too:

    Code:
    # http://www.gotroot.com/mod_security+rules
    # Gotroot.com ModSecurity rules
    # Application Security Rules for modsec 2.x
    #
    # Version: N-20061022-01
    #
    # Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rules.conf
    #
    # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
    # Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
    # Redistribution is strictly prohibited in any form, including whole or in part.
    #
    # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS 
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
    # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
    # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
    # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
    # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
    # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
    # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
    # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
    # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 
    # THE POSSIBILITY OF SUCH DAMAGE.
    
    #--------------------------------
    # notes
    #--------------------------------
    # Rules work with modsecurity 2.0 and above only
    
    #--------------------------------
    #start rules
    #--------------------------------
    
    #Configure for your site
    SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
    
    #Generic rule for allowed characters, very broken at the moment, dont use it unless you can fix it
    #Then post your fix eh!
    #SecRule REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"
    
    
    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecRule HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
    
    #deny TRACE method
    SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
    
    #XSS insertion into headers
    SecRule REQUEST_HEADERS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"
    
    
    #Don't accept chunked encodings
    #modsecurity can not look at these, so this is a hole
    #that can bypass your rules, the rule before this one
    #should cover this, but hey paranoia is cheap
    SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
    
    #Code injection via content length
    SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
    
    ##generic recursion signatures
    SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
    SecRule REQUEST_URI "\.\./\.\./"
    #generic path recurision sig
    
    
    #generic recursion signatures
    SecRule REQUEST_URI "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"
    
    #generic bogus path sigs
    SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
    
    #Generic PHP exploit signatures
    SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
    
    #Generic PHP exploit signatures
    SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
    
    #slightly tighter rules with narrower focus
    SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
    
    #generic XSS PHP attack types
    SecRule REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
    SecRule REQUEST_BODY|REQUEST_URI  "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"
    
    
    #Prevent SQL injection in cookies
    SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
    
    #Prevent command injection through cookies
    SecRule REQUEST_COOKIES "\; cmd="
    
    #Prevent SQL injection in UA
    SecRule HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
    
    # Generic filter to prevent SQL injection attacks
    # Understand that all SQL filters are very limited and are very difficult 
    # to prevent false postives and negatives.  
    # Pplease report false positives/negatives to [email protected]
    SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
    SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
    
    #Generic SQL sigs
    SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
    
    #Generic SQL sigs
    SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
    
    #Generic SQL sigs
    SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
    SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" 
    
    #Meta character SQL injection
    SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)"  "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"
    
    #Generic command line attack filter
    SecRule REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
    SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"
    
    #Generic PHP bad functions protection
    #PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
    SecRule ARGS compress\.zlib:
    
    #Generic XSS filter
    #please report false positives
    SecRule REQUEST_URI "!/mt\.cgi" chain
    SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
    
    #XSS in referrer and UA headers
    SecRule HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
    
    #PHP Injection Attack generic signature
    SecRule REQUEST_URI  "\.php" chain
    SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
    
    #PHP Injection Attack generic signature
    SecRule REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
    
    #Generic PHP remote file inclusion attack signature
    SecRule REQUEST_URI "\.php\?" chain
    SecRule REQUEST_URI "(http|https|ftp)\:/" chain
    SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    
    #Generic PHP remote file inclusion attack signature with command
    SecRule REQUEST_URI "\.php\?" chain
    SecRule REQUEST_URI "(http|https|ftp)\:/" chain
    SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    
    #Genenric PHP body attack
    SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
    SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    
    #Generic PHP remote file injection
    SecRule REQUEST_URI "!(/do_command)" chain
    SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
    
    #script, perl, etc. code in HTTP_Referer string
    SecRule HTTP_Referer "\#\!.*/"
    
    #generic command line attack
    SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"
    
    #remote file inclusion generic attack signature
    SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
    SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
    
    #remote file inclusion generic attack signature
    SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
    SecRule ARGS "\?\&(cmd|inc|name)="
    
    #remote file inclusion generic attack signature
    SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
    
    #remote file inclusion generic attack signature
    SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
    
    SecRule REQUEST_URI  "store\.php\?site_isp_root="
    
    SecRule REQUEST_URI  "baseDir=http"
    
    #Bogus file extensions generic signature
    SecRule REQUEST_URI  "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
    
    #PHP remote path attach generic signature
    SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
    SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"
    
    #generic attack sig
    SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
    
    # WEB-ATTACKS uname -a command attempt
    SecRule REQUEST_URI "uname" chain
    SecRule REQUEST_URI "\x20-a" 
    
    #Generic argument protection rule against bad meta characters
    #SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
    
    #generic php attack sigs
    SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
    
    # WEB-ATTACKS xterm command attempt
    SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
    
    # WEB-ATTACKS /etc/shadow access
    SecRule REQUEST_URI "/etc/shadow"
    
    # WEB-ATTACKS /bin/ps command attempt
    SecRule REQUEST_URI "/bin/ps"
    
    # WEB-ATTACKS /usr/bin/id command attempt
    SecRule REQUEST_URI  "/usr/bin/id" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS echo command attempt
    SecRule REQUEST_URI  "/bin/echo" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS kill command attempt
    SecRule REQUEST_URI  "/bin/kill" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS chmod command attempt
    SecRule REQUEST_URI  "/bin/chmod" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS chsh command attempt
    SecRule REQUEST_URI   "/usr/bin/chsh"
    
    # WEB-ATTACKS gcc command attempt
    SecRule REQUEST_URI  "gcc" chain
    SecRule REQUEST_URI "x20-o" 
    
    # WEB-ATTACKS /usr/bin/cc command attempt
    SecRule REQUEST_URI  "/usr/bin/cc" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /usr/bin/cpp command attempt
    SecRule REQUEST_URI  "/usr/bin/cpp" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /usr/bin/g++ command attempt
    SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS g++ command attempt
    SecRule REQUEST_URI  "g\+\+\x20" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS bin/python access attempt
    SecRule REQUEST_URI  "bin/python" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS python access attempt
    #SecRule "python\x20"
    
    # WEB-ATTACKS bin/tclsh execution attempt
    SecRule REQUEST_URI "bin/tclsh"
    
    # WEB-ATTACKS tclsh execution attempt
    SecRule REQUEST_URI "tclsh8\x20"
    
    # WEB-ATTACKS bin/nasm command attempt
    SecRule REQUEST_URI "bin/nasm"
    
    # WEB-ATTACKS nasm command attempt
    SecRule REQUEST_URI "nasm\x20"
    
    # WEB-ATTACKS /usr/bin/perl execution attempt
    SecRule REQUEST_URI "/usr/bin/perl"
    
    # WEB-ATTACKS traceroute command attempt
    SecRule REQUEST_URI  "traceroute" chain
    SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
    
    # WEB-ATTACKS ping command attempt
    SecRule REQUEST_URI  "/bin/ping" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS X application to remote host attempt
    SecRule REQUEST_URI "\x20-display\x20"
    
    # WEB-ATTACKS mail command attempt
    SecRule REQUEST_URI  "/bin/mail" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /bin/ls command attempt
    SecRule REQUEST_URI "/bin/ls" chain
    SecRule REQUEST_URI "\x20" 
    
    # WEB-ATTACKS /etc/inetd.conf access
    SecRule REQUEST_URI  "/etc/inetd\.conf"
    
    # WEB-ATTACKS /etc/motd access
    SecRule REQUEST_URI  "/etc/motd"
    # WEB-ATTACKS conf/httpd.conf attempt
    SecRule REQUEST_URI  "conf/httpd\.conf"
    
    # WEB-MISC .htpasswd access
    SecRule REQUEST_URI  "\.htpasswd" 
    
    # WEB-MISC /etc/passwd access
    SecRule REQUEST_URI  "/etc/passwd" 
    
    # WEB-MISC nessus 1.X 404 probe
    SecRule REQUEST_URI "/nessus_is_probing_you_" 
    
    # WEB-MISC nessus 2.x 404 probe
    SecRule REQUEST_URI "/NessusTest" 
    
    # WEB-MISC ls%20-l
    SecRule REQUEST_URI  "ls" chain
    SecRule REQUEST_URI "\x20-l" 
    
    # WEB-MISC apache directory disclosure attempt
    SecRule REQUEST_URI "////////" 
    
    #musicat empower attempt
    SecRule REQUEST_URI "/empower\?DB="
    
    # WEB-MISC *%0a.pl access
    SecRule REQUEST_URI "/*\x0a\.pl" 
    
    #PHPBB worm sigs
    SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
    SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
    
    #PHP defenses
    SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" 
    
    #PHP defenses
    SecRule ARGS "^(globals($|\[)|php:/)"
    
    #PHP defenses
    SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"
    
    #PHP defenses
    SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"
    
    # Web-attacks chdir
    SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
    
    # TIKIWIKI
    SecRule REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"
    
    #SMTP redirects
    SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25 
    
    #These are VERY experiemental, please report false positives/negatives, etc.
    #very experimental generic remote download sig
    #foo IP or FQDN, or foo http/https/ftp://whatever
    SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
    
    #Command inline detection
    SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
    
    #very experimental connect command sig
    SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
    
    #Commands, also need a major rework, these also have issues
    SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
    #SecRule REQUEST_URI "echo\x20" 
    SecRule REQUEST_URI "links -dump "
    SecRule REQUEST_URI "links -dump-(charset|width) "
    SecRule REQUEST_URI "links (http|https|ftp)\:/"
    SecRule REQUEST_URI "links -source "
    #SecRule REQUEST_URI "mkdir\x20" 
    SecRule REQUEST_URI "perl" 
    SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" 
    
    SecRule REQUEST_URI "cd \.\." 
    SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" 
    
    #generic block for fwrite fopen uploads
    SecRule REQUEST_URI "fwrite" chain
    SecRule REQUEST_URI "fopen" 
    
    #generic sig for more bad PHP functions
    SecRule REQUEST_URI "chr\(([0-9]{1,3})\)"
    SecRule ARGS_NAMES "^php:/"
    
    # WEB-MISC Tomcat view source attempt
    SecRule REQUEST_URI "\x252ejsp"
    
    # WEB-MISC whisker HEAD/./
    #SecRule "HEAD/./"
    
    # WEB-FRONTPAGE .... request
    SecRule REQUEST_URI "\.\.\.\./"
    
    #experimental CSS rule
    #SecRule REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"
    
    #Generic attack rules pcre format
    #cross site scripting attempt IMG onerror or onload
    SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*="
    
    #cross site scripting attempt TYPE + JAVASCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript"
    
    #cross site scripting attempt STYLE + JAVASCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript"
    
    #cross site scripting attempt STYLE + JSCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript"
    
    # cross site scripting attempt STYLE + VBSCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript"
    
    #cross site scripting attempt STYLE + VBSCRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript"
    
    #cross site scripting attempt STYLE + ECMACRIPT
    SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript"
    
    # cross site scripting attempt STYLE + EXPRESSION
    SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\("
    
    #cross site scripting attempt STYLE + EXPRESSION
    SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"
    
    # cross site scripting attempt using XML
    SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
    
    #cross site scripting attempt executing hidden Javascript
    SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"
    
    #cross site scripting attempt executing hidden Javascript
    SecRule REQUEST_URI "window\.execScript[\s]*\("
    
    #cross site scripting attempt to execute Javascript code
    SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"
    
    #cross site scripting stealth attempt to execute Javascript code
    #may false alarm for some language sets
    SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
    SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
    
    #Apache /server-info accessible
    SecRule REQUEST_URI   "/server-info" chain
    SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
    
    #Apache /server-status accessible
    #Modified so apache-protect can run
    SecRule REQUEST_URI "^/server-status/$" chain
    SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
    
    #generic Common HTTP vulnerability
    SecRule REQUEST_URI "/\?cwd=/"
    
    #General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
    SecRule REQUEST_URI "\.php\?" chain
    SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
    
    #Experimental XML-RPC generic attack sigs
    SecRule REQUEST_BODY "\'\,\'\'\)\)\;"
    SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;"
    
    #MTS
    #XML-RPC generic attack sigs
    SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
    SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
    SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
    SecRule REQUEST_BODY "methodCall\>"
    
    #Specific XML-RPC attacks on xmlrpc.php
    SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
    SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
    SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
    
    #Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
    #SecRule REQUEST_URI "/xmlrpc\.php" chain
    #SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
    
    #XML-RPC SQL injection generic signature
    SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
    SecRule REQUEST_BODY  "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
    
    #generic remote file inclusion vulns
    SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
    SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
    SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
    SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
    
    #catch smuggling attacks
    #SecRule "^(GET|POST).*Host:.*^(GET|POST)" 
    
    #Drupal remote command execution vulnerability exploit signature
    #This is already covered in another generic signature, but just in case you leave it out, here it is
    #again with a slightly tigher regexp
    SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
    #Slightly stronger version of the above
    SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
    
    #Generic PHP attack sig
    SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
    
    #Generic Nessus request filter
    SecRule REQUEST_URI "NessusTest*\.html"
    
    #Generic PHP payload command injection and upload vulnerabilities
    SecRule REQUEST_BODY "<\?php" chain
    SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
    SecRule REQUEST_BODY "\<\?php"
    
    #Generic XML RPC attack sig
    SecRule REQUEST_BODY "\'(______BEGIN______|_____FIM_____)\'\;"
    
    #HTTP header PHP code injection attacks
    SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
    #wormsign
    SecRule REQUEST_HEADERS "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
    SecRule REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
    
    #phpbb wormsign
    SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"
    
    #Generic PHP avatar upload exploits
    SecRule REQUEST_URI "\.php" chain
    SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
    SecRule REQUEST_BODY "\<\?php" chain
    SecRule REQUEST_BODY "\?>"
    
    #Fake image file shell attacvk
    SecRule REQUEST_HEADERS:Content-Type "image/.*"
    SecRule REQUEST_BODY "chr\("
    
    #bogus graphics file
    SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
    SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
    
    #wormsign
    SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
    
    #Special account protection
    SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
    
    #Generic PHP fopen sig
    SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
    Maybe something is triggering this paypal call back? Although, logs don't show that.

  5. #5
    Join Date
    Nov 2003
    Location
    New Jersey, USA
    Posts
    81
    Have you tried to reupload the file from the source?

    If that didn't help try to recompile apache.
    Web Hosting - Reseller Hosting - VPS - Dedicated Servers - Cloud Hosting - Email Marketing
    BuyHTTP, LLC - R1Soft CDP backup and RVsitebuilder included with all shared/reseller plans
    Cloud Hosting Truly redundant high available cloud from a trusted name.

  6. #6
    Join Date
    Mar 2009
    Posts
    90
    Already did both, re-uploaded and recompiled. Didn't help

  7. #7
    Join Date
    Nov 2003
    Location
    New Jersey, USA
    Posts
    81
    If you running suhosin check /var/log/messages logs or turn it off along with mod_security.
    Web Hosting - Reseller Hosting - VPS - Dedicated Servers - Cloud Hosting - Email Marketing
    BuyHTTP, LLC - R1Soft CDP backup and RVsitebuilder included with all shared/reseller plans
    Cloud Hosting Truly redundant high available cloud from a trusted name.

  8. #8
    Join Date
    Mar 2009
    Posts
    90
    I'm not running suhosin

  9. #9
    Join Date
    Nov 2003
    Location
    New Jersey, USA
    Posts
    81
    I can't think of anything else at the moment, why don't try to contact WHMCS support, they should be able to help you better, maybe you missed something here or there they can spot.
    Web Hosting - Reseller Hosting - VPS - Dedicated Servers - Cloud Hosting - Email Marketing
    BuyHTTP, LLC - R1Soft CDP backup and RVsitebuilder included with all shared/reseller plans
    Cloud Hosting Truly redundant high available cloud from a trusted name.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •