Apache Server configuration support - help with c99 shell attack rules for mod_security


vidals

2007-05-08, 1:20 pm

I'm brand new to mod_security. I run a small hosting company and I
want to prevent c99shell scripts from running.

I found this rule to detect URIs for the c99 shell.

#new kit
SecFilterSelective REQUEST_URI "/c99shell\.txt"
SecFilterSelective REQUEST_URI "/c99\.txt\?"

My problem is that the hackers are being more stealthy and calling the
script some random name like .../myphpstuff.php. So the URI no longer
helps detect it.

How could I detect "c99.*shell" in the actual file that apache
serves? This assumes that the hacker was successful in installing
it.

From reading the manual I think I would use:


"SecFilterSelective POST_PAYLOAD"
"SecRule RESPONSE_BODY "c99.*shell".

I don't know exactly what the rule should be or which file to put it
in. Any guidance would be greatly appreciated. I'm using mod_security
version 1.9.4

Thank you.
Vidals

shimmyshack

2007-05-08, 7:23 pm

On May 8, 7:04 pm, vidals <gvid...@gmail.com> wrote:
> I'm brand new to mod_security. I run a small hosting company and I
> want to prevent c99shell scripts from running.
>
> I found this rule to detect URI's for the c99 shell.
>
> #new kit
> SecFilterSelective REQUEST_URI "/c99shell\.txt"
> SecFilterSelective REQUEST_URI "/c99\.txt\?"
>
> My problem is that the hackers are being more stealthy and calling the
> script some random name like .../myphpstuff.php. So the URI no longer
> helps detect it.
>
> How could I detect "c99.*shell" in the actual file that apache
> servers? This assumes that the hacker was successfully in installing
> it.
>
>
> "SecFilterSelective POST_PAYLOAD"
> "SecRule RESPONSE_BODY "c99.*shell".
>
> I don't know exactly what the rule should be or which file to put it
> in. Any guidance would be greatly appreciated. I'm using mod_security
> version 1.9.4
>
> Thank you.
> Vidals


How are they managing to upload? That's where your efforts should go.
There's nothing to stop them calling it whatever random name their
script chooses. As for the post payload, that too could be anything,
but would normally be some kind of local executable. Your security
should be such that there are very limited things that can happen as a
result of running a local executable.

The post payload stops the script from getting to your servers in the
first place, and so is only effective against the name c99.... It is
possible to parse the post payload for all strings. Have you thought
about disabling remote url opening via fopen, etc... and locking down
exec, passthru, system, or at least checking for the contents of c99 in
post payloads?

The coolrules project might have more for you over on
http://www.modsecurity.org/projects...ules/index.html

If you have no way to help your users patch their software, this
encourages old software, and prevents issuing warnings about old
software when the users might not fully understand the risks of adding
the 99th module into joomla!
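One way to write the rule vidals asks about, taking shimmyshack's point that both the request body (the upload) and the output (the page the shell renders) need scanning. This is an added example, not a rule from the thread or from the ModSecurity project: the first block uses the ModSecurity 1.9.x directives that match the version in the question, the second gives the ModSecurity 2.x equivalents, and the rule ids and messages are made up for illustration.

```apache
# --- ModSecurity 1.9.x (the version in the question) ---
# Place in httpd.conf or a file pulled in with Include.
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterDefaultAction "deny,log,status:403"

    # Buffer request bodies so POST_PAYLOAD rules actually see them.
    SecFilterScanPOST On

    # Buffer responses so OUTPUT rules fire; restrict to text types so
    # images and downloads are not held in memory (shimmyshack's
    # large-process observation comes from buffering everything).
    SecFilterScanOutput On
    SecFilterOutputMimeTypes "(null) text/html text/plain"

    # Block a response carrying the shell's banner, whatever the script
    # was renamed to on disk. (?i) makes the match case-insensitive.
    SecFilterSelective OUTPUT "(?i)c99.*shell" "deny,log,status:403,msg:'c99 shell banner in response'"

    # Block an upload whose body contains the same signature.
    SecFilterSelective POST_PAYLOAD "(?i)c99.*shell" "deny,log,status:403,msg:'c99 shell signature in request body'"
</IfModule>

# --- ModSecurity 2.x equivalents ---
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html

    # phase:4 = response body; rule ids are placeholders (mandatory from 2.7 on)
    SecRule RESPONSE_BODY "(?i)c99.*shell" \
        "id:900100,phase:4,t:none,deny,log,status:403,msg:'c99 shell banner in response'"

    # phase:2 = request body
    SecRule REQUEST_BODY "(?i)c99.*shell" \
        "id:900101,phase:2,t:none,deny,log,status:403,msg:'c99 shell signature in request body'"
</IfModule>
```

The pattern matches any page whose body contains "c99" followed later by "shell" (a forum thread like this one included), so log-only (replace deny with pass) for a few days before blocking, and remember the upload itself is the thing to stop, as shimmyshack says.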

shimmyshack

2007-05-08, 7:23 pm

On May 8, 10:17 pm, shimmyshack <matt.fa...@gmail.com> wrote:
> On May 8, 7:04 pm, vidals <gvid...@gmail.com> wrote:
>
> How are they managing to upload? That's where your efforts should go.
> There's nothing to stop them calling it whatever random name their
> script chooses. As for the post payload, that too could be anything,
> but would normally be some kind of local executable. Your security
> should be such that there are very limited things that can happen as a
> result of running a local executable.
>
> The post payload stops the script from getting to your servers in the
> first place, and so is only effective against the name c99.... It is
> possible to parse the post payload for all strings. Have you thought
> about disabling remote url opening via fopen, etc... and locking down
> exec, passthru, system, or at least checking for the contents of c99 in
> post payloads?
>
> The coolrules project might have more for you over on http://www.modsecurity.org/projects/coolRules/index.html
>
> If you have no way to help your users patch their software, this
> encourages old software, and prevents issuing warnings about old
> software when the users might not fully understand the risks of adding
> the 99th module into joomla!


Have you as a company developed/implemented rules for the major
blogging/cms applications like wordpress, joomla and so on? It might
help to download a list of preconfigured rules and make them mandatory
for all sites; this way certain GET strings used in xss, sql
injection, header injection and so on would be stopped at the mod_sec
level. If you provided your users with piped error messages they could
see why their scripts were failing if they decided to implement some
bad practise of their own. I have experimented with buffering with
some success, although in some cases the apache process grew very
large when uploading large files, although that could be circumvented
with better rules I think.

Copyright 2003 - 2008 webservertalk.com