
a problem after installing mod_security! (URGENT)

Discussion in 'Security' started by theprogs, Dec 16, 2011.

  1. theprogs

    theprogs Member

    Joined:
    Dec 16, 2011
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hello all,

    Today I installed the mod_security plugin using Easy::Apache v3.7.2. I only checked its check box in the customization process and did a rebuild.

    After that, none of the PHP files could execute; instead, anyone can download them by browsing to them in the URL!!!

    Please help me to fix the problem very fast :(

    Thank you,

    The Programmer
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Not sure if this is related to mod security. You might try rebuilding Apache again.
     
  3. theprogs

    with the same procedure?

    http://imageshack.us/photo/my-images/97/apachef.jpg/


    thanks
     
  4. theprogs

    I rebuilt it again using "Build Profile Now" and rebooted the server,

    but it's the same thing :( What to do? Please help me :(

    The Programmer
     
  5. MikeLewin

    MikeLewin Member

    Joined:
    Dec 1, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Oh, all these 'hardening' things make life so difficult.. suhosin is even worse..

    I'd say short term fix until you can get it sorted -

    add the following code in your .htaccess of affected site(s):

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    Then, I'd say to read up on mod_security, and see what's causing that. It's most likely either a wrong filetype (e.g. it doesn't know how to handle .php) OR it could be a permissions thing. I know for example that one of those mods (I think suphp) only allows .php to run as 'nobody', which is retarded

    Hope that helps.

    Mike
     
  6. Infopro

    Since we have no idea what your previous build contained, I would select the Basic option as it says right there beside it: "If your previous build has failed...."

    Get it back up and working, first things first.

    You might wish to put in a ticket to cPanel support via your WHM for help with this as well. There's a small menu, top right corner of WHM header to get to Support.

    Not sure what problems you're having but I've got suhosin running on all my servers without issue. Most do these days I would think.
     
  7. theprogs

    MikeLewin,

    Thanks for trying to help, but it didn't work. I think there's some issue in PHP handling, as Infopro said.

    I opened a ticket with my hosting, but they still haven't fixed it. I don't want to interfere with their work now.

    I will wait for the technical support, or I will just do the Basic option :(

    BTW, I don't know if it's related or not, but someone was trying hard to hack the website by using a directory scanner. I denied lots of IPs, but he kept scanning with different IPs. That's why I installed the mod_security plugin: I wanted to deny certain agents from accessing the website. I just don't know if mod_security caused the problem, or the hacker did something to the server :(

    thanks all,

    The Programmer
     
  8. MikeLewin

    I'm sure Suhosin runs fine in most use cases, it's just that several of its limitations caused issues with our larger custom applications (like limiting posted form fields / arrays / file sizes, etc). Once we figured out that most of the issues our clients were having were with Suhosin truncating data, etc. we were able to adjust the default settings, but it's still 'yet another thing'
     
  9. MikeLewin

    @theprogs - oh sorry it didn't work. Hope they get it figured out.

    Funnily enough it was someone directory scanning our servers that caused me to join this forum.. These people need to be shot.
     
  10. Infopro

    In my humble opinion, you can never have too many 'things' when it comes to security.


    Welcome to the wonderful world of Web Hosting. It will not ever end, you can not prevent this (scanning etc) from happening. Your best bet is more 'things' :p
     
  11. theprogs

    They didn't solve the problem. They said they recompiled PHP, but that didn't help;
    the same problem is still happening.

    Yes Mike, they need to be shot between their eyes, those attackers, but did you figure out how to stop their attacks?

    The programmer
     
  12. theprogs

    Finally, it's working now! The support guy said that there was no PHP handler defined in WHM; he turned on suPHP and everything is OK now.

    The Programmer
     
  13. MikeLewin

    m afraid. So far we've renamed any 'obvious' folders
     
  14. MikeLewin

    GRR this thing won't let me reply properly..

    Not yet I'm afraid. So far we've renamed any 'obvious' folders that we can control, but I still need someone to point me to where the /cpanel / whm, etc. redirectmatch rules are generated from.

    With the number of 'all my sites got hacked' type threads, you'd think such a basic security measure would be more obvious..

    Glad you got it working. We had issues with SuPHP because it wasn't running PHP scripts as anything other than 'nobody'.. That's another thing we have to figure out :)
     
  15. theprogs

    ummm, I think I will try again the agent denying trick, that hacker never gave up, he's trying everyday with several scanners to find an exploit, he was a member of our forums before we kicked him out :)
     
  16. MikeLewin

    What we did was to create a master 'banned' mysql database (accessible from all sites) and wrote a PHP script that activates on 404

    this preg_matches the URI and if someone was trying to access phpmyadmin|php-my-admin| etc etc. it writes their IP into the 'banned' database, then bounces them immediately out to the FBI site (LOL)

    THEN, as people enter the site(s), a second small include script just scans the banned IP list, and if it matches, bounces the visitor off to the FBI

    I know some people will say 'well it could have been an error', but no.. nobody looks for things like 'phpMyAdmin-2.5.6-rc2/index.php', 'phpMyAdmin-2.5.5/index.php', etc unless they're up to no good..
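
The 404-triggered ban list described in the post above, sketched as an added example; it is not MikeLewin's script and not cPanel code. The table name, the probe pattern, the 24-hour expiry, the use of SQLite in place of the shared MySQL database, and answering 403 instead of redirecting are all assumptions made for the sketch.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's script. Table name, pattern and TTL are assumptions.
const BAN_TTL = 86400; // expire bans after 24 h so shared or reassigned IPs recover
// Top-level directories named in the post; matched only for requests that already 404ed.
const PROBE_PATTERN = '~^/(?:phpmyadmin|php-my-admin)[^/]*/~i';

function ban_store(string $dsn = 'sqlite::memory:'): PDO
{
    // The post used one MySQL database shared by all sites; SQLite keeps the demo offline.
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS banned
               (ip TEXT PRIMARY KEY, uri TEXT, banned_at INTEGER)');
    return $db;
}

// 404 handler side: record the client only if the missing URI is a known probe path.
function record_probe(PDO $db, string $ip, string $uri, int $now): bool
{
    $path = parse_url($uri, PHP_URL_PATH);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || !is_string($path)) {
        return false;
    }
    if (preg_match(PROBE_PATTERN, $path . '/') !== 1) {
        return false;
    }
    // Bound parameters: the URI is attacker-controlled and must never be concatenated.
    $stmt = $db->prepare('REPLACE INTO banned (ip, uri, banned_at) VALUES (?, ?, ?)');
    $stmt->execute([$ip, substr($uri, 0, 255), $now]);
    return true;
}

// Include side: run at the top of each page; the caller answers 403 when this is true.
function is_banned(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare('SELECT 1 FROM banned WHERE ip = ? AND banned_at > ?');
    $stmt->execute([$ip, $now - BAN_TTL]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample requests using documentation addresses, not real traffic.
$db  = ban_store();
$now = 1324000000;
var_dump(record_probe($db, '203.0.113.7', '/phpMyAdmin-2.5.6-rc2/index.php', $now));
var_dump(record_probe($db, '198.51.100.4', '/images/old-logo.png', $now));
var_dump(is_banned($db, '203.0.113.7', $now + 60));
var_dump(is_banned($db, '203.0.113.7', $now + BAN_TTL + 1));
```

In a live handler the arguments would come from `$_SERVER['REMOTE_ADDR']` and `$_SERVER['REQUEST_URI']`. Behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so banning on it would block every visitor arriving through that proxy.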
     