a problem after installing mod_security! (URGENT)

theprogs

Member, cPanel Access Level: Website Owner
Hello all,

Today I installed the mod_security plugin using Easy::Apache v3.7.2. I only ticked its check box in the customization process and did a rebuild.

After that, all PHP files were not able to execute; instead, anyone can download them by browsing to them in the URL!!!

please help me to fix the problem very fast :(

Thank you,

The Programmer
 

theprogs

I rebuilt it again using "Build Profile Now" and I did a reboot to the server,

but the same thing :( what to dooo, please help me :(

The Programmer
 

MikeLewin

Member, cPanel Access Level: Root Administrator
Oh, all these 'hardening' things make life so difficult.. suhosin is even worse..

I'd say short term fix until you can get it sorted -

add the following code in your .htaccess of affected site(s):

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Then, I'd say to read up on mod_security, and see what's causing that. It's most likely either wrong filetype (e.g. doesn't know how to handle .php) OR, could be a permissions thing. I know for example that one of those mods (I think suphp) only allows .php to run as 'nobody', which is retarded

Hope that helps.

Mike
 

Infopro

Well-Known Member, cPanel Access Level: Root Administrator
Since we have no idea what your previous build contained, I would select the Basic option as it says right there beside it: "If your previous build has failed...."

Get it back up and working, first things first.

You might wish to put in a ticket to cPanel support via your WHM for help with this as well. There's a small menu, top right corner of WHM header to get to Support.

> Oh, all these 'hardening' things make life so difficult.. suhosin is even worse..
Not sure what problems you're having but I've got suhosin running on all my servers without issue. Most do these days I would think.
 

theprogs

MikeLewin,

thanks for trying to help, but it didn't work, I think there's some issue in PHP handling as Infopro said,

I opened a ticket with my hosting, but they still didn't fix it, I don't want to interfere with their work now,

I will wait for the technical support, or I will just do the Basic option :(

BTW, I don't know if it's related or not, but someone was trying hard to hack the website by using a directory scanner, I denied lots of IPs, but he kept scanning with different IPs, that's why I installed the mod_security plugin, I wanted to deny certain agents from accessing the website, I just don't know if that mod_security caused the problem, or the hacker did something to the server :(

thanks all,

The Programmer
 

MikeLewin

> Not sure what problems you're having but I've got suhosin running on all my servers without issue. Most do these days I would think.

I'm sure Suhosin runs fine in most user cases, it's just that several of its limitations caused issues with our larger custom applications (like limiting posted form fields / arrays / file sizes, etc). Once we figured out that most of the issues our clients were having were with Suhosin truncating data, etc. we were able to adjust the default settings, but it's still 'yet another thing'
 

MikeLewin

@theprogs - oh sorry it didn't work. Hope they get it figured out.

Funnily enough it was someone directory scanning our servers that caused me to join this forum.. These people need to be shot.
 

Infopro

> but it's still 'yet another thing'
In my humble opinion, you can never have too many 'things' when it comes to security.


> Funnily enough it was someone directory scanning our servers that caused me to join this forum.. These people need to be shot.
Welcome to the wonderful world of Web Hosting. It will not ever end, you can not prevent this (scanning etc) from happening. Your best bet is more 'things' :p
 

theprogs

They didn't solve the problem, as they said they recompiled php, but that didn't help
the same problem is still happening

yes mike, they need to be shot between their eyes those attackers, but did u figure out how to stop their attacks?

The programmer
 

theprogs

Finally, it's working now! The support guy said that there was no PHP handler defined in WHM, he turned on suPHP and everything is ok now.

The Programmer
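
Added example, not part of the original thread: a Python check for the symptom reported here, a `.php` URL returning raw source because no PHP handler is active. The MIME list, sample responses and function names are constructed for illustration.

```python
import re
import urllib.request

# Raw PHP opening tags should never reach a client when a handler is active.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# MIME types Apache may send when .php is mapped by AddType but nothing executes it.
PHP_MIME = ("application/x-httpd-php", "application/x-php", "text/x-php")

def classify_php_response(headers, body):
    """Return a list of reasons the response looks like unexecuted PHP source."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    reasons = []
    if ctype.startswith(PHP_MIME):
        reasons.append("content-type is a PHP source type: " + ctype)
    if "attachment" in h.get("content-disposition", "").lower():
        reasons.append("response is offered as a download")
    if PHP_TAG.search(body[:4096]):
        reasons.append("body contains a raw PHP opening tag")
    return reasons

def check_url(url, timeout=5):
    """Fetch a .php URL on a site you operate and classify the response."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify_php_response(dict(resp.headers.items()), resp.read(4096))

# Constructed sample responses (not captured from any real server).
LEAKING = ({"Content-Type": "application/x-httpd-php"},
           b"<?php\n$db_password = 'constructed-example';\n")
HEALTHY = ({"Content-Type": "text/html; charset=UTF-8"},
           b"<!DOCTYPE html><html><body>Hello</body></html>")

if __name__ == "__main__":
    for name, (hdrs, body) in (("leaking", LEAKING), ("healthy", HEALTHY)):
        print(name, classify_php_response(hdrs, body) or "ok")
```

Running `check_url` against one known script after every Apache or PHP rebuild catches this before visitors can download files that hold database credentials.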
 

MikeLewin

> They didn't solve the problem, as they said they recompiled php, but that didn't help
> the same problem is still happening
>
> yes mike, they need to be shot between their eyes those attackers, but did u figure out how to stop their attacks?
>
> The programmer
m afraid. So far we've renamed any 'obvious' folders
 

MikeLewin

GRR this thing won't let me reply properly..

Not yet I'm afraid. So far we've renamed any 'obvious' folders that we can control, but I still need someone to point me to where the /cpanel / whm, etc. redirectmatch rules are generated from.

With the number of 'all my sites got hacked' type threads, you'd think such a basic security measure would be more obvious..

Glad you got it working. We had issues with SuPHP because it wasn't running PHP scripts as anything other than 'nobody'.. That's another thing we have to figure out :)
 

MikeLewin

What we did was to create a master 'banned' mysql database (accessible from all sites) and wrote a PHP script that activates on 404

this preg_matches the URI and if someone was trying to access phpmyadmin|php-my-admin| etc etc. it writes their IP into the 'banned' database, then bounces them immediately out to the FBI site (LOL)

THEN, as people enter the site(s), a second small include script just scans the banned IP list, and if it matches, bounces the visitor off to the FBI

I know some people will say 'well it could have been an error', but no.. nobody looks for things like 'phpMyAdmin-2.5.6-rc2/index.php', 'phpMyAdmin-2.5.5/index.php', etc unless they're up to no good..
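
Added example, not MikeLewin's script: the 404-triggered ban list described above, written in Python over access-log lines instead of a PHP 404 handler backed by MySQL. The log lines, IP addresses and the 24-hour expiry are constructed assumptions, and the redirect step is left out.

```python
import re
from datetime import datetime, timedelta

# Apache combined/common log line: client, timestamp, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Path segments of the kind the post names (phpmyadmin, php-my-admin, versioned dirs).
PROBE_RE = re.compile(r"(?:^|/)(?:phpmyadmin|php-my-admin)[^/]*(?:/|$)", re.IGNORECASE)
BAN_TTL = timedelta(hours=24)  # assumption: bans expire so reassigned IPs recover

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2011:10:01:02 +0000] "GET /phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 404 312
203.0.113.7 - - [16/Dec/2011:10:01:03 +0000] "GET /phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 312
198.51.100.20 - - [16/Dec/2011:10:02:00 +0000] "GET /old-page.html HTTP/1.1" 404 290
198.51.100.21 - - [16/Dec/2011:10:03:00 +0000] "GET /blog/phpmyadmin-tips.html HTTP/1.1" 200 5120
""".splitlines()

def build_ban_list(lines, ttl=BAN_TTL):
    """Return {ip: ban_expiry} for clients whose probe requests ended in 404."""
    bans = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target, status = m.groups()
        path = target.split("?", 1)[0]  # match on the path, not the query string
        if status == "404" and PROBE_RE.search(path):
            expiry = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z") + ttl
            if ip not in bans or expiry > bans[ip]:
                bans[ip] = expiry  # a repeat probe extends the ban
    return bans

def is_banned(bans, ip, now):
    """True while the client's ban has not yet expired."""
    expiry = bans.get(ip)
    return expiry is not None and now < expiry

if __name__ == "__main__":
    for ip, expiry in build_ban_list(SAMPLE_LOG).items():
        print(ip, "banned until", expiry.isoformat())
```

An ordinary 404 and a 200 on a page that merely has "phpmyadmin" in its name are both left alone. Keying the ban on the connecting address from the log, not on a client-supplied header such as `X-Forwarded-For`, keeps a prober from getting other visitors banned.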