a problem after installing mod_security! (URGENT)

Oh, all these 'hardening' things make life so difficult.. suhosin is even worse..

I'd say short term fix until you can get it sorted -

add the following code in your .htaccess of affected site(s):

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Then, I'd say to read up on mod_security, and see what's causing that. It's most likely either wrong filetype (e.g. doesnt know how to handle .php) OR, could be a permissions thing. I know for example that one of those mods (I think suphp) only allows .php to run as 'nobody', which is retarded

Hope that helps.

Mike

 

I'm sure Suhosin runs find in most user cases, it's just that several of it's limitations caused issues with our larger custom applications (like limiting posted form fields / arrays / file sizes, etc). Once we figured out that most of the issues our clients were having was with Suhosin truncating data, etc. we were able to adjust the default settings, but it's still 'yet another thing'

 

@theprogs - oh sorry it didn't work. Hope they get it figured out.

Funnily enough it was someone directory scanning our servers that caused me to join this forum.. These people need to be shot.

 

m afraid. So far we've renamed any 'obvious' folders

 

GRR this thing won't let me reply properly..

Not yet I'm afraid. So far we've renamed any 'obvious' folders that we can control, but I still need someone to point me to where the /cpanel / whm, etc. redirectmatch rules are generated from.

With the number of 'all my sites got hacked' type threads, you'd thing such a basic security measure would be more obvious..

Glad you got it working. We had issues with SuPHP because it wasn't running PHP scripts as anything other than 'nobody'.. That's another thing we have to figure out

 

What we did was to create a master 'banned' mysql database (accessible from all sites) and wrote a PHP script that activates on 404

this preg_matches the URI and if someone was trying to access phpmyadmin|php-my-admin| etc etc. it writes their IP into the 'banned' database, then bounces them immediately out to the FBI site (LOL)

THEN, as people enter the site(s), a second small include script just scans the banned IP list, and if it matches, bounces the visitor off to the FBI

I know some people will say 'well it could have been an error', but no.. nobody looks for things like 'phpMyAdmin-2.5.6-rc2/index.php', 'phpMyAdmin-2.5.5/index.php', etc unless they're up to no good..