a problem after installing mod_security! (URGENT)

[theprogs]

Hello all,

today I've installed mod_security plugin, using Easy::Apache v3.7.2, I only checked on its check box in the customization process, and did a rebuild,

after that, all php files were not be able to execute, instead of that, any one can download them by browsing them in the URL!!!

please help me to fix the problem very fast

Thank you,

The Programmer

 

[Infopro]

Not sure if this is related to mod security. You might try rebuilding Apache again.

 

[theprogs]

with the same procedure?

/http://imageshack.us/photo/my-images/97/apachef.jpg/


thanks

 

[theprogs]

I rebuilt it again using "Build Profile Now" and I did a reboot to the server,

but the same thing what to dooo, please help me

The Programmer

 

[MikeLewin]

Oh, all these 'hardening' things make life so difficult.. suhosin is even worse..

I'd say short term fix until you can get it sorted -

add the following code in your .htaccess of affected site(s):

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Then, I'd say to read up on mod_security, and see what's causing that. It's most likely either wrong filetype (e.g. doesnt know how to handle .php) OR, could be a permissions thing. I know for example that one of those mods (I think suphp) only allows .php to run as 'nobody', which is retarded

Hope that helps.

Mike

 

[Infopro]

Since we have no ideas what your previous build contained, I would select the Basic option as it says right there beside it: "If your previous build has failed...."

Get it back up and working, first things first.

You might wish to put in a ticket to cPanel support via your WHM for help with this as well. There's a small menu, top right corner of WHM header to get to Support.

Oh, all these 'hardening' things make life so difficult.. suhosin is even worse..

Not sure what problems you're having but I've got suhosin running on all my servers without issue. Most do these days I would think.

 

[theprogs]

MikeLewin,

thanks for trying to help, but it didn't work, I think there's some issue in PHP handling as Infopro said,

I opened a ticket in my hosting, but they still didn't fix it, I don't want to interfere their work now,

I will wait for the technical support, or I will just do the Basic option

BTW, I don't know if it's related or not, but someone was trying hard to hack the website by using directory scannar, I denyed lots ips, but he kept scanning with different ips, that's why I installed the mod_security plugin, I wanted to deny certain agents from accessing the website, I just don't know if that mod_security caused the problem, or the hacker did something to the server

thanks all,

The Programmer

 

[MikeLewin]

Not sure what problems you're having but I've got suhosin running on all my servers without issue. Most do these days I would think.

I'm sure Suhosin runs find in most user cases, it's just that several of it's limitations caused issues with our larger custom applications (like limiting posted form fields / arrays / file sizes, etc). Once we figured out that most of the issues our clients were having was with Suhosin truncating data, etc. we were able to adjust the default settings, but it's still 'yet another thing'

 

[MikeLewin]

@theprogs - oh sorry it didn't work. Hope they get it figured out.

Funnily enough it was someone directory scanning our servers that caused me to join this forum.. These people need to be shot.

 

[Infopro]

but it's still 'yet another thing'

In my humble opinion, you can never have too many 'things' when it comes to security.

Funnily enough it was someone directory scanning our servers that caused me to join this forum.. These people need to be shot.

Welcome to the wonderful world of Web Hosting. It will not ever end, you can not prevent this (scanning etc) from happening. Your best bet is more 'things' :p

 

[theprogs]

They didnt solve the problem, as they said they recompiled php, but that didnt help
the same problem is still happening

yes mike, they need to be shot between their eyes those attackers, but did u figure out how to stop their attacks?

The programmer

 

[theprogs]

finally, it's working now! the support guy said that he there was no php handler defined in WHM, he turned on suPHP and everything is ok now.

The Programmer

 

[MikeLewin]

They didnt solve the problem, as they said they recompiled php, but that didnt help
the same problem is still happening

yes mike, they need to be shot between their eyes those attackers, but did u figure out how to stop their attacks?

The programmer

m afraid. So far we've renamed any 'obvious' folders

 

[MikeLewin]

GRR this thing won't let me reply properly..

Not yet I'm afraid. So far we've renamed any 'obvious' folders that we can control, but I still need someone to point me to where the /cpanel / whm, etc. redirectmatch rules are generated from.

With the number of 'all my sites got hacked' type threads, you'd thing such a basic security measure would be more obvious..

Glad you got it working. We had issues with SuPHP because it wasn't running PHP scripts as anything other than 'nobody'.. That's another thing we have to figure out

 

[theprogs]

m afraid. So far we've renamed any 'obvious' folders

ummm, I think I will try again the agent denying trick, that hacker never gave up, he's trying everyday with several scanners to find an exploit, he was a member of our forums before we kicked him out

 

[MikeLewin]

What we did was to create a master 'banned' mysql database (accessible from all sites) and wrote a PHP script that activates on 404

this preg_matches the URI and if someone was trying to access phpmyadmin|php-my-admin| etc etc. it writes their IP into the 'banned' database, then bounces them immediately out to the FBI site (LOL)

THEN, as people enter the site(s), a second small include script just scans the banned IP list, and if it matches, bounces the visitor off to the FBI

I know some people will say 'well it could have been an error', but no.. nobody looks for things like 'phpMyAdmin-2.5.6-rc2/index.php', 'phpMyAdmin-2.5.5/index.php', etc unless they're up to no good..