
Hacker passed Mod_Security, how to fix this?

Discussion in 'Security' started by Secmas, Feb 8, 2008.

  1. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    Hi to all,
    need your help on this.

    Yesterday we got an intrusion in one of our servers. Thanks to CSF the files were caught on the fly and no damage was done. We, of course, banned the IPs involved and deleted the account from our server, but the question remains: how did the hacker pass the MOD_SECURITY2 rules that we have? Or maybe you can help me to set a new rule for this intrusion. Here are the details from the Apache log:

    It seems that I need to improve or add a rule for "cmd.txt?cmd".

    Do you have a rule for this that you could share with me?

    Thanks in advance for your kind help.
     
    #1 Secmas, Feb 8, 2008
    Last edited by a moderator: Feb 8, 2008
  2. SuperBaby

    SuperBaby Well-Known Member

    Joined:
    Nov 27, 2003
    Messages:
    331
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Thailand
    cPanel Access Level:
    Website Owner
    Twitter:
    Yeah, I am also keen to find out how to ban access (under mod_security2) with the string ".txt?" in the URL.
     
  3. Bailey

    Bailey Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Wisconsin
  4. SuperBaby

    Looks like a good piece of info. Can someone explain the above rules by giving examples?
     
  5. Secmas

  6. SuperBaby

    Yes, the address is working.
     
  7. SuperBaby

    Added the rules into my .htaccess (I have mod_rewrite). But I don't think it is working. How to test for sure?
     
  8. SuperBaby

    OK, working great! Earlier I forgot to add:

     
  9. ChadE

    ChadE Active Member

    Joined:
    Mar 14, 2005
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    The mod_security 2 core rules block this attack - are you running the core rules or the default cPanel build? cPanel does NOT load any rules in by default. If you compile mod_sec with cPanel, you need to install the rules manually.
     
  10. Secmas

    I have the rules from cPanel and they are installed and running. My rules have stopped a lot of attacks but this one passed very easily.
     
  11. bman

    bman Well-Known Member

    Joined:
    Dec 28, 2003
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    Can someone convert these .htaccess rules to mod_sec rules?
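
An added example, not part of the thread and not cPanel or ModSecurity code: one way to check an Apache access log for the request shape discussed above, a query parameter whose value is a remote URL ending in ".txt?". The log lines, IP addresses, host names, script names and the `page` parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a remote URL ending in ".txt?"
REMOTE_TXT_RE = re.compile(r'^(?:https?|ftp)://[^\s?]+\.txt\?', re.IGNORECASE)

def suspicious_params(target):
    """Return (name, decoded value) for query parameters shaped like a remote include."""
    _, _, query = target.partition("?")
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw)  # decode once so %3A%2F%2F forms are seen too
        if REMOTE_TXT_RE.match(value):
            hits.append((unquote(name), value))
    return hits

def scan(lines):
    """Return (client ip, HTTP status, parameter, value) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        for name, value in suspicious_params(m.group("target")):
            findings.append((m.group("ip"), m.group("status"), name, value))
    return findings

# Constructed sample lines (documentation IPs and example domains, not from the thread)
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Feb/2008:10:15:02 -0600] "GET /index.php?page=http://files.example.net/cmd.txt?cmd HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Feb/2008:10:15:09 -0600] "GET /index.php?page=http%3A%2F%2Ffiles.example.net%2Fcmd.txt%3F&x=1 HTTP/1.1" 403 310',
    '198.51.100.4 - - [08/Feb/2008:10:16:40 -0600] "GET /docs/readme.txt?v=2 HTTP/1.1" 200 812',
    '198.51.100.4 - - [08/Feb/2008:10:17:01 -0600] "GET /go.php?url=http://www.example.org/page.html HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, status, name, value in scan(SAMPLE_LOG):
        # 200 means the request was served; 403 means the server refused it
        print(f"{ip} status={status} {name}={value}")
```

A flagged line with status 200 is the case to follow up. The local `/docs/readme.txt?v=2` request is not flagged, whereas a plain ".txt?" substring match on the whole URL would flag it.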
     