
Help with mod_security rules

Discussion in 'Security' started by PPNSteve, Feb 25, 2008.

  1. PPNSteve

    PPNSteve Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Somewhere in Ilex Forest
    cPanel Access Level:
    Root Administrator
    Twitter:
    Running the latest Apache 2.2.8 w/ mod_security using the basic, default rule set provided. (Does ANYONE have a good, cPanel-compatible mod_sec rule set?) Until just recently we've never had a problem with basic site functions getting 406'd.

    Here's what's happening, on MY access to MY own site, from the error log:

    Code:
    [Mon Feb 25 17:29:16 2008] [error] [client 24.10.xxx.1xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:Cookie. [id "950006"] [msg "System Command Injection. Matched signature <; uname>"] [severity "CRITICAL"] [hostname "yugioh-world.com"] [uri "/cgi-bin/newspro/viewnews.cgi?newsall"] 

    and quite commonly, approx. 200 - 300 times a day, all from different client IPs:
    Code:
    [Mon Feb 25 17:29:53 2008] [error] [client 89.107.158.229] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:Referer. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "www.ppntop50.com"] [uri "/button.php?u=Cydewinder"] [unique_id "64Ou20ZVQqIAACZtrUUAAAAF"]
    [Mon Feb 25 17:30:01 2008] [error] [client 97.89.47.19] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:Referer. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "www.ppntop50.com"] [uri "/button.php?u=Cydewinder"] [unique_id "6-vOfkZVQqIAACY5ne8AAAAn"]

    Anyone have ANY ideas why these mod_sec rules, all of a sudden, would be affecting normal requests?

    Here is the relevant mod_sec rule in the conf:
    Code:
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"

    Thanks in advance for helping with this madness.
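An added triage script (not from this thread, cPanel or the ModSecurity project) that parses "Access denied" lines in the exact format quoted above, counts hits per rule id, matched variable and signature, and flags header-borne matches seen from several distinct clients as false-positive candidates to review before tuning rule 950006. The log lines embedded in it are constructed to mirror the post; the "several clients means probably benign" threshold is an assumption, not a rule of the engine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format of the forum post's Apache error log
# (addresses, hosts and URIs are made up; the long regex is abbreviated).
SAMPLE_LOG = """\
[Mon Feb 25 17:29:16 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:...)" at REQUEST_HEADERS:Cookie. [id "950006"] [msg "System Command Injection. Matched signature <; uname>"] [severity "CRITICAL"] [hostname "example.com"] [uri "/cgi-bin/viewnews.cgi?newsall"]
[Mon Feb 25 17:29:53 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:...)" at REQUEST_HEADERS:Referer. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "top.example.net"] [uri "/button.php?u=someone"]
[Mon Feb 25 17:30:01 2008] [error] [client 203.0.113.9] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:...)" at REQUEST_HEADERS:Referer. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "top.example.net"] [uri "/button.php?u=someone"]
[Mon Feb 25 17:31:10 2008] [error] [client 203.0.113.9] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:...)" at ARGS:q. [id "950006"] [msg "System Command Injection. Matched signature <;uname>"] [severity "CRITICAL"] [hostname "example.com"] [uri "/search.php"]
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: '
    r'Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)\. '
    r'Pattern match "(?P<pattern>.*)" at (?P<target>\S+)\. (?P<tags>\[.*\])$'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "950006"], [uri "..."], ...
SIG_RE = re.compile(r'Matched signature <(.*)>')     # the %{TX.0} capture in the msg


def parse_line(line):
    """Return a dict of the fields in one 'Access denied' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ('ts', 'client', 'code', 'phase', 'target')}
    rec.update(TAG_RE.findall(m.group('tags')))      # id, msg, severity, hostname, uri
    sig = SIG_RE.search(rec.get('msg', ''))
    rec['signature'] = sig.group(1) if sig else ''
    return rec


def summarize(log_text):
    """Count hits per (rule id, matched variable, signature) and distinct clients per key."""
    hits, clients = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec.get('id', '?'), rec['target'], rec['signature'])
        hits[key] += 1
        clients[key].add(rec['client'])
    return hits, {k: len(v) for k, v in clients.items()}


def likely_false_positives(log_text, min_clients=2):
    """Keys matched only in request headers (Cookie, Referer, ...) and seen from several
    distinct clients: a widespread, header-borne hit on the same signature is more often
    a benign value (e.g. a referring URL containing ';id') than an attack. Heuristic."""
    hits, nclients = summarize(log_text)
    return sorted(k for k in hits
                  if k[1].startswith('REQUEST_HEADERS:') and nclients[k] >= min_clients)
```

On the constructed sample the Referer/";id" key is the one flagged; the single Cookie hit and the ARGS hit are left for manual review.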
     