how to block a string using mod security

Discussion in 'Security' started by kevinchong, Nov 8, 2014.

  1. kevinchong

    kevinchong Registered

    Joined:
    Nov 8, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    How can I block a specific string of PHP code on my server using mod_security?

    Example of PHP code:
    - Removed -

    I want to block any PHP code that has .$r76 or $r76; this code was used to spam.
     
    #1 kevinchong, Nov 8, 2014
    Last edited by a moderator: Dec 21, 2014
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    How exactly do you wish to block it? Block the upload of the file, or block requests to the file? Normally ModSecurity blocks things like user agents, URIs, file names, referring URLs, stuff in the HTTP headers, request body, post data, etc. It doesn't exactly look at the files in your website themselves. I don't know of a way to say "block requests to a file if the file contains said string."
     
  3. kevinchong

    I actually want to know:
    how to block the upload of the files
    and
    how to block the request to the files
     
  4. quizknows

    Blocking the upload is trickier. You could look into using the inspectFile function, assuming ClamAV picks up the files as malicious:

    https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#inspectFile

    Blocking requests isn't too bad but you have to capture one first (unless the file name is always the same). You have to block based on an attribute of the request itself, not based on content in the file being posted to. The best thing to do would be to log POST data for a while (perhaps using a custom rule like this):

    Code:
    # Audit-log every POST request without blocking it ("pass")
    SecRule REQUEST_METHOD "POST" "auditlog,pass,id:39578472"
    
    This will log all the POST data to the modsec audit log. When you find a request made to one of the malicious files, assuming it was a POST request, you'll have the request body and user agent, which are very useful in making a rule to block further access to the files.

    That all said, you should really be focusing on securing or re-installing the infected application, not on blocking requests to an already infected site.
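
The log review step described in the last post, as an added example that is not part of the original thread: it splits a ModSecurity audit log into transactions and returns the client IP, User-Agent and request body of each POST under a suspect path. It assumes the serial audit-log format with parts A, B and C enabled in SecAuditLogParts and SecRequestBodyAccess On; the sample log, paths and user agents are constructed.

```python
import re

# Constructed sample in ModSecurity 2.x serial audit-log format; all values are made up.
SAMPLE_LOG = """\
--1a2b3c4d-A--
[08/Nov/2014:10:15:02 +0000] VF4AAAoAAAEAAB 198.51.100.7 51234 203.0.113.10 80
--1a2b3c4d-B--
POST /uploads/cache.php HTTP/1.1
User-Agent: ExampleMailer/1.0

--1a2b3c4d-C--
to=a%40example.org&n=1
--1a2b3c4d-Z--
--5e6f7a8b-A--
[08/Nov/2014:10:16:40 +0000] VF4AAQoAAAEAAC 192.0.2.44 40022 203.0.113.10 80
--5e6f7a8b-B--
POST /contact.php HTTP/1.1

--5e6f7a8b-C--
name=alice&msg=hello
--5e6f7a8b-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")

def parse_audit_log(text):
    """Split the log into transactions: one {section letter: [lines]} each."""
    entries, part = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(1)
            if part == "A":              # section A opens a new transaction
                entries.append({})
        elif entries and part != "Z":    # Z only closes the entry
            entries[-1].setdefault(part, []).append(line)
    return entries

def posts_to(entries, path_prefix):
    """Client IP, User-Agent and body of each POST whose URI starts with path_prefix."""
    hits = []
    for e in entries:
        request = e.get("B") or [""]
        method, uri = (request[0].split(" ") + ["", ""])[:2]
        if method == "POST" and uri.startswith(path_prefix):
            hdrs = {k.lower(): v for k, _, v in (h.partition(": ") for h in request[1:])}
            a = (e.get("A") or [""])[0].split()   # [date, tz, id, src ip, ...]
            hits.append({"client": a[3] if len(a) > 3 else "", "uri": uri,
                         "user_agent": hdrs.get("user-agent", ""),
                         "body": "\n".join(e.get("C", [])).strip()})
    return hits
```

Calling `posts_to(parse_audit_log(open(path).read()), "/uploads/")` on a real log gives the request attributes that a blocking rule can then match on.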
     