how to block halifax in modsec(apache)

Discussion in 'EasyApache' started by its_joe, Aug 8, 2008.

  1. its_joe

    its_joe Well-Known Member

    Hello,

    We have a server with cPanel 11 and CentOS 5 installed on it.

    Many clients upload phishing content, and due to this the server is affected. So please tell us how to block/stop words from the URL using modsec. We need to block the following words:
    halifax, Halifax, HaliFax, bankofamerica, BankofAmerica and others

    We tried the following but that is not working:
    SecFilter Halifax "deny,status:406"
    SecFilterSelective REQUEST_URI "/~(root|Halifax)/"
    SecFilterSelective REQUEST_URI "Halifax"

    So please suggest how to block these words using modsec on the server.

    Waiting for the reply.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Just me of course, but I think I'd rather kill the accounts attempting this than to simply block words they may use to do it.
     
  3. gorilla

    gorilla Well-Known Member

    I second infopro there, get rid of the scammers!
     
  4. rpmws

    rpmws Well-Known Member

    Search your domlogs for indications on what accounts are doing this sort of thing and in WHM there is a "mass terminate" tool. Just get rid of that crap so the rest of us don't have to deal with it.
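
An added example, not part of rpmws's post or of any cPanel tooling: one way to run the domlog search suggested above, ranking domains by served requests whose URL contains the words from the original question. The log lines and example.* domains are constructed; on a real server each domain's lines would be read from its domlog file.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Words from the original post; matching is case-insensitive, so one entry
# covers halifax / Halifax / HaliFax.
KEYWORDS = ("halifax", "bankofamerica")

# Request and status fields of an Apache common/combined log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')

def scan_domlog(lines, keywords=KEYWORDS):
    """Count served requests (status < 400) whose decoded URI has a keyword, keyed by path."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = Counter()
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or int(m.group(2)) >= 400:
            continue  # unparsable line, or the page was not actually served
        uri = unquote(m.group(1))  # decode %xx so encoded spellings still match
        if pattern.search(uri):
            hits[uri.split("?", 1)[0]] += 1
    return hits

def rank_domains(domlogs):
    """domlogs: {domain: log lines}. Returns [(domain, hits, top_path)], worst first."""
    report = []
    for domain, lines in domlogs.items():
        hits = scan_domlog(lines)
        if hits:
            report.append((domain, sum(hits.values()), hits.most_common(1)[0][0]))
    return sorted(report, key=lambda r: r[1], reverse=True)

# Constructed sample lines (not real traffic); example.* names are placeholders.
SAMPLE = {
    "shop.example.com": [
        '198.51.100.7 - - [08/Aug/2008:10:01:02 +0000] "GET /images/HaliFax/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [08/Aug/2008:10:01:09 +0000] "POST /images/HaliFax/login.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [08/Aug/2008:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    ],
    "blog.example.org": [
        '203.0.113.4 - - [08/Aug/2008:11:00:00 +0000] "GET /%62ankofamerica/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
        '203.0.113.4 - - [08/Aug/2008:11:00:05 +0000] "GET /halifax/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    ],
}

if __name__ == "__main__":
    for domain, total, path in rank_domains(SAMPLE):
        print(f"{domain}: {total} hits, e.g. {path}")
```

The paths it reports point at the directories to inspect for file ownership and upload time before deciding what to do with the account.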
     
  5. mail2sacp

    mail2sacp Well-Known Member

    Hi,

    I have a query regarding c99 or rs47 and want to know how we can ban this script's execution on the server globally.

    If in any case a client or hacker uploads this script, how can we ban this script from executing, which will stop him globally?
     
  6. its_joe

    its_joe Well-Known Member

    Hello,

    Thanks for your replies people :)

    But mass termination of these accounts or deleting the individual accounts that have uploaded these pages is not the solution.

    It is not the client who is uploading the page; these pages are uploaded from the web and all these files have nobody ownership. That means they are not uploaded over the FTP protocol.

    So is there any way to block that URL on the server using modsec or something else, so that words like halifax, bankofamerica will not work even if the client wants to access it?

    Waiting for the reply.

    its_joe
     
  7. gorilla

    gorilla Well-Known Member

    Sounds like either those accounts or your server has been compromised.
    You better get a sysadmin to look at this box of yours ;)
     