Status
Not open for further replies.

chirpy

Well-Known Member
Verified Vendor
The short answer is that you can't. The only realistic way is a good AUP and if you find one, terminate the client. The longer answer is that you might be able to catch a few with crafted mod_security rules, but since writing such a script is trivial and there are so many ways to do it, especially in Perl, it would be very difficult to prevent.
 

chirpy

Well-Known Member
Verified Vendor
> My friend (a hacker) still can use cgi/perl as a webshell. How can I disable cgi/perl shell function like I disable functions show_source, system, shell_exec, passthru, exec on php
You can't unless you remove their ability to run any perl CGI scripts. That's why I said that it isn't possible.

If you've installed mod_security through WHM, try uninstalling it and then reinstall it to quickly fix the error.
 

WiroWaas

Member
A hacker still can use cgi/perl as a webshell from inside. How can I disable cgi/perl shell function like I disable functions show_source, system, shell_exec, passthru, exec on php.

I've installed mod_security but it makes httpd fail to start.

The error message when I run /usr/local/apache/bin/apachectl configtest:

Syntax error on line 286 of /usr/local/apache/conf/httpd.conf:
Cannot add module via name 'mod_security.c': not in list of loaded modules
Strange!! There was no # on the line LoadModule security_module libexec/mod_security.so
 

WiroWaas

Member
> You can't unless you remove their ability to run any perl CGI scripts. That's why I said that it isn't possible.
>
> If you've installed mod_security through WHM, try uninstalling it and then reinstall it to quickly fix the error.
OK, I'll try it.
 

WiroWaas

Member
> You can't unless you remove their ability to run any perl CGI scripts. That's why I said that it isn't possible.
>
> If you've installed mod_security through WHM, try uninstalling it and then reinstall it to quickly fix the error.
Trying to reinstall it

Addon Modules

Main >> cPanel >> Addon Modules
Updating addonupdates....

Done
Updating modsecurity....

Installing Mod_Security version 1.9.1
Downloading modsecurity-apache-1.9.1.tar.gz...
Done
Editing httpd.conf
Done
Copying over default Mod_Security ruleset
Done
Backing up modsec database
Done
Setting up Front End
Done
/etc/rc.d/init.d/httpd start: httpd could not be started
The default audit log is located at /user/local/apache/logs/audit_log
All pages that are prevented from loading by mod_security will have a 406 error

Done
Updating pro....

Done

Process Complete
Trying to see the error message

Syntax error on line 286 of /usr/local/apache/conf/httpd.conf:
Cannot add module via name 'mod_security.c': not in list of loaded modules
/etc/rc.d/init.d/httpd start: httpd could not be started
Check it, recheck it again.

Got it, I found the line
LoadModule security_module libexec/mod_security.so
placed after the line
AddModule mod_security.c
lol, dunno how. The scripts write it that way, not me!!!

Then I moved the line
LoadModule security_module libexec/mod_security.so
before the line
AddModule mod_security.c
Restart the httpd
/etc/rc.d/init.d/httpd restart: httpd restarted
GOT IT, but the GAME not OVER yet :(

What should I do now with mod_security?
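
The ordering problem found in the post above (LoadModule has to come before the matching AddModule), as an added example that is not part of the original thread: a Python check that scans an Apache 1.3 style httpd.conf for AddModule entries whose LoadModule comes later, is commented out, or is missing. The sample config is constructed, and matching the two directives by .so file name or module identifier is a heuristic assumed here.

```python
import re

# Constructed sample in the shape of the Apache 1.3 httpd.conf from the thread.
SAMPLE_CONF = """\
LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule php4_module libexec/libphp4.so
#LoadModule status_module libexec/mod_status.so
ClearModuleList
AddModule mod_so.c
AddModule mod_rewrite.c
AddModule mod_php4.c
AddModule mod_status.c
AddModule mod_security.c
LoadModule security_module libexec/mod_security.so
"""

DIRECTIVE = re.compile(r"^\s*(#?)\s*(LoadModule|AddModule)\s+(.+)$", re.I)

def source_names(identifier, path):
    """Guess the AddModule name(s) a LoadModule line provides (heuristic)."""
    stem = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return {stem + ".c", "mod_" + re.sub(r"_module$", "", identifier) + ".c"}

def check_module_order(conf_text):
    """Return (line_no, module, problem) for each AddModule that may not resolve."""
    loads, commented, adds = {}, {}, []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        hashed, name, args = m.group(1), m.group(2).lower(), m.group(3).split()
        if name == "loadmodule" and len(args) >= 2:
            for src in source_names(args[0], args[1]):
                (commented if hashed else loads).setdefault(src, no)
        elif name == "addmodule" and not hashed:
            adds.extend((no, mod) for mod in args)
    findings = []
    for no, mod in adds:
        if mod in loads and loads[mod] > no:
            findings.append((no, mod, f"LoadModule comes later, on line {loads[mod]}"))
        elif mod not in loads and mod in commented:
            findings.append((no, mod, f"LoadModule on line {commented[mod]} is commented out"))
        elif mod not in loads:
            findings.append((no, mod, "no LoadModule; valid only if compiled into httpd"))
    return findings

if __name__ == "__main__":
    for line_no, module, problem in check_module_order(SAMPLE_CONF):
        print(f"line {line_no}: AddModule {module}: {problem}")
```

Running it against a copy of httpd.conf before restarting complements `apachectl configtest`, which stops at the first failing line.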
 

david510

Well-Known Member
Add the following in your global php.ini file and restart apache.

disable_functions = "exec,system,shell_exec,passthru,proc_open,proc_close,escapeshellcmd,popen,pcntl_exec,leak,chgrp,ini_alter"
 

kashif

Active Member
> Got it,
> I use it
>
> And the hacker gave up :D
>
> one more protection, mod_evasive. I want to install it but when I read http://forums.cpanel.net/showthread.php?t=46855 , you said that IMX still causes problems with PHP because of the way FP interacts with apache, mod_evasive perceives the activity as a DOS attack.
>
> Any solution?

Hi WiroWaas,
Can you send me the modsec.user.conf as the URL [http://www.hostmerit.com/modsec.user.conf] is not working. Waiting for your prompt response...

Thank you,

Regards,
 

brianoz

Well-Known Member
That post was 2 years old!!

If you want a "prompt response" you'd be better off using Google to good effect, for instance, with search terms like "mod_security rules" or "mod_security cpanel rules". I believe gotroot.com has some rules which are oft used, also the very knowledgeable eth00 has some but I forget his domain...
 