Status
Not open for further replies.

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,462
25
473
Go on, have a guess
The short answer is that you can't. The only realistic way is a good AUP and if you find one, terminate the client. The longer answer is that you might be able to catch a few with crafted mod_security rules, but since writing such a script is trivial and there's so many ways to do it, especially in perl, it would be very difficult to prevent.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,462
25
473
Go on, have a guess
My friend (a hacker) still can use cgi/perl as a webshell. How can I disable cgi/perl shell function like I disable functions show_source, system, shell_exec, passthru, exec on php
You can't unless you remove their ability to run any perl CGI scripts. That's why I said that it isn't possible.

If you've installed mod_security through WHM, try uninstalling it and then reinstall it to quickly fix the error.
 

WiroWaas

Member
Aug 11, 2006
12
0
151
A hacker still can use cgi/perl as a webshell from inside. How can I disable cgi/perl shell function like I disable functions show_source, system, shell_exec, passthru, exec on php.

I've install mod_security but it make httpd failed to start.

the error messege when I run /usr/local/apache/bin/apachectl configtest

Syntax error on line 286 of /usr/local/apache/conf/httpd.conf:
Cannot add module via name 'mod_security.c': not in list of loaded modules
Strange!! There was no # on the line LoadModule security_module libexec/mod_security.so
 
Last edited:

WiroWaas

Member
Aug 11, 2006
12
0
151
You can't unless you remove their ability to run any perl CGI scripts. That's why I said that it isn't possible.

If you've installed mod_security through WHM, try uninstalling it and then reinstall it to quickly fix the error.
OK, I'll try it.
 

WiroWaas

Member
Aug 11, 2006
12
0
151
You can't unless you remove their ability to run any perl CGI scripts. That's why I said that it isn't possible.

If you've installed mod_security through WHM, try uninstalling it and then reinstall it to quickly fix the error.
Trying to reinstall it

Addon Modules

Main >> cPanel >> Addon Modules
Updating addonupdates....

Done
Updating modsecurity....

Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/.cpanelsync.lock (0)[email protected]
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686.tar.bz2 (0)[email protected]%......Done
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/.cpanelsync.bz2 (0)[email protected]%......Done
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/install.bz2 (0)[email protected]%......Done
Got file ./install ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/uninstall.sql.bz2 (0)[email protected]%......Done
Got file ./uninstall.sql ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/modsec.sql.bz2 (0)[email protected]%......Done
Got file ./modsec.sql ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/addon_modsec.cgi.bz2 (0)[email protected]%......Done
Got file ./addon_modsec.cgi ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/progversion.bz2 (0)[email protected]%......Done
Got file ./progversion ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/modsec.conf.bz2 (0)[email protected]%......Done
Got file ./modsec.conf ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/modsecurity.apache.bz2 (0)[email protected]%......Done
Got file ./modsecurity.apache ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/uninstall.bz2 (0)[email protected]%......Done
Got file ./uninstall ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/modsec.user.conf.default.bz2 (0)[email protected]%......Done
Got file ./modsec.user.conf.default ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/modsecparse.pl.bz2 (0)[email protected]%......Done
Got file ./modsecparse.pl ok (md5 matches)
Fetching http://httpupdate.cpanel.net/cpanelsync/addons/modules/modsecurity-Linux-i686/version.bz2 (0)[email protected]%......Done
Got file ./version ok (md5 matches)
Installing Mod_Security version 1.9.1
Downloading modsecurity-apache-1.9.1.tar.gz...
Done
Editing httpd.conf
Done
Copying over default Mod_Security ruleset
Done
Backing up modsec database
Done
Setting up Front End
Done
/etc/rc.d/init.d/httpd start: httpd could not be started
The default audit log is located at /user/local/apache/logs/audit_log
All pages that are prevented from loading by mod_security will have a 406 error

Done
Updating pro....

Done

Process Complete
Trying to see the error message

Syntax error on line 286 of /usr/local/apache/conf/httpd.conf:
Cannot add module via name 'mod_security.c': not in list of loaded modules
/etc/rc.d/init.d/httpd start: httpd could not be started
Check it, recheck it again.

Got it, I found the line
LoadModule security_module libexec/mod_security.so
putted after the line
AddModule mod_security.c
lol, dunno how. The scripts write it that way, not me!!!

Then I move the line
LoadModule security_module libexec/mod_security.so
before the line
AddModule mod_security.c
Restart the httpd
/etc/rc.d/init.d/httpd restart: httpd restarted
GOT IT, but the GAME not OVER yet :(

What should I do now with mod_security ?
 

david510

Well-Known Member
Aug 22, 2004
473
0
166
Add the following in your global php.ini file and restart apache.

disable_functions = "exec,system,shell_exec,passthru,proc_open,proc_close,escapeshellcmd,popen,pcntl_exec,leak,chgrp,ini_alter"
 

kashif

Active Member
Jul 11, 2003
29
0
151
Lahore
Got it,
I use it


And the hacker give up :D

one more ptotection, mod_evasive. I want to install it but when I read http://forums.cpanel.net/showthread.php?t=46855 , you said that IMX still causes problems with PHP because of the way FP interacts with apache, mod_evasive percieves the activity as a DOS attack.

Any sollution?
Hi WiroWaas,
Can you send me the modsec.user.conf as the URL[http://www.hostmerit.com/modsec.user.conf] is not working. Waiting for your prompt response...

Thankyou,

Regards,
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
That post was 2 years old!!

If you want a "prompt response" you'd be better off using Google to good effect, for instance, with search terms like "mod_security rules" or "mod_security cpanel rules". I beleive gotroot.com has some rules which are oft used, also the very knowledgeable eth00 has some but I forget his domain...
 
Status
Not open for further replies.