How to protect my sites from the c99g

golden_eyes

Well-Known Member
Aug 9, 2010
Hello,

I saw on some servers that when I upload the c99 or any shell, the upload, mkdir and mkfile entries are shown as [ Read Only ] in red, unlike when I upload the same file to my server, where it shows [ OK ] in green. So how do I protect against file creation from the shell?

Sincerely,
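The [ Read Only ] / [ OK ] indicator described above is nothing more than whether the PHP process can write into the current directory. As an added example (not from this thread), the following Python walk reports the same thing from the administrator's side: which directories under a docroot a given web-server uid could create files in. It checks classic mode bits only (no POSIX ACLs), does not treat root specially, and the sample tree it audits is constructed in a temporary directory.

```python
"""Report where a given web-server identity could create files under a docroot.

Added example, not from the thread.  Classic mode bits only (no ACLs);
root is treated like any other uid so the result reflects permissions,
not privilege.
"""
import os
import stat
import tempfile


def can_create_in(st, uid, gids):
    """True if identity (uid, gids) can create entries in a directory with stat result st.

    Creating a file or subdirectory needs both write and search (execute)
    permission on the directory for the permission class that applies.
    """
    mode = st.st_mode
    if st.st_uid == uid:
        return mode & stat.S_IWUSR != 0 and mode & stat.S_IXUSR != 0
    if st.st_gid in gids:
        return mode & stat.S_IWGRP != 0 and mode & stat.S_IXGRP != 0
    return mode & stat.S_IWOTH != 0 and mode & stat.S_IXOTH != 0


def audit_docroot(root, uid, gids=frozenset()):
    """Return the directories under root (relative paths) that identity could write into."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):   # symlinked dirs are not followed
        if can_create_in(os.lstat(dirpath), uid, gids):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed docroot: one world-writable upload dir, one locked-down include dir."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)
    os.makedirs(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.makedirs(os.path.join(root, "includes"))
    os.chmod(os.path.join(root, "includes"), 0o755)
    return root


def demo(as_owner=False):
    """Audit the constructed tree either as its owner (what suPHP gives the account)
    or as a hypothetical web-server uid that owns nothing in it (mod_php as nobody)."""
    root = build_sample_tree()
    uid = os.getuid() if as_owner else os.getuid() + 1   # +1: any uid that is not the owner
    return audit_docroot(root, uid, gids=frozenset())


if __name__ == "__main__":
    for path in demo():
        print("writable by web server:", path)
```

Run against a real account with the uid Apache actually executes PHP as (nobody for mod_php, the account uid under suPHP) and the list is the set of directories in which a dropped shell would show [ OK ].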
 

lifelinux

Member
Oct 29, 2010
You can disable PHP functions in the php.ini file: exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
And more: you should use suPHP & mod_security.
 

JamesCartelo

Registered
Nov 9, 2010
To secure a cPanel hosting you may only need to use
Application Security Rules (Gotroot rules for mod_security).

Install mod_security using Update Apache in WHM, then edit the configuration file in WHM by adding
http://downloads.prometheus-group.com/delayed/rules/modsec/10_asl_rules.conf

Some of these rules are really useless on a shared hosting; it's limiting users too much!
I think you only need to block some of the application attacks + shell scripts + Rapid Leech and... that you will be able to do by adding only this file.
 

2die4

Member
Oct 15, 2008
In a nice quiet neighborhood.
Been reading up and looking at rule sets myself and learning the structure of them. I also agree that disabling some of the functions for php is good. ;)

By the way are there any other sites with rule sets in addition to gotroot and atomicorp?

If you are running a PHP site, ZB Block (spambotsecurity) is a good script to implement on a website just to add another layer of security to ward off hackbots and spambots.
 

hostnex

Well-Known Member
May 2, 2008
Islamabad, Pakistan
cPanel Access Level
Root Administrator
To secure a cPanel hosting you may only need to use
Application Security Rules (Gotroot rules for mod_security).

Install mod_security using Update Apache in WHM, then edit the configuration file in WHM by adding
http://downloads.prometheus-group.com/delayed/rules/modsec/10_asl_rules.conf

Some of these rules are really useless on a shared hosting; it's limiting users too much!
I think you only need to block some of the application attacks + shell scripts + Rapid Leech and... that you will be able to do by adding only this file.
I tried to use the rules given in the above link, but then I cannot start Apache. Can you help us to implement these rules?
 

mikegotroot

Well-Known Member
Verified Vendor
Apr 29, 2008
I tried to use the rules given in the above link, but then I cannot start Apache. Can you help us to implement these rules?
What error are you getting?

Also, if you are using the gotroot rules, you may want to ask over on the gotroot rules forums:

https://www.atomicorp.com/forums/
 

ModServ

Well-Known Member
Oct 17, 2006
Egypt
cPanel Access Level
Root Administrator
Hello,

You can use these tested rules and functions, although I'm disabling too many functions to increase security.

Functions:
PHP:
system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy
Mod Security Rules:
PHP:
SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"

SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"



#Master list of known malware script file names
#SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
#"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"

#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"

SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http)" \
        "capture,chain,id:390144,rev:16,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"

SecRule ARGS|!ARGS:message  "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|/trf/traf\.php)" \

#rootkit patterns
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?)" \
        "capture,chain,id:390145,rev:6,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Generic Attempt to install rootkit',logdata:'%{TX.0}'"
SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

#Body sigs
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
"capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:390146,severity:'2',logdata:'%{TX.0}'"

#c99 rootshell
SecRule REQUEST_URI "(?:\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php|\.php\?(?:phpinfo|mtnf|p0k3r)|/shell[0-9]?\.php|/\.get\.php)" \
        "capture,id:390146,rev:17,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command shell attack: PHP exploit shell attempting to run command',logdata:'%{TX.0}'"

# known PHP attack shells
SecRule REQUEST_URI   "(?:wiki_up/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c(?:99|100)|c(?:99|100)shell)\.(txt|php)\?|iblis\.htm\?|/gif\.gif\?|/go\.php\.txt\?|sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?|iys\.(gif|jpe?g|txt|bmp|png)\?|shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?|zehir\.asp|aflast\.txt\?|sikat\.txt\?&cmd|/lukka\?&|btn_lists\.(gif|jpe?g|txt|bmp|png)\?|dsoul/tool\?|phpbb2?_patch\?&|anggands\.(gif|jpe?g|txt|bmp|png)\?|newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?|/vsf\.vsf\?&|\.k4ka\.txt\?|(?:php|test|sql)\.txt\?|/oops?&|/maint64/index.php|/fx29sh/|fx29id[0-9]|fx29sh_update|/cyberz\.txt|/pshyco\.txt)" \
"capture,id:390147,rev:9,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Known rootkit or remote shell',logdata:'%{TX.0}'"

#|temp)/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))

#URI sigs
SecRule REQUEST_URI "/(?:(?:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|shell|/ipn|php(?:3|4|5)?shell)\.(?:php?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?:ph(?:p(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|proxysx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|shell.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \
        "capture,id:390800,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"


SecRule REQUEST_URI "/(?:(?:linuxdaybot|suntzu|shell_vup|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\.(?:txt|php))" \
        "capture,id:390148,rev:12,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"

#Request Body patterns
#trick them with a 404
SecRule RESPONSE_BODY "(?:(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57 ?shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v[0-9]\.[0-9] - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| ?shell)|(c99|c100|r57) ?shell)\b|aventgrup\.<br>|drwxr| - n3t))|This is (an|a)? exploit from < ?a|php ?(4|5).+ safe_mode ?(\&|/|and)? ?open_basedir ?bypass|feelcomzfeelcomz|id: feelcomz|shirohigeshirohige|lusif3r_666|was here \.\..*uname.*uid.*gid.*free.*used|b\.o\.v sience 20[0-1][0-9]|emp3ror undetectable|(o|0)wned by hacker|feelcomz rfi scanner|by pshyco, آ. 2008 error|safemodeexecdir|sh-(inf|err): )" \
        "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:'390149',rev:11,severity:'2'"

#ASP sigs
SecRule REQUEST_URI   "\.asp\?(?:.*theact=inject&thepath=|pagename=appfileexplorer|.*showupload&thepath=)" \
        "capture,id:390150,rev:5,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: ASP rootkit attempt',logdata:'%{TX.0}'"

#generic payload
#if (isset($_GET['cmd']))          passthru(stripslashes($_GET['cmd']));
SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master |.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:hexDecode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:base64Decode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"


#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt))" \
"capture,id:390802,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"

#some broken attack program
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:[email protected]@[email protected]@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
"capture,id:390803,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known Wormsign',logdata:'%{TX.0}'"

#wormsign sigs

#New SEL attack seen
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user.+char\(.*\))" \
"capture,id:390804,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known rootkit SQL payload',logdata:'%{TX.0}'"

SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails))" \
        "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible spamtool installed on system',id:'390150',severity:'2'"

#Rapid Leech blocks
SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|You are not allowed to leech from|alt=\"rapidleech plugmod|<center>.*<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
        "phase:4,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390900',rev:8,severity:'2'"
SecRule RESPONSE_HEADERS:WWW-Authenticate "basic realm.*rapidleech" \
        "capture,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"

SecRule ARGS_POST "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
"capture,id:390902,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Unauthorized Download Client',logdata:'%{TX.0}'"
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
#"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"


#WWW-Authenticate: Basic realm=\"RAPIDLEECH PLUGMOD
SecRule ARGS:cmd "(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route))" \
"capture,id:390904,rev:4,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
SecRule ARGS:ev "^print [0-9];" \
"capture,id:390905,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"

<LocationMatch homeCounter.php>
  SecRuleRemoveById 390144
  SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch moderation.php>
  SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /paadmin/file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /__utm.gif>
  SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /administrator/index.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /ota/admin/file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/shop_file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /modules/mod_oneononechat/chatfiles/*>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /fud/adm/admbrowse.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-cron.php>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/mods/easymod/easymod_install.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /alfresco/scripts/onload.js>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /assets/Files/who/>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /forum/viewtopic.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /setup/>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /administrator/index2.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /sales/soap.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /twg177/admin/>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /images/smilies/>
  SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /admin/dogen_display.php>
  SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /horde/themes/graphics/>
  SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /whois/quick.php>
  SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /ubbthreads.php>
  SecRuleRemoveById 390902
</LocationMatch>
Also don't forget about Suhosin: recompile Apache and build it, then in php.ini, below extension="suhosin.so", add these:

PHP:
suhosin.log.syslog.facility = 9
suhosin.log.use-x-forwarded-for = Off
suhosin.executor.max_depth = 0
suhosin.executor.include.max_traversal = 4
suhosin.executor.disable_emodifier = Off
suhosin.executor.allow_symlink = Off
suhosin.simulation = Off
suhosin.apc_bug_workaround = Off
suhosin.sql.bailout_on_error = Off
suhosin.multiheader = On
suhosin.mail.protect = 1
suhosin.memory_limit = 80
suhosin.session.encrypt = On
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr = 0
suhosin.cookie.encrypt = On
suhosin.cookie.cryptua = On
suhosin.cookie.cryptraddr = 0
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 65000
suhosin.post.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
suhosin.upload.remove_binary = Off
suhosin.session.max_id_length = 128
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_varname_length = 64
suhosin.request.disallow_nul = On
suhosin.executor.func.blacklist = system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy
Don't panic, all of these are tested and working well, except for some scripts like Joomla and one function in WP.

Tested on CentOS 5 32&64bit, cPanel/WHM, Apache 2.2.17, PHP 5.2.x

Best Regards,
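Rule fragments pasted together by hand, like the ones above, tend to fail in a few predictable ways that only show up when httpd refuses to start: a SecRule that starts a match without an id, the same id used twice (the set above uses 390146, 390150 and 390801 more than once), a "chain" with no rule after it, and rules with no action list that silently inherit whatever SecDefaultAction is in effect. The following linter is an added example, not part of the thread or of the Atomicorp rule feed; it does structural checks only and never evaluates the regexes. The SAMPLE_RULES text is a constructed, shortened version of the fragments above, with the ids kept so the duplicate is visible.

```python
"""Sanity-check a ModSecurity 2.x rule file before handing it to Apache.

Added example, not from the thread or the Atomicorp rule feed.  Checks are
structural only: continuation lines are joined the way Apache joins them,
then each SecRule is inspected for an id, duplicate ids, open chains and
reliance on an implicit SecDefaultAction.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the fragments posted above (patterns shortened,
# ids kept so the duplicate is visible).
SAMPLE_RULES = r'''
SecRule REQUEST_FILENAME "\.pl"
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
    "capture,phase:2,t:none,status:404,msg:'Backdoor access',id:390146,severity:'2'"
SecRule REQUEST_URI "/shell[0-9]?\.php" \
    "capture,id:390146,rev:17,severity:2,msg:'PHP exploit shell'"
SecRule REQUEST_URI "!(horde/services/go\.php)" \
    "capture,chain,id:390144,rev:16,severity:2,msg:'remote include of command shell'"
SecRule ARGS|!ARGS:message "(?:\.(?:dat|gif)\?\&(?:cmd|inc)=)" \

SecRule RESPONSE_BODY "(?:<title>rapidleech)" \
    "phase:4,t:lowercase,status:404,msg:'Rapidleech',id:'390900',rev:8,severity:'2'"
'''

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')     # double-quoted string or bare word
ID_RE = re.compile(r"(?:^|,)\s*id:'?(\d+)'?")         # id:123 or id:'123'
CHAIN_RE = re.compile(r"(?:^|,)\s*chain\s*(?:,|$)")


def logical_lines(text):
    """Yield (first_line_no, text) with Apache's trailing-backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        if joined:
            yield start, joined
        buf, start = [], None
    if buf:
        joined = " ".join(buf).strip()
        if joined:
            yield start, joined


def tokens(line):
    """Split a logical line into directive arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]


def lint_modsec(text):
    """Return findings as (line_no, kind, detail) tuples; an empty list means clean."""
    findings = []
    ids = defaultdict(list)     # rule id -> lines that declare it
    chained = False             # previous SecRule carried "chain"
    default_seen = False        # a SecDefaultAction has appeared earlier in the file
    for no, line in logical_lines(text):
        tok = tokens(line)
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "SecDefaultAction":
            default_seen = True
            continue
        if tok[0] != "SecRule":
            continue
        if len(tok) < 3:
            findings.append((no, "malformed", "SecRule needs VARIABLES and OPERATOR"))
            chained = False
            continue
        actions = tok[3] if len(tok) > 3 else ""
        m = ID_RE.search(actions)
        if m:
            ids[m.group(1)].append(no)
        elif not chained:   # chained continuation rules may omit the id; chain starters may not
            findings.append((no, "missing-id", "rule has no id (ModSecurity 2.7+ refuses to load it)"))
        if not actions and not chained and not default_seen:
            findings.append((no, "implicit-default",
                             "no action list and no SecDefaultAction yet; built-in default is phase:2,log,auditlog,pass"))
        chained = bool(CHAIN_RE.search(actions))
    if chained:
        findings.append((0, "open-chain", "last SecRule says chain but no rule follows it"))
    for rid, lines in ids.items():
        for later in lines[1:]:
            findings.append((later, "duplicate-id", f"id {rid} already used at line {lines[0]}"))
    return sorted(findings)


if __name__ == "__main__":
    for no, kind, detail in lint_modsec(SAMPLE_RULES):
        print(f"line {no}: {kind}: {detail}")
```

Point it at the merged file (`lint_modsec(open(path).read())`) before running `httpd -t`; a duplicate-id or missing-id finding is the kind of thing that leaves Apache unable to start after pasting a rule feed into the WHM editor.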
 

mikegotroot

Well-Known Member
Verified Vendor
Apr 29, 2008
Thanks for the plug for the Atomicorp.com rules!

As the person that wrote the atomicorp rules you just posted above, if you really want to stop unauthorized shells from running, or being uploaded you'd want to use the full 50_asl_rootkits.conf and if you want to stop them from owning your box the 10_asl_rules.conf rulesets at a minimum.

You can read about what each ruleset does here:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#What_does_each_rule_family_do.3F

Also, you might want to use the real time rules if you care about false positives and new threats/attack methods. The delayed rules are always 90 days behind the latest rules, including any fixes and are not as up to date with the latest threats, so if you care about reliability and security use the real time rules. False Positives in the real time rules are fixed the same day they are reported, so if you run into any problems with our rules we will make them work for your system - including logging into your system for free (if you want us to) to make them work for you.
 