The Community Forums


How to protect my sites from the c99g

Discussion in 'Security' started by golden_eyes, Oct 7, 2010.

  1. golden_eyes

    golden_eyes Well-Known Member

    Joined:
    Aug 9, 2010
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    I saw on some servers that when I upload the c99 or any shell, the upload, mkdir and mkfile options are [ Read Only ] in red, unlike when I upload the same file to my server, where it gives [ OK ] in green. So how do I protect against file creation from the shell?

    Sincerely,
     
  2. lifelinux

    lifelinux Member

    Joined:
    Oct 29, 2010
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    You can disable PHP functions in the php.ini file: exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
    And more: you should use suPHP & mod_security.
     
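    As an added example, not part of this thread: a small Python script that audits the disable_functions line of a php.ini the way an admin would after applying the advice above. It parses the file the way php.ini is read (';' starts a comment, the last assignment wins), reports which of a baseline set of command-execution functions are still callable, flags duplicate entries, and builds a deduplicated replacement line. The baseline names come from this thread's lists, but the set itself is the example's own choice, and the php.ini fragment is constructed for the demonstration.

```python
"""Audit the disable_functions setting of a php.ini file.

Added example, not from this thread: checks that the command-execution
functions the thread recommends disabling are actually listed, and flags
duplicate entries. The BASELINE set is this example's own choice.
"""
import re

# Functions a shared host normally wants blocked (names taken from the thread).
BASELINE = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "pcntl_exec", "curl_exec", "curl_multi_exec", "parse_ini_file",
    "show_source",
}

DISABLE_RE = re.compile(r"^disable_functions\s*=\s*(.*)$", re.IGNORECASE)


def parse_disable_functions(ini_text):
    """Return the entries of the last active disable_functions line, in order.

    php.ini treats ';' as a comment marker and the last assignment wins, so a
    commented-out line is ignored and a later line overrides an earlier one.
    """
    entries = []
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = DISABLE_RE.match(line)
        if m:
            value = m.group(1).strip().strip('"')
            entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return entries


def audit(ini_text):
    """Report what is disabled, which BASELINE functions are still callable,
    and which entries appear more than once."""
    entries = parse_disable_functions(ini_text)
    seen, duplicates = set(), []
    for name in entries:
        if name in seen and name not in duplicates:
            duplicates.append(name)
        seen.add(name)
    return {
        "disabled": sorted(seen),
        "missing": sorted(BASELINE - seen),
        "duplicates": duplicates,
    }


def hardened_line(ini_text):
    """Build a deduplicated disable_functions line covering the current list
    plus every BASELINE function."""
    names = sorted(set(parse_disable_functions(ini_text)) | BASELINE)
    return "disable_functions = " + ",".join(names)


# Constructed php.ini fragment for the demonstration.
SAMPLE_INI = """\
[PHP]
; commented-out line, must be ignored
;disable_functions = exec
disable_functions = exec,passthru,shell_exec,system,popen,curl_exec,show_source,popen
"""

if __name__ == "__main__":
    report = audit(SAMPLE_INI)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(hardened_line(SAMPLE_INI))
```

    On the constructed fragment the audit reports popen as a duplicate and curl_multi_exec, parse_ini_file, pcntl_exec and proc_open as still callable. Point it at the real php.ini path (on cPanel normally /usr/local/lib/php.ini) to check a live host, and compare the result with `php -i` afterwards, since a php.ini that PHP never reads passes the audit but protects nothing.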
  3. golden_eyes

    golden_eyes Well-Known Member

    Joined:
    Aug 9, 2010
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Is there any tutorial for suPHP and mod_security to help me with the setup?

    Sincerely,
     
  4. lifelinux

    lifelinux Member

    Joined:
    Oct 29, 2010
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
  5. JamesCartelo

    JamesCartelo Registered

    Joined:
    Nov 9, 2010
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    To secure a cPanel host you may only need to use
    Application Security Rules (Gotroot rules for mod_security).

    Install mod_security using "Update Apache" in WHM, then edit the configuration file in WHM by adding
    http://downloads.prometheus-group.com/delayed/rules/modsec/10_asl_rules.conf

    Some of these rules are really useless on shared hosting; they limit users too much!
    I think you only need to block some application attacks + shell scripts + Rapid Leech and so on, which you will be able to do by adding only this file.
     
  6. 2die4

    2die4 Member

    Joined:
    Oct 15, 2008
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    In a nice quiet neighborhood.
    I have been reading up and looking at rule sets myself and learning their structure. I also agree that disabling some of the PHP functions is good. ;)

    By the way are there any other sites with rule sets in addition to gotroot and atomicorp?

    If you are running a PHP site, ZB Block (spambotsecurity) is a good script to add to a website, just to add another layer of security to ward off hackbots and spambots.
     
  7. hostnex

    hostnex Well-Known Member

    Joined:
    May 2, 2008
    Messages:
    77
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Islamabad, Pakistan, Pakistan
    cPanel Access Level:
    Root Administrator
    I tried to use the rules given in the above link, but then I cannot start Apache. Can you help us implement these rules?
     
  8. mikegotroot

    mikegotroot Well-Known Member

    Joined:
    Apr 29, 2008
    Messages:
    85
    Likes Received:
    1
    Trophy Points:
    8
    What error are you getting?

    Also, if you are using the gotroot rules, you may want to ask over on the gotroot rules forums:

    https://www.atomicorp.com/forums/
     
  9. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Hello,

    You can use these tested rules and functions, although I'm disabling too many functions to increase security.

    Functions:
    PHP:
    system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy
    Mod Security Rules:
    PHP:
    SecRule REQUEST_FILENAME "\.pl"
    SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
    SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"

    SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
    SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
    SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
    SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"



    #Master list of known malware script file names
    #SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
    #"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
    #SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"

    #SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"

    SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

    SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http)" \
    "capture,chain,id:390144,rev:16,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"

    SecRule ARGS|!ARGS:message  "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|/trf/traf\.php)"

    #rootkit patterns
    SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?)" \
    "capture,chain,id:390145,rev:6,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Generic Attempt to install rootkit',logdata:'%{TX.0}'"
    SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

    #Body sigs
    SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
    "capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:390146,severity:'2',logdata:'%{TX.0}'"

    #c99 rootshell
    # NOTE: id 390146 is also used by the "Backdoor access" header rule above; ModSecurity requires unique ids, so renumber one of them before loading
    SecRule REQUEST_URI "(?:\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php|\.php\?(?:phpinfo|mtnf|p0k3r)|/shell[0-9]?\.php|/\.get\.php)" \
    "capture,id:390146,rev:17,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command shell attack: PHP exploit shell attempting to run command',logdata:'%{TX.0}'"

    # known PHP attack shells
    SecRule REQUEST_URI   "(?:wiki_up/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c(?:99|100)|c(?:99|100)shell)\.(txt|php)\?|iblis\.htm\?|/gif\.gif\?|/go\.php\.txt\?|sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?|iys\.(gif|jpe?g|txt|bmp|png)\?|shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?|zehir\.asp|aflast\.txt\?|sikat\.txt\?&cmd|/lukka\?&|btn_lists\.(gif|jpe?g|txt|bmp|png)\?|dsoul/tool\?|phpbb2?_patch\?&|anggands\.(gif|jpe?g|txt|bmp|png)\?|newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?|/vsf\.vsf\?&|\.k4ka\.txt\?|(?:php|test|sql)\.txt\?|/oops?&|/maint64/index.php|/fx29sh/|fx29id[0-9]|fx29sh_update|/cyberz\.txt|/pshyco\.txt)" \
    "capture,id:390147,rev:9,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Known rootkit or remote shell',logdata:'%{TX.0}'"

    #|temp)/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))

    #URI sigs
    SecRule REQUEST_URI "/(?:(?:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|shell|/ipn|php(?:3|4|5)?shell)\.(?:php?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?:ph(?:p(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|proxysx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|shell.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \
    "capture,id:390800,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"


    SecRule REQUEST_URI "/(?:(?:linuxdaybot|suntzu|shell_vup|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\.(?:txt|php))" \
    "capture,id:390148,rev:12,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"

    #Request Body patterns
    #trick them with a 404
    SecRule RESPONSE_BODY "(?:(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57 ?shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v[0-9]\.[0-9] - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| ?shell)|(c99|c100|r57) ?shell)\b|aventgrup\.<br>|drwxr| - n3t))|This is (an|a)? exploit from < ?a|php ?(4|5).+ safe_mode ?(\&|/|and)? ?open_basedir ?bypass|feelcomzfeelcomz|id: feelcomz|shirohigeshirohige|lusif3r_666|was here \.\..*uname.*uid.*gid.*free.*used|b\.o\.v sience 20[0-1][0-9]|emp3ror undetectable|(o|0)wned by hacker|feelcomz rfi scanner|by pshyco, آ. 2008 error|safemodeexecdir|sh-(inf|err): )" \
    "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:'390149',rev:11,severity:'2'"

    #ASP sigs
    SecRule REQUEST_URI   "\.asp\?(?:.*theact=inject&thepath=|pagename=appfileexplorer|.*showupload&thepath=)" \
    "capture,id:390150,rev:5,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: ASP rootkit attempt',logdata:'%{TX.0}'"

    #generic payload (NOTE: the three variants below all carry id 390801; ModSecurity requires a unique id per rule, so give the t:hexDecode and t:base64Decode variants their own ids before loading)
    #if (isset($_GET['cmd']))          passthru(stripslashes($_GET['cmd']));
    SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master |.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
    "capture,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
    SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
    "capture,t:hexDecode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
    SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
    "capture,t:base64Decode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"


    #Generic remote perl execution with .pl extension
    SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt))" \
    "capture,id:390802,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"

    #some broken attack program
    SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
    "capture,id:390803,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known Wormsign',logdata:'%{TX.0}'"

    #wormsign sigs

    #New SEL attack seen
    SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user.+char\(.*\))" \
    "capture,id:390804,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known rootkit SQL payload',logdata:'%{TX.0}'"

    # NOTE: id 390150 is already used by the ASP rootkit rule above; renumber before loading
    SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails))" \
    "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible spamtool installed on system',id:'390150',severity:'2'"

    #Rapid Leech blocks
    SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|You are not allowed to leech from|alt=\"rapidleech plugmod|<center>.*<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
    "phase:4,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390900',rev:8,severity:'2'"
    SecRule RESPONSE_HEADERS:WWW-Authenticate "basic realm.*rapidleech" \
    "capture,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"

    SecRule ARGS_POST "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
    "capture,id:390902,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Unauthorized Download Client',logdata:'%{TX.0}'"
    #SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
    #"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"


    #WWW-Authenticate: Basic realm=\"RAPIDLEECH PLUGMOD
    SecRule ARGS:cmd "(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route))" \
    "capture,id:390904,rev:4,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
    SecRule ARGS:ev "^print [0-9];" \
    "capture,id:390905,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"

    <LocationMatch homeCounter.php>
      SecRuleRemoveById 390144
      SecRuleRemoveById 390145
    </LocationMatch>
    <LocationMatch moderation.php>
      SecRuleRemoveById 390148
    </LocationMatch>
    <LocationMatch /paadmin/file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /__utm.gif>
      SecRuleRemoveById 390144
    </LocationMatch>
    <LocationMatch /administrator/index.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /ota/admin/file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /admin/shop_file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /admin/file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /modules/mod_oneononechat/chatfiles/*>
      SecRuleRemoveById 390147
    </LocationMatch>
    <LocationMatch /fud/adm/admbrowse.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /wp-cron.php>
      SecRuleRemoveById 390147
    </LocationMatch>
    <LocationMatch /admin/mods/easymod/easymod_install.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /e107_plugins/autogallery/autogallery.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /alfresco/scripts/onload.js>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /assets/Files/who/>
      SecRuleRemoveById 390147
    </LocationMatch>
    <LocationMatch /forum/viewtopic.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /setup/>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /administrator/index2.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /sales/soap.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /twg177/admin/>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /images/smilies/>
      SecRuleRemoveById 390148
    </LocationMatch>
    <LocationMatch /admin/dogen_display.php>
      SecRuleRemoveById 390801
    </LocationMatch>
    <LocationMatch /horde/themes/graphics/>
      SecRuleRemoveById 390148
    </LocationMatch>
    <LocationMatch /whois/quick.php>
      SecRuleRemoveById 390145
    </LocationMatch>
    <LocationMatch /ubbthreads.php>
      SecRuleRemoveById 390902
    </LocationMatch>
    Also don't forget about Suhosin: recompile Apache and build it, then in php.ini, below extension="suhosin.so", add these:

    PHP:
    suhosin.log.syslog.facility = 9
    suhosin.log.use-x-forwarded-for = Off
    suhosin.executor.max_depth = 0
    suhosin.executor.include.max_traversal = 4
    suhosin.executor.disable_emodifier = Off
    suhosin.executor.allow_symlink = Off
    suhosin.simulation = Off
    suhosin.apc_bug_workaround = Off
    suhosin.sql.bailout_on_error = Off
    suhosin.multiheader = On
    suhosin.mail.protect = 1
    suhosin.memory_limit = 80
    suhosin.session.encrypt = On
    suhosin.session.cryptua = On
    suhosin.session.cryptdocroot = On
    suhosin.session.cryptraddr = 0
    suhosin.cookie.encrypt = On
    suhosin.cookie.cryptua = On
    suhosin.cookie.cryptraddr = 0
    suhosin.cookie.max_array_depth = 100
    suhosin.cookie.max_array_index_length = 64
    suhosin.cookie.max_name_length = 64
    suhosin.cookie.max_totalname_length = 256
    suhosin.cookie.max_value_length = 10000
    suhosin.cookie.max_vars = 100
    suhosin.cookie.disallow_nul = On
    suhosin.get.max_array_depth = 50
    suhosin.get.max_array_index_length = 64
    suhosin.get.max_name_length = 64
    suhosin.get.max_totalname_length = 256
    suhosin.get.max_value_length = 512
    suhosin.get.max_vars = 100
    suhosin.get.disallow_nul = On
    suhosin.post.max_array_depth = 100
    suhosin.post.max_array_index_length = 64
    suhosin.post.max_totalname_length = 256
    suhosin.post.max_value_length = 65000
    suhosin.post.disallow_nul = On
    suhosin.upload.max_uploads = 25
    suhosin.upload.disallow_elf = On
    suhosin.upload.disallow_binary = Off
    suhosin.upload.remove_binary = Off
    suhosin.session.max_id_length = 128
    suhosin.request.max_array_depth = 100
    suhosin.request.max_array_index_length = 64
    suhosin.request.max_totalname_length = 256
    suhosin.request.max_value_length = 65000
    suhosin.request.max_varname_length = 64
    suhosin.request.disallow_nul = On
    suhosin.executor.func.blacklist = system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy
    Don't panic, all of these are tested and working well, except with some scripts like Joomla and one function in WP.

    Tested on CentOS 5 32&64bit, cPanel/WHM, Apache 2.2.17, PHP 5.2.x

    Best Regards,
     
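    An added example, not from this thread or from Atomicorp: a Python lint for a ModSecurity 2.x rule file such as the one pasted above. It joins Apache backslash continuations, pulls the id out of each SecRule/SecAction action list, and reports ids declared more than once (ModSecurity refuses to load a file that declares the same id twice, so Apache will not start, which is one cause of the kind of start failure asked about earlier in this thread) as well as rules that carry no action list at all and therefore silently inherit SecDefaultAction. Run against the rules above it flags 390146, 390150 and 390801, each of which appears on more than one rule. The rule file embedded in the block is constructed for the demonstration.

```python
"""Lint a ModSecurity 2.x rule file for duplicate or missing rule ids.

Added example, not from this thread or from Atomicorp: joins Apache-style
backslash continuations, extracts the id from each SecRule/SecAction action
list, and reports ids declared more than once (ModSecurity refuses to load
such a file, which leaves Apache unable to start) and rules with no id.
"""
import re
from collections import defaultdict

DIRECTIVE_RE = re.compile(r"^(SecRule|SecAction)\s+(.*)$", re.DOTALL)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one double-quoted argument
ID_RE = re.compile(r"(?<![\w-])id:'?(\d+)'?")    # id:390146 or id:'390146'


def logical_lines(text):
    """Yield (starting_line_number, joined_text), joining lines that end in a
    backslash the way Apache's configuration reader does."""
    parts, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        line = raw.rstrip()
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line.strip())
        yield start, " ".join(parts)
        parts, start = [], None
    if parts:                       # file ended right after a continuation
        yield start, " ".join(parts)


def rule_actions(logical):
    """Return the action list of a SecRule/SecAction, '' if it has none,
    or None if the line is not a rule (comments, SecRuleRemoveById, ...)."""
    m = DIRECTIVE_RE.match(logical)
    if not m:
        return None
    quoted = QUOTED_RE.findall(m.group(2))
    if m.group(1) == "SecAction":
        return quoted[0] if quoted else ""
    # SecRule VARIABLES "operator" "actions": actions are the second quoted arg
    return quoted[1] if len(quoted) >= 2 else ""


def lint(text):
    """Count rules, collect ids declared more than once (with the line each
    declaration starts on) and rules that have no id."""
    ids, missing, count = defaultdict(list), [], 0
    for number, logical in logical_lines(text):
        actions = rule_actions(logical)
        if actions is None:
            continue
        count += 1
        m = ID_RE.search(actions)
        if m:
            ids[m.group(1)].append(number)
        else:
            missing.append(number)
    return {
        "rule_count": count,
        "duplicate_ids": {i: lines for i, lines in ids.items() if len(lines) > 1},
        "missing_id": missing,
    }


# Constructed rule file: one rule without actions, two rules sharing an id.
SAMPLE_RULES = r'''# constructed sample for the lint
SecRule REQUEST_FILENAME "\.pl"
SecDefaultAction "log,deny,phase:2,status:403"
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
    "capture,phase:2,t:none,status:404,msg:'Backdoor access',id:390146,severity:'2'"
SecRule REQUEST_URI "/shell[0-9]?\.php" \
    "capture,id:390146,rev:17,severity:2,msg:'PHP exploit shell'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt" "id:390500"
SecRule RESPONSE_BODY "rapidleech" \
    "phase:4,t:lowercase,status:404,msg:'Rapidleech',id:'390900',rev:8"
SecRuleRemoveById 390146
'''

if __name__ == "__main__":
    for key, value in lint(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

    The lint only reads the action list, never the operator string, so text such as "id: feelcomz" inside a signature regex is not mistaken for a rule id. Commented-out rules are skipped because the whole logical line starts with '#'. Run it over a rule file before adding it to the WHM mod_security configuration, and fix every duplicate it reports; `apachectl configtest` then confirms the file loads.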
  10. mikegotroot

    mikegotroot Well-Known Member

    Joined:
    Apr 29, 2008
    Messages:
    85
    Likes Received:
    1
    Trophy Points:
    8
    Thanks for the plug for the Atomicorp.com rules!

    As the person who wrote the Atomicorp rules you just posted above: if you really want to stop unauthorized shells from running or being uploaded, you'd want to use the full 50_asl_rootkits.conf, and if you want to stop them from owning your box, the 10_asl_rules.conf rulesets at a minimum.

    You can read about what each ruleset does here:

    https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#What_does_each_rule_family_do.3F

    Also, you might want to use the real-time rules if you care about false positives and new threats/attack methods. The delayed rules are always 90 days behind the latest rules, including any fixes, and are not as up to date with the latest threats, so if you care about reliability and security use the real-time rules. False positives in the real-time rules are fixed the same day they are reported, so if you run into any problems with our rules we will make them work for your system, including logging into your system for free (if you want us to) to make them work for you.
     
    #10 mikegotroot, Jan 18, 2011
    Last edited: Jan 18, 2011