Mod_Security / PHPBB Worm

Discussion in 'Security' started by StevenC, Dec 22, 2004.

  1. StevenC

    This was grabbed from a post @ webhostingtalk, so I thought I would let you know about it:

    After you have installed the mod_security from the addon manager:

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    add those two rules.

    An example:

    That's just one site (divide by 2).


    Pulled from:
    http://www.webhostingtalk.com/showthread.php?s=&threadid=355810
     
    #1 StevenC, Dec 22, 2004
    Last edited: Dec 22, 2004
  2. Faldran

    I suggest that you use only the second line. The first one, with chain, is good if you only have phpBB installed, but I have seen this abused through other scripts too.

    SecFilter "chr\(([0-9]{1,3})\)" deny,log

    It may be better to use it as I have it above, since they can use other scripts with this same exploit style, too.
     
  3. jamesbond

    An additional general rule might offer some extra protection against general PHP exploits.


    I think this is a fairly good one:

    SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite|cmd|readfile|mysql_query)"
     
    #3 jamesbond, Dec 27, 2004
    Last edited: Dec 27, 2004
  4. netlook

    How to translate:

    into .htaccess Rule?

    Thank you
     
  5. jamesbond

    With mod_rewrite you mean?

    By the way, this is a broad rule, so keep an eye on the audit_log to see if it's causing any problems for sites on your server.

    Also, since the commands are usually followed by a ( or a space, the rule could be tweaked some more in order to reduce false positives.
     
    #5 jamesbond, Dec 27, 2004
    Last edited: Dec 27, 2004
  6. netlook

    Yes, by mod_rewrite
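
How the rules discussed in this thread differ in coverage and false positives, as an added Python sketch (not code from any poster): it applies the chained rule, the chr-only rule, the broad function-name rule and a hypothetical tightened variant (name followed by `(` or whitespace, as suggested in post #5) to constructed request lines. The `TIGHT` pattern, the URL-decoding step and case-insensitive matching are assumptions approximating ModSecurity; all sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Patterns copied from the rules quoted in the thread.
CHAIN_FIRST = re.compile(r"viewtopic\.php\?", re.I)
CHR_CALL = re.compile(r"chr\(([0-9]{1,3})\)", re.I)
FUNCS = ("system|exec|passthru|popen|shell_exec|proc_open|"
         "fopen|fwrite|cmd|readfile|mysql_query")
BROAD = re.compile(f"({FUNCS})", re.I)
# Hypothetical tightening (assumption, not a rule from the thread):
# the function name must be followed by "(" or whitespace.
TIGHT = re.compile(rf"({FUNCS})[\s(]", re.I)


def evaluate(request_line):
    """Return which rule would fire on one request line.

    Assumption: matching runs on the URL-decoded request line,
    case-insensitively, as an approximation of ModSecurity's behaviour.
    """
    data = unquote_plus(request_line)
    chr_hit = bool(CHR_CALL.search(data))
    return {
        "chained": bool(CHAIN_FIRST.search(data)) and chr_hit,
        "chr_only": chr_hit,
        "broad": bool(BROAD.search(data)),
        "tight": bool(TIGHT.search(data)),
    }


# Constructed sample request lines (not taken from real traffic).
SAMPLES = [
    "GET /viewtopic.php?t=42&x=chr(65) HTTP/1.0",
    "GET /gallery.php?cap=chr(65) HTTP/1.0",
    "GET /docs.php?q=executive+summary HTTP/1.0",
    "GET /docs.php?q=operating+system+basics HTTP/1.0",
    "GET /page.php?x=passthru(PLACEHOLDER) HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        fired = [name for name, hit in evaluate(line).items() if hit]
        print(f"{line!r:60} -> {fired or 'no rule fires'}")
```

The fourth sample still trips the tightened pattern, which is why checking the audit_log for blocked legitimate requests remains necessary.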
     