Mod_Security / PHPBB Worm

Discussion in 'Security' started by StevenC, Dec 22, 2004.

  1. StevenC

    StevenC Well-Known Member

    This was grabbed from a post @ webhostingtalk so I thought I would let you know about it:

    After you have installed the mod_security from the addon manager:

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    add those two rules.

    An example:

    That's just one site (divide by 2).


    Pulled from:
    http://www.webhostingtalk.com/showthread.php?s=&threadid=355810
     
    #1 StevenC, Dec 22, 2004
    Last edited: Dec 22, 2004
  2. Faldran

    Faldran Well-Known Member

    I suggest that you use only the second line. The first one, with chain, is good if you only have phpBB installed, but I have seen this abused through other scripts too.

    SecFilter "chr\(([0-9]{1,3})\)" deny,log

    It may be better to use it as I have it above, since they can use other scripts with this same exploit style, too.
     
  3. jamesbond

    jamesbond Well-Known Member

    An additional general rule might offer some extra protection against general PHP exploits.


    I think this is a fairly good one:

    SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite|cmd|readfile|mysql_query)"
     
    #3 jamesbond, Dec 27, 2004
    Last edited: Dec 27, 2004
  4. netlook

    netlook Well-Known Member
    PartnerNOC

    How to translate:

    into .htaccess Rule?

    Thank you
     
  5. jamesbond

    jamesbond Well-Known Member

    With mod_rewrite you mean?

    By the way, this is a broad rule, so keep an eye on the audit_log to see if it's causing any problems for sites on your server.

    Also, since the commands are usually followed by a ( or a space, the rule could be tweaked some more in order to reduce false positives.
     
    #5 jamesbond, Dec 27, 2004
    Last edited: Dec 27, 2004
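
The trade-off between the rule variants in posts #1, #2, #3 and #5, as an added example that is not part of the thread or of mod_security itself: a Python sketch that applies the posted patterns to constructed request lines. The `TIGHT` pattern, the `evaluate` function, the case-insensitive matching and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

NAMES = ("system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite|"
         "cmd|readfile|mysql_query")

# Patterns copied from the rules posted in the thread. re.I is an assumption
# about how the module matches, not something the thread states.
VIEWTOPIC = re.compile(r"viewtopic\.php\?", re.I)
CHR_CALL = re.compile(r"chr\(([0-9]{1,3})\)", re.I)
BROAD = re.compile("(" + NAMES + ")", re.I)
# Hypothetical tightening (not posted in the thread): the name must be
# followed by "(" or whitespace.
TIGHT = re.compile("(" + NAMES + r")[\s(]", re.I)


def evaluate(request_line):
    """Return which rule variants match one request line."""
    # Rough stand-in for the URL decoding done before rules are applied.
    text = unquote_plus(request_line)
    chr_hit = bool(CHR_CALL.search(text))
    return {
        "chained": bool(VIEWTOPIC.search(text)) and chr_hit,  # post #1
        "chr_only": chr_hit,                                  # post #2
        "broad": bool(BROAD.search(text)),                    # post #3
        "tight": bool(TIGHT.search(text)),                    # post #5 idea
    }


# Constructed sample request lines (not taken from real logs).
SAMPLES = [
    "GET /viewtopic.php?t=42&highlight=chr(65) HTTP/1.0",
    "GET /gallery.php?title=chr(65) HTTP/1.0",
    "GET /search.php?q=executive+summary HTTP/1.0",
    "GET /docs.php?topic=filesystems HTTP/1.0",
    "GET /page.php?arg=exec(%22uptime%22) HTTP/1.0",
    "GET /tool.php?cmd=uptime HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        hits = [name for name, hit in evaluate(line).items() if hit]
        print(line, "->", ", ".join(hits) or "no match")
```

The last sample shows the cost of the tightening: a bare `cmd=` parameter, which the broad rule flags, no longer matches once a following `(` or space is required.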
  6. netlook

    netlook Well-Known Member
    PartnerNOC

    Yes, by mod_rewrite
     