#1
Preventing the 2 famous PHP shells: R57.php and C99.php

I want to share with you an article that I think will be useful to our members; the article was prepared by a colleague of ours. R57 and C99 are two of the shells most used by lamers and hackers, who switch between accounts on your server, read files, and take the usernames and passwords of the locally running MySQL databases out of the files they read in order to corrupt or change them. I will explain to you how you can prevent them.

First, for R57, go to the "Security Center" section under the "Security" heading in your WHM panel. Then, in the "PHP open_basedir Tweak" section there, activate the first option, "Enable php open_basedir Protection", and press the Save button. Then, from the same section (Security Center), go to "mod_userdir tweak", activate the "Enable mod_userdir Protection" option and press Save.

If Zend is installed on our server, we open our php.ini file located at /usr/local/Zend/etc/php.ini (if a module other than Zend is installed, or no module at all, you can find the php.ini path with this PHP code: " <?php phpinfo() ?> "):

nano /usr/local/Zend/etc/php.ini

In our php.ini we set the safe_mode section to On, and then, after the = sign next to disable_functions in php.ini, without going down to a new line, we write the code below.

PHP Code:

/etc/init.d/httpd restart

With this we have prevented R57.php. For C99.php we will need Mod Security, so we need to install Mod Security from WHM. In the WHM panel, go to the "Plugins" section under cPanel, select Mod Security and save. When the installation finishes, log out of WHM and log in again; we can see whether the installation went without problems at the very bottom, where a "Mod Security" section should have appeared as a menu item. After that we continue our operations from SSH:

cd /usr/local/apache/conf/
rm -rf modsec.conf
wget www.ni.net.tr/dosyalar/modsec.conf.txt
mv modsec.conf.txt modsec.conf

After running the commands above in order, we restart Apache again:

/etc/init.d/httpd restart

and thanks to modsec.conf we have also prevented c99.php.

QUOTED. We thank the friend who prepared the article!
__________________ RAMBilişim İnternet Hizmetleri - YS-839
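The php.ini part of the procedure above (safe_mode, open_basedir, disable_functions) is easy to get half-right, so here is a small auditor that reads php.ini text and reports which of the three controls are missing. This is an added example, not code from the article or from cPanel/WHM; the two php.ini samples are constructed, and the function list is an assumption of this example, since the post's own disable_functions list did not survive on the page.

```python
"""Audit a php.ini against the hardening steps described in the post.

Added example, not from the original article. It reads php.ini text and
reports whether safe_mode, open_basedir and disable_functions are set the
way the post recommends. SHELL_FUNCTIONS is this example's own assumption.
"""

# PHP functions that r57/c99-style shells rely on to run commands or load code.
SHELL_FUNCTIONS = (
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "dl", "show_source", "symlink",
)

# Constructed sample php.ini files, not taken from any real server.
WEAK_INI = """\
[PHP]
safe_mode = Off
; open_basedir is left unset
disable_functions =
"""

HARDENED_INI = """\
[PHP]
safe_mode = On
open_basedir = "/home/:/tmp/:/usr/local/lib/php/"
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec,dl,show_source,symlink
"""


def parse_php_ini(text):
    """Return {directive: value} for the active lines of a php.ini.

    Strips ';' comments and [section] headers, unquotes values, and lets a
    later definition override an earlier one, as PHP itself does.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings


def is_on(value):
    """php.ini accepts several spellings for a boolean 'on'."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def disable_functions_line(functions=SHELL_FUNCTIONS):
    """The single line the post says to put after 'disable_functions =' (no line breaks)."""
    return "disable_functions = " + ",".join(functions)


def audit_php_ini(text):
    """Report which of the post's three php.ini controls are missing."""
    ini = parse_php_ini(text)
    disabled = {f.strip().lower()
                for f in ini.get("disable_functions", "").split(",") if f.strip()}
    return {
        "safe_mode_on": is_on(ini.get("safe_mode", "Off")),
        "open_basedir_set": bool(ini.get("open_basedir")),
        "missing_disabled_functions": [f for f in SHELL_FUNCTIONS if f not in disabled],
    }


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini))
    print(disable_functions_line())
```

Two caveats when using this on a real box: safe_mode was removed in PHP 5.4, so on newer builds only open_basedir and disable_functions still apply, and the auditor reads a single php.ini, so open_basedir values set per virtual host (for example with php_admin_value in the Apache configuration, which is how the WHM tweak can end up applying) are outside what it checks.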
#2
It would be great if you also gave the rules for mod_sec 2.
#3
The one I have is modsec2.conf?
#4
Could you try the rule chain below?

Code:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
SecFilter "sbin/"
SecFilter "eggz"
SecFilter "eggdrop"
SecFilter "psybnc"
SecFilter "udp.pl"
SecFilter "bindtty"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kit
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any loose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"
#new kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI "/scan1\.0/scan/"
SecRule REQUEST_URI "test\.txt\?&"
#30dec
SecRule REQUEST_URI "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI "/php\.txt\?"
#1 jan
SecRule REQUEST_URI "/sql\.txt\?"
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI "/docLib/cmd\.asp"
SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "act=selfremove"
SecRule REQUEST_URI "\?act=ls"
SecRule REQUEST_URI "\?act=sql"
SecRule REQUEST_URI "\?act=processes"
SecRule REQUEST_URI "\?act=ftpquickbrute"
SecRule REQUEST_URI "\?act=encoder"
SecRule REQUEST_URI "\?act=feedback"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "c99\.php"
SecRule REQUEST_URI "\?act=eval"
SecRule REQUEST_URI "\?act=phpinfo"
SecRule REQUEST_URI "\?act=cmd"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
#c99 rootshell
#SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=|tools|ftpquickbrute|mkdir|phpinfo|upload|delete|eval|)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SQL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
#Generic PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#PHP remote path attach generic signature
SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a"
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI "/usr/bin/id" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI "/bin/echo" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI "/bin/kill" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI "/bin/chmod" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI "gcc" chain
SecRule REQUEST_URI "\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI "g\+\+\x20" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI "bin/python" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI "/bin/ping" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI "/bin/mail" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI "\.htpasswd"
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"
# WEB-MISC ls%20-l
SecRule REQUEST_URI "ls" chain
SecRule REQUEST_URI "\x20-l"
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////"
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
#SecRule REQUEST_URI "echo\x20"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "fopen"
SecRule REQUEST_URI "\.\.\.\./"
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
SecFilter '$path."*"'
SecFilter /boot/
SecFilter /dev/
SecFilter /etc/
SecFilter /initrd/
SecFilter /lib/
SecFilter /lost+found/
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /sbin/
SecFilter /usr/local/apache/
SecFilter /usr/local/cpanel/
SecFilter /usr/local/mysql/
SecFilter /var/
</IfModule>
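To see what a ruleset like the one above actually does to traffic before deploying it, it helps to replay request lines against the signatures. The block below is an added example, not part of the thread: it copies a handful of the SecRule lines from the post verbatim and applies them with a deliberately simplified engine (plain regex search on REQUEST_URI and REMOTE_ADDR only, no URL decoding or other transformations, `chain` and `!` negation honoured, first match denies with the 406 status that the post's SecFilterDefaultAction sets). The request samples are constructed and use documentation-reserved addresses.

```python
"""Replay constructed request lines against a subset of the posted signatures.

Added example, not from the original post. The SecRule lines in RULE_TEXT are
copied from the ruleset above; the evaluator is a simplification of
ModSecurity, not its engine.
"""
import re

RULE_TEXT = r'''
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "\?act=cmd"
SecRule REQUEST_URI "/c99\.txt\?"
SecRule REQUEST_URI "/etc/passwd"
SecRule REQUEST_URI "fopen"
SecRule REQUEST_URI "ls" chain
SecRule REQUEST_URI "\x20-l"
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
'''

# SecRule TARGET|TARGET "pattern" [actions]; the pattern may contain \" escapes.
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s*(.*)$')
DENY_STATUS = 406  # from the post's: SecFilterDefaultAction "deny,log,status:406"


def parse_rules(text):
    """Group SecRule lines into chains: a rule carrying `chain` is AND-ed with the next."""
    chains, current = [], []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments and non-SecRule directives are ignored
        targets, pattern, actions = m.groups()
        negate = pattern.startswith("!")
        current.append((targets.split("|"), re.compile(pattern.lstrip("!")), negate, pattern))
        if "chain" not in actions.strip('"').split(","):
            chains.append(current)
            current = []
    if current:
        chains.append(current)
    return chains


def rule_matches(rule, request):
    """A rule matches if its regex hits any of its targets (inverted for `!`)."""
    targets, regex, negate, _ = rule
    hit = any(regex.search(request.get(t, "")) for t in targets)
    return hit != negate


def first_match(chains, request):
    """Pattern(s) of the first chain whose every link matches, else None."""
    for chain in chains:
        if all(rule_matches(r, request) for r in chain):
            return " && ".join(r[3] for r in chain)
    return None


def decide(chains, request):
    return DENY_STATUS if first_match(chains, request) else 200


RULES = parse_rules(RULE_TEXT)

# Constructed sample requests (not from any real log).
SAMPLE_REQUESTS = [
    {"REQUEST_URI": "/images/shell.php?act=cmd&cmd=id", "REMOTE_ADDR": "203.0.113.5"},
    {"REQUEST_URI": "/uploads/r57en.php", "REMOTE_ADDR": "203.0.113.5"},
    {"REQUEST_URI": "/docs/fopen.html", "REMOTE_ADDR": "198.51.100.9"},  # false positive
    {"REQUEST_URI": "/tools/ls.html", "REMOTE_ADDR": "198.51.100.9"},    # chain not completed
    {"REQUEST_URI": "/server-status/", "REMOTE_ADDR": "127.0.0.1"},      # loopback exemption
    {"REQUEST_URI": "/server-status/", "REMOTE_ADDR": "198.51.100.9"},
    {"REQUEST_URI": "/index.php?page=http://203.0.113.7/x.txt?&cmd=ls", "REMOTE_ADDR": "203.0.113.5"},
    {"REQUEST_URI": "/products.php?id=42", "REMOTE_ADDR": "198.51.100.9"},
]


def scan(requests=SAMPLE_REQUESTS, chains=RULES):
    """(uri, status, matched pattern or None) for every request."""
    return [(r["REQUEST_URI"], decide(chains, r), first_match(chains, r)) for r in requests]


if __name__ == "__main__":
    for uri, status, why in scan():
        print(f"{status} {uri}" + (f"  <- {why}" if why else ""))
```

The replay shows both sides of this style of ruleset: the bare substring signatures (`fopen`, `/etc/passwd`) block a documentation page as readily as a shell, while the chained rules (`ls` plus `\x20-l`, `/server-status/` plus the non-loopback address, the RFI pair with its `!(/do_command)` exception) only fire when every link matches. Two things the toy engine leaves out matter in production: ModSecurity normalizes the request (URL decoding, path cleanup) before matching, and the posted file mixes ModSecurity 1.x `SecFilter*` directives with 2.x `SecRule` lines, so a 2.x build will refuse the `SecFilter*` lines and a 1.x build does not know `SecRule`; check the Apache error log after the restart rather than assuming the rules loaded.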
#5
I replaced the codes in the modsec2.conf file with the codes you gave.. I think I did it right, right? I restarted httpd and there seems to be no problem; will it still accept c99 from now on?
#6
With mod_security you can prevent shells from being run, not from being uploaded. To make sure you have done the procedure correctly, you can upload a c99 and an r57 shell and test.
#7
Quote:
#8
Yes, mod_security is not something specific to WHM.
#9
Onur, there is no thank-you button for us to press, so: thank you.
#10
To prevent shells being dropped on the server, leaving aside the php.ini integration xD and mod_security, you first need to pay attention to the MySQL + PHP version you are using. For example, the current latest version of MySQL does not accept the very strong bypass shells that are on the market.
__________________ dı bekir says: Those who forget their past are condemned to live it once more. http://bilisimMimarileri.com
LinkBack to this Thread: http://forum.whmdestek.com/guvenlik-makaleleri/195-unlu-2-phpshellli-onlemek-r57-php-c99-php.html