Blocking the 2 well-known php shells R57.php and C99.php

http://forum.whmdestek.com/

#1  03.07.07, 02:59  RAMBilisim (www.rambilisim.com)

I would like to share with you an article that I think will be useful to our members; the article was prepared by a colleague of ours.

Lamers and hackers frequently use these on your server to move between accounts and read files, and from the files they read they take the usernames and passwords of the MySQL databases running locally and corrupt or change them. I am going to explain to you how you can block R57 and C99, which are two of the shells they use most..

First, for R57, go to the "Security Center" section under the "Security" heading in your WHM panel.

Then, in the "PHP open_basedir Tweak" section there, enable the first option, "Enable php open_basedir Protection.", and click the Save button..

Then, from the same section (Security Center), switch to the "mod_userdir tweak" section, enable the "Enable mod_userdir Protection." option and click the Save button.

If Zend is installed on our server,

/usr/local/Zend/etc/php.ini

we open our php.ini file located at that path (if a module other than Zend is installed, or no module at all, you can find the path of php.ini with this PHP code: " <?php phpinfo() ?> ")

nano /usr/local/Zend/etc/php.ini

In our php.ini file we set the safe_mode section to On.. and then, again inside php.ini, after the = sign next to disable_functions, we write the code below without dropping to a new line.

PHP Code:
restore_ini,glob,hopenbasedir,f_open,system,dl,passthru,cat,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,escapeshellcmd,escapeshellarg,show_source,posix_mkfifo,mysql_list_dbs,get_current_user,getmyuid,pconnect,link,symlink,pcntl_exec,ini_alter,parse_ini_file,leak,apache_child_terminate,posix_kill,posix_setpgid,posix_setsid,posix_setuid,proc_terminate,syslog,fpassthru,stream_select,socket_select,socket_create,socket_create_listen,socket_create_pair,socket_listen,socket_accept,socket_bind,foreach,socket_strerror,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,openlog,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual
We save our php.ini file and restart apache

/etc/init.d/httpd restart

With this we have blocked R57.php. For C99.php we will need Mod Security, so we need to install Mod Security from WHM: in the WHM panel, go to the "Plugins" section under the Cpanel section, select Mod Security and save. When the installation finishes, log out of the WHM panel and log back in. We can see at the very bottom whether the installation went through without problems: a "Mod Security" section should have appeared as a menu item.

Then we continue our work from ssh..

cd /usr/local/apache/conf/
rm -rf modsec.conf
wget www.ni.net.tr/dosyalar/modsec.conf.txt
mv modsec.conf.txt modsec.conf

After running the commands above in order, we restart apache again

/etc/init.d/httpd restart

and thanks to modsec.conf we have blocked c99.php as well.

(QUOTED)


Thanks to the friend who prepared the article!
__________________
RAMBilisim internet Hizmetleri - YS-839
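An offline audit of the php.ini step above, added here as an example and not part of the post or the quoted article: it parses a php.ini, reads safe_mode and disable_functions, and reports command-execution functions a PHP shell could still call. The baseline set of functions, the sample php.ini and its deliberately word-wrapped entry are constructed for the example; safe_mode itself was removed in PHP 5.4, so on current builds that key is simply absent.

```python
"""Offline audit of the php.ini hardening from the first post.

Added example (not from the thread or the quoted article): it parses a
php.ini, checks safe_mode and disable_functions, and reports
command-execution functions that a PHP shell could still call. The
baseline set and the sample php.ini are constructed for illustration.
"""

# Functions that hand a PHP shell direct command execution. The post's
# list covers most of these; shell_exec is absent from it.
EXEC_BASELINE = {
    "system", "exec", "passthru", "shell_exec", "popen", "proc_open",
    "pcntl_exec", "dl",
}

# Constructed sample: note the word-wrapped "pas sthru" and the missing
# shell_exec, both easy to carry over from a copy-pasted forum list.
SAMPLE_PHP_INI = """\
[PHP]
; hardening per the post
safe_mode = On
disable_functions = system,dl,pas sthru,exec,popen,proc_open,pcntl_exec,symlink
expose_php = Off
"""


def parse_php_ini(text):
    """Return {key: value} for active key = value lines; comments and
    [Section] headers are skipped. A repeated key keeps its last value,
    which is also how PHP resolves a duplicated directive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text):
    """Report safe_mode state, malformed entries and still-callable functions.

    disable_functions is PHP_INI_SYSTEM: it only takes effect from php.ini,
    never from .htaccess or ini_set(), so the main file is the one to check.
    """
    settings = parse_php_ini(text)
    entries = [e.strip() for e in settings.get("disable_functions", "").split(",")]
    entries = [e for e in entries if e]
    # An entry with whitespace inside it names no function, so it disables nothing.
    broken = [e for e in entries if any(c.isspace() for c in e)]
    disabled = {e.lower() for e in entries if e not in broken}
    return {
        # safe_mode was removed in PHP 5.4; on newer builds the key is simply absent.
        "safe_mode_on": settings.get("safe_mode", "").lower() in ("on", "1"),
        "broken_entries": broken,
        "still_enabled": sorted(EXEC_BASELINE - disabled),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PHP_INI).items():
        print(f"{key}: {value}")
```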
#2  29.05.08, 20:07  youdie
It would be great if you also gave the rules for mod_security 2.
#3  07.08.08, 14:14  irmon
The one I have is

modsec2.conf
..?
#4  07.08.08, 14:32  Onur
Could you try the rule chain below?
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
Secfilter "sbin/"
SecFilter "eggz"
SecFilter "eggdrop"
SecFilter "psybnc"
SecFilter "udp.pl"
SecFilter "bindtty"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI   "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI   "/iblis\.htm\?" 
SecRule REQUEST_URI   "/gif\.gif\?" 
SecRule REQUEST_URI   "/go\.php\.txt\?" 
SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/zehir\.asp"
SecRule REQUEST_URI   "/aflast\.txt\?"
SecRule REQUEST_URI   "/sikat\.txt\?&cmd" 
SecRule REQUEST_URI   "/t\.gif\?" 
SecRule REQUEST_URI   "/phpbb_patch\?&"
SecRule REQUEST_URI   "/phpbb2_patch\?&"
SecRule REQUEST_URI   "/lukka\?&"
#new kit
SecRule REQUEST_URI   "/c99shell\.txt"
SecRule REQUEST_URI   "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY   "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI   "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI   "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI   "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI   "/scan1\.0/scan/"
SecRule REQUEST_URI   "test\.txt\?&"
#30dec
SecRule REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI   "/php\.txt\?"
#1 jan
SecRule REQUEST_URI   "/sql\.txt\?"
SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI   "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI   "/docLib/cmd\.asp"
SecRule REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI   "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "act=selfremove"
SecRule REQUEST_URI "\?act=ls"
SecRule REQUEST_URI "\?act=sql"
SecRule REQUEST_URI "\?act=processes"
SecRule REQUEST_URI "\?act=ftpquickbrute"
SecRule REQUEST_URI "\?act=encoder"
SecRule REQUEST_URI "\?act=feedback"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "/c99\.php"
SecRule REQUEST_URI "\?act=eval"
SecRule REQUEST_URI "\?act=phpinfo"
SecRule REQUEST_URI "\?act=cmd"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
#c99 rootshell
#SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=|tools|ftpquickbrute|mkdir|phpinfo|upload|delete|eval|)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#PHP remote path attach generic signature
SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a" 
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI  "/usr/bin/id" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI  "/bin/echo" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI  "/bin/kill" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI  "/bin/chmod" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI   "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI  "gcc" chain
SecRule REQUEST_URI "\x20-o" 
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI  "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI  "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI  "g\+\+\x20" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI  "bin/python" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI  "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI  "/bin/ping" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI  "/bin/mail" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI  "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI  "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI  "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI  "\.htpasswd" 
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI  "/etc/passwd" 
# WEB-MISC ls%20-l
SecRule REQUEST_URI  "ls" chain
SecRule REQUEST_URI "\x20-l" 
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////" 
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecRule REQUEST_URI "echo\x20" 
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20" 
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "fopen"
SecRule REQUEST_URI "\.\.\.\./"
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" 
SecFilter '$path."*"'

SecFilter /boot/
SecFilter /dev/
SecFilter /etc/
SecFilter /initrd/
SecFilter /lib/
SecFilter /lost+found/
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /sbin/
SecFilter /usr/local/apache/
SecFilter /usr/local/cpanel/
SecFilter /usr/local/mysql/
SecFilter /var/
</IfModule>
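An offline check of the rule chain above, added here as an example and not part of Onur's post: it extracts the regex from single-variable SecRule REQUEST_URI lines, compiles each one, and runs them over constructed request URIs so that rules which do not compile and benign requests which would be blocked show up before the file goes live. Python's re module stands in for ModSecurity's PCRE; SecFilter* lines (ModSecurity 1.x syntax) and chained rules are counted as skipped rather than evaluated, and the rule excerpt and traffic are constructed for the example.

```python
"""Offline syntax and false-positive check for REQUEST_URI signatures.

Added example, not part of the thread: it pulls the regex out of
single-variable  SecRule REQUEST_URI "..."  lines, compiles each with
Python's re module (standing in for ModSecurity's PCRE), and runs them
over constructed request URIs. Rules that fail to compile and benign
URIs that would be blocked are reported. SecFilter* lines (ModSecurity
1.x syntax) and chained rules are counted as skipped, not evaluated.
"""
import re

# Constructed excerpt in the style of the rule chain above. The
# "\c99.php\" line is deliberately malformed: the trailing backslash
# escapes the closing quote and \c is not a valid regex escape.
SAMPLE_RULES = r'''
SecFilterEngine On
SecFilter "eggdrop"
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "\?act=ls"
SecRule REQUEST_URI "\?act=cmd"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "\c99.php\"
SecRule REQUEST_URI "/c99\.txt\?"
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a"
'''

# Constructed traffic as (uri, is_benign). The benign entries are the
# kind of request a legitimate application on the same host might make.
SAMPLE_TRAFFIC = [
    ("/files/r57en.php?act=cmd", False),
    ("/images/c99.txt?x=1", False),
    ("/admin/files.php?act=ls&dir=docs", True),
    ("/kb/what-is-.htaccess.html", True),
    ("/index.php?page=home", True),
]

RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"(.*?)"(?:\s+(\S.*))?\s*$')


def load_rules(text):
    """Return (compiled rules, skipped lines, invalid (pattern, error) pairs)."""
    rules, skipped, invalid = [], [], []
    in_chain = False  # True while a previous rule's "chain" is still open
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:  # SecFilter*, SecAudit* and other non-SecRule directives
            skipped.append(line)
            continue
        variables, pattern, actions = m.group(1), m.group(2), m.group(3) or ""
        starts_chain = "chain" in actions.strip('"').split(",")
        if in_chain or starts_chain or variables != "REQUEST_URI":
            skipped.append(line)  # chained or multi-variable: needs engine semantics
            in_chain = starts_chain
            continue
        try:
            rules.append((pattern, re.compile(pattern)))
        except re.error as exc:
            invalid.append((pattern, str(exc)))
    return rules, skipped, invalid


def evaluate(rules, traffic):
    """Map each URI to the patterns that fire; list benign URIs that would be blocked."""
    hits, false_positives = {}, []
    for uri, benign in traffic:
        # These rules carry no t: transformations, so the raw URI string is matched.
        fired = [pattern for pattern, rx in rules if rx.search(uri)]
        hits[uri] = fired
        if benign and fired:
            false_positives.append((uri, fired))
    return hits, false_positives


if __name__ == "__main__":
    rules, skipped, invalid = load_rules(SAMPLE_RULES)
    hits, false_positives = evaluate(rules, SAMPLE_TRAFFIC)
    print(f"{len(rules)} rules loaded, {len(skipped)} skipped, {len(invalid)} invalid")
    for pattern, err in invalid:
        print(f"  does not compile: {pattern!r} ({err})")
    for uri, fired in false_positives:
        print(f"  would block benign request {uri}: {fired}")
```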
#5  07.08.08, 15:07  irmon
I swapped the code you gave in for the code in the modsec2.conf file..

I think I did it right, didn't I?
I restarted httpd, there seems to be no problem.
I wonder, will c99 still get through after this?
#6  07.08.08, 20:45  Onur
With mod_security you can prevent shells from being executed, not from being uploaded. To make sure you did the procedure correctly, you can upload a c99 and an r57 shell and test.
#7  12.08.08, 14:44  bad dream
Quote:
Originally Posted by Onur
Could you try the rule chain below?
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
Secfilter "sbin/"
SecFilter "eggz"
SecFilter "eggdrop"
SecFilter "psybnc"
SecFilter "udp.pl"
SecFilter "bindtty"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI   "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI   "/iblis\.htm\?" 
SecRule REQUEST_URI   "/gif\.gif\?" 
SecRule REQUEST_URI   "/go\.php\.txt\?" 
SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/zehir\.asp"
SecRule REQUEST_URI   "/aflast\.txt\?"
SecRule REQUEST_URI   "/sikat\.txt\?&cmd" 
SecRule REQUEST_URI   "/t\.gif\?" 
SecRule REQUEST_URI   "/phpbb_patch\?&"
SecRule REQUEST_URI   "/phpbb2_patch\?&"
SecRule REQUEST_URI   "/lukka\?&"
#new kit
SecRule REQUEST_URI   "/c99shell\.txt"
SecRule REQUEST_URI   "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY   "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI   "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI   "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI   "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI   "/scan1\.0/scan/"
SecRule REQUEST_URI   "test\.txt\?&"
#30dec
SecRule REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI   "/php\.txt\?"
#1 jan
SecRule REQUEST_URI   "/sql\.txt\?"
SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI   "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI   "/docLib/cmd\.asp"
SecRule REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI   "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "act=selfremove"
SecRule REQUEST_URI "\?act=ls"
SecRule REQUEST_URI "\?act=sql"
SecRule REQUEST_URI "\?act=processes"
SecRule REQUEST_URI "\?act=ftpquickbrute"
SecRule REQUEST_URI "\?act=encoder"
SecRule REQUEST_URI "\?act=feedback"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "\c99.php\"
SecRule REQUEST_URI "\?act=eval"
SecRule REQUEST_URI "\?act=phpinfo"
SecRule REQUEST_URI "\?act=cmd"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
#c99 rootshell
#SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=|tools|ftpquickbrute|mkdir|phpinfo|upload|delete|eval|)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#PHP remote path attach generic signature
SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a" 
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI  "/usr/bin/id" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI  "/bin/echo" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI  "/bin/kill" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI  "/bin/chmod" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI   "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI  "gcc" chain
SecRule REQUEST_URI "x20-o" 
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI  "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI  "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI  "g\+\+\x20" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI  "bin/python" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI  "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI  "/bin/ping" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI  "/bin/mail" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI  "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI  "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI  "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI  "\.htpasswd" 
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI  "/etc/passwd" 
# WEB-MISC ls%20-l
SecRule REQUEST_URI  "ls" chain
SecRule REQUEST_URI "\x20-l" 
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////" 
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(r|s)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecRule REQUEST_URI "echo\x20" 
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20" 
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "fopen"
SecRule REQUEST_URI "\.\.\.\./"
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" 
SecFilter '$path."*"'

SecFilter /boot/
SecFilter /dev/
SecFilter /etc/
SecFilter /initrd/
SecFilter /lib/
SecFilter /lost+found/
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /sbin/
SecFilter /usr/local/apache/
SecFilter /usr/local/cpanel/
SecFilter /usr/local/mysql/
SecFilter /var/
</IfModule>
I'm not using WHM, I have Plesk + Linux; if I install mod_security on my server and add these rules to it, it will do the same job, won't it?
#8
Old 13.08.08, 09:58
Onur
Join Date: Jun 2007
Location: Karaman
Age: 21
Posts: 1,587
Yes, mod_security is not something specific to WHM.
#9
Old 13.08.08, 11:32
irmon
Join Date: Feb 2008
Posts: 51
onur
there's no thanks button to press, so: thanks
#10
Old 21.08.08, 12:16
ucanengin
Join Date: Jun 2008
Posts: 11
To prevent shells being dropped on the server, setting aside the php.ini integration xD and mod_security, first of all you need to pay attention to the mysql + php version you are using. For example,

right now the latest version of mysql doesn't fall for the very solid bypass shells on the market.
__________________
di bekir says :
Those who forget their past are condemned to live it once more.

http://bilisimMimarileri.com
LinkBack to this Thread: http://forum.whmdestek.com/whm-cpanel/195-unlu-2-phpshellli-onlemek-r57-php-c99-php.html