[Dshield] Another web server attack

jayjwa jayjwa at atr2.ath.cx
Sat Nov 19 18:49:11 GMT 2005



On Thu, 17 Nov 2005, lucy at lucindrea.com wrote:

-> Yeah, I've been seeing a lot of 404's in my server log for /blog... (several
-> combos of paths), now I know what it is.


-> > I did find out a few things -- the malicious script added Javascript or
-> > PHP code to existing script files that were group/world writable, which
-> > when executed would allow the web site to be used as an anonymizer for
-> > the purpose of accessing warez and other such undesirable stuff on a
-> > server in Russia (which apparently was a legit box, but had also been
-> > co-opted as a warez distribution point).


It's probably a good time to mention this again; it seems like it should be
quite effective against this sort of attack:


http://www.modsecurity.org/


1.9 is current as of this writing.

# fetch the source tarball and its detached PGP signature (.asc);
# verify the signature before building.
curl -O -v \
http://www.modsecurity.org/download/modsecurity-apache-1.9.tar.gz \
-O http://www.modsecurity.org/download/modsecurity-apache-1.9.tar.gz.asc

The src archive contains both Apache 1 & Apache 2 code.



You can then filter for suspect requests, ex:

# ModSecurity 1.x: SecFilter rules do nothing until the engine is on, and
# POST bodies are only inspected with SecFilterScanPOST On.
SecFilterEngine On
SecFilterScanPOST On

# SQL fragments that have no business in a request to this site
SecFilter       "delete[[:space:]]+from"        "deny,log,status:400"
SecFilter       "insert[[:space:]]+into"        "deny,log,status:400"
SecFilter       "select.+from"                  "deny,log,status:400"
# phpBB's viewtopic.php, heavily probed at the time; only block it if this
# host does not actually serve it
SecFilter       "viewtopic.php"                 "deny,log,status:403"
# classic file-inclusion / traversal / command-injection targets
SecFilter       "/etc/passwd"   "deny,log,status:403"
SecFilter       "/bin/bash"     "deny,log,status:403"
SecFilter       "/etc/shadow"   "deny,log,status:403"


Just be careful not to filter things that could appear in legit requests too. ;)



-- 
    / /     __  __  __  __  __ __  __  mail me for my *
   / /__   / / /  \/ / / /_/ / \ \/ /  * email address.
  /_____/ /_/ /_/\__/ /_____/  /_/\_\ ::[ATr2 RG 2005]::
============================================================
IF you have to request that people contact you via a WEBFORM
because you've blocked off virtually all smtp-sent email from
your own MTA  ...You just might be guilty of DNS-RBL abuse.
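
Since the thread is about exactly this kind of tampering, here is an added
check, written for this reply and not part of the original post or of
ModSecurity: a Python script that walks a web root for group/world-writable
script files and flags the ones whose tail carries code of the shape
described above (a second PHP open tag after the script's own close tag,
obfuscated eval, document.write/unescape, a zero-size iframe). The marker
list, the extension list and the sample tree that demo() builds are my
assumptions; the post does not show the actual payload.

```python
"""Find group/world-writable script files under a web root and flag those
whose tail looks like appended PHP or JavaScript.

Added example for this reply, not code from the post. The thread
describes a script that appended PHP/JavaScript to existing files that
were group- or world-writable, so this looks for both halves of that
combination. The marker patterns, the extension list and the sample
tree that demo() builds are assumptions made for the example; the post
does not show the actual payload.
"""
import os
import re
import shutil
import stat
import sys
import tempfile

SCRIPT_EXT = (".php", ".inc", ".js", ".html")
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH

# Assumed shapes of injected code: (name, regex over the file's tail bytes).
INJECTION_MARKERS = [
    ("reopened_php",      re.compile(rb"\?>\s*<\?php")),   # code after the script's own close tag
    ("obfuscated_eval",   re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("js_unescape_write", re.compile(rb"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("hidden_iframe",     re.compile(rb"<iframe[^>]*(width|height)\s*=\s*['\"]?0\b", re.I)),
]


def is_loose(path):
    """True if the file is group- or world-writable."""
    return bool(os.stat(path).st_mode & LOOSE_BITS)


def injected_markers(path, tail=4096):
    """Names of markers found in the last `tail` bytes (appended code lives there)."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail))
        data = fh.read()
    return [name for name, rx in INJECTION_MARKERS if rx.search(data)]


def scan(root):
    """Walk root and report every script file that is loosely permissioned or
    carries a marker: {relative path: {"writable": bool, "markers": [...]}}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCRIPT_EXT):
                continue
            path = os.path.join(dirpath, name)
            loose, marks = is_loose(path), injected_markers(path)
            if loose or marks:
                findings[os.path.relpath(path, root)] = {"writable": loose, "markers": marks}
    return findings


# Constructed sample content for demo()
CLEAN_PHP = b"<?php\n// ordinary page\necho 'hello';\n?>\n"
TAMPERED_PHP = CLEAN_PHP + b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n"
TAMPERED_JS = (b"function menu() {}\n"
               b"document.write(unescape('%3Cscript src=%22http://example.invalid/a.js%22%3E%3C/script%3E'))\n")


def demo():
    """Build a throw-away web root with constructed files and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.mkdir(os.path.join(root, "blog"))
        samples = {
            "index.php":      (CLEAN_PHP,    0o644),  # clean and tight: not reported
            "blog/post.php":  (TAMPERED_PHP, 0o666),  # world-writable and tampered
            "blog/menu.js":   (TAMPERED_JS,  0o664),  # group-writable and tampered
            "blog/conf.inc":  (CLEAN_PHP,    0o666),  # writable, not (yet) tampered
            "blog/theme.css": (b"body {}\n", 0o666),  # writable but not a script type
        }
        for rel, (content, mode) in samples.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return scan(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, info in sorted(result.items()):
        flag = "WRITABLE" if info["writable"] else "        "
        print(f"{flag} {rel}: {', '.join(info['markers']) or 'no markers'}")
```

Run it with the web root as the first argument to scan a real tree, or with
no argument to see it report the constructed sample: the clean, 0644 index.php
is silent, the writable-but-untouched conf.inc shows up as a permission
problem only, and the two tampered files show which marker fired.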

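And to make the "legit requests" caveat concrete, an added emulation (mine,
not code from the post or from the ModSecurity project) of how 1.x SecFilter
matching behaves: the rule list above is applied, in order and
case-insensitively, to a handful of constructed requests after URL-decoding,
with the body scanned only when SecFilterScanPOST is on. The normalisation
step is an approximation of what the module does, and the sample requests and
the "tighter" select rule are constructed for this example.

```python
"""Emulate ModSecurity 1.x SecFilter matching over a few sample requests.

Added example for this reply; it is not code from the post or from the
ModSecurity project. Approximation of the 1.x behaviour: the request
line (and the body, only when SecFilterScanPOST is on) is URL-decoded
and normalised, then each SecFilter regex is tried in order,
case-insensitively, and the first match decides the action. The rules
are the ones from the post; the sample requests, the normalisation
details and the "tighter" select rule are constructed assumptions.
"""
import re
from urllib.parse import unquote_plus

# The rules from the post: (pattern, action)
SEC_FILTERS = [
    (r"delete[[:space:]]+from", "deny,log,status:400"),
    (r"insert[[:space:]]+into", "deny,log,status:400"),
    (r"select.+from",           "deny,log,status:400"),
    (r"viewtopic.php",          "deny,log,status:403"),
    (r"/etc/passwd",            "deny,log,status:403"),
    (r"/bin/bash",              "deny,log,status:403"),
    (r"/etc/shadow",            "deny,log,status:403"),
]


def with_tighter_select(rules):
    """Swap the loose "select.+from" for a pattern that needs whitespace
    around both keywords (a constructed alternative, not from the post)."""
    strict = r"select[[:space:]]+.+[[:space:]]+from[[:space:]]+"
    return [(strict if pat == r"select.+from" else pat, act) for pat, act in rules]


TIGHTER_FILTERS = with_tighter_select(SEC_FILTERS)


def to_python_regex(posix_pattern):
    """Python's re has no POSIX classes; translate the one the rules use."""
    return posix_pattern.replace("[[:space:]]", r"\s")


def normalise(text):
    """Rough stand-in for the module's pre-match normalisation."""
    text = unquote_plus(text)              # %2e%2e%2f -> ../ and '+' -> ' '
    text = re.sub(r"/\.(?=/)", "", text)   # drop /./ self-references
    text = re.sub(r"/{2,}", "/", text)     # collapse runs of slashes
    return text


def evaluate(request_line, body="", scan_post=False, rules=SEC_FILTERS):
    """Return (action, pattern) of the first matching rule, else ("allow", None)."""
    haystack = normalise(request_line)
    if scan_post:                          # SecFilterScanPOST On
        haystack += "\n" + normalise(body)
    for pattern, action in rules:
        if re.search(to_python_regex(pattern), haystack, re.IGNORECASE):
            return action, pattern
    return "allow", None


# Constructed sample traffic: name -> (request line, body)
SAMPLES = {
    "sqli":      ("GET /blog/index.php?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.0", ""),
    "traversal": ("GET /blog/view.php?page=%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0", ""),
    "probe":     ("GET /blog/wp-trackback.php HTTP/1.0", ""),          # one of the /blog 404s
    "legit":     ("GET /store/select.php?from=catalog HTTP/1.0", ""),  # harmless, yet it trips a rule
    "post_sqli": ("POST /blog/comment.php HTTP/1.0", "comment=1;+delete+from+posts"),
}


def run_samples(scan_post=False, rules=SEC_FILTERS):
    """Map each sample name to the action the rule set would take."""
    return {name: evaluate(line, body, scan_post, rules)[0]
            for name, (line, body) in SAMPLES.items()}


if __name__ == "__main__":
    configs = [
        ("rules as posted, SecFilterScanPOST Off", dict(scan_post=False)),
        ("rules as posted, SecFilterScanPOST On",  dict(scan_post=True)),
        ("tighter select rule, ScanPOST On",       dict(scan_post=True, rules=TIGHTER_FILTERS)),
    ]
    for title, kw in configs:
        print(title)
        for name, action in run_samples(**kw).items():
            print(f"  {name:10s} {action}")
```

Three things fall out of running it: the injection and traversal attempts are
caught even when the attacker URL-encodes spaces and dots, because matching
happens after decoding; the SQL in the POST body sails through until
SecFilterScanPOST is on; and the harmless /store/select.php?from=catalog is
rejected with a 400 by "select.+from", which is the false positive the
caveat above warns about. Requiring whitespace around the keywords keeps the
real injection blocked while letting that request through.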