I downloaded that after your last email, but is modsecurity_crs_40_generic_attacks.conf the file that would contain the appropriate protection against uploading of PHP code?

Matt


On Fri, Jun 20, 2014 at 8:14 AM, Ryan Barnett <RBarnett@trustwave.com> wrote:
I believe the rules that come with cPanel are really old OWASP ModSecurity Core Rule Set (CRS) rules.  You should consider updating them - https://github.com/SpiderLabs/owasp-modsecurity-crs

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com


Date: Friday, June 20, 2014 8:10 AM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] Fwd: Mod sec rules

I'm just using the default modsec rules that came with cpanel. Are you refering to this file? modsecurity_crs_40_generic_attacks.conf
I see the file contains some PHP restrictions


On Thu, Jun 19, 2014 at 4:15 PM, Ryan Barnett <RBarnett@trustwave.com> wrote:
Matt,
What ModSecurity ruleset are you using?  The OWASP ModSecurity Core Rule Set (CRS) has rules to detect PHP code being uploaded to the server.  Additionally, our Trustwave SpiderLabs commercial rules include more rules to inspect outbound content that would identify most PHP webshell/backdoors - http://www.modsecurity.org/projects/commercial/rules/

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com


From: Matt <matt@xerad.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Thursday, June 19, 2014 3:52 PM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] Fwd: Mod sec rules


Hi all,

Lately I've been having some security issues with a software I am using, I believe the software might have some type of exploit that allows files to be uploaded to its root directory. I don't want to say the name of the software at this point until that vendor has fully checked into it, but as a temporary solution I thought it might be possible to restrict file names of PHP files that are allowed to run under my cpanel account. Is this possible?

i.e. if the attacker does upload a file called "shell.php", they won't be able to run it if it doesn't match a file name in the list of allows PHP files




This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/


------------------------------------------------------------------------------ HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions Find What Matters Most in Your Big Data with HPCC Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems_______________________________________________ mod-security-users mailing list mod-security-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/