Thread: [mod-security-users] Problem executing PHP script as filter action
From: David B. Jr. <db...@gm...> - 2006-04-25 16:50:40
I'm having a problem with the following rule:

SecFilter "/bin/davetest" "exec:/usr/local/mod_sec/report-attack.sh"

where the contents of /usr/local/mod_sec/report-attack.sh are

#!/usr/local/bin/php -q
<?php
ob_start();
print_r($_SERVER);
$data = ob_get_contents(); // save it in a variable for later use
ob_end_clean();            // stop buffering
mail("db...@xx...", "Environment Vars", $data);
echo "Done! \n";
$file = "/tmp/davetest.txt";
$open = @fopen($file, "w");
if ($open) {               // only write if the file could be opened
    fwrite($open, $data);
    fclose($open);
}
?>

The file will execute from the command line, and it looks like it's processed in the audit log:

mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
mod_security-executed: /usr/local/mod_sec/report-attack.sh

But I never get an email and the file is never written. Am I doing something wrong?

mod_security 1.9.3
apache 1.3.33
php version 4.4.0

Thanks for any help
David Brieck
From: Tom A. <tan...@oa...> - 2006-04-25 17:13:57
David Brieck Jr. wrote:
> The file will execute from the command line, and it looks like it's
> processed in the audit log:
> But I never get an email and the file is never written. Am I doing
> something wrong?

Does it execute correctly from the command line if run as user "apache"? That would be the first thing I would check. Likely a permissions issue.

Tom
From: David B. Jr. <db...@gm...> - 2006-04-26 15:34:40
On 4/25/06, Tom Anderson <tan...@oa...> wrote:
> Does it execute correctly from the command line if run as user "apache"?
> That would be the first thing I would check. Likely a permissions
> issue.
>
> Tom

Our apache runs as httpd. If I su httpd then run the file I both get an email and have the variables written out to the text file.

Since my original email I also tried to send an email with a perl script with the same results: an email sent from the command line and nothing when executed with mod security. I also tried to run the perl script both through mod sec and as the httpd user with the same results as the php file.

We don't run sendmail, we run qmail with the sendmail replacement, not sure if this matters.

Ultimately the script will do much more than send an email, but I figure that's a good place to start.

(resending this because i didn't hit reply to all)
From: Ivan R. <iva...@gm...> - 2006-04-26 13:58:33
On 4/25/06, Tom Anderson <tan...@oa...> wrote:
> David Brieck Jr. wrote:
> > The file will execute from the command line, and it looks like it's
> > processed in the audit log:
> > But I never get an email and the file is never written. Am I doing
> > something wrong?
>
> Does it execute correctly from the command line if run as user "apache"?
> That would be the first thing I would check. Likely a permissions issue.

Also, can you try executing some other script that is not PHP? PHP has some built-in security "logic" (need I say that it's faulty?) that attempts to detect if it's run as a CGI script (and then stops executing if it does).

If you increase the debug log level you might get more information about the execution.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: David B. Jr. <db...@gm...> - 2006-04-26 15:32:59
On 4/26/06, Ivan Ristic <iva...@gm...> wrote:
>
> Also, can you try executing some other script that is not PHP? PHP has
> some built-in security "logic" (need I say that it's faulty?) that
> attempts to detect if it's run as a CGI script (and then stops
> executing if it does).
>
> If you increase the debug log level you might get more information
> about the execution.

Thanks. I just finished trying a bash script to send me an email. It looks like this:

#!/bin/bash
/bin/mail -s "My subject" db...@xx... <<EOF
This is a test email.
EOF

Its permissions are:

[root@cp mod_sec]# ls -l report-attack.sh
-rwxr-xr-x 1 root root 93 Apr 26 10:34 report-attack.sh

The permissions on /bin/mail are:

[root@cp mod_sec]# ls -l /bin/mail
-rwxr-xr-x 1 root mail 66492 Jun 24 2001 /bin/mail

Again, I have no problems doing this from the command line, it's just when mod_sec tries to do it. Our apache is not chrooted nor are we using the mod_sec chroot path.

I increased the debug level to 9 and there were no error messages, just its normal stuff.

Another interesting thing I noticed was that the error code returned is 403, but it should be 500 as the default is set:

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

Any ideas why it would be giving a different error code for this rule with an exec on it as well?

Here is the entire entry from the audit log:

==4124522d==============================
Request: REMOVED xx.xx.xx.xx - - [26/Apr/2006:10:33:55 -0400] "GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1" 403 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2" RE@E0woBlkYAAEUAj4k "-"
Handler: mod_gzip_handler
----------------------------------------
GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: max-age=0
Connection: keep-alive
Cookie: REMOVED
Host: REMOVED
Keep-Alive: 300
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
mod_security-executed: /usr/local/mod_sec/report- attack.sh

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

--4124522d--

Thanks for your help, I'm really at a loss to the problem.

(resending this because i didn't hit reply to all)
From: Ivan R. <iva...@gm...> - 2006-04-26 15:58:11
> I increased the debug level to 9 and there were no error messages, just its
> normal stuff.

There should be a line that begins with "sec_exec_child: First line from script output". Can you find it? What does it say?

> Ultimately the script will do much more than send an email, but I figure
> that's a good place to start.

I am not sure that is such a good idea. What will happen when you get 100 attacks per second? Even if you build a throttling mechanism your box is going to have difficulties starting 100 binaries per second. :)

A safer approach is to observe the audit log entries from a single process.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Alex V. <ale...@ss...> - 2006-04-26 16:05:10
On Wed 26 April 2006 17:32, David Brieck Jr. wrote:
[...]
> mod_security-message: Access denied with code 403. Pattern match
> "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
> mod_security-action: 403
> mod_security-executed: /usr/local/mod_sec/report- attack.sh
[...]

Why do you have a space between report- and attack??? Try avoiding dashes in the name and see if that's the source of the problem.

Hope this helps
Alex
From: David B. Jr. <db...@gm...> - 2006-04-26 17:31:10
On 4/26/06, Alex V. <ale...@ss...> wrote:
>
> On Wed 26 April 2006 17:32, David Brieck Jr. wrote:
> [...]
> > mod_security-message: Access denied with code 403. Pattern match
> > "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
> > mod_security-action: 403
> > mod_security-executed: /usr/local/mod_sec/report- attack.sh
> [...]
> Why do you have a space between report- and attack??? Try avoiding dashes in
> the name and see if that's the source of the problem.
>
> Hope this helps
>
> Alex

Not sure why that came through with a space, there are no spaces in the filename. Removing the dash doesn't seem to do anything either:

mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
mod_security-executed: /usr/local/mod_sec/reportattack.sh

and still no email. :(
From: David B. Jr. <db...@gm...> - 2006-04-26 17:27:21
On 4/26/06, Ivan Ristic <iva...@gm...> wrote:
>
> > I increased the debug level to 9 and there were no error messages, just
> > its normal stuff.
>
> There should be a line that begins with "sec_exec_child: First line
> from script output". Can you find it? What does it say?
>
> > Ultimately the script will do much more than send an email, but I figure
> > that's a good place to start.
>
> I am not sure that is such a good idea. What will happen when you get
> 100 attacks per second? Even if you build a throttling mechanism your
> box is going to have difficulties starting 100 binaries per second. :)
>
> A safer approach is to observe the audit log entries from a single
> process.

Here are the results from the debug log if the level is set to 9.

[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][2] Detection phase starting (request 8288628): "GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][4] Normalised REQUEST_URI: "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&id=1&/bin/davetest"

If I grep "sec_exec_child" modsec_debug_log there are no results.

My reasoning is that we were recently broken into and after going back over all the logs it became very clear that if we just had something running to block the offenders based on mod security's filters we would probably not have been hacked. What would you suggest using instead to monitor the logs?
From: Ivan R. <iva...@gm...> - 2006-04-26 23:06:54
On 4/26/06, David Brieck Jr. <db...@gm...> wrote:
> Here are the results from the debug log if the level is set to 9.
>
> ...

What you pasted does not appear as a valid debug log fragment. Why don't you send me (to my private email address) the complete debug log file and I'll have a look.

> What would you suggest using instead to monitor the logs?

Well, I am somewhat biased toward the ModSecurity Console: http://www.thinkingstone.com/products/console/

You can also look at SEC (http://www.estpak.ee/~risto/sec/) for real-time monitoring, or the Artificial Ignorance script I distribute as part of Apache tools (http://www.apachesecurity.net/tools/).

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
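Ivan's suggestion in the two replies above, reading the audit log from one long-lived process instead of forking a script per blocked request, as an added example that is not from the thread, from ModSecurity or from any of the tools Ivan names. It parses entries in the 1.9 audit-log layout David pasted (the "==id==" / "--id--" framing and the "Request:" line) and counts denials per client so a single decision can be taken per offender; the sample log, host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 1.9 audit-log layout David quoted:
# each entry sits between an "==<id>==..." line and a "--<id>--" line
# (host names, client addresses and the extra ids are made up).
SAMPLE_AUDIT_LOG = """\
==4124522d==============================
Request: www.example.test 192.0.2.10 - - [26/Apr/2006:10:33:55 -0400] "GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1" 403 219 "-" "Mozilla/5.0" RE@E0woBlkYAAEUAj4k "-"
----------------------------------------
GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
--4124522d--
==4124522e==============================
Request: www.example.test 192.0.2.10 - - [26/Apr/2006:10:33:56 -0400] "GET /index.php?x=/bin/davetest HTTP/1.1" 403 219 "-" "Mozilla/5.0" RE@E0woBlkYAAEUAj4l "-"
----------------------------------------
GET /index.php?x=/bin/davetest HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
--4124522e--
==4124522f==============================
Request: www.example.test 198.51.100.7 - - [26/Apr/2006:10:34:01 -0400] "GET /cgi-bin/x?/bin/davetest HTTP/1.1" 403 219 "-" "Mozilla/5.0" RE@E0woBlkYAAEUAj4m "-"
----------------------------------------
GET /cgi-bin/x?/bin/davetest HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
--4124522f--
"""

# One entry: the id on the opening frame must be repeated on the closing frame.
ENTRY_RE = re.compile(r"^==(\w+)=+\n(.*?)^--\1--$", re.S | re.M)
# 'Request: <vhost> <client ip> - - [<time>] "<request line>" ...'
REQUEST_RE = re.compile(r'^Request: (\S+) (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"', re.M)
MESSAGE_RE = re.compile(r"^mod_security-message: (.*)$", re.M)

def parse_entries(text):
    """Yield one dict per complete audit-log entry found in text."""
    for m in ENTRY_RE.finditer(text):
        body = m.group(2)
        req = REQUEST_RE.search(body)
        if req is None:          # truncated or unexpected entry: skip, don't crash
            continue
        msg = MESSAGE_RE.search(body)
        yield {"id": m.group(1), "vhost": req.group(1), "ip": req.group(2),
               "time": req.group(3), "request": req.group(4),
               "message": msg.group(1) if msg else ""}

def offenders(text, threshold=2):
    """Denied requests per client ip; return the clients at or above threshold."""
    counts = defaultdict(int)
    for entry in parse_entries(text):
        counts[entry["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Pointed at a live file, the same two functions can be fed the text appended since the last read, which is what keeps the cost at one reader process however many requests the filter denies.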