Re: [mod-security-users] Fwd: Mod sec rules
From: Ryan B. <RBa...@tr...> - 2014-06-19 20:17:37
Matt,

What ModSecurity ruleset are you using? The OWASP ModSecurity Core Rule Set (CRS) has rules to detect PHP code being uploaded to the server. Additionally, our Trustwave SpiderLabs commercial rules include more rules to inspect outbound content that would identify most PHP webshell/backdoors - http://www.modsecurity.org/projects/commercial/rules/

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Matt <ma...@xe...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Thursday, June 19, 2014 3:52 PM
To: "mod...@li..." <mod...@li...>
Subject: [mod-security-users] Fwd: Mod sec rules

Hi all,

Lately I've been having some security issues with a software I am using, I believe the software might have some type of exploit that allows files to be uploaded to its root directory. I don't want to say the name of the software at this point until that vendor has fully checked into it, but as a temporary solution I thought it might be possible to restrict file names of PHP files that are allowed to run under my cpanel account. Is this possible?

i.e. if the attacker does upload a file called "shell.php", they won't be able to run it if it doesn't match a file name in the list of allowed PHP files.
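An added example, not part of the original thread and not taken from the CRS or the Trustwave commercial rules: one way to express the filename allowlist asked about above as a ModSecurity 2.x chained rule. The script paths in the allowlist and the rule id are placeholders (assumptions) to be replaced with the application's real entry points.

```apache
# Added example: allowlist of PHP scripts that may be requested directly.
# Assumptions: ModSecurity 2.x with SecRuleEngine On; the three script
# paths below are placeholders, not names from the thread.

# Rule 1 (chain starter): fire on any request path that contains a
# PHP-style extension, including the "/upload.php/extra" PATH_INFO form
# and the alternate extensions a PHP handler is often mapped to.
SecRule REQUEST_FILENAME "@rx (?i)\.ph(?:p[0-9]?|tml|ar)(?:/|$)" \
    "id:10001,\
    phase:1,\
    t:none,t:urlDecodeUni,t:normalisePath,\
    deny,\
    status:403,\
    log,\
    msg:'PHP script requested that is not on the allowlist',\
    logdata:'%{REQUEST_FILENAME}',\
    chain"
    # Rule 2: the chain only matches (and the request is only denied)
    # when the normalised path is NOT exactly one of the allowed scripts.
    # The match is anchored and case-sensitive, so it fails closed.
    SecRule REQUEST_FILENAME "!@rx ^/(?:index|login|admin/index)\.php$" \
        "t:none,t:urlDecodeUni,t:normalisePath"
```

This limits which PHP files can be requested directly; it does not fix the upload flaw itself, and a file that an allowed script includes is not covered. Each denied request is logged with its path under rule id 10001, which also gives an audit trail of attempts to reach unexpected scripts.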