Re: [mod-security-users] Boink filter
From: Augie S. <aug...@gm...> - 2006-02-04 01:14:23
On 2/3/06, li...@32... <li...@32...> wrote:
> I just had an attempt made on my server to exploit it. The user was able to
> upload a folder called .sgurz into the tmp folder, this folder had 2 files,
> boink and .boink2.
> I do not think it did anything except use up all the apache processes.
> What would the filter need to be in order to block this type of attack in the
> future?

Turn mod_security on and watch the logs to see what gets through; you may find
that something like this helps:

# command execution attack wget
SecFilterSignatureAction "log,deny,status:403,msg:'wget command execution attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*wget[[:space:]]*"

But take Ivan's advice and remount /tmp noexec. We ended up just symlinking
/var/tmp, /usr/tmp and /tmp to /dev/shm and remounting that noexec, as those
are all the popular spots for script kiddies to put their junk.

Augie.

--
Registered Linux user #229905
GPG Public Key: http://www.schwer.us/schwer.asc
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
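The following shell script is an added example; it is not from Augie's message or from the mod_security project. It does two things a defender would want to check before relying on the advice above: it runs the ARGS_VALUES regular expression from the reply over constructed parameter values with grep -E (which understands the same POSIX character classes), showing that the rule fires only when a semicolon precedes wget, and it parses a constructed /proc/mounts-style table to report which of the usual temporary directories are not on a noexec mount. The mounts table, the sample values and the helper names (matches_wget_rule, mount_options, lacks_noexec) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread above or from mod_security itself.
# Part 1: run the ARGS_VALUES pattern quoted in the reply over constructed
# parameter values with grep -E, which understands the same POSIX classes.
# Part 2: read a /proc/mounts-style table and report tmp directories whose
# mount lacks the noexec option the reply recommends.

# The regular expression from the SecFilterSelective line in the reply.
WGET_RULE=';[[:space:]]*wget[[:space:]]*'

# matches_wget_rule VALUE: exit 0 if the rule would fire on VALUE.
matches_wget_rule() {
    printf '%s' "$1" | grep -E -q "$WGET_RULE"
}

# mount_options MOUNTS_TEXT PATH: print the option field of the mount that
# holds PATH (the longest mount point that is a prefix of PATH).
mount_options() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }'
}

# lacks_noexec MOUNTS_TEXT PATH: exit 0 if the mount holding PATH has no noexec.
lacks_noexec() {
    opts=$(mount_options "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Constructed mounts table (not a real system): only /dev/shm is noexec,
# /var/tmp is its own rw filesystem, /tmp falls through to the root mount.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,noexec,nosuid 0 0
/dev/sda2 /var/tmp ext3 rw 0 0'

# Demo output when run directly (constructed parameter values).
for value in 'page=1' 'x=a; wget' 'x=a;wget' 'tool=wget'; do
    if matches_wget_rule "$value"; then
        echo "rule fires : $value"
    else
        echo "rule silent: $value"
    fi
done
for dir in /tmp /var/tmp /usr/tmp /dev/shm; do
    if lacks_noexec "$SAMPLE_MOUNTS" "$dir"; then
        echo "$dir: mount is missing noexec (options: $(mount_options "$SAMPLE_MOUNTS" "$dir"))"
    else
        echo "$dir: noexec set"
    fi
done
```

On a live host, pass "$(cat /proc/mounts)" instead of SAMPLE_MOUNTS and resolve each directory with readlink -f first, since a /tmp that is a symlink to /dev/shm (as in the reply) only inherits noexec from the target mount. The first loop is a reminder that the rule is a narrow signature: a value such as "tool=wget" with no semicolon passes it, so the audit log, not the rule alone, tells you what else is getting through.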