Thread: [mod-security-users] Fwd: Mod sec rules
From: Matt <ma...@xe...> - 2014-06-19 19:53:01
Hi all,

Lately I've been having some security issues with some software I am using. I believe the software might have some type of exploit that allows files to be uploaded to its root directory. I don't want to say the name of the software at this point, until the vendor has fully checked into it, but as a temporary solution I thought it might be possible to restrict the file names of PHP files that are allowed to run under my cPanel account. Is this possible?

i.e. if the attacker does upload a file called "shell.php", they won't be able to run it if it doesn't match a file name in the list of allowed PHP files.
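What Matt is asking for, as an added example that is not from the thread, from cPanel or from the CRS: an execution allow-list for PHP scripts, written two ways (mod_rewrite directives in the account's docroot .htaccess, and the equivalent ModSecurity rule), plus the no-execute treatment for an uploads directory. It assumes Apache 2.4 with AllowOverride FileInfo enabled for the account and ModSecurity 2.x; index.php, admin.php and api.php stand in for the application's real entry points, and the rule IDs are placeholders in the local range. The caveat a practitioner needs: this stops Apache from serving a dropped shell.php directly, but it does not close the upload bug, it does nothing if the attacker overwrites an allowed file such as index.php in the writable root, and it does not stop an allowed script from include()-ing the dropped file.

```apache
# Added example, not from the thread or from cPanel's shipped rules.
# Goal: only a fixed list of PHP scripts may execute; any other *.php that
# turns up under the docroot (e.g. an uploaded shell.php) gets a 403.
# Assumptions: Apache 2.4 + mod_rewrite, AllowOverride FileInfo for this
# account, ModSecurity 2.x. index.php / admin.php / api.php are placeholders.

# --- Variant A: mod_rewrite, in the docroot's .htaccess -------------------
RewriteEngine On

# Anything that looks like a PHP script request, including path-info
# suffixes (shell.php/x) and mixed case ...
RewriteCond %{REQUEST_URI} \.ph(?:p[3457]?|t|tml|ar)(?:/|$) [NC]
# ... that is not exactly one of the allowed entry points ...
RewriteCond %{REQUEST_URI} !^/(?:index|admin|api)\.php$
# ... is refused before any handler runs.
RewriteRule ^ - [F,L]

# --- Variant B: the same policy as a ModSecurity rule (httpd.conf scope) ---
# Phase 1 sees only the request line and headers, so the file is never
# executed; the chained rule fires when the path is NOT on the allow-list.
SecRule REQUEST_FILENAME "@rx (?i)\.ph(?:p[3457]?|t|tml|ar)(?:/|$)" \
    "id:90001,phase:1,chain,deny,status:403,log,\
    msg:'PHP script outside execution allow-list',logdata:'%{REQUEST_FILENAME}'"
    SecRule REQUEST_FILENAME "!@rx ^/(?:index|admin|api)\.php$"

# --- Upload directory: never execute, whatever the file is called ---------
# Put this in uploads/.htaccess (also needs AllowOverride FileInfo).
# Under mod_php:
#   php_flag engine off
# Under suPHP, PHP-FPM or CGI, where php_flag is ignored, strip the handler
# so every file is served as static content:
#   RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar
#   SetHandler default-handler
```

Both variants match on the request path rather than the file's basename, so a shell dropped as uploads/index.php is still refused; a `<FilesMatch>` allow-list would let it through because it compares file names only. Test the allow-list with a harmless probe (a file containing only `<?php echo "probe";`) placed under a non-listed name before relying on it.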
From: Ryan B. <RBa...@tr...> - 2014-06-19 20:17:37
Matt,

What ModSecurity ruleset are you using? The OWASP ModSecurity Core Rule Set (CRS) has rules to detect PHP code being uploaded to the server. Additionally, our Trustwave SpiderLabs commercial rules include more rules to inspect outbound content that would identify most PHP webshells/backdoors - http://www.modsecurity.org/projects/commercial/rules/

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Matt <ma...@xe...> - 2014-06-20 12:10:17
I'm just using the default modsec rules that came with cPanel. Are you referring to this file? modsecurity_crs_40_generic_attacks.conf

I see the file contains some PHP restrictions.
From: Ryan B. <RBa...@tr...> - 2014-06-20 12:15:05
I believe the rules that come with cPanel are really old OWASP ModSecurity Core Rule Set (CRS) rules. You should consider updating them - https://github.com/SpiderLabs/owasp-modsecurity-crs

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Matt <ma...@xe...> - 2014-06-20 20:29:30
I downloaded that after your last email, but is modsecurity_crs_40_generic_attacks.conf the file that would contain the appropriate protection against uploading of PHP code?

Matt
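For the kind of check Matt is asking about, this is what an upload-inspecting ModSecurity rule set looks like. It is an added example, not a rule taken from modsecurity_crs_40_generic_attacks.conf or any other CRS file, and it makes no claim about which CRS file carries that protection. It assumes ModSecurity 2.9 or later (FILES_TMPCONTENT was added in 2.9 and, per the reference manual, is only populated when SecUploadKeepFiles is On), rule IDs in the local range, and a SecUploadDir that exists and is writable only by the web server's user.

```apache
# Added example, not from the OWASP CRS or cPanel. Three layers, in order of
# how easily an attacker sidesteps them: the client-supplied file name, the
# bytes of the uploaded part, and PHP tags smuggled through ordinary
# parameters. Assumes ModSecurity 2.9+; IDs 90010-90012 are placeholders.

SecRequestBodyAccess On                    # buffer bodies so phase 2 sees uploads
SecTmpDir /tmp
SecUploadDir /var/tmp/modsec-uploads       # assumption: exists, 0700, httpd user
SecUploadKeepFiles On                      # required for FILES_TMPCONTENT; prune the dir

# 1. Name-based. FILES holds the original file names of multipart parts.
#    Cheap, but renaming the shell to avatar.jpg gets past it.
SecRule FILES "@rx (?i)\.ph(?:p[3457]?|t|tml|ar)$" \
    "id:90010,phase:2,deny,status:403,log,\
    msg:'Upload of a PHP-named file',logdata:'%{MATCHED_VAR}'"

# 2. Content-based. FILES_TMPCONTENT is the content of each uploaded part,
#    so a PHP open tag is caught regardless of the name or extension.
SecRule FILES_TMPCONTENT "@rx (?i)<\?(?:php\b|=)" \
    "id:90011,phase:2,deny,status:403,log,\
    msg:'PHP open tag inside uploaded file',logdata:'%{MATCHED_VAR_NAME}'"

# 3. Parameter-based. A writable docroot is often fed by an application that
#    writes request arguments straight to disk, not by a file upload at all.
SecRule ARGS|ARGS_NAMES "@rx (?i)<\?(?:php\b|=)" \
    "id:90012,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,\
    msg:'PHP open tag in request argument',logdata:'%{MATCHED_VAR_NAME}'"
```

Run the rules in DetectionOnly first and check the audit log, since layer 3 will also trip on legitimate content such as a CMS editor posting code samples. None of this helps once a file is already on disk; those need the execution controls and the file-system triage discussed in this thread.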
From: Reindl H. <h.r...@th...> - 2014-06-19 20:02:29
On 19.06.2014 21:52, Matt wrote:
> i.e. if the attacker does upload a file called "shell.php", they won't be able to run it if it doesn't match a file name in the list of allowed PHP files

That's nonsense. Filtering based on file names can never work; if I want to attack you, I will succeed by renaming. Period.

If a piece of software seems to allow uploads to the root directory, shut down that damned piece of software, or at least disable uploads completely, for the sake of *anybody* out there who gets attacked all day long by compromised servers, caused by people trying to work around and repair things which are just broken because of no understanding of security.

An application firewall's job is to mitigate the attack surface in general, not to fix known broken software.
From: Walter H. <mo...@sp...> - 2014-06-19 20:52:34
On 19 Jun 2014, at 21:52, Matt <ma...@xe...> wrote:
> [...] as a temporary solution I thought it might be possible to restrict file names of PHP files that are allowed to run under my cpanel account. Is this possible?

You can certainly do this with ModSecurity, but it might be tedious to write the necessary rules for it, especially if you have a complex web application with a bad URL structure/API, which most of them are. In this situation, it might be easier to write a .htaccess file (assuming you are using Apache) which lists the allowed URIs and denies requests for everything else.

Your web root directory should generally not be writable by the web server, especially when running PHP, which makes it easy to place executable code there. A normal user should own the directory and files, and they should not be writable by others. Maybe you must have some uploads directory that needs to be writable, but then make only that directory writable and protect it so that only safe extensions (image/txt...) are allowed. Again this could be done with ModSecurity rules, or perhaps quicker with a .htaccess file.

However, the actual vulnerability lies in the software that put the files there. If it's a web application creating the files, the rogue files will be owned by the web server process owner. Do a find for all files which are owned by that user and maybe you'll find more rogue uploads. (I've seen Windows users getting a botnet infection that immediately attacked all their stored FTP passwords, so don't forget that the files could have gotten there in another way.)

If it's the web server that created the file, you might be able to find the script by looking at the file creation times of the rogue files you discovered. Hopefully, you'll find in the access_logs of your web server the scripts that were requested around those times.

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
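The two triage steps in Walter's last paragraphs, as an added Python example (not a tool from the thread or from cPanel): walk the web root for files owned by the web server's uid, then pull the access_log requests that arrived within a window around each file's mtime, flagging successful non-GET requests as the ones to read first. It assumes Apache's combined log format, that the web server's uid is known to the caller (looking it up with pwd.getpwnam('nobody') is an assumption about a typical cPanel box), and that mtime is a usable stand-in for creation time, which holds for a freshly dropped file but not for one edited since. The log lines and the shell.php mtime in the block are constructed.

```python
"""Added example, not from the thread. Find files the web server's user owns,
then correlate each one's mtime with the access_log to spot the dropper.
Assumes Apache 'combined' log format and a known httpd uid (assumption:
pwd.getpwnam('nobody').pw_uid on a typical cPanel host)."""
import os
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple, Tuple

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class Request(NamedTuple):
    ts: datetime
    ip: str
    method: str
    path: str
    status: int


def parse_log(lines: Iterable[str]) -> List[Request]:
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    out = []
    for line in lines:
        m = COMBINED.match(line)
        if m:
            out.append(Request(datetime.strptime(m["ts"], TS_FMT), m["ip"],
                               m["method"], m["path"], int(m["status"])))
    return out


def webserver_owned_files(root: str, uid: int) -> Dict[str, datetime]:
    """Equivalent of `find ROOT -type f -user UID`: path -> mtime (UTC).
    Symlinks are skipped so a link into /etc cannot be reported as a hit."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            st = os.stat(p)
            if st.st_uid == uid:
                found[p] = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
    return found


def requests_near(mtime: datetime, reqs: List[Request],
                  window: timedelta = timedelta(seconds=60)) -> List[Request]:
    """Requests within +/- window of mtime, oldest first. The dropper is
    usually a POST just before the mtime; later hits show how the file was used."""
    lo, hi = mtime - window, mtime + window
    return sorted((r for r in reqs if lo <= r.ts <= hi), key=lambda r: r.ts)


def correlate(files: Dict[str, datetime], reqs: List[Request],
              window: timedelta = timedelta(seconds=60)) -> Dict[str, List[Request]]:
    return {p: requests_near(t, reqs, window) for p, t in files.items()}


def likely_droppers(reqs: List[Request]) -> List[Request]:
    """Narrow a window to successful non-GET requests: it narrows, it does not judge."""
    return [r for r in reqs if r.method != "GET" and 200 <= r.status < 400]


# Constructed sample data, not from the original thread.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2014:21:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2014:21:40:45 +0000] "POST /vendor/upload.php HTTP/1.1" 200 37 "-" "python-requests/2.3"
203.0.113.7 - - [19/Jun/2014:21:40:47 +0000] "GET /shell.php?c=id HTTP/1.1" 200 81 "-" "python-requests/2.3"
198.51.100.4 - - [19/Jun/2014:23:15:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that should be skipped
"""
SHELL_MTIME = datetime(2014, 6, 19, 21, 40, 46, tzinfo=timezone.utc)  # constructed


def demo() -> Dict[str, List[Request]]:
    """Correlate a constructed shell.php mtime against the sample log."""
    files = {"/home/acct/public_html/shell.php": SHELL_MTIME}
    return correlate(files, parse_log(SAMPLE_LOG.splitlines()))


def self_check_owned_files() -> Tuple[int, int]:
    """Drop a file owned by the current uid in a temp tree; returns how many
    files the walker reports for that uid and for a uid that owns nothing."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sub", "dropped.php")
        os.makedirs(os.path.dirname(p))
        with open(p, "w") as fh:
            fh.write("<?php echo 1; ?>")
        me = os.getuid()
        return len(webserver_owned_files(d, me)), len(webserver_owned_files(d, me + 1))


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for r in hits:
            print(f"  {r.ts:%Y-%m-%d %H:%M:%S} {r.ip} {r.method} {r.path} {r.status}")
        print("  read first:", [r.path for r in likely_droppers(hits)])
```

On a real host, replace the constructed dictionary in demo() with webserver_owned_files("/home/acct/public_html", httpd_uid) and feed it the access_log lines; widen the window if the log clock and the file system clock disagree. The Windows-side case Walter mentions (stolen FTP credentials) shows up here as a file with no request near its mtime at all, which is itself a finding: check the FTP log for that minute instead.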