Solved

How to disable the C99 shell script from running using ModSec2 rules?

Posted on 2009-02-21
1,697 Views
Last Modified: 2012-05-06
Hi,

May I know if anybody knows how to disable the C99 shell script from running using specific Modsec2 security rules?

Appreciate it if anybody can help.

Thank you.
Question by:smksa
3 Comments
 
LVL 4

Expert Comment

by:ipburn3r
ID: 23704191
Here are two rules that should do the trick.

# ModSecurity 1.x (SecFilter*) syntax
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"


If you have SSH access you can also run this command to search for any such scripts on the server:
find /home/ -name "*.php" -print | xargs egrep -l -i 'c99shell' >> /somedirectory/exploits.txt


Other search terms you may want to use, which will produce some false positives but will be more thorough, are:

"c99", "r57", "shell", etc.

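The find | xargs egrep one-liner above, generalised into a small script. This is an added example and not part of ipburn3r's post: it walks a document root once, checks each PHP file against several webshell indicators, and prints which indicator hit in which file. The indicator list and the paths are assumptions, and the generic patterns will flag legitimate code, so every hit still needs a manual look.

```shell
#!/bin/sh
# Added example (not part of the original post): scan a document root for
# known webshell indicators. Generalises the find | xargs egrep one-liner
# to several indicators at once and reports which indicator hit in which
# file. The indicator list and the paths are assumptions; expect false
# positives and review every hit by hand.

# One extended regex per line, matched case-insensitively.
# "c99shell"/"r57shell" are the classic banner strings; the last two catch
# the eval(base64_decode(...)) and $_GET['x'](...) idioms common to many shells.
WEBSHELL_INDICATORS='c99shell
r57shell
safe_mode_bypass
eval\(base64_decode\(
\$_(GET|POST|REQUEST)\[[^]]*]\('

# scan_webshells DIR -> prints "file:indicator", one line per hit.
scan_webshells() {
    dir="$1"
    find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -print |
    while IFS= read -r f; do
        printf '%s\n' "$WEBSHELL_INDICATORS" | while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            if grep -qiE -- "$pat" "$f" 2>/dev/null; then
                printf '%s:%s\n' "$f" "$pat"
            fi
        done
    done
}

# Usage, against the paths from the original post (run as root):
#   scan_webshells /home >> /somedirectory/exploits.txt
```

Only files with PHP-type extensions are scanned, so a shell dropped as .txt or .jpg and executed through a misconfigured handler will not show up; widen the -name list if your server maps other extensions to PHP.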
 
LVL 2

Author Comment

by:smksa
ID: 23704285
Hi,

Thanks for the rules.

But after I put them in /usr/local/apache/conf/modsec2.user.conf and try to restart httpd, the following error appears:

"Invalid command 'SecFilterSelective', perhaps mis-spelled or defined by a module not included in the server configuration"

Are the rules not compatible with my modsec2, or do I need to install some modules to make them work?

Thank you.

 
LVL 4

Accepted Solution

by:
ipburn3r earned 1500 total points
ID: 23704754
Oh, of course, I apologize about that, my bad. Here are the rules for modsec2 that will stop the c99 shell script.

# ModSecurity 2 syntax. Explicit actions added; the rules as posted had none
# and so relied on SecDefaultAction. The ids reuse the 330001/330002 numbers
# from the rules above (ModSecurity 2.7+ refuses to load a rule without an id).
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)" "id:330001,phase:1,deny,log,msg:'C99 shell request pattern'"

#generic shell
SecRule REQUEST_URI "shell\.txt" "id:330002,phase:1,deny,log,msg:'Generic shell download pattern'"


Cheers



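A quick way to see what those two REQUEST_URI patterns actually match before loading them into ModSecurity, added here as an example and not from the original post. grep -E stands in for ModSecurity's PCRE engine (the two patterns are rewritten in ERE form but match the same strings), and the request URIs are constructed for the test, not taken from a real log.

```shell
#!/bin/sh
# Added example, not part of the original post: check the accepted answer's
# two REQUEST_URI patterns against constructed request lines before loading
# them into ModSecurity 2, so you know what they catch and what they miss.
# grep -E is a stand-in for ModSecurity's PCRE engine; the patterns are
# written in ERE-compatible form ("\.php\?act=" becomes "[.]php[?]act=").

# Patterns from the accepted answer.
C99_PATTERN='[.]php[?]act=(chmod&f|cmd|f&f=|ls|img&img=)'
SHELL_TXT_PATTERN='shell[.]txt'

# Constructed sample requests (not real log data): the URI as the client sent it.
# The first four are C99-style requests the rules should block; the last
# three are a case variant, a benign request, and a reordered query string.
SAMPLE_REQUESTS='/uploads/c99.php?act=cmd&cmd=id
/uploads/c99.php?act=ls&d=/etc
/uploads/c99.php?act=chmod&f=index.php
/img/shell.txt
/uploads/c99.php?ACT=cmd&cmd=id
/index.php?act=login
/uploads/c99.php?d=/tmp&act=cmd'

# classify_request URI -> prints "block" if either rule would fire, else "pass".
classify_request() {
    uri="$1"
    if printf '%s\n' "$uri" | grep -qE -- "$C99_PATTERN"; then
        printf 'block\n'
    elif printf '%s\n' "$uri" | grep -qE -- "$SHELL_TXT_PATTERN"; then
        printf 'block\n'
    else
        printf 'pass\n'
    fi
}

# run_samples -> one "verdict URI" line per sample request.
run_samples() {
    printf '%s\n' "$SAMPLE_REQUESTS" | while IFS= read -r uri; do
        printf '%s %s\n' "$(classify_request "$uri")" "$uri"
    done
}
```

The last two samples show the limits of a raw REQUEST_URI regex: the match is case-sensitive unless the rule adds t:lowercase, and it only fires when act= is the first query parameter. In ModSecurity 2 the tighter form is to match the parameter itself with ARGS:act rather than the URI string.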
