How to disable the C99 shell script from running using ModSec2 rules?

Posted on 2009-02-21
Last Modified: 2012-05-06

May I know if anybody knows how to disable the C99 shell script from running using specific ModSec2 security rules?

I would appreciate it if anybody can help.

Thank you.
Question by: smksa

    Expert Comment

    Here are two rules that should do the trick.

    SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
    SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

    If you have SSH access, you can also run this command to search for any scripts on the server.
    find /home/ -name "*.php" -print0 | xargs -0 egrep -l -i 'c99shell' >> /somedirectory/exploits.txt

    Other search terms you may want to use, which will produce some false positives but will be more thorough, are:

    "c99" "r57" "shell" , etc.


    Author Comment


    Thanks for the rules,

    But after I put them in /usr/local/apache/conf/modsec2.user.conf and tried to restart httpd, the following error appeared:

    "Invalid command 'SecFilterSelective', perhaps mis-spelled or defined by a module not included in the server configuration"

    Are the rules not compatible with my modsec2? Or do I need to install some modules to make them work?

    Thank you.


    Accepted Solution

    Oh, of course. I apologize about that, my bad. Here are the rules for modsec2 that will stop the c99 shell script.

    #c99 rootshell
    SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

    #generic shell
    SecRule REQUEST_URI "shell\.txt"
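
A dry run of the two SecRule patterns from the accepted solution against access-log lines, added here as an example that is not part of the original thread. It assumes Combined Log Format and that the patterns are applied as plain unanchored regexes with no transformations; `RULES`, `dry_run` and the sample log lines are constructed for illustration.

```python
import re

# Patterns copied from the two SecRule lines in the accepted solution.
RULES = {
    "c99 rootshell": re.compile(r"\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"),
    "generic shell": re.compile(r"shell\.txt"),
}

# Request field of a Combined Log Format line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IPs, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2009:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
192.0.2.44 - - [21/Feb/2009:10:00:07 +0000] "GET /uploads/x.php?act=ls&d=%2Fhome HTTP/1.1" 200 20311
192.0.2.44 - - [21/Feb/2009:10:00:09 +0000] "POST /uploads/x.php?act=cmd HTTP/1.1" 200 1840
192.0.2.23 - - [21/Feb/2009:10:01:30 +0000] "GET /forum/admin.php?act=lsmembers HTTP/1.1" 200 7730
192.0.2.23 - - [21/Feb/2009:10:02:12 +0000] "GET /docs/powershell.txt HTTP/1.1" 200 912
192.0.2.10 - - [21/Feb/2009:10:02:40 +0000] "GET /static/style.css HTTP/1.1" 304 0
"""


def dry_run(log_text):
    """Return (uri, rule_name) for every logged request a rule would match."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        uri = m.group(1)  # path plus query string, as logged
        for name, rx in RULES.items():
            if rx.search(uri):  # unanchored search, like the default regex operator
                hits.append((uri, name))
    return hits


if __name__ == "__main__":
    for uri, name in dry_run(SAMPLE_LOG):
        print(f"{name:15} {uri}")
```

The `lsmembers` and `powershell.txt` hits come from the unanchored alternation and substring match, so running the patterns over real logs first shows which legitimate requests the rules would also catch.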


