Shamsul Kamal


How to disable the C99 shell script from running using ModSec2 rules?

Hi,

May I know if anybody knows how to disable the C99 shell script from running using specific ModSec2 security rules?

Appreciate it if anybody can help.

Thank you.
ipburn3r

Here are two rules that should do the trick.

SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"


If you have SSH access you can also run this command to search for any such scripts on the server.
find /home/ -name "*.php" -print | xargs egrep -l -i 'c99shell' >> /somedirectory/exploits.txt


Other search terms you may want to use, which will give some false positives but will be more thorough, are:

"c99", "r57", "shell", etc.

Shamsul Kamal (ASKER)

Hi,

Thanks for the rules,

But after I put them in /usr/local/apache/conf/modsec2.user.conf and try to restart httpd, the following error appears:

"Invalid command 'SecFilterSelective', perhaps mis-spelled or defined by a module not included in the server configuration"

Are the rules not compatible with my modsec2? Or do I need to install some modules to make them work?

Thank you.
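As an added example (not part of the original thread), here are the two rules above rewritten in the SecRule syntax that ModSecurity 2 expects; SecFilterSelective is ModSecurity 1.x syntax, which is why mod_security2 reports it as an invalid command. The rule ids, function list and messages are taken from ipburn3r's post; the variables, phases, transformations and actions are my choices.

```apache
# Added example: ModSecurity 2 (SecRule) equivalents of the two SecFilterSelective
# rules from the thread. Ids 330001/330002 and the function list are kept from the
# post; everything else here is an assumption about how the site wants to block.

# The rule engine must be on, and phase-2 rules can only see the body when body
# access is enabled. Use "SecRuleEngine DetectionOnly" first to log without blocking.
SecRuleEngine On
SecRequestBodyAccess On

# Rule 1: a dangerous PHP function call anywhere in the request line
# (THE_REQUEST in ModSecurity 1.x roughly corresponds to REQUEST_LINE in 2.x).
SecRule REQUEST_LINE \
    "@rx (?:chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\);" \
    "id:330001,phase:1,t:none,t:urlDecodeUni,deny,status:403,log,severity:2,msg:'Generic PHP exploit pattern denied'"

# Rule 2: an opening PHP tag followed by one of those calls, in the URI or the
# POST body (POST_PAYLOAD in 1.x becomes REQUEST_BODY in 2.x, which needs phase 2).
SecRule REQUEST_URI|REQUEST_BODY \
    "@rx <\?php (?:chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\);" \
    "id:330002,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,severity:2,msg:'Generic PHP exploit pattern denied'"
```

Check the syntax with `apachectl configtest` before restarting httpd. Note that these patterns match on plain substrings, so any legitimate request whose URI or body carries PHP source (for example a CMS theme or plugin editor, or a support form where someone pastes code) will be denied too; run them in DetectionOnly mode for a while and review the audit log for false positives before switching to deny.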

ASKER CERTIFIED SOLUTION
ipburn3r