How to disable the C99 Shell script from running using ModSec2 rules ?


May i know if anybody know how to disable C99 shell script from running using specific Modsec2 security rules ?

Appreciates if anyboy can help.

Thank you.
Who is Participating?
Oh of course I apologize about that.. my bad, here are the rules for modsec2 that will stop c99 Shell script.

#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

#generic shell
SecRule REQUEST_URI "shell\.txt"


Here are two rules that should do the trick.

SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

If you have ssh access you also can run this command to search for any scripts on the server.
find /home/ -name "*.php" -print | xargs egrep -l -i 'c99shell' >> /somedirectory/exploits.txt

Other search terms you may want to use, which will provide some false positives, but will be more thorough are....

"c99" "r57" "shell" , etc.

smksaAuthor Commented:

Thanks for the rules,

But after i  put it in  /usr/local/apache/conf/modsec2.user.conf and try to restart the httpd , the following error appear :

"Invalid command 'SecFilterSelective', perhaps mis-spelled or defined by a module not included in the server configuration"

Is the rules not compatible with my modsec2 ? or i need to install some modules to make it works ?

Thank you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.