Mod security rules and hacking attacks

Posted by glace, 11-15-2007, 10:59 AM
I have a problem with a hacker from China. He keeps uploading 4 files to my server: mail.php, mysql.info.php, footer.txt, header.txt. He did this with 4 different accounts so far. I have mod_security installed with the ruleset from gotroot.com, but it doesn't help. Now my questions:
1. Where can I download the mod_security core ruleset (is it helpful anyway?) I already found this page http://www.modsecurity.org/projects/rules/ but I do not see a "download here" link anywhere... I found the link that points to http://www.modsecurity.org/download/ but then I do not see the mod_sec ruleset anywhere...
2. The rules on gotroot.com have not been updated for a long time. Are they still useful? What do you think?
3. Any other sources for good mod_sec rules that may resolve my issues with PHP exploits?

Posted by pmabraham, 11-15-2007, 12:18 PM
Greetings: gotroot.com mod_security rule sets are a good place to start. Various security admins do have their own, private, rule sets. You can add your own rule sets as well. Please also consider disabling insecure PHP functions. Thank you.

Posted by CiscoMike, 11-15-2007, 01:28 PM
Make sure your PHP is up to date. Disable register_globals (does anyone really use that anymore???). Make sure Apache doesn't have some backdoor (and update). Make sure your kernel doesn't have some backdoor to allow someone in (install a GRSec kernel and apply ACLs). Block his IP range, not just his IP. Go to APNIC, look up his IP, it'll be associated with an entire block, use a firewall to ban his and all those other IPs.

Posted by glace, 11-15-2007, 03:53 PM
register_globals is a real problem for me... Many of my customers are using OSCommerce. OSCommerce needs register_globals turned on, which is a real problem. Does anyone have any idea on how you can disable register_globals without killing off all the copies of OSCommerce on the server?

Posted by SPaReK, 11-15-2007, 03:58 PM
Is OSCommerce still being developed? When was the last time OSCommerce developers released an update?

Posted by CiscoMike, 11-15-2007, 04:38 PM
I'm not familiar with OSCommerce, but with all the issues relating to register_globals through the years, I'd be horrified to find a mainstream or even mildly popular product that requires that to be on. Granted, if it's an older product, it's working just fine and hasn't seen a bunch of updates, not much you can do about it.

Posted by Jeremy, 11-15-2007, 05:30 PM
Disable it on the server, and enable it on the vhost. php_flag, I think it was. I'd check the logs and see how he's getting the files up.
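The log check suggested above, as an added example that is not from the thread: it scans Apache combined-format access log lines for write-style (POST/PUT) requests and for any request touching the four filenames the original poster reports, grouped by client IP. The log lines, the paths and the addresses are constructed samples, not real data from this server.

```python
import re
from collections import defaultdict

# Filenames the thread reports being dropped on the server.
DROPPED_FILES = {"mail.php", "mysql.info.php", "footer.txt", "header.txt"}

# Apache "combined" LogFormat: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Map client IP -> [(timestamp, method, path, status), ...] for requests that
    either reference one of the dropped files or are POST/PUT requests, which is
    where the upload itself usually shows up in the access log."""
    hits = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        basename = r["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if basename in DROPPED_FILES or r["method"] in ("POST", "PUT"):
            hits[r["ip"]].append((r["ts"], r["method"], r["path"], r["status"]))
    return dict(hits)


# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = """\
203.0.113.7 - - [15/Nov/2007:09:58:01 +0100] "GET /shop/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Nov/2007:09:58:14 +0100] "POST /shop/admin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Nov/2007:09:58:20 +0100] "GET /shop/images/mail.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.4 - - [15/Nov/2007:10:02:33 +0100] "GET /shop/product_info.php?products_id=31 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, reqs in triage(SAMPLE).items():
        print(ip)
        for ts, method, path, status in reqs:
            print(f"  {ts} {method} {path} {status}")
```

Run it against the real access_log (for example `triage(open("/var/log/httpd/access_log"))`) and the IPs that both POST to an application script and then fetch one of the dropped files are the sessions worth reading in full; that sequence shows which script accepted the upload.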

Posted by shezaf, 11-15-2007, 07:59 PM
The ModSecurity core rule set is part of the 2.x distribution. It can be separately downloaded from modsecurity.org/download/. Note that it only works with ModSecurity 2.x.
