Type of attack: URL Injection -- attempt to inject

Support for security such as Firewalls and securing linux
mantonik
Posts: 8
Joined: 2011/10/31 01:07:12

Type of attack: URL Injection -- attempt to inject

Post by mantonik » 2011/11/01 02:09:17

Hi.

We received information that our server generates injection attacks:

Type of attack: URL Injection -- attempt to inject / load files onto the server through application vulnerabilities
Sample log report including date and time stamp (1st field is "request", 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker):
Request: limousines.ie xxx.xxx.xxx.xxx - - [28/Oct/2011:04:15:12 +0100] "GET /awstats/data/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQFQz7pAAAFKAcCk "-"
Request: limousines.ie xxx.xxx.xxx.xxx - - [28/Oct/2011:04:15:12 +0100] "GET /includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQFQz7pAAAF3rCp0 "-"
Request: limousines.ie xxx.xxx.xxx.xxx - - [28/Oct/2011:04:15:13 +0100] "GET /awstats/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQVQz7pAAAF3NhaI "-"

--
I installed LMD and started a scan of the users' folders, updated the configuration to autoremove and notify; so far no result.
http://www.rfxn.com/projects/linux-malware-detect/

Then I ran
rkhunter http://thesystemadministrator.net/cpane ... kit-hunter
and it also doesn't show any problem.

I am configuring now mod_security.

Any suggestions on how to find where those attacks are coming from?

Thank you for help.
Mariusz
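A small log scanner for the kind of requests quoted in the report above, added here as an example and not part of the original post. It parses Apache combined-format lines, URL-decodes the request target and flags traversal / local-file-inclusion probes (repeated `../`, `/proc/self/environ`, an embedded `%00`), then counts hits per source IP and user agent; the same scan can be run over a site's own access logs to see which requests match. The sample lines are constructed in the same shape as the report's, with the documentation address 203.0.113.5 standing in for the masked xxx.xxx.xxx.xxx.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); 203.0.113.5 and
# 198.51.100.7 are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2011:04:15:12 +0100] "GET /awstats/data/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03"
203.0.113.5 - - [28/Oct/2011:04:15:13 +0100] "GET /awstats/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03"
198.51.100.7 - - [28/Oct/2011:04:16:02 +0100] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Indicators of a traversal / LFI probe, matched against the URL-decoded target.
LFI_PATTERNS = [
    re.compile(r'(\.\./){2,}'),          # repeated directory climbing
    re.compile(r'/proc/self/environ'),   # process environment, a classic LFI target
    re.compile(r'\x00'),                 # null byte (%00) used to cut off an appended suffix
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_lfi_attempts(log_text):
    """Return one finding per request whose decoded target matches an LFI indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        decoded = unquote(rec["target"])      # %00 -> "\x00", %2e -> ".", ...
        hits = [p.pattern for p in LFI_PATTERNS if p.search(decoded)]
        if hits:
            findings.append({"ip": rec["ip"], "time": rec["time"], "agent": rec["agent"],
                             "status": int(rec["status"]), "path": decoded.split("?")[0],
                             "indicators": hits})
    return findings

def attacker_summary(findings):
    """Count flagged requests per (source IP, user agent) pair."""
    counts = {}
    for f in findings:
        key = (f["ip"], f["agent"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    hits = find_lfi_attempts(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["time"], f["status"], f["path"], f["indicators"])
    print(attacker_summary(hits))
```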

mantonik
Posts: 8
Joined: 2011/10/31 01:07:12

Re: Type of attack: URL Injection -- attempt to inject

Post by mantonik » 2011/11/01 03:33:00

Hi.
This is my mod_security configuration:

modsec2.conf

LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so

SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
#SecFilterScanPOST On
SecDefaultAction "phase:2,deny,log,status:406"
# Dots escaped so the pattern matches only the literal loopback address
SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
modsec2.user.conf

# ConfigServer ModSecurity whitelist file
Include /usr/local/apache/conf/modsec2.whitelist.conf
SecRule REQUEST_URI|QUERY_STRING dirty
SecRule ARGS dirty
SecRule &ARGS !^0$


Do you have any suggestions to improve security?

Thank you
Mariusz
