Type of attack: URL Injection -- attempt to inject

Posted: 2011/11/01 02:09:17
by mantonik

We received information that our server generates injection attacks:

Type of attack: URL Injection -- attempt to inject / load files onto the server through application vulnerabilities
Sample log report including date and time stamp (1st field is "request", 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker):
Request: - - [28/Oct/2011:04:15:12 +0100] "GET /awstats/data/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQFQz7pAAAFKAcCk "-"
Request: - - [28/Oct/2011:04:15:12 +0100] "GET /includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQFQz7pAAAF3rCp0 "-"
Request: - - [28/Oct/2011:04:15:13 +0100] "GET /awstats/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQVQz7pAAAF3NhaI "-"

I installed LMD and started a scan on the users' folders, updated the configuration to autoremove and notify; so far no result.

Then I ran
rkhunter ... kit-hunter
and it also doesn't show any problem.

I am configuring now mod_security.

Any suggestions on how to find where those attacks are coming from?

Thank you for help.
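The three log lines in the report are a local-file-inclusion probe: the fileExtension parameter is stuffed with "../" segments to reach /proc/self/environ, with a trailing %00 to cut off whatever suffix the script appends. As an added example that is not part of the original post, here is a small Python script that parses lines in the report's format ("Request:", attacked host, attacker host, then a standard combined-log tail), flags the traversal indicators after percent-decoding, and groups the hits by client address, user agent and targeted script. The sample input embeds the three quoted lines (client redacted as "-" in the report) plus two constructed lines using TEST-NET addresses; the indicator list, field names and thresholds are this example's own choices.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample input: the three lines quoted in the report above (client address
# redacted as "-") plus two constructed lines with TEST-NET addresses, one benign and one
# using percent-encoded dots so the decoding path is exercised as well.
SAMPLE_LOG = """\
Request: - - [28/Oct/2011:04:15:12 +0100] "GET /awstats/data/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQFQz7pAAAFKAcCk "-"
Request: - - [28/Oct/2011:04:15:12 +0100] "GET /includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQFQz7pAAAF3rCp0 "-"
Request: - - [28/Oct/2011:04:15:13 +0100] "GET /awstats/includes/class_item.php?fileExtension=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 500 3506 "-" "libwww-perl/6.03" TqoeQVQz7pAAAF3NhaI "-"
Request: - 203.0.113.5 [28/Oct/2011:04:16:01 +0100] "GET /index.php?page=home HTTP/1.1" 200 1234 "-" "Mozilla/5.0" TqoeQZQz7pAAAF3aaaa "-"
Request: - 198.51.100.7 [28/Oct/2011:04:16:40 +0100] "GET /includes/class_item.php?fileExtension=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron%00 HTTP/1.1" 500 3506 "-" "libwww-perl/5.837" TqoeQZQz7pAAAF3bbbb "-"
"""

# Report format: optional "Request:" prefix, attacked host, attacker host, then the usual
# combined-log fields. Trailing tokens (unique id etc.) are ignored.
LINE_RE = re.compile(
    r'^(?:Request:\s+)?(?P<target>\S+)\s+(?P<client>\S+)\s+'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<uri>\S+)(?:\s+\S+)?"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\S+)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
)

# Paths worth flagging when they appear in a decoded request; extend as needed.
SENSITIVE_TARGETS = ("/proc/self/environ",)
STRONG = {"traversal", "sensitive_target", "null_byte"}


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_uri(uri):
    """Percent-decode repeatedly (bounded) so double-encoded traversal is seen as well."""
    cur = uri
    for _ in range(3):
        nxt = urllib.parse.unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def indicators_for(uri, agent):
    """List the indicators present in one request; 'scripted_client' alone never flags."""
    decoded = decode_uri(uri)
    hits = []
    if decoded.count("../") >= 2 or decoded.count("..\\") >= 2:
        hits.append("traversal")
    if any(t in decoded for t in SENSITIVE_TARGETS):
        hits.append("sensitive_target")
    if "\x00" in decoded:          # %00 decodes to a NUL byte
        hits.append("null_byte")
    if agent.lower().startswith("libwww-perl"):
        hits.append("scripted_client")
    return hits


def analyze_log(text):
    """Return the parsed records that carry at least one strong indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators_for(rec["uri"], rec["agent"])
        if STRONG & set(hits):
            rec["indicators"] = hits
            findings.append(rec)
    return findings


def summarize(findings):
    """Group hits by client address, user agent and targeted script (path without query)."""
    return {
        "by_client": Counter(f["client"] for f in findings),
        "by_agent": Counter(f["agent"] for f in findings),
        "by_script": Counter(f["uri"].split("?", 1)[0] for f in findings),
    }


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["client"], f["status"], ",".join(f["indicators"]), f["uri"][:60])
    for name, counter in summarize(found).items():
        print(name, dict(counter))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the by_client counter answers "where are they coming from" as far as the log allows (in the report the attacker field is redacted, so those three lines only group under "-"), and by_script shows which scripts are being probed and should be checked for the include vulnerability.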

Re: Type of attack: URL Injection -- attempt to inject

Posted: 2011/11/01 03:33:00
by mantonik
This is my mod_security configuration:

# Libraries ModSecurity 2 depends on, then the module itself
# (the library and module file names were cut off in the original post)
LoadFile /opt/xml2/lib/
LoadFile /opt/lua/lib/
LoadModule security2_module modules/

# Enable the rule engine
SecRuleEngine On
# See
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
# Audit only transactions that triggered a rule; debug logging effectively off (level 0)
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
#SecFilterScanPOST On
# Action inherited by every rule below that does not set its own: deny in phase 2 with HTTP 406
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"

# ConfigServer ModSecurity whitelist file
Include /usr/local/apache/conf/modsec2.whitelist.conf
# Both rules below inherit the default deny action: the first blocks any request whose
# arguments contain "dirty"; the second uses the & counting operator, so it matches
# (and blocks) every request that carries one or more arguments.
SecRule ARGS dirty
SecRule &ARGS !^0$

Do you have any suggestions to improve security?

Thank you