Yes. Take a look at the ModSecurity audit log mentioned in the article. You should see the first blocked requests there after a few minutes.
Looks like I got hit too :/ I do not like the HTTP/1.1 200 part. I've got a firewall in place blocking all unneeded ports, so running a "bot" did not work. Time to install ModSecurity I guess...
Time for a rebuild I think
Hello everyone. I was thinking of rebuilding these systems from scratch on Ubuntu 12.04 LTS, but I am concerned. Is the Apache mod_security installed in the How-To for 12.04 LTS? Also, does anyone know if the directions for the Apache mod_security packages are different for Ubuntu 10/11, or where I can get them?
Unbelievable - Someone HELP ME!
Whoever is doing this is really pissing me off. They have messed with my repositories so I cannot get the packages I need!! WTF!! Check out the output of what I get when I run "apt-get update":

root@server1:/tmp# apt-get update
Ign http://us.archive.ubuntu.com maverick Release.gpg
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/main Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/main Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/multiverse Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/multiverse Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/restricted Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/restricted Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/universe Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick/universe Translation-en_US
Ign http://us.archive.ubuntu.com maverick-updates Release.gpg
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/main Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/main Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/multiverse Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/multiverse Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/restricted Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/restricted Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/universe Translation-en
Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/universe Translation-en_US
Ign http://us.archive.ubuntu.com maverick Release
Ign http://us.archive.ubuntu.com maverick-updates Release
Ign http://extras.ubuntu.com maverick Release.gpg
Ign http://extras.ubuntu.com/ubuntu/ maverick/main Translation-en
Ign http://extras.ubuntu.com/ubuntu/ maverick/main Translation-en_US
Ign http://security.ubuntu.com maverick-security Release.gpg
Ign http://security.ubuntu.com/ubuntu/ maverick-security/main Translation-en
Ign http://security.ubuntu.com/ubuntu/ maverick-security/main Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ maverick-security/multiverse Translation-en
Ign http://security.ubuntu.com/ubuntu/ maverick-security/multiverse Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ maverick-security/restricted Translation-en
Ign http://security.ubuntu.com/ubuntu/ maverick-security/restricted Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ maverick-security/universe Translation-en
Ign http://security.ubuntu.com/ubuntu/ maverick-security/universe Translation-en_US
Ign http://us.archive.ubuntu.com maverick/main Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick/restricted Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick/universe Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick/multiverse Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick/main i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick/restricted i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick/universe i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick/multiverse i386 Packages/DiffIndex
Ign http://extras.ubuntu.com maverick Release
Ign http://us.archive.ubuntu.com maverick-updates/main Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/restricted Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/universe Sources/DiffIndex
Ign http://security.ubuntu.com maverick-security Release
Ign http://us.archive.ubuntu.com maverick-updates/multiverse Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/main i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/universe i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick/main Sources
Ign http://us.archive.ubuntu.com maverick/restricted Sources
Ign http://us.archive.ubuntu.com maverick/universe Sources
Ign http://us.archive.ubuntu.com maverick/multiverse Sources
Ign http://us.archive.ubuntu.com maverick/main i386 Packages
Ign http://us.archive.ubuntu.com maverick/restricted i386 Packages
Ign http://us.archive.ubuntu.com maverick/universe i386 Packages
Ign http://extras.ubuntu.com maverick/main Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick/multiverse i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/main Sources
Ign http://us.archive.ubuntu.com maverick-updates/restricted Sources
Ign http://us.archive.ubuntu.com maverick-updates/universe Sources
Ign http://security.ubuntu.com maverick-security/main Sources/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/multiverse Sources
Ign http://us.archive.ubuntu.com maverick-updates/main i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/universe i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages
Ign http://us.archive.ubuntu.com maverick/main Sources
Ign http://us.archive.ubuntu.com maverick/restricted Sources
Ign http://us.archive.ubuntu.com maverick/universe Sources
Ign http://us.archive.ubuntu.com maverick/multiverse Sources
Ign http://us.archive.ubuntu.com maverick/main i386 Packages
Ign http://us.archive.ubuntu.com maverick/restricted i386 Packages
Ign http://extras.ubuntu.com maverick/main i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick/universe i386 Packages
Ign http://us.archive.ubuntu.com maverick/multiverse i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/main Sources
Ign http://us.archive.ubuntu.com maverick-updates/restricted Sources
Ign http://security.ubuntu.com maverick-security/restricted Sources/DiffIndex
Ign http://security.ubuntu.com maverick-security/universe Sources/DiffIndex
Ign http://security.ubuntu.com maverick-security/multiverse Sources/DiffIndex
Ign http://security.ubuntu.com maverick-security/main i386 Packages/DiffIndex
Ign http://security.ubuntu.com maverick-security/restricted i386 Packages/DiffIndex
Ign http://security.ubuntu.com maverick-security/universe i386 Packages/DiffIndex
Ign http://security.ubuntu.com maverick-security/multiverse i386 Packages/DiffIndex
Ign http://us.archive.ubuntu.com maverick-updates/universe Sources
Ign http://us.archive.ubuntu.com maverick-updates/multiverse Sources
Ign http://us.archive.ubuntu.com maverick-updates/main i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/universe i386 Packages
Ign http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages
Ign http://extras.ubuntu.com maverick/main Sources
Err http://us.archive.ubuntu.com maverick/main Sources
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick/restricted Sources
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick/universe Sources
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick/multiverse Sources
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick/main i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick/restricted i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick/universe i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick/multiverse i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick-updates/main Sources
  404 Not Found [IP: 91.189.91.13 80]
Ign http://security.ubuntu.com maverick-security/main Sources
Ign http://security.ubuntu.com maverick-security/restricted Sources
Ign http://security.ubuntu.com maverick-security/universe Sources
Ign http://security.ubuntu.com maverick-security/multiverse Sources
Ign http://security.ubuntu.com maverick-security/main i386 Packages
Ign http://security.ubuntu.com maverick-security/restricted i386 Packages
Err http://us.archive.ubuntu.com maverick-updates/restricted Sources
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick-updates/universe Sources
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick-updates/multiverse Sources
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick-updates/main i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Err http://us.archive.ubuntu.com maverick-updates/universe i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Ign http://extras.ubuntu.com maverick/main i386 Packages
Err http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages
  404 Not Found [IP: 91.189.91.13 80]
Ign http://security.ubuntu.com maverick-security/universe i386 Packages
Ign http://security.ubuntu.com maverick-security/multiverse i386 Packages
Ign http://security.ubuntu.com maverick-security/main Sources
Ign http://security.ubuntu.com maverick-security/restricted Sources
Ign http://security.ubuntu.com maverick-security/universe Sources
Ign http://security.ubuntu.com maverick-security/multiverse Sources
Ign http://extras.ubuntu.com maverick/main Sources
Ign http://security.ubuntu.com maverick-security/main i386 Packages
Ign http://security.ubuntu.com maverick-security/restricted i386 Packages
Ign http://security.ubuntu.com maverick-security/universe i386 Packages
Ign http://security.ubuntu.com maverick-security/multiverse i386 Packages
Err http://security.ubuntu.com maverick-security/main Sources
  404 Not Found [IP: 91.189.92.200 80]
Err http://security.ubuntu.com maverick-security/restricted Sources
  404 Not Found [IP: 91.189.92.200 80]
Ign http://extras.ubuntu.com maverick/main i386 Packages
Err http://security.ubuntu.com maverick-security/universe Sources
  404 Not Found [IP: 91.189.92.200 80]
Err http://security.ubuntu.com maverick-security/multiverse Sources
  404 Not Found [IP: 91.189.92.200 80]
Err http://security.ubuntu.com maverick-security/main i386 Packages
  404 Not Found [IP: 91.189.92.200 80]
Err http://security.ubuntu.com maverick-security/restricted i386 Packages
  404 Not Found [IP: 91.189.92.200 80]
Err http://security.ubuntu.com maverick-security/universe i386 Packages
  404 Not Found [IP: 91.189.92.200 80]
Err http://security.ubuntu.com maverick-security/multiverse i386 Packages
  404 Not Found [IP: 91.189.92.200 80]
Err http://extras.ubuntu.com maverick/main Sources
  404 Not Found
Err http://extras.ubuntu.com maverick/main i386 Packages
  404 Not Found
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/main/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/restricted/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/universe/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/multiverse/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/main/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/restricted/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/universe/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/multiverse/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/main/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/restricted/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/universe/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/multiverse/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/main/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/restricted/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/universe/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/multiverse/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/main/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/restricted/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/universe/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/multiverse/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://extras.ubuntu.com/ubuntu/dists/maverick/main/source/Sources.gz 404 Not Found
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/main/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/restricted/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/universe/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/multiverse/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80]
W: Failed to fetch http://extras.ubuntu.com/ubuntu/dists/maverick/main/binary-i386/Packages.gz 404 Not Found
E: Some index files failed to download, they have been ignored, or old ones used instead.
This does not seem to be the result of modifications in your sources list. The "maverick" release no longer exists on the Ubuntu archive servers.
Just to ask: were there any changes to using mod_security on Debian 7 Wheezy? And what about that old rule set, wouldn't it be better to use a newer one? Thanks.
You are CORRECT! Yes, I was doing a bit more digging and found that someone had run into something similar to this in the past. They explained how to update the sources.list file and, after a little trial and error, I got libapache-mod-security installed. I followed an old how-to done by Till: http://www.faqforge.com/linux/apache-mod-security-installation-on-debian-6-0-squeeze/ I hope I used the correct one, because quite frankly I am tired of seeing this server get owned by people. If there is any way you know that I can check to see if this corrects my issue, please let me know ASAP. Thanks in advance!
System replacement
Hello everyone. Seeing as the server I was hit hard on was old, I decided to build a new box. I used this How-To: http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-nginx-bind-dovecot-ispconfig-3 My question is, what do I need to do to protect myself from this same exploit? Is the problem "fixed" in this version? Thanks in advance. PS: I think the old system was compromised badly. I still see very strange things happening in the box, so either I did something wrong, or it was thoroughly compromised . . .
The problem with this exploit only exists if PHP is enabled as CGI and directly accessible via /cgi-bin/php (or php5 etc.). This is not done by ISPConfig, but it might be enabled in the default vhost of a fresh system. Simply disabling this should solve the problem. In addition, this problem is fixed (as far as I know) in the latest PHP 5.3, 5.4 and 5.5 versions (at least in Debian a force-cgi-redirect config option or something like that is compiled in). So after you have installed everything, check whether you can access /cgi-bin/php, /cgi-bin/php5 etc. from localhost (e.g. lynx http://localhost/cgi-bin/php).
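The check Croydon describes, written out as a script. This is an added example for the thread, not code from the post, from ISPConfig or from the How-To. It reads Apache config text for ScriptAlias directives, lists the PHP CGI binaries reachable under them, reads cgi.force_redirect from a php.ini, and then asks the local web server for each candidate path. The /etc/apache2 and /etc/php5/cgi/php.ini locations and the php, php5, php-cgi naming are assumptions about a Debian/Ubuntu layout; the directory listing is injectable so the config part can be exercised without a real server.

```python
import os
import re
import http.client

# "ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/": URL prefix -> filesystem directory.
SCRIPT_ALIAS_RE = re.compile(r'^\s*ScriptAlias\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?', re.I | re.M)
# Names under which a PHP CGI binary (or a symlink to it) usually sits in cgi-bin.
# Assumed convention: php, php5, php5.3, php-cgi, php5-cgi.
PHP_CGI_NAME_RE = re.compile(r'^php(\d+(\.\d+)?)?(-cgi)?$', re.I)


def cgi_aliases(config_text):
    """Return [(url_prefix, directory)] for every ScriptAlias in the config text,
    both normalised to end in '/'."""
    pairs = []
    for url_prefix, directory in SCRIPT_ALIAS_RE.findall(config_text):
        pairs.append((url_prefix.rstrip('/') + '/', directory.rstrip('/') + '/'))
    return pairs


def exposed_php_cgi_paths(config_text, listdir=os.listdir):
    """URL paths at which a PHP CGI binary would be directly callable, e.g. ['/cgi-bin/php5'].
    `listdir` is injectable so the check can run against a constructed directory listing."""
    found = set()
    for url_prefix, directory in cgi_aliases(config_text):
        try:
            names = listdir(directory)
        except OSError:            # alias points at a directory that does not exist
            continue
        for name in names:
            if PHP_CGI_NAME_RE.match(name):
                found.add(url_prefix + name)
    return sorted(found)


def force_redirect_enabled(php_ini_text):
    """True unless the CGI SAPI's php.ini explicitly turns cgi.force_redirect off.
    PHP's built-in default for the option is 1 (on); commented-out ';' lines are ignored."""
    m = re.search(r'^\s*cgi\.force_redirect\s*=\s*(\S+)', php_ini_text, re.I | re.M)
    if not m:
        return True
    return m.group(1).strip('"\'').lower() not in ('0', 'off', 'false', 'no')


def probe(path, host='localhost', port=80, timeout=5):
    """GET `path` from the local web server; return the HTTP status, or None if unreachable.
    For /cgi-bin/php* you want a 404 (or a 403 from the server), not a PHP-generated page."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request('GET', path, headers={'Host': host})
        status = conn.getresponse().status
        conn.close()
        return status
    except OSError:
        return None


def read_apache_config(root='/etc/apache2'):
    """Concatenate every *.conf file and every file in sites-enabled/ below `root`."""
    chunks = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith('.conf') or os.path.basename(dirpath) == 'sites-enabled':
                with open(os.path.join(dirpath, name), errors='replace') as fh:
                    chunks.append(fh.read())
    return '\n'.join(chunks)


if __name__ == '__main__':
    # Assumed Debian/Ubuntu paths; adjust for your system.
    config = read_apache_config('/etc/apache2')
    for url_path in exposed_php_cgi_paths(config):
        print('%s -> HTTP %s' % (url_path, probe(url_path)))
    try:
        with open('/etc/php5/cgi/php.ini', errors='replace') as fh:
            print('cgi.force_redirect enabled:', force_redirect_enabled(fh.read()))
    except OSError:
        print('no /etc/php5/cgi/php.ini found')
```

Run it as root on the Apache box. An empty list of exposed paths is the result you want; if a path is listed and the probe returns anything but 404 or 403, the binary is callable from the outside and the ScriptAlias (or the php symlink in cgi-bin) needs to go.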
You'll have to point me at a doc
OK, so I have been up for roughly 20 hours . . . Would you be able to point me at a doc that can show me how to disable what you mentioned? I just went to the localhost and I got the welcome page for nginx . . . Thanks in advance!
Search your apache config files and vhosts for any "cgi-bin" and check if there is something about "php". I have no docs link currently, sorry.
Are these the settings?
cgi.force_redirect = 1
display_errors = Off
expose_php = Off
file_uploads = Off
memory_limit = 128M changed to memory_limit = 8M
post_max_size = 8M changed to 1M
Do you use Apache or nginx? In post #31 you claimed that you use nginx. What Croydon posted applies to Apache web servers only. If you are using nginx, you are not affected by this issue anyway, as nginx does not use PHP as CGI; it uses PHP as php-fpm only. Regarding these settings, I explained them in this thread and why some of them are correct and others not, at least if you want to use your web server for CMS systems or similar software.
I think it's working!
I think I may have bought me some time . . . I am looking at my modsec_audit.log and this is an example of what I am now seeing . . . I think it's working?!

--5053207d-A--
[06/Nov/2013:04:02:28 --0500] UnoFpEZr2VIAAA3OBpUAAAAJ 119.63.193.195 58131 XX.XX.XX.XX 80
--5053207d-B--
GET / HTTP/1.1
Host: incoming.beststylesusa.com
Accept-Language: zh-cn
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

--5053207d-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Length: 293
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5053207d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod-security/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Action: Intercepted (phase 2)
Stopwatch: 1383728548161112 1499 (321 796 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/1.6.1.
Server: Apache/2.2.16 (Ubuntu)

--5053207d-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,status:400,t:lowercase,t:replaceNulls,t:compressWhitespace,chain,t:none,deny,log,auditlog,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,chain,skip:1,t:none,log,auditlog,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "t:lowercase,t:replaceNulls,t:compressWhitespace,t:none"

--5053207d-Z--
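One entry in the audit log shows that a single request was intercepted; the question the poster is really asking is whether the server is blocking the attacks over time. The parser below, an added example that is not part of the thread or of ModSecurity, reads the serial audit-log format shown in the post (the --txid-LETTER-- sections) and produces counts per rule and per client, plus the list of direct requests to /cgi-bin/php that were answered with 200, which is the case the thread is worried about. The embedded log is constructed for the example (documentation IPs, example.com hosts, made-up transaction ids) and modeled on the entry above; point the script at a real modsec_audit.log to run it on your own data.

```python
import re
from collections import Counter

# Section boundary in the serial audit-log format: --<txid>-<part letter>--
SECTION_RE = re.compile(r'^--([0-9A-Za-z]+)-([A-Z])--\s*$', re.M)
# Part A: [timestamp] unique-id client-ip client-port server-ip server-port
PART_A_RE = re.compile(r'^\[([^\]]+)\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)', re.M)
STATUS_RE = re.compile(r'^HTTP/\d\.\d\s+(\d{3})', re.M)
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
RULE_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def split_transactions(text):
    """Group the log into {txid: {part_letter: body}}."""
    marks = list(SECTION_RE.finditer(text))
    txs = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        txs.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip()
    return txs


def summarize(txid, parts):
    """Flatten one transaction into the fields an analyst wants to see."""
    a = PART_A_RE.search(parts.get('A', ''))
    req = parts.get('B', '').splitlines()
    host = next((l.split(':', 1)[1].strip() for l in req[1:]
                 if l.lower().startswith('host:')), None)
    status = STATUS_RE.search(parts.get('F', ''))
    h = parts.get('H', '')
    return {
        'txid': txid,
        'time': a.group(1) if a else None,
        'client_ip': a.group(3) if a else None,
        'request': req[0] if req else '',
        'host': host,
        'status': int(status.group(1)) if status else None,
        'intercepted': 'Action: Intercepted' in h,   # a rule actually blocked it
        'rule_ids': RULE_ID_RE.findall(h),
        'messages': RULE_MSG_RE.findall(h),
    }


def report(text):
    """Per-transaction summaries plus the counts that answer "is it blocking?"."""
    rows = [summarize(t, p) for t, p in split_transactions(text).items()]
    blocked = [r for r in rows if r['intercepted']]
    return {
        'rows': rows,
        'total': len(rows),
        'blocked': len(blocked),
        'by_rule': Counter(rid for r in blocked for rid in r['rule_ids']),
        'by_client': Counter(r['client_ip'] for r in blocked),
        # Direct requests to the PHP CGI binary that were answered 200 are the
        # ones to worry about (the "HTTP/1.1 200" mentioned earlier in the thread).
        'php_cgi_200': [r['txid'] for r in rows
                        if '/cgi-bin/php' in r['request'] and r['status'] == 200],
    }


# Constructed sample, not taken from the post: one request blocked by CRS rule
# 960015, then one direct POST to /cgi-bin/php that the server answered 200.
SAMPLE_LOG = """\
--1a2b3c4d-A--
[06/Nov/2013:04:02:28 --0500] UNIQUEID0001 198.51.100.7 58131 203.0.113.10 80
--1a2b3c4d-B--
GET / HTTP/1.1
Host: www.example.com
Connection: close

--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod-security/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/1.6.1.

--1a2b3c4d-Z--

--5e6f7a8b-A--
[06/Nov/2013:04:05:01 --0500] UNIQUEID0002 198.51.100.9 40211 203.0.113.10 80
--5e6f7a8b-B--
POST /cgi-bin/php HTTP/1.1
Host: www.example.com
Accept: */*

--5e6f7a8b-F--
HTTP/1.1 200 OK

--5e6f7a8b-H--
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/1.6.1.

--5e6f7a8b-Z--
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = report(text)
    print('transactions: %d, intercepted: %d' % (r['total'], r['blocked']))
    print('by rule:', dict(r['by_rule']), 'by client:', dict(r['by_client']))
    print('direct /cgi-bin/php hits answered 200:', r['php_cgi_200'])
```

Usage: python3 modsec_report.py /var/log/apache2/modsec_audit.log. A growing "intercepted" count with an empty php_cgi_200 list is the picture you want; any transaction id in php_cgi_200 is a request that reached the PHP CGI binary and got a page back, and is worth pulling up in full.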
@Till Hey guys. Sorry about all the questions. I have one server, an older one I have been thinking of replacing, which is the one that got hit. I think it may finally be doing better, but God knows what other damage may have been done to it. I had been planning on replacing it, and the new server that I have yet to install runs NGINX. Again, I am just trying to make certain that I am making progress with this. If I can buy myself a few days, then I can definitely plan the replacement better . . . If not, then it's off to Manhattan in a few hours to replace it. Thanks again for all the help guys. Please see if you can verify that my "old" server is blocking the attacks?
Guide for wheezy: http://www.linuxquestions.org/quest...0/howto-set-up-modsecurity-on-debian-7-35569/
That I had already! What I would like to know about is running it with ISPConfig 3. Is there anything special to take care of? Or any extra commands etc.? Thanks.