yes. take a look at the modsecurity audit log mentioned in the artile. you should see the first blocked requests there after a few minutes.
Looks like got hit to :/ I do not like the HTTP/1.1 200 part. I've got a firewall in place blocking all unneeded ports, so running a "bot" did not work. Time to install modsecurity I guess..
Time for a rebuild I think Hello everyone. I was thinking of rebuilding these systems from scratch on Ubuntu 12.04 LTS, but I am concerned. Is the apache mod security installed in the How-To for 12.04 LTS? Also, does anyone know if the directions for the apache mod sec packages are different for Ubuntu 10/11 or where I can get them?
Unbelievable-Someone HELP ME! Whomever is doing this is really pissing me off. They have messed with my repositories so I cannot get the packages I need!! WTF!! Check out the output of what I get when I run "apt-get update": root@server1:/tmp# apt-get update Ign http://us.archive.ubuntu.com maverick Release.gpg Ign http://us.archive.ubuntu.com/ubuntu/ maverick/main Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick/main Translation-en_US Ign http://us.archive.ubuntu.com/ubuntu/ maverick/multiverse Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick/multiverse Translation-en_US Ign http://us.archive.ubuntu.com/ubuntu/ maverick/restricted Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick/restricted Translation-en_US Ign http://us.archive.ubuntu.com/ubuntu/ maverick/universe Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick/universe Translation-en_US Ign http://us.archive.ubuntu.com maverick-updates Release.gpg Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/main Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/main Translation-en_US Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/multiverse Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/multiverse Translation-en_US Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/restricted Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/restricted Translation-en_US Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/universe Translation-en Ign http://us.archive.ubuntu.com/ubuntu/ maverick-updates/universe Translation-en_US Ign http://us.archive.ubuntu.com maverick Release Ign http://us.archive.ubuntu.com maverick-updates Release Ign http://extras.ubuntu.com maverick Release.gpg Ign http://extras.ubuntu.com/ubuntu/ maverick/main Translation-en Ign http://extras.ubuntu.com/ubuntu/ maverick/main Translation-en_US Ign http://security.ubuntu.com maverick-security Release.gpg Ign http://security.ubuntu.com/ubuntu/ maverick-security/main Translation-en Ign http://security.ubuntu.com/ubuntu/ maverick-security/main Translation-en_US Ign http://security.ubuntu.com/ubuntu/ maverick-security/multiverse Translation-en Ign http://security.ubuntu.com/ubuntu/ maverick-security/multiverse Translation-en_US Ign http://security.ubuntu.com/ubuntu/ maverick-security/restricted Translation-en Ign http://security.ubuntu.com/ubuntu/ maverick-security/restricted Translation-en_US Ign http://security.ubuntu.com/ubuntu/ maverick-security/universe Translation-en Ign http://security.ubuntu.com/ubuntu/ maverick-security/universe Translation-en_US Ign http://us.archive.ubuntu.com maverick/main Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick/restricted Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick/universe Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick/multiverse Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick/main i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick/restricted i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick/universe i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick/multiverse i386 Packages/DiffIndex Ign http://extras.ubuntu.com maverick Release Ign http://us.archive.ubuntu.com maverick-updates/main Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/restricted Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/universe Sources/DiffIndex Ign http://security.ubuntu.com maverick-security Release Ign http://us.archive.ubuntu.com maverick-updates/multiverse Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/main i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/universe i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick/main Sources Ign http://us.archive.ubuntu.com maverick/restricted Sources Ign http://us.archive.ubuntu.com maverick/universe Sources Ign http://us.archive.ubuntu.com maverick/multiverse Sources Ign http://us.archive.ubuntu.com maverick/main i386 Packages Ign http://us.archive.ubuntu.com maverick/restricted i386 Packages Ign http://us.archive.ubuntu.com maverick/universe i386 Packages Ign http://extras.ubuntu.com maverick/main Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick/multiverse i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/main Sources Ign http://us.archive.ubuntu.com maverick-updates/restricted Sources Ign http://us.archive.ubuntu.com maverick-updates/universe Sources Ign http://security.ubuntu.com maverick-security/main Sources/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/multiverse Sources Ign http://us.archive.ubuntu.com maverick-updates/main i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/universe i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages Ign http://us.archive.ubuntu.com maverick/main Sources Ign http://us.archive.ubuntu.com maverick/restricted Sources Ign http://us.archive.ubuntu.com maverick/universe Sources Ign http://us.archive.ubuntu.com maverick/multiverse Sources Ign http://us.archive.ubuntu.com maverick/main i386 Packages Ign http://us.archive.ubuntu.com maverick/restricted i386 Packages Ign http://extras.ubuntu.com maverick/main i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick/universe i386 Packages Ign http://us.archive.ubuntu.com maverick/multiverse i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/main Sources Ign http://us.archive.ubuntu.com maverick-updates/restricted Sources Ign http://security.ubuntu.com maverick-security/restricted Sources/DiffIndex Ign http://security.ubuntu.com maverick-security/universe Sources/DiffIndex Ign http://security.ubuntu.com maverick-security/multiverse Sources/DiffIndex Ign http://security.ubuntu.com maverick-security/main i386 Packages/DiffIndex Ign http://security.ubuntu.com maverick-security/restricted i386 Packages/DiffIndex Ign http://security.ubuntu.com maverick-security/universe i386 Packages/DiffIndex Ign http://security.ubuntu.com maverick-security/multiverse i386 Packages/DiffIndex Ign http://us.archive.ubuntu.com maverick-updates/universe Sources Ign http://us.archive.ubuntu.com maverick-updates/multiverse Sources Ign http://us.archive.ubuntu.com maverick-updates/main i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/universe i386 Packages Ign http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages Ign http://extras.ubuntu.com maverick/main Sources Err http://us.archive.ubuntu.com maverick/main Sources 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick/restricted Sources 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick/universe Sources 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick/multiverse Sources 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick/main i386 Packages 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick/restricted i386 Packages 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick/universe i386 Packages 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick/multiverse i386 Packages 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick-updates/main Sources 404 Not Found [IP: 91.189.91.13 80] Ign http://security.ubuntu.com maverick-security/main Sources Ign http://security.ubuntu.com maverick-security/restricted Sources Ign http://security.ubuntu.com maverick-security/universe Sources Ign http://security.ubuntu.com maverick-security/multiverse Sources Ign http://security.ubuntu.com maverick-security/main i386 Packages Ign http://security.ubuntu.com maverick-security/restricted i386 Packages Err http://us.archive.ubuntu.com maverick-updates/restricted Sources 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick-updates/universe Sources 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick-updates/multiverse Sources 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick-updates/main i386 Packages 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick-updates/restricted i386 Packages 404 Not Found [IP: 91.189.91.13 80] Err http://us.archive.ubuntu.com maverick-updates/universe i386 Packages 404 Not Found [IP: 91.189.91.13 80] Ign http://extras.ubuntu.com maverick/main i386 Packages Err http://us.archive.ubuntu.com maverick-updates/multiverse i386 Packages 404 Not Found [IP: 91.189.91.13 80] Ign http://security.ubuntu.com maverick-security/universe i386 Packages Ign http://security.ubuntu.com maverick-security/multiverse i386 Packages Ign http://security.ubuntu.com maverick-security/main Sources Ign http://security.ubuntu.com maverick-security/restricted Sources Ign http://security.ubuntu.com maverick-security/universe Sources Ign http://security.ubuntu.com maverick-security/multiverse Sources Ign http://extras.ubuntu.com maverick/main Sources Ign http://security.ubuntu.com maverick-security/main i386 Packages Ign http://security.ubuntu.com maverick-security/restricted i386 Packages Ign http://security.ubuntu.com maverick-security/universe i386 Packages Ign http://security.ubuntu.com maverick-security/multiverse i386 Packages Err http://security.ubuntu.com maverick-security/main Sources 404 Not Found [IP: 91.189.92.200 80] Err http://security.ubuntu.com maverick-security/restricted Sources 404 Not Found [IP: 91.189.92.200 80] Ign http://extras.ubuntu.com maverick/main i386 Packages Err http://security.ubuntu.com maverick-security/universe Sources 404 Not Found [IP: 91.189.92.200 80] Err http://security.ubuntu.com maverick-security/multiverse Sources 404 Not Found [IP: 91.189.92.200 80] Err http://security.ubuntu.com maverick-security/main i386 Packages 404 Not Found [IP: 91.189.92.200 80] Err http://security.ubuntu.com maverick-security/restricted i386 Packages 404 Not Found [IP: 91.189.92.200 80] Err http://security.ubuntu.com maverick-security/universe i386 Packages 404 Not Found [IP: 91.189.92.200 80] Err http://security.ubuntu.com maverick-security/multiverse i386 Packages 404 Not Found [IP: 91.189.92.200 80] Err http://extras.ubuntu.com maverick/main Sources 404 Not Found Err http://extras.ubuntu.com maverick/main i386 Packages 404 Not Found W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/main/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/restricted/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/universe/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/multiverse/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/main/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/restricted/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/universe/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick/multiverse/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/main/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/restricted/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/universe/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/multiverse/source/Sources.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/main/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/restricted/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/universe/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/maverick-updates/multiverse/binary-i386/Packages.gz 404 Not Found [IP: 91.189.91.13 80] W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/main/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/restricted/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/universe/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/multiverse/source/Sources.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://extras.ubuntu.com/ubuntu/dists/maverick/main/source/Sources.gz 404 Not Found W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/main/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/restricted/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/universe/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/maverick-security/multiverse/binary-i386/Packages.gz 404 Not Found [IP: 91.189.92.200 80] W: Failed to fetch http://extras.ubuntu.com/ubuntu/dists/maverick/main/binary-i386/Packages.gz 404 Not Found E: Some index files failed to download, they have been ignored, or old ones used instead.
This does not seem to be the result of modifications in your sources list The "maverick" release does no longer exist on the ubuntu archive servers.
Just to ask: Did there any changes for to use mod_security in Debian 7 Wheezy? And: What's about that old Rule Set, wouldn't it better to use an newer one? Thanks.
You are CORRECT! Yes, I was doing a bit more digging and found that someone had run into something similar to this in the past. They explained how to update the sources.list file and after a little trial and error, I got the libapache-mod-security installed. I followed an old how-to done by Till: http://www.faqforge.com/linux/apache-mod-security-installation-on-debian-6-0-squeeze/ I hope I used the correct one, cause quite frankly I am tired of seeing this server get owned by people. If there is any way you know that I can check to see if this corrects my issue, please let me know ASAP. Thanks in advance!
System replacement Hello everyone. Seeing as the server I was hit hard on was old, I decided to build a new box. I used this How-To: http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-nginx-bind-dovecot-ispconfig-3 My question is, what do I need to do to protect myself from this same exploit? Is the problem "fixed" in this version? Thanks in advance. ps - I think the old system was compromised badly. I still see very strange things happening in the box, so either I did something wrong, or it was thoroughly compromised . . .
The problem with this exploit does only exist if php is enabled as CGI and directly accessible via /cgi-bin/php (or php5 etc). This is not done by ISPConfig but it might be enabled in the default vhost of a fresh system. Simply disabling this should solve the problem. In addition this problem is fixed (as far as I know) in latest php 5.3, 5.4 and 5.5 versions (at least in debian a force-cgi-redirect config option or something like that is compiled in). So after you installed everything make a check if you can access /cgi-bin/php /cgi-bin/php5 etc. from localhost (e. g. lynx http://localhost/cgi-bin/php ).
You'll have to point me at a doc OK, so I have been up for roughly 20 hours . . . Would you be able to point me at a doc that can show me how to disable what you mentioned? I just went o the localhost and I got the welcome page got nginx . . . Thanks in advance!
Search your apache config files and vhosts for any "cgi-bin" and check if there is something about "php". I have no docs link currently, sorry.
Are these the settings? cgi.force_redirect = 1 display_errors = Off expose_php = Off file_uploads = Off memory_limit = 128M changed to memory_limit = 8M post_max_size = 8M changed to 1m
Do you use apache or nginx? In post #31 you claimed that you use ngix. What Croydn posted applies to apache webservers only. If you are using nginx, you are not affected by this issue anyway as ngnx does nout use php as cgi, it uses php as php-fpm only. Regarding thes esettings, I explained them in this thread and why sone of them are correct and others not, at least if you want to use your webserver for cms systems or similar software.
I think its working! I think I may have bought me some time . . . I am looking at my modsec_audit.log and this is an example of what I am now seeing . . . I think its working?! sERGE [06/Nov/2013:04:02:28 --0500] UnoFpEZr2VIAAA3OBpUAAAAJ 119.63.193.195 58131 XX.XX.XX.XX 80 --5053207d-B-- GET / HTTP/1.1 Host: incoming.beststylesusa.com Accept-Language: zh-cn Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) --5053207d-F-- HTTP/1.1 403 Forbidden Vary: Accept-Encoding Content-Length: 293 Connection: close Content-Type: text/html; charset=iso-8859-1 --5053207d-H-- Message: Access denied with code 403 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod-security/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] Action: Intercepted (phase 2) Stopwatch: 1383728548161112 1499 (321 796 -) Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/1.6.1. Server: Apache/2.2.16 (Ubuntu) --5053207d-K-- SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,status:400,t:lowercase,t:replaceNulls,t:compressWhitespace,chain,t:none,deny,log,auditlog,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tagROTOCOL_VIOLATION/EVASION" SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,chain,skip:1,t:none,log,auditlog,msg:'Request Missing an Accept Header',severity:2,id:960015,tagROTOCOL_VIOLATION/MISSING_HEADER" SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "t:lowercase,t:replaceNulls,t:compressWhitespace,t:none" --5053207d-Z--
@Till Hey guys. Sorry about all the questions. I have one server, an older one I have been thinking of replacing, which is the one that got hit. I think it may finally be doing better, but God knows what other damage may have been done to it. I had been planning on replacing it, and the new server that I have yet to install run NGINX. Again, I am just trying to make certain that I am making progress with this. If I can buy myself a few days, then I can definitely plan the replacement better . . . If not, then it's off to Manhattan in a few hours to replace it. Thanks again for all the help guys. Please see if you can verify my "old" server is blocking the attacks?
Guide for wheezy: http://www.linuxquestions.org/quest...0/howto-set-up-modsecurity-on-debian-7-35569/
That I had already! What I would like to know is about with ISPConfig 3 running! There anything special to be care about? Or any extra comands etc? Thanks.
