PaulDotCom mailing list archives
DoS by Mod Security and a simple string?
From: Adrian Crenshaw <irongeek () irongeek com>
Date: Wed, 19 Sep 2012 14:16:10 -0400
Hi all,

Not sure how many sites this would even affect. I found a site that uses Mod_Security, with this as one of the rules:

SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>))" \
    "phase:4,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'10000001',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"

It seems to be from: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_45_trojans.conf

The issue is, if some content is served up that has something like c99shell or /c99shell/ (or any string as far as I can tell that has c99shell and does not have an alphanumeric concatenated on each end) in it, the page will return a 404. This becomes a denial of service issue if this rule is used on a site that takes user submitted content, and the user types in c99shell. Imagine typing this in the title of a forum post and having the forum start to 404 threads/sub forums.

I'm not sure how widespread this rule is, and I have yet to find a forum to test on, but I can show you two sites that must be using the rule (or one close to it) because they will 404 if you put /c99shell/ in your user agent string:

http://www.thismachine.info/
http://www.irongeek.com/browserinfo.php

Anyone know how widespread the rule is, and a forum or blog with comments I can test on? I know Dreamhost seems to use this rule in at least some of its shared environments.

Thanks,
Adrian
http://www.irongeek.com

--
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset Maugham
"The ability to Google can be a serviceable substitute for technical knowledge." ~ Adrian D. Crenshaw
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
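To make the self-inflicted 404 behaviour described in the post concrete, here is an added Python example (not code from the post, the list, or the OWASP CRS project). It compiles the regex quoted from rule 10000001 with Python's re module, runs it over a few constructed forum pages that embed user-submitted text unchanged, and reports the status the rule's deny,status:404 action would yield. Assumptions: the rule runs without a case transformation (the quoted actions carry no t:lowercase), Python's re handles the PCRE constructs in this pattern the same way ModSecurity's engine does, and the render_forum_thread template and sample pages are constructed for this example rather than taken from any real site.

```python
import re
from typing import Dict, List

# Regex copied verbatim from the SecRule quoted in the post
# (OWASP CRS 2.x modsecurity_crs_45_trojans.conf, id 10000001).
# ModSecurity applies it to RESPONSE_BODY in phase 4.
TROJAN_RULE_REGEX = (
    r"(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b"
    r"|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b"
    r"|\.::(?:news remote php shell injection::\.| rhtools\b)"
    r"|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)"
    r"|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-"
    r".{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\."
    r"|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)"
    r"|c99shell)\b|aventgrup\.<br>))"
)

# Assumption: no t:lowercase is applied, so the match is case-sensitive as written.
_TROJAN_RE = re.compile(TROJAN_RULE_REGEX)

# Status code from the rule's "deny,status:404" action.
DENY_STATUS = 404


def rule_fires(response_body: str) -> bool:
    """True if rule 10000001 would match this response body."""
    return _TROJAN_RE.search(response_body) is not None


def simulated_status(response_body: str) -> int:
    """Status the client would see: 404 when the rule fires, otherwise 200."""
    return DENY_STATUS if rule_fires(response_body) else 200


def render_forum_thread(title: str, posts: List[str]) -> str:
    """Constructed stand-in for a forum page that echoes user text into the body."""
    post_html = "".join('<div class="post">%s</div>' % p for p in posts)
    return (
        "<html><head><title>Forum - %s</title></head>"
        "<body><h1>%s</h1>%s</body></html>" % (title, title, post_html)
    )


# Constructed sample pages: ordinary content, a thread titled with the trigger
# word, the word inside a post, and the word glued to other word characters.
SAMPLE_PAGES: Dict[str, str] = {
    "benign": render_forum_thread("Weekend patch notes", ["Applied the updates, all good."]),
    "title_c99shell": render_forum_thread("c99shell", ["Has anyone seen this?"]),
    "post_slashed": render_forum_thread("Malware question", ["I found /c99shell/ in my logs"]),
    "post_glued": render_forum_thread("Malware question", ["the token c99shells2 is one word"]),
}


def audit_pages(pages: Dict[str, str]) -> Dict[str, int]:
    """Run every page through the rule and map page name to resulting status."""
    return {name: simulated_status(body) for name, body in pages.items()}


if __name__ == "__main__":
    for name, status in audit_pages(SAMPLE_PAGES).items():
        print("%-16s -> %d" % (name, status))
```

Running the audit shows the two pages that merely echo a user's text are denied with 404, while the page where the string is glued to other word characters passes, which is exactly the \b-bounded behaviour the post describes. A site that hosts user-generated content can run the same check against its own templates before enabling the rule, and can drop this one rule for those locations with ModSecurity's SecRuleRemoveById 10000001 while keeping the rest of the rule set.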