Linux worm crawls the web, what to do to protect our systems

Shockwave shockwave at clan-tf20.com
Tue Nov 8 15:34:43 UTC 2005


----- Original Message ----- 
From: "Michael A. Peters" <mpeters at mac.com>
To: <fedora-list at redhat.com>
Sent: Tuesday, November 08, 2005 1:12 AM
Subject: Re: Linux worm crawls the web, what to do to protect our systems


> On Tue, 2005-11-08 at 11:30 +0800, List wrote:
>
> >
> > Will it help if i firewalled off port 7111 and 7222?
> >
> > regards
> >
>
> Maybe.
> Depends upon how sophisticated it is.
>

I run FC3 and PHPNuke and I have been probed as well.  The best solution I
have found is to install something called mod_security for apache.  Here's a
link:

http://www.modsecurity.org/

The directions are really simple to follow and it works like a charm once
you install a decent configuration file.  I searched the web and pieced
together something that seems to work well.  I've included it below:

-----------------
<IfModule mod_security.c>
        # Turn the filtering engine On or Off
        SecFilterEngine On

        # Make sure that URL encoding is valid
        SecFilterCheckURLEncoding On

        # Unicode encoding check
        SecFilterCheckUnicodeEncoding On

        # Only allow bytes from this range
        SecFilterForceByteRange 0 255

        # Only log suspicious requests
        SecAuditEngine RelevantOnly

        # The name of the audit log file
        SecAuditLog logs/audit_log
        # Debug level set to a minimum
        SecFilterDebugLog logs/modsec_debug_log
        SecFilterDebugLevel 0

        # Should mod_security inspect POST payloads
        SecFilterScanPOST On

        # By default log and deny suspicious requests
        # with HTTP status 500
        SecFilterDefaultAction "deny,log,status:500"

        # Specific filters
        SecFilter /bin/sh
        SecFilter /bin/bash
        SecFilter /bin/tcsh
        SecFilter /bin/csh
        SecFilter /var/spool
        SecFilter /dev/shm
        SecFilter /var/tmp
        SecFilter /bin/ps
        SecFilter /usr/local/flash
        SecFilter udp.pl
        SecFilter r0nin
        SecFilter pbsync
        SecFilter bindz
        SecFilter inetd
        SecFilter psybnc
        SecFilter PhiLaR.pl
        SecFilter php-shell.php
        SecFilter phpshell.php
        SecFilter dc.pl
        SecFilter elflbl
        SecFilter zregbot
        SecFilter irclordz
        SecFilter dalnet

        # Detect attempts to execute binaries residing in /bin
        SecFilterSelective ARGS "/bin/"
        SecFilterSelective ARGS "/usr/bin/"

        ## PHPBB Vulnerability
        SecFilter "viewtopic\.php\?" chain
        SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
        SecFilter "admin_styles.php\?" chain
        SecFilter "\$_GET"

        # WEB-PHP Mail Exploit
        SecFilterSelective THE_REQUEST "data/album\.php" deny,log
        SecFilter "b77ybvFuiTAy" deny,log

        # CPANEL Guestbook
        #SecFilter "admin\.php\?action.*uid=1([^0-9]|$)"

        # Require HTTP_USER_AGENT and HTTP_HOST in all requests
        #SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

        # WEB-ATTACKS /usr/bin/gcc command attempt
        SecFilterSelective THE_REQUEST "/usr/bin/gcc"

        # Very crude filters to prevent SQL injection attacks
        SecFilter "delete[[:space:]]+from"
        SecFilter "insert[[:space:]]+into"

        # Require Content-Length to be provided with
        # every POST request (both rules of the chain are disabled together;
        # leaving the "chain" parent active with its child commented out
        # would leave a dangling chain)
        #SecFilterSelective REQUEST_METHOD "^POST$" chain
        #SecFilterSelective HTTP_Content-Length "^$"

        # Don't accept transfer encodings we know we don't handle
        # (and you don't need it anyway)
        SecFilterSelective HTTP_Transfer-Encoding "!^$"

        # Protecting from XSS attacks through the PHP session cookie
        SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
        SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

        # Block various methods of downloading files to a server
        SecFilterSelective THE_REQUEST "wget"
        SecFilterSelective THE_REQUEST "lynx"
        SecFilterSelective THE_REQUEST "scp"
        SecFilterSelective THE_REQUEST "cvs"
        SecFilterSelective THE_REQUEST "rcp "
        SecFilterSelective THE_REQUEST "telnet"
        SecFilterSelective THE_REQUEST "echo"
        SecFilterSelective THE_REQUEST "links -dump"
        SecFilterSelective THE_REQUEST "links -dump-charset"
        SecFilterSelective THE_REQUEST "links -dump-width"
        SecFilterSelective THE_REQUEST "links http://"
        SecFilterSelective THE_REQUEST "links ftp://"
        SecFilterSelective THE_REQUEST "links -source"
        SecFilterSelective THE_REQUEST "mkdir"
        SecFilterSelective THE_REQUEST "cd /tmp"
        SecFilterSelective THE_REQUEST "cd /var/tmp"
        SecFilterSelective THE_REQUEST "cd /var/netenberg"
        SecFilterSelective THE_REQUEST "uname -a"
        SecFilterSelective THE_REQUEST "\.htgroup"
        SecFilterSelective THE_REQUEST "\.htaccess"

        # WEB-CLIENT Javascript URL host spoofing attempt
        SecFilter "javascript\://"

        # WEB-MISC cross site scripting \(img src=javascript\) attempt
        SecFilter "img src=javascript"

        # WEB-MISC cd..
        SecFilterSelective THE_REQUEST "cd\.\."

        # WEB-MISC ///cgi-bin access
        SecFilterSelective THE_REQUEST "///cgi-bin"

        # WEB-MISC /cgi-bin/// access
        SecFilterSelective THE_REQUEST "/cgi-bin///"

        # WEB-MISC /~root access
        SecFilterSelective THE_REQUEST "/~root"

        # WEB-MISC /~ftp access
        SecFilterSelective THE_REQUEST "/~ftp"

        # WEB-MISC htgrep attempt
        SecFilterSelective THE_REQUEST "/htgrep" chain
        SecFilter "hdr=/"

        # WEB-MISC htgrep access
        SecFilterSelective THE_REQUEST "/htgrep" log,pass

        # WEB-MISC .history access
        SecFilterSelective THE_REQUEST "/\.history"

        # WEB-MISC .bash_history access
        SecFilterSelective THE_REQUEST "/\.bash_history"

        # WEB-PHP PHP-Wiki cross site scripting attempt
        SecFilterSelective THE_REQUEST "<script"

        # WEB-PHP strings overflow
        SecFilterSelective THE_REQUEST "\?STRENGUR"

        # WEB-PHP PHPLIB remote command attempt
        SecFilter "_PHPLIB\[libdir\]"

</IfModule>
-----------------

Put this in a file called modsecurity.conf in /etc/httpd/conf.d and a stock
FC3 apache installation will load it automatically.  To install the package,
all you need to do is download the source and untar/gunzip the files, change
to the apache2 directory and execute this as root:

apxs -cia mod_security.c

This will not only build the DSO but also add the appropriate line to your
existing httpd.conf file without disturbing any other custom settings.  Even
so, a httpd.conf.bak is created just in case.  Restart httpd and you're
ready to go!  The new log file audit_log in /var/log/httpd will show you
what is being blocked.

Another aspect of this attack is that it tries to use the /tmp directory to
launch programs.  You can go the extra step to mount that directory without
execute permissions if you want to be even more secure.  That will stop
anyone from executing anything even if they get by mod_security.

I hope this helps.


Tom
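Added example, not part of the thread above and not code from the mod_security project: a dry run of a handful of the posted SecFilter patterns against constructed request lines. It models a SecFilter the way mod_security 1.x applies it (an unanchored, case-insensitive regular expression over the URL-decoded request; that modelling, the rule names and the sample requests are all assumptions made here) and shows two things the config alone does not: that `[[:space:]]+` still catches tab-separated SQL keywords, and that bare substring filters such as "wget", "echo" and "scp" will also block ordinary pages and searches whose paths happen to contain those words.

```python
import re
from urllib.parse import unquote_plus

# A subset of the SecFilter patterns from the posted config. mod_security 1.x
# applies each as an unanchored, case-insensitive regular expression to the
# normalised request. [[:space:]] is a POSIX class that Python's re lacks,
# so it is translated to \s when the rules are compiled.
RULES = [
    ("bin-sh",     r"/bin/sh"),
    ("sql-delete", r"delete[[:space:]]+from"),
    ("sql-insert", r"insert[[:space:]]+into"),
    ("wget",       r"wget"),
    ("scp",        r"scp"),
    ("echo",       r"echo"),
    ("cd-tmp",     r"cd /tmp"),
    ("script",     r"<script"),
]


def compile_rules(rules):
    """Compile the POSIX-style patterns into Python regexes."""
    return [(name, re.compile(pat.replace("[[:space:]]", r"\s"), re.IGNORECASE))
            for name, pat in rules]


def normalise(request_line):
    """Approximation (assumption) of mod_security's request normalisation:
    URL-decode the request line so %2F, %09 and '+' cannot hide a pattern."""
    return unquote_plus(request_line)


def match_rules(request_line, compiled):
    """Names of every filter that would fire on this request line."""
    text = normalise(request_line)
    return [name for name, rx in compiled if rx.search(text)]


# Constructed sample request lines (not captured traffic).
SAMPLES = {
    # the kind of request the filters are meant to stop: a shell path in a query
    "suspicious":   "GET /index.php?p=%2Fbin%2Fsh HTTP/1.1",
    # legitimate traffic that still trips the bare substring filters
    "forum-search": "GET /search.php?q=wget+tutorial HTTP/1.1",
    "docs-page":    "GET /docs/echo-server-setup.html HTTP/1.1",
    "transcript":   "GET /notes/scp-vs-rsync HTTP/1.1",
    # a tab between the SQL keywords still satisfies [[:space:]]+
    "sql-tabs":     "POST /cart.php?act=delete%09from%20cart HTTP/1.1",
    "clean":        "GET /index.php?page=news HTTP/1.1",
}


def report(samples=SAMPLES):
    """Map each sample label to the list of filters that would block it."""
    compiled = compile_rules(RULES)
    return {label: match_rules(line, compiled) for label, line in samples.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        verdict = "BLOCK " + ",".join(hits) if hits else "pass"
        print(f"{label:14s} -> {verdict}")
```

Running it shows "forum-search", "docs-page" and "transcript" blocked alongside the genuinely suspicious request, which is the argument for anchoring the download-tool filters to argument boundaries (or scoping them to ARGS rather than THE_REQUEST) before putting the list in front of a site with real users, and for reading audit_log for a few days with SecFilterDefaultAction set to log-only before switching to deny.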
