On 29 Dec 2004, Andy Fewtrell wrote:

> I have not tested these methods but after discussing them with eth00, we
> both think it was better to post this to bugtraq in the hopes it may
> help other people prevent future attacks from new variations of this
> worm and help development of fixes to prevent future problems. While
> this worm currently uses perl it can be obviously re-written to avoid
> obvious mod_security (and other) rules. I could write proof of concept
> versions of the sanity worm but I feel it would be better to leave this
> out of the post.
>
> For those more interested in the mod_security rules:
>
> SecFilterSelective THE_REQUEST "wget "
> SecFilterSelective THE_REQUEST "perl "
> SecFilterSelective THE_REQUEST "lynx "
> SecFilterSelective THE_REQUEST "ftp "
> SecFilterSelective THE_REQUEST "scp "
> SecFilterSelective THE_REQUEST "rcp "
> SecFilterSelective THE_REQUEST "cvs "
> SecFilterSelective THE_REQUEST "telnet "
> SecFilterSelective THE_REQUEST "ssh "
> SecFilterSelective THE_REQUEST "echo "
> SecFilterSelective THE_REQUEST "nc "
> SecFilterSelective THE_REQUEST "mkdir "
> SecFilterSelective THE_REQUEST "cd /tmp"
> SecFilterSelective THE_REQUEST "cd /var/tmp"

Hi Andy,

I have a concern with these filters in that they may potentially catch
quite a few false positives.

In addition to the first one coming from modsecurity.org, I've added a
couple more:

SecFilterSelective ARG_highlight %27
SecFilterSelective ARG_highlight %2527
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"
SecFilter "'"

Source: http://castlecops.com/article-5642-nested-0-0.html

Your filters I see as good for those who are ultra paranoid, because they
are looking at THE_REQUEST, and if say "wget " is found in it, it'll be
406'd.

THE_REQUEST: http://modules.apache.org/doc/Intro_API_Prog.html

"the_request - string which just contains the first line of the request.
(e.g. "GET /index.html HTTP/1.0")"

If that is correct, then filtering on those custom keywords can indeed
spawn some false positives.

The biggest issues as I see it are the use of ' and/or :/ in the_request.
Unless a website is doing redirects, aka:

http://example.com/redirect.jsp?http://example.net/index.html

then I don't see a real need to include the ":/" (or "://"). The other
aspect to it is the tick mark "'", such an integral component to SQL
injections, or even escaping shell commands.

Using the mod_security filter I provided above, it has stopped over
300,000 attacks in a 55 hour period. I've provided some examples, with
some analysis of what other alternatives can be used. But the big one I
think is the mod_security filters.

--
Regards,
Paul Laudanski - Computer Cops, LLC.
CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
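As an added illustration (not part of the original thread and not mod_security's own engine), the following Python script models how the rules quoted above would match a handful of constructed request lines. It makes two simplifying assumptions: THE_REQUEST and SecFilter rules see the request line after one round of URL decoding (mod_security 1.x normalises input this way by default), and the ARG_highlight rules see the once-decoded value of the highlight= parameter. The sample request lines are constructed, not captured traffic; they show the false positives discussed in the reply (a URI ending in "wget" or "echo", a redirect URL carrying ":/", a name containing an apostrophe) next to a double-encoded highlight value that the ARG_highlight rule is meant to catch.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Andy's THE_REQUEST keyword rules, as quoted in the thread above.
THE_REQUEST_PATTERNS = [
    "wget ", "perl ", "lynx ", "ftp ", "scp ", "rcp ", "cvs ", "telnet ",
    "ssh ", "echo ", "nc ", "mkdir ", "cd /tmp", "cd /var/tmp",
]
# Paul's ARG_highlight rules (matched against the decoded highlight= value).
ARG_HIGHLIGHT_PATTERNS = ["%27", "%2527"]
# Paul's plain SecFilter rules (matched against the normalised request line).
SECFILTER_PATTERNS = [r"visualcoders\.net/spy\.gif\?\&cmd", ":/", "'"]


def evaluate(request_line):
    """Return the (variable, pattern) pairs that fire on one request line.

    Assumption (a simplified model, not mod_security's real matching):
      - THE_REQUEST and SecFilter rules are applied to the request line after
        one round of URL decoding.
      - ARG_highlight rules are applied to the once-decoded highlight= value.
    """
    hits = []
    normalised = unquote(request_line)

    for pat in THE_REQUEST_PATTERNS:
        if re.search(pat, normalised):
            hits.append(("THE_REQUEST", pat))

    # Request line is "METHOD URI VERSION"; pull the query string out of the URI.
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    query = urlsplit(uri).query
    for value in parse_qs(query).get("highlight", []):   # parse_qs decodes once
        for pat in ARG_HIGHLIGHT_PATTERNS:
            if re.search(pat, value):
                hits.append(("ARG_highlight", pat))

    for pat in SECFILTER_PATTERNS:
        if re.search(pat, normalised):
            hits.append(("SecFilter", pat))
    return hits


def would_block(request_line):
    """True if any rule fires, i.e. the request would get the 406 treatment."""
    return bool(evaluate(request_line))


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /index.html HTTP/1.0",                                  # benign, nothing fires
    "GET /search.php?q=wget HTTP/1.0",                           # benign, but "wget " fires
    "GET /tools/echo HTTP/1.1",                                  # benign, but "echo " fires
    "GET /redirect.jsp?http://example.net/index.html HTTP/1.0",  # Paul's redirect case: ":/" fires
    "GET /page.php?name=O%27Brien HTTP/1.0",                     # apostrophe in a name: "'" fires
    "GET /viewtopic.php?t=1&highlight=%2527foo%2527 HTTP/1.0",   # double-encoded quote: ARG_highlight fires
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}\n  -> {evaluate(line) or 'no rule fired'}")
```

Running the script shows the point made in the reply: because THE_REQUEST is the raw first line, any URI that happens to end in a listed word is followed by the space before "HTTP/1.x" and trips the keyword rule, while the ":/" and "'" SecFilter rules fire on ordinary redirect parameters and apostrophes.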