

POST Attack




Posted by mali, 12-28-2011, 03:30 AM
Hi, we are getting a POST attack on cPanel:

- - [28/Dec/2011:02:26:22 -0500] "GET /.sys.php?getexe=gmailreg.7.exe HTTP/1.1" 500 7520 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- - [28/Dec/2011:02:26:23 -0500] "POST /.sys.php?action=fbgen&v=1 HTTP/1.1" 500 7520 "-" "Mozilla/4.1 (compatible; MSIE 7.1; na; )"
- - [28/Dec/2011:02:26:23 -0500] "GET /.sys.php?getexe=sonetreg.5.exe HTTP/1.1" 500 7520 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- - [28/Dec/2011:02:26:31 -0500] "GET /.sys.php?getexe=bloggerrename.4.exe HTTP/1.1" 500 7520 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- - [28/Dec/2011:02:26:31 -0500] "GET /.sys.php?getexe=fcreg.6.exe HTTP/1.1" 500 7520 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- - [28/Dec/2011:02:26:31 -0500] "GET /.sys.php?getexe=imgparser.4.exe HTTP/1.1" 500 7520 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- - [28/Dec/2011:02:26:31 -0500] "GET /.sys.php?getexe=tumlike.2.exe HTTP/1.1" 500 7520 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- - [28/Dec/2011:02:26:33 -0500] "POST /.sys.php?action=chkgen&v=1 HTTP/1.1" 500 7520 "-" "http"
- - [28/Dec/2011:02:26:36 -0500] "POST /.sys.php?action=fbgen&v=16 HTTP/1.1" 500 7520 "-" "http"
- - [28/Dec/2011:02:26:42 -0500] "POST /.sys.php?action=fbgen&v=16 HTTP/1.1" 500 7520 "-" "http"

Is there any way we can block it?
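Before choosing a blocking method it helps to pull the offending requests out of the access log and count them per source address. The script below is an added example written for this thread, not code from the original post or from cPanel; it parses Apache "combined" log lines and flags the two request shapes visible above (a hidden script /.sys.php, and the getexe=...exe / action=fbgen|chkgen query arguments). The log lines it runs on are constructed for the example (the real post has the client addresses stripped), and the function names are mine.

```python
import re
from collections import Counter

# Apache "combined" log format:
# IP ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Request shapes taken from the thread: the hidden script itself, and the
# query arguments it is called with (getexe=<name>.exe, action=fbgen/chkgen).
SYS_PHP_PATH = re.compile(r'^/\.sys\.php(\?|$)')
SUSPICIOUS_QUERY = re.compile(r'(^|&)(getexe=[^&]*\.exe|action=(fbgen|chkgen))(&|$)')

# Constructed sample log (addresses are documentation ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Dec/2011:02:26:22 -0500] "GET /.sys.php?getexe=gmailreg.7.exe HTTP/1.1" 500 7520 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.10 - - [28/Dec/2011:02:26:23 -0500] "POST /.sys.php?action=fbgen&v=1 HTTP/1.1" 500 7520 "-" "Mozilla/4.1 (compatible; MSIE 7.1; na; )"',
    '198.51.100.7 - - [28/Dec/2011:02:26:33 -0500] "POST /.sys.php?action=chkgen&v=1 HTTP/1.1" 500 7520 "-" "http"',
    '198.51.100.7 - - [28/Dec/2011:02:27:01 -0500] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [28/Dec/2011:02:27:05 -0500] "GET /other.php?getexe=tool.exe HTTP/1.1" 404 300 "-" "curl/7.21"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_sys_php_probe(entry):
    """True if the request hits /.sys.php or carries the getexe/fbgen arguments
    on any path (so a renamed copy of the script is still caught)."""
    path = entry['path']
    if SYS_PHP_PATH.match(path):
        return True
    query = path.partition('?')[2]
    return bool(SUSPICIOUS_QUERY.search(query))


def offending_ips(lines, threshold=1):
    """Count matching requests per source IP; return {ip: count} at or above threshold."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_sys_php_probe(entry):
            counts[entry['ip']] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Typical use: python this_script.py < /usr/local/apache/domlogs/example.com
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for ip, n in sorted(offending_ips(source).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n}")
```

Two caveats for this thread in particular. When the domain is proxied through CloudFlare (as the poster later says it is), the address in the first column is CloudFlare's edge, not the attacker's, so an IP-based block built from these counts would hit the proxy; the real client address arrives in the CF-Connecting-IP header and needs mod_cloudflare or an equivalent to be logged. And the requests return 500 rather than 404, which means something on the server is handling /.sys.php; it is worth confirming whether that file actually exists in the domain's document root before treating this purely as inbound noise.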

Posted by RRWH, 12-28-2011, 04:10 AM
Have you installed and configured mod_security with some rules?

Posted by mali, 12-28-2011, 04:13 AM
We have installed mod_security on it but do not know how to configure it on cPanel. Can you please tell us how to do it? We want mod_security to apply to only one domain, like "test.com", to block these POST requests.

Posted by Infinitnet, 12-28-2011, 09:28 AM
The best ruleset for mod_security is the ASL one, in my opinion. You can find the install instructions here: http://www.atomicorp.com/wiki/index....ty_with_cpanel Then you will want to disable mod_security for all domains except the attacked one, or add the following in a .htaccess for each domain: But the easiest solution in your case would be to use CloudFlare for the domain being attacked.
Last edited by Infinitnet; 12-28-2011 at 09:31 AM.

Posted by mali, 12-28-2011, 03:20 PM
That domain is hosted on a CloudFlare free account, but the free account does not provide any WAF, and the POST requests are coming through the CloudFlare interface as it is a public-facing record. Right now we have no modsec_rules folder at /usr/local/apache/conf. We have to download these rules from www.atomicorp.com. We have installed the ConfigServer ModSecurity plugin.

root@server [/usr/local/apache/conf]# cat modsec2.conf
LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
SecRuleEngine On
# See http://www.modsecurity.org/documenta...ion-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"

root@server [/usr/local/apache/conf]# cat modsec2.user.conf
# ConfigServer ModSecurity whitelist file
Include /usr/local/apache/conf/modsec2.whitelist.conf

Posted by Ramprage, 12-28-2011, 08:36 PM
The above doesn't enable POST filtering. You need to add this to modsec2.conf:

# Should mod_security inspect POST payloads
SecRequestBodyAccess On
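Putting the thread's pieces together (mod_security rules scoped to one cPanel domain, body inspection switched on, and rules that match the exact request pattern from the first post), here is an added example configuration. It is not from the thread, from cPanel or from Atomicorp's ruleset. The domain, the cPanel user and the include path are assumptions: cPanel picks up per-domain Apache directives from a userdata include directory, and the version subdirectory ("2_2" below) depends on the Apache build, so check the layout on your server.

```apache
# Added example (not from the thread). Assumed location: a per-vhost include for
# the attacked domain, e.g.
#   /usr/local/apache/conf/userdata/std/2_2/USER/example.com/modsec.conf
# After creating it, run /scripts/ensure_vhost_includes --user=USER so cPanel
# writes the Include line into that domain's <VirtualHost>.
<IfModule mod_security2.c>
    # Engine and POST-body inspection for this vhost only; other vhosts keep
    # whatever the global modsec2.conf sets. Start with DetectionOnly and read
    # logs/modsec_audit.log before switching to On.
    SecRuleEngine On
    SecRequestBodyAccess On

    # 1. Any request for the hidden script, whatever the method or query string.
    SecRule REQUEST_FILENAME "@endsWith /.sys.php" \
        "id:9000001,phase:1,deny,log,status:403,msg:'Blocked .sys.php request'"

    # 2. The query-string shape seen in the access log, on any path, so a renamed
    #    copy of the script is still caught. Phase 1 runs on the request line and
    #    headers, i.e. before the POST body is read, so this stops the POSTs too.
    SecRule QUERY_STRING "(?i)(^|&)(getexe=[^&]*\.exe|action=(fbgen|chkgen))(&|$)" \
        "id:9000002,phase:1,deny,log,status:403,msg:'Blocked getexe/fbgen probe'"

    # 3. The same argument names sent in a POST body instead of the query string.
    #    This is the rule that actually needs SecRequestBodyAccess On.
    SecRule ARGS_POST_NAMES "^(getexe|action)$" \
        "id:9000003,phase:2,deny,log,status:403,msg:'Blocked getexe/fbgen in POST body'"
</IfModule>
```

Two points on the design. The rules match the request itself rather than REMOTE_ADDR, which matters here because the domain is proxied through CloudFlare and the address Apache sees is CloudFlare's edge, so a source-IP rule would block the proxy rather than the attacker. And each rule carries its own status:403 instead of relying on the global SecDefaultAction (status:406 in the posted modsec2.conf), so the per-domain behaviour does not change if the global default is edited later.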


