02-26-2009, 06:55 AM
|
|
Member
|
|
Join Date: Feb 2009
Posts: 10
|
|
mod_security RESPONSE_BODY
Hello,
I have a problem about mod_security RESPONSE_BODY rules;
Some mod_sec 2.x rules not working, for examlpe i have a rule set for blocking r57,c99 etc php shells;
Quote:
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(? ?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.:?:news remote php shell injection::\.| rhtools\b)|ph(? (??: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(???: microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
"phase:4,t:none,ctl:auditLogParts=+E,deny,log,audi tlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
|
This rule is working when i switched the apache, but on LS it is not working.
This rule have to return 404 error when someone run r57 shell script.
Can you help to improve security by using SecRule RESPONSE_BODY ?
|
Threaded Mode