litespeed hacked?

[robfrew]

It looks like I cannot get into any secure (https) areas of any website running the patched RC2. That is why I cannot get into the control panel because it resides on a secure setup. I had to load the original RC2 to get my secure sites to work again.

[robfrew]

Any updates or fixes for this yet?

[mistwang]

Have updated RC2 to address the https issue.
which edition are you using? i386 or x86_64? want to address the issue with 4.1RC3

[robfrew]

Quote:

Originally Posted by mistwang

Have updated RC2 to address the https issue.
which edition are you using? i386 or x86_64? want to address the issue with 4.1RC3

We are using x86_64.

[robfrew]

Quote:

Originally Posted by mistwang

Have updated RC2 to address the https issue.
which edition are you using? i386 or x86_64? want to address the issue with 4.1RC3

Looking forward to RC3.

[luky]

This filter do not work for 4.0.10

Quote:

GET /index.php
2010-07-21 01:38:07.676 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Find context with URI: [/], location: [/home/www/domains/MY-DOMAIN.com/html/]
2010-07-21 01:38:07.676 [DEBUG] [HTAccess] Updating configuration file [/home/www/domains/MY-DOMAIN.com/html/.htaccess]
2010-07-21 01:38:07.676 [INFO] [HTAccess] Updating configuration from [/home/www/domains/MY-DOMAIN.com/html/.htaccess]
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Find .htaccess context with URI: [/], location: [/home/www/domains/MY-DOMAIN.com/html/]
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] processContextPath() return 0
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] no request variables, skip ruleset: XSS attack
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] no request variables, skip ruleset: SQL Injection attack
2010-07-21 01:38:07.677 [INFO] [184.193.59.46:59568-0#MY-DOMAIN.com] [SECURITY] match [REQUEST_URI] against pattern [\x00], result: 1
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] readyCacheData() return 0
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Written to client: 453
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] m_pHandler->onWrite() return 0
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpConnection::flush()!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpConnection::nextRequest()!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Non-KeepAlive, CLOSING!
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] processNewReq() return 0.
2010-07-21 01:38:07.677 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Shutting down out-bound socket ...
2010-07-21 01:38:07.792 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] HttpIOLink::handleEvents() events=17!
2010-07-21 01:38:07.792 [DEBUG] [184.193.59.46:59568-0#MY-DOMAIN.com] Close socket ...

screenshot from admin panel Request Filter
grab.by/grabs/6082dddb30bf07cfe7fb187fe2e721de.png

[NiteWave]

best to upgrade to 4.0.15

[luky]

I know, but it has turned out to force to work for me

Quote:

Action:log,deny,status:403

[J.T.]

Couple of questions regarding this.

1. How can we check whether the server may have already been compromised before upgrading or applying the mod sec rule?

2. If we don't log in to the LSWS admin UI we wouldn't know there's an update. Even if we did, it doesn't exactly highlight the update as urgent/crucial. Some updates recently were just for some control panel integration so I waited on those. It would be really handy if there was an RSS feed to monitor this type of news (without having to subscribe to every forum thread, then filter them). I don't see a feed on the news items, which would have been perfect. Can you please consider this point and let us know how best to be fed updates?