Mod_security isnt working : Joomla sites are getting hacked ?

Discussion in 'Install/Configuration' started by vivek, Apr 20, 2008.

  1. vivek

    vivek Well-Known Member


    I have a good set of Mod_security 1.9 rules. But when I swap the webserver, ie, when I run Apache , I will get lot of IP block mails from the firewall. From that, I can see the IP address as well as the domain name. But when I switch to litespeed, it is not working with mod security rules. and not reporting the errors in error_log file such that the CSF can read it.

    Recently one of my client's site which was a Joomla site, got hacked. I checked the account and found 10 copies of c99.php files as well as a file called sniper.php files. ClamAV antivirus found this as trojans.

    Why c99 and snipper codes worked with litespeed+modsec ? I am sure it will not work in the case of apache+modsec

    My question is , Why litespeed isnt processing modsec.conf ?
    I know the the old version of lsws worked with modsec, but why the new version isnt working with it?

    I am using enterprise version since 3+ months now.

    My server is handling around 300 http connections ( 500+ on peak time )
    I am sure litespeed isnt working with modesec+CSF because when I change to apache, I can see it apache is working fine with those set of rules.

  2. mistwang

    mistwang LiteSpeed Staff

    We need more specific information to investigate this.
    The Request URL and security rule that should work but not.
    We can try it on your server with mod_security log enabled.
  3. vivek

    vivek Well-Known Member

    PMed you the server login. Please check it.

  4. mistwang

    mistwang LiteSpeed Staff

    Please send me an example URL along with the mod_security rule that should block it. However, it has not been blocked in your server environment, and we can reliably reproduce it on your server, then I will start investigate.

    Without those information, I don't know where to start.
  5. vivek

    vivek Well-Known Member


    I just uploaded a c99 script to my account. I can see litespeed is not working with modsec in this case.

    I changed to apache and it blocked the script.

    PMing you the details.

  6. mistwang

    mistwang LiteSpeed Staff

    checking it now.
  7. mistwang

    mistwang LiteSpeed Staff

    OK, find a problem with handling "SecFilter" directive, the request URI has not been checked. Uploaded 3.3.11 release package, and it works properly now.

    If you find any other issue mod_security rules, please let us know.
  8. vivek

    vivek Well-Known Member

    Thank you
    I think there are also some other rules other than secFilter, which arent working. I will let you know when I get more info.

  9. vivek

    vivek Well-Known Member

    secFilter is not working again,

    Litespeed Web Server Enterprise v4.0b1 :
  10. anewday

    anewday Moderator

    Hope George didn't forget to apply all bugfixes (from 3.3 versions) to the beta, I'm waiting for beta2 to test it.
    Last edited: Apr 29, 2008
  11. vivek

    vivek Well-Known Member

    hey george
    any update on secFilter ??

Share This Page