Bugtraq mailing list archives
Re: Sanity Worm Concepts
From: Paul Laudanski <zx () castlecops com>
Date: Wed, 29 Dec 2004 20:03:42 -0500 (EST)
On 29 Dec 2004, Andy Fewtrell wrote:
I have not tested these methods but after discussing them with eth00, we both think it was better to post this to bugtraq in the hopes it may help other people prevent future attacks from new variations of this worm and help development of fixes to prevent future problems. While this worm currently uses perl it can obviously be re-written to avoid obvious mod_security (and other) rules. I could write proof of concept versions of the sanity worm but I feel it would be better to leave this out of the post.

For those more interested in the mod_security rules:

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "nc "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"
Hi Andy,

I have a concern with these filters in that they may potentially catch quite a few false positives. In addition to the first one coming from modsecurity.org, I've added a couple more:

SecFilterSelective ARG_highlight %27
SecFilterSelective ARG_highlight %2527
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"
SecFilter "'"

Source: http://castlecops.com/article-5642-nested-0-0.html

Your filters I see as good for those who are ultra paranoid, because they are looking at THE_REQUEST, and if say "wget " is found in it, it'll be 406'd.

THE_REQUEST: http://modules.apache.org/doc/Intro_API_Prog.html
"the_request - string which just contains the first line of the request. (e.g. "GET /index.html HTTP/1.0")"

If that is correct, then filtering on those custom keywords can indeed spawn some false positives.

The biggest issues as I see it are the use of ' and/or :/ in the_request. Unless a website is doing redirects, aka:

http://example.com/redirect.jsp?http://example.net/index.html

then I don't see a real need to include the ":/" (or "://"). The other aspect to it is the tick mark "'", such an integral component to SQL injections, or even escaping shell commands.

The mod_security filter I provided above has stopped over 300,000 attacks in a 55 hour period.

I've provided some examples, with some analysis of what other alternatives can be used. But the big one I think is the mod_security filters.

--
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
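The false-positive concern raised above, as an added Python example that is not part of this thread: it emulates the plain substring semantics of the THE_REQUEST keyword rules and the intent of the ARG_highlight tick-mark rules against constructed request lines. The repeated URL decoding of the highlight argument is an assumption about how mod_security normalises arguments, not a statement of its exact behaviour.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Subset of the THE_REQUEST keyword rules from Andy's post (literal substrings).
THE_REQUEST_KEYWORDS = ["wget ", "perl ", "lynx ", "echo ", "nc ", "cd /tmp"]


def the_request_hits(request_line):
    """Emulate SecFilterSelective THE_REQUEST "<kw>": a plain substring test on
    the first line of the request, e.g. 'GET /index.html HTTP/1.0'.
    Because the request line ends in ' HTTP/1.x', any path ending in a keyword
    (…/wget, …/sync) matches the keyword-plus-space pattern."""
    return [kw for kw in THE_REQUEST_KEYWORDS if kw in request_line]


def highlight_tick_hit(request_line):
    """Emulate the intent of the ARG_highlight %27 / %2527 rules: look at the
    highlight argument after one and two rounds of URL decoding (assumption:
    two rounds cover the double-encoded %2527 form) and report a tick mark."""
    target = request_line.split(" ")[1]
    args = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in args.get("highlight", []):  # parse_qs decoded once already
        if "'" in value or "'" in unquote(value):
            return True
    return False


# Constructed request lines: three benign, two carrying an encoded tick mark.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /docs/wget HTTP/1.1",
    "GET /sync HTTP/1.1",
    "GET /viewtopic.php?t=1&highlight=%27 HTTP/1.0",
    "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.0",
]


def classify(request_line):
    """Return which emulated rule set would have 406'd this request line."""
    return {
        "the_request": the_request_hits(request_line),
        "highlight_tick": highlight_tick_hit(request_line),
    }


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", classify(line))
```

The two benign paths are blocked only by the keyword rules, while the encoded tick marks are caught only by the argument rules, which is the trade-off Paul describes.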
Current thread:
- Sanity Worm Concepts Andy Fewtrell (Dec 29)
- Re: Sanity Worm Concepts Paul Laudanski (Dec 30)