PaulDotCom mailing list archives

DoS by Mod Security and a simple string?


From: Adrian Crenshaw <irongeek () irongeek com>
Date: Wed, 19 Sep 2012 14:16:10 -0400

Hi all,
   Not sure how many sites this would even affect. I found a site that uses
Mod_Security, with this as one of the rules:


SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.|rhtools\b)|ph(?:p(?:(?:commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole|shell)|c99shell)\b|aventgrup\.<br>))" \
    "phase:4,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'10000001',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"


It seems to be from:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_45_trojans.conf

The issue is, if some content is served up that has something like c99shell
or /c99shell/ (or any string as far as I can tell that has c99shell and
does not have an alphanumeric concatenated on each end) in it, the page
will return a 404. This becomes a denial of service issue if this rule is
used on a site that takes user submitted content, and the user types in
c99shell. Imagine typing this in the title of a forum post and having the
forum start to 404 threads/sub forums. I'm not sure how widespread this
rule is, and I have yet to find a forum to test on, but I can show you two
sites that must be using the rule (or one close to it) because they will
404 if you put /c99shell/ in your user agent string:

http://www.thismachine.info/
http://www.irongeek.com/browserinfo.php

Anyone know how widespread the rule is, and a forum or blog with comments
I can test on? I know Dreamhost seems to use this rule in at least some of
its shared environments.

Thanks,
Adrian
http://www.irongeek.com
-- 
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset
Maugham
"The ability to Google can be a serviceable substitute for technical
knowledge." ~ Adrian D. Crenshaw
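The following is an added example, not part of Adrian's post or of the OWASP CRS project. It takes the RESPONSE_BODY regex from the quoted SecRule (joined back into one line; the mail client wrapped it), compiles it with Python's re module, and runs it over constructed stand-ins for the two response types the post describes: a forum page that echoes a user-chosen thread title, and a page that echoes the User-Agent header. The page templates, the helper names and the sample titles are assumptions made for the demonstration; the rule's "deny,status:404" action is modelled as a returned status code. It shows why the \b anchors around c99shell let "/c99shell/" and a bare "c99shell" in a title trip the rule while "xc99shellx" does not, and why output escaping offers no protection here, since the trigger is plain text.

```python
import re

# The RESPONSE_BODY regex exactly as posted, with the mail-client line wraps
# removed. Python's re accepts this PCRE syntax unchanged, including the lazy
# bounded quantifiers such as .{,10}?.
TROJAN_RESPONSE_RE = re.compile(
    r"(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b"
    r"|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b"
    r"|\.::(?:news remote php shell injection::\.|rhtools\b)"
    r"|ph(?:p(?:(?:commander|-terminal)\b|remoteview)|vayv)|myshell)"
    r"|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-"
    r".{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\."
    r"|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole|shell)"
    r"|c99shell)\b|aventgrup\.<br>))"
)


def rule_fires(response_body: str) -> bool:
    """True if the phase-4 rule would match this response body.

    The rule as posted carries no t:lowercase and no (?i), so the match is
    case-sensitive; we keep that behaviour rather than assume otherwise.
    """
    return TROJAN_RESPONSE_RE.search(response_body) is not None


def simulated_status(response_body: str) -> int:
    """Status the client sees once the rule runs: 'deny,status:404' replaces
    whatever the application itself returned (assumed to be 200)."""
    return 404 if rule_fires(response_body) else 200


def render_forum_page(thread_title: str) -> str:
    """Constructed stand-in for a forum thread page that echoes a user-chosen
    title (hypothetical markup, not any real forum's output). Note there is
    nothing to HTML-escape in 'c99shell', so escaping does not help."""
    return (
        "<html><head><title>Forum - " + thread_title + "</title></head>"
        "<body><h1>" + thread_title + "</h1><p>first post</p></body></html>"
    )


def render_browserinfo_page(user_agent: str) -> str:
    """Constructed stand-in for a page that reflects the User-Agent header,
    the case the post reproduces with '/c99shell/' in the UA string."""
    return "<html><body><p>Your user agent: " + user_agent + "</p></body></html>"


def would_break_page(user_text: str) -> bool:
    """Pre-flight check a forum operator could run on a submission before
    storing it: would rendering this text make the page 404 under the rule?"""
    return rule_fires(render_forum_page(user_text))


if __name__ == "__main__":
    # Constructed sample inputs: titles a forum user might type, and UA strings.
    samples = [
        ("title", "c99shell"),                  # bare word: \b on both sides -> 404
        ("title", "Is c99shell still a thing?"),
        ("title", "xc99shellx"),                # letters on both ends: no \b -> 200
        ("title", "c99shell_archive"),          # '_' is a word char, so no \b -> 200
        ("title", "C99Shell"),                  # case-sensitive as posted -> 200
        ("ua", "/c99shell/"),                   # the probe used in the post -> 404
        ("ua", "Mozilla/5.0 (X11; Linux x86_64)"),
    ]
    for kind, text in samples:
        body = render_forum_page(text) if kind == "title" else render_browserinfo_page(text)
        print(f"{kind:5} {text!r:40} -> {simulated_status(body)}")
```

The User-Agent probe from the post can be reproduced against a live site with `curl -A '/c99shell/' -s -o /dev/null -w '%{http_code}\n' URL` on any page that reflects the header; a 404 where the same URL otherwise returns 200 is the signature of this rule (or one close to it).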




_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com