Apache Lounge
Topic: modsecurity precaution to php warning

Author: blasto
Joined: 21 Mar 2006
Posts: 3

Posted: Tue 21 Mar '06 14:16    Post subject: modsecurity precaution to php warning
Hi, first of all this lounge seems to be pretty neat and good looking.
Here is my question: I've been running a Mambo site (XP + Apache + PHP + MySQL + Mambo) for a while without any problems. As the site became more popular I installed the modsecurity module to increase security. I'm using it with the bundled rules, and nowadays I'm reading some PHP warning messages in Apache's error.log, like:
 
 [client 195.140.135.146] PHP Warning:  main(http://ess.trix.net/therules.dat): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden\r\n in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
 [client 195.140.135.146] PHP Warning:  main(): Failed opening 'http://ess.trix.net/therules.dat' for inclusion (include_path='.;c:\\php4\\pear') in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
 
 [client 200.67.229.226] PHP Warning:  main(?/includes/HTML_toolbar.php): failed to open stream: No such file or directory in \\www\\contenttab.php on line 13
 [client 200.67.229.226] PHP Fatal error:  main(): Failed opening required '?/includes/HTML_toolbar.php' (include_path='.;c:\\php4\\pear') in \\www\\contenttab.php on line 13
 
How should I define new modsecurity rules to match these patterns and deny them before PHP gives warnings and fatal errors? Thanks.
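An added example, not part of the thread: a small Python parser for error.log lines of the shape quoted above. It separates includes whose path was a remote URL from local misses, keyed by client IP, and lists the hosts PHP was made to fetch from. The regexes are my own and assume PHP 4's `main()` warning format shown in the post; the sample lines are the four from the post.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: the four error.log lines quoted in the post (raw strings
# keep the literal \r\n and \\php4\\pear exactly as PHP wrote them).
SAMPLE = [
    r"[client 195.140.135.146] PHP Warning:  main(http://ess.trix.net/therules.dat): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden\r\n in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13",
    r"[client 195.140.135.146] PHP Warning:  main(): Failed opening 'http://ess.trix.net/therules.dat' for inclusion (include_path='.;c:\\php4\\pear') in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13",
    r"[client 200.67.229.226] PHP Warning:  main(?/includes/HTML_toolbar.php): failed to open stream: No such file or directory in \\www\\contenttab.php on line 13",
    r"[client 200.67.229.226] PHP Fatal error:  main(): Failed opening required '?/includes/HTML_toolbar.php' (include_path='.;c:\\php4\\pear') in \\www\\contenttab.php on line 13",
]
# PHP 4 reports a failed include as main(<path>) or as
# main(): Failed opening [required] '<path>'; capture both shapes.
LOG_RE = re.compile(
    r"\[client (?P<client>[0-9.]+)\] PHP (?P<level>Warning|Fatal error):\s+"
    r"main\((?:(?P<t1>[^)]+)\)|\): Failed opening (?:required )?'(?P<t2>[^']+)')"
)
# An include path that starts with a URL scheme is a remote file inclusion.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def parse_include_failure(line):
    """Return {'client', 'level', 'target'} for a PHP include failure, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"client": m.group("client"), "level": m.group("level"),
            "target": m.group("t1") or m.group("t2")}

def classify(target):
    """remote_include: the path was a URL (note the 'in http://...' suffix in the
    post's lines: the remote file was fetched and run); local_miss: a path
    like '?/includes/...' that stayed local and did not exist."""
    if REMOTE_RE.match(target):
        return "remote_include"
    if target.startswith("?/"):
        return "local_miss"
    return "other"

def summarize(lines):
    """Count (client IP, class) pairs over a batch of error.log lines."""
    counts = Counter()
    for rec in filter(None, map(parse_include_failure, lines)):
        counts[(rec["client"], classify(rec["target"]))] += 1
    return counts

def remote_hosts(lines):
    """Hosts PHP was made to fetch from: candidates for egress blocks and abuse reports."""
    return {urlparse(rec["target"]).hostname
            for rec in filter(None, map(parse_include_failure, lines))
            if classify(rec["target"]) == "remote_include"}
```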
Author: James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg

Posted: Tue 21 Mar '06 15:50
I don't know how the config from mod_security is, but to fight the symptoms:
in your php.ini you can turn off the displaying of errors caused by PHP

display_errors = off

For your security, log the errors:

log_errors = On
error_log = C:\logs\myphperror.log

This prevents PHP from sending errors.

Second idea is to change the ErrorDocuments from Apache:

ErrorDocument 401 /thefive/index.php
ErrorDocument 403 /thefive/index.php
ErrorDocument 404 /thefive/index.php

How does the config of mod_security look?
Author: blasto
Joined: 21 Mar 2006
Posts: 3

Posted: Tue 21 Mar '06 16:21
Hi, those warning and error messages are already from the Apache error.log file; nothing is printed out to the browser. The log indicates that these are attacks, carried out by some bot or someone; I'm asking how to prevent these attacks with modsecurity... BTW those URLs (dustaush.com, ess.trix.net) do not belong to me, I guess they are what is called cross sites, hosting some kind of compromised code to redirect attacks. Below is my modsecurity config, which catches most of the similar type of cross-site attacks.
Thanks...
 
 <IfModule mod_security.c>
 # Turn ModSecurity On
 SecFilterEngine On
 SecFilterScanPOST On
 SecFilterCheckURLEncoding On
 SecFilterCheckUnicodeEncoding Off
 # Accept almost all byte values
 SecFilterForceByteRange 1 255
 #SecUploadDir logs
 #SecUploadKeepFiles Off
 # Only record the interesting stuff
 SecAuditEngine RelevantOnly
 SecAuditLog c:/inet/logs/security.log
 
 ## -- Common attacks --------------------
 SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
 #Web Proxy GET Request
 SecFilter "^GET (http|https|ftp)\:/"
 #Web Proxy HEAD Request
 SecFilter "^HEAD (http|https|ftp)\:/"
 #Proxy POST Request
 SecFilter "^POST (http|https|ftp)\:/"
 #Proxy CONNECT Request
 SecFilterSelective THE_REQUEST "^CONNECT "
 # Only accept request encodings we know how to handle.
 SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
 SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
 # Do not accept GET or HEAD requests with bodies
 SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
 SecFilterSelective HTTP_Content-Length "!^$"
 # Restrict which request methods can be used
 SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
 # Restrict protocol versions.
 SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
 # Require Content-Length to be provided with every POST request.
 SecFilterSelective REQUEST_METHOD "^POST$" chain
 SecFilterSelective HTTP_Content-Length "^$"
 # Don't accept transfer encodings we know we don't know how to handle
 SecFilterSelective HTTP_Transfer-Encoding "!^$"
 
 ## -- PHP attacks --------------------
 SecFilterSignatureAction "log,deny,msg:'PHP attack'"
 # Possible code execution attack (targets valid PHP streams constructs)
 SecFilterSelective ARGS_NAMES "^php:/"
 #phpBB attack
 SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
 
 ## -- SQL Injection Attacks --------------------
 SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
 # Generic
 SecFilterSelective ARGS "delete[[:space:]]+from"
 SecFilterSelective ARGS "drop[[:space:]]+database"
 SecFilterSelective ARGS "drop[[:space:]]+table"
 SecFilterSelective ARGS "drop[[:space:]]+column"
 SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
 SecFilterSelective ARGS "update.+set.+="
 SecFilterSelective ARGS "insert[[:space:]]+into.+values"
 SecFilterSelective ARGS "select.+from"
 SecFilterSelective ARGS "bulk[[:space:]]+insert"
 SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]*1"
 SecFilterSelective ARGS "alter[[:space:]]+table"
 SecFilterSelective ARGS "or 1=1--'"
 SecFilterSelective ARGS "'.+--"
 
 # MySQL
 SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
 SecFilterSelective ARGS "/\*.+\*/"
 
 ## -- Command execution --------------------
 SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
 SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
 SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
 SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
 #Common windows extensions that could be bad, comment out what you can use
 SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.inf|\.mdb|\.mde|\.msi|\.reg|\.scr)"
 </IfModule>