Drupal – Remote Code Execution (SA-CORE-2018-004 / CVE-2018-7602) nicknamed Drupalgeddon 3

This vulnerability discovered Drupal security team one weeks ago, a highly critical (20/25 NIST rank), (SA-CORE-2018-004 / CVE-2018-7602) nicknamed Drupalgeddon 3. This vulnerability continues Drupalgeddon 2 and allow an unauthenticated attacker to perform remote code execution. An exploitation method was published a few days ago for this vulnerability which allows attacker in the server execute … Read more

Whitelist rule with LocationMatch

Tutorial

Sometimes you need disable ModSecurity rules in specific url or program, because it causes false positives. This tutorial we show how you can whitelist rule or rules with apache LocationMatch directive. LocationMatch examples WordPress admin <locationmatch “/wp-(admin|login)/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> phpmyadmin <locationmatch “/phpmyadmin/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> Depend your server configuration, like … Read more

Log POST data with ModSecurity

Tutorial

Sometimes you may need to log all POST requests to debug or make ModSecurity rules to protect Web Server. For this you need that you have ModSecurity installed on server. Log POST data This simple rule logging all POST request data to ModSecurity AuditLog. SecRule REQUEST_METHOD “POST” \ “id:800000,phase:2,t:none,pass,nolog,auditlog,msg:’Malware.Expert – Log POST data'” This cause … Read more

Ban with ModSecurity HTTP or HTTPS requests 404 Response code

Tutorial

This tutorial we want Ban with ModSecurity IP addresses for specific time with ModSecurity that causes multiple 404 errors on the web site. Ban with ModSecurity Depend you Apache/Nginx and PHP configuration, you may use phase:1 with rule 4000 & 4002. Also you need enable SecResponseBodyAccess On to ModSecurity configuration files. SecAction “phase:2,initcol:ip=%{REMOTE_ADDR},id:’4000′,pass,nolog” SecRule RESPONSE_STATUS … Read more

Install ModSecurity with Apache on Ubuntu 16.04 LTS

Tutorial

In this guide we will see how to install ModSecurity Web Application Firewall (WAF) to secure your apache web server. You need an Apache Web Server installed on your Ubuntu 16.04 LTS before you proceed with installation of ModSecurity WAF. Installing Apache To install Apache on your Ubuntu, issue following commands $ sudo apt-get update … Read more

Why choose Malware Expert Commercial ModSecurity Rules ?

ModSecurity

No matter how well a web server is configured, it is useless if it’s not properly secured. It’s a famous saying, ‘a chain is as strong as its weakest link’. As a system admin you have to address all vulnerabilities of your server. Since one single untreated vulnerability will be exploited by an attacker and … Read more

How SecRemoteRules working ?

Tutorial

ModSecurity SecRemoteRules directive allows the user to load rules from a remote server. Requirements Internet connection ModSecurity at least 2.9.x How SecRemoteRules Works 1. When HTTP daemon starts, it loads the configuration files. 2. Configuration files have the SecRemoteRules directive, which tries to connect the Remote Server load rules. 3. When the connection is created … Read more

Proc.php trying injecting header.php files

Malware details

When this malware successful uploaded customer website and access it GET request, it’s trying search backward files and folder, searching header.php files. indexEditor When all folders and files searched and header.php files founded, it tries the patch malicious code to header.php file. Malicious code In begin this malware have CODE which added wanted file’s: Final … Read more

Patchman

patchman

Hosting providers suffer on a daily basis from the consequences of the many security vulnerabilities found in commonly used CMS’s such as WordPress, Drupal and Joomla. Patchman Patchman detects these vulnerabilities and is able to safely patch them without assistance from your customer. Because of our unique approach, you can also be rest assured that … Read more

Find and disable ModSecurity rule with SecRuleRemoveById

Find and disable ModSecurity rule

In this article we show how to find and disable ModSecurity rule that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests, and knowing … Read more