Top

Tag Archives | rules

Drupal – Remote Code Execution (SA-CORE-2018-004 / CVE-2018-7602) nicknamed Drupalgeddon 3

This vulnerability discovered Drupal security team one weeks ago, a highly critical (20/25 NIST rank), (SA-CORE-2018-004 / CVE-2018-7602) nicknamed Drupalgeddon 3. This vulnerability continues Drupalgeddon 2 and allow an unauthenticated attacker to perform remote code execution. An exploitation method was published a few days ago for this vulnerability which allows attacker in the server execute […]

Continue Reading

Whitelist rule with LocationMatch

Sometimes you need disable ModSecurity rules in specific url or program, because it causes false positives. This tutorial we show how you can whitelist rule or rules with apache LocationMatch directive. LocationMatch examples WordPress admin <locationmatch “/wp-(admin|login)/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> phpmyadmin <locationmatch “/phpmyadmin/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> Depend your server configuration, like […]

Continue Reading

Log POST data with ModSecurity

Sometimes you may need to log all POST requests to debug or make ModSecurity rules to protect Web Server. For this you need that you have ModSecurity installed on server. Log POST data This simple rule logging all POST request data to ModSecurity AuditLog. SecRule REQUEST_METHOD “POST” \ “id:800000,phase:2,t:none,pass,nolog,auditlog,msg:’Malware.Expert – Log POST data'” This cause […]

Continue Reading

Ban with ModSecurity HTTP or HTTPS requests 404 Response code

This tutorial we want Ban with ModSecurity IP addresses for specific time with ModSecurity that causes multiple 404 errors on the web site. Ban with ModSecurity Depend you Apache/Nginx and PHP configuration, you may use phase:1 with rule 4000 & 4002. Also you need enable SecResponseBodyAccess On to ModSecurity configuration files. SecAction “phase:2,initcol:ip=%{REMOTE_ADDR},id:’4000′,pass,nolog” SecRule RESPONSE_STATUS […]

Continue Reading

Install ModSecurity with Apache on Ubuntu 16.04 LTS

In this guide we will see how to install ModSecurity Web Application Firewall (WAF) to secure your apache web server. You need an Apache Web Server installed on your Ubuntu 16.04 LTS before you proceed with installation of ModSecurity WAF. Installing Apache To install Apache on your Ubuntu, issue following commands $ sudo apt-get update […]

Continue Reading

Why choose Malware Expert Commercial ModSecurity Rules ?

No matter how well a web server is configured, it is useless if it’s not properly secured. It’s a famous saying, ‘a chain is as strong as its weakest link’. As a system admin you have to address all vulnerabilities of your server. Since one single untreated vulnerability will be exploited by an attacker and […]

Continue Reading

How SecRemoteRules working ?

ModSecurity SecRemoteRules directive allows the user to load rules from a remote server. Requirements Internet connection ModSecurity at least 2.9.x How SecRemoteRules Works 1. When HTTP daemon starts, it loads the configuration files. 2. Configuration files have the SecRemoteRules directive, which tries to connect the Remote Server load rules. 3. When the connection is created […]

Continue Reading

Proc.php trying injecting header.php files

When this malware successful uploaded customer website and access it GET request, it’s trying search backward files and folder, searching header.php files. indexEditor When all folders and files searched and header.php files founded, it tries the patch malicious code to header.php file. Malicious code In begin this malware have CODE which added wanted file’s: Final […]

Continue Reading

Patchman

Hosting providers suffer on a daily basis from the consequences of the many security vulnerabilities found in commonly used CMS’s such as WordPress, Drupal and Joomla. Patchman Patchman detects these vulnerabilities and is able to safely patch them without assistance from your customer. Because of our unique approach, you can also be rest assured that […]

Continue Reading

Find and disable ModSecurity rule with SecRuleRemoveById

In this article we show how to find and disable ModSecurity rule that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests, and knowing […]

Continue Reading