S.a Arkadaşlar
Lolipop.php (crsf) hakkında bilginize ihtiyacım var. Şimdi örneğin, sunucuda bulunan bir sitenin FTP'sine ulaşıp o FTP üzerinden sunucudaki bütün PHP sitelere index basabiliyorlar.
Lolipop.php (crsf) nasıl engellenebilir? disable ve Mod Security fayda etmiyor.
Önüne geçemiyoruz; yardım ve bilgilerinizi paylaşırsanız sevinirim.
Disable Komutlarım
shell_exec,get,ini_set,ini_get_all,hopenbasedir,system,dl,passthru,cat,cut,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,escapeshellcmd,escapeshellarg,show_source,posix_mkfifo,mysql_list_dbs,get_current_user,getmyuid,pconnect,link,symlink,pcntl_exec,ini_alter,leak,apache_child_terminate,posix_kill,posix_setpgid,posix_setsid,posix_setuid,posix_getpwuid,proc_terminate,syslog,fpassthru,stream_select,socket_select,socket_create,socket_create_listen,socket_create_pair,socket_listen,socket_accept,socket_bind,socket_strerror,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,openlog,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual,user_dir,ini_restore,error_log,dl,pfsockopen,syslog,readlink,leak,proc_nice,proc_terminate,pcntl_exec,cat,etc,ln,ın,cut
Mod Security 2 Kural Zincirlerim
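# ---------------------------------------------
# Rootkit / web-shell request signatures (ModSecurity 2 syntax).
#
# NOTE(review): apart from the two chains at the top, no rule here carries an
# action list, so each one inherits SecDefaultAction, which is not shown on
# this page -- confirm that it sets a phase and a disruptive action, otherwise
# these rules only log.  ModSecurity >= 2.7 also refuses to load a SecRule
# that has no unique "id:" action; ids are deliberately left unassigned here
# rather than invented (assign them from a range you reserve for local rules).
#
# NOTE(review): these signatures inspect HTTP requests only.  Files written
# through a compromised FTP login (the scenario described above) never pass
# through them, so they do not address that path; that is a file-permission /
# per-site user-isolation problem rather than a request-filtering one.
#
# Rules that name REQUEST_BODY only see the body when SecRequestBodyAccess is
# On (not shown on this page); otherwise that variable is empty.
#
# Several patterns as pasted contained a space where a line had been wrapped
# ("sys tem", "comm and", "dat |txt", "\ w").  A literal space inside such a
# token means the rule can never match, so those spaces are removed below and
# alternatives that became duplicates ("dat|...|dat", "txt|...|txt") dropped.
# ---------------------------------------------

# Remote file inclusion: a parameter value that is itself a URL pointing at a
# file with a shell-like extension ("...=http://host/x.txt?").  The first rule
# of each chain exempts two applications that legitimately pass URLs.
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php)" \
"chain,id:390144,rev:3,severity:2,msg:'Command shell attack: Generic Attempt to remote include command shell'"
SecRule REQUEST_URI "=(https?|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php)" \
"chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|asp)\?"

# Generic command-shell file names followed by a query string.
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
# NOTE(review): the unescaped "." before "\?&" requires exactly one arbitrary
# character between the extension and the query string, so a bare
# "/shell.php?&cmd=" does not match this rule.  Kept as pasted -- confirm
# against the original rule set before changing it.
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

# Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"

# Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"

# Known rootkit: Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="

# Other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"

# New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"

# New kit
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="

# suntzu
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS:Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

# proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"

# phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

# New unknown kit
SecRule REQUEST_URI "/oops?&"

# Known PHP attack shells.  The value of these signatures is pretty low, but
# they are here to catch any loose threads, honeypotting, etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"

# Fantastico worm (the trailing spaces inside the alternation are part of the
# original signature and are kept).
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

# New unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"

# New kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"

# Remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="

# zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="

# New pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"

# Generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI "help_text_vars\.php\?suntzu="

# 25dec new one
SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"

# 26dec new kit
SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/vsf\.vsf\?&"

# 27dec
SecRule REQUEST_URI "/scan1\.0/scan/"
SecRule REQUEST_URI "test\.txt\?&"

# 30dec
SecRule REQUEST_URI "\.k4ka\.txt\?"

# 31dec
SecRule REQUEST_URI "/php\.txt\?"

# 1 jan
SecRule REQUEST_URI "/sql\.txt\?"
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"

# 22feb
SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"

# 24mar
SecRule REQUEST_URI "/docLib/cmd\.asp"
SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="

# Some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"

# c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

# Generic shell
SecRule REQUEST_URI "shell\.txt"

# Bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"

# Wormsign (body-only rule; see the SecRequestBodyAccess note above)
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"

# SQL injection probe: information_schema enumeration.
# NOTE(review): matched case-sensitively as written (no t:lowercase
# transformation), so upper-case SELECT/FROM is not caught; the same applies
# to the rule that follows.
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"

# SQL injection probe: char() obfuscation around "user"
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"

# End of rootkit section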
Lolipop.php (crsf) hakkında bilginize ihtiyacım var. Şimdi örneğin, sunucuda bulunan bir sitenin FTP'sine ulaşıp o FTP üzerinden sunucudaki bütün PHP sitelere index basabiliyorlar.
Lolipop.php (crsf) nasıl engellenebilir? disable ve Mod Security fayda etmiyor.
Önüne geçemiyoruz; yardım ve bilgilerinizi paylaşırsanız sevinirim.
Disable Komutlarım
shell_exec,get,ini_set,ini_get_all,hopenbasedir,system,dl,passthru,cat,cut,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,escapeshellcmd,escapeshellarg,show_source,posix_mkfifo,mysql_list_dbs,get_current_user,getmyuid,pconnect,link,symlink,pcntl_exec,ini_alter,leak,apache_child_terminate,posix_kill,posix_setpgid,posix_setsid,posix_setuid,posix_getpwuid,proc_terminate,syslog,fpassthru,stream_select,socket_select,socket_create,socket_create_listen,socket_create_pair,socket_listen,socket_accept,socket_bind,socket_strerror,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,openlog,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual,user_dir,ini_restore,error_log,dl,pfsockopen,syslog,readlink,leak,proc_nice,proc_terminate,pcntl_exec,cat,etc,ln,ın,cut
Mod Security 2 Kural Zincirlerim
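# ---------------------------------------------
# Rootkit / web-shell request signatures (ModSecurity 2 syntax).
#
# NOTE(review): apart from the two chains at the top, no rule here carries an
# action list, so each one inherits SecDefaultAction, which is not shown on
# this page -- confirm that it sets a phase and a disruptive action, otherwise
# these rules only log.  ModSecurity >= 2.7 also refuses to load a SecRule
# that has no unique "id:" action; ids are deliberately left unassigned here
# rather than invented (assign them from a range you reserve for local rules).
#
# NOTE(review): these signatures inspect HTTP requests only.  Files written
# through a compromised FTP login (the scenario described above) never pass
# through them, so they do not address that path; that is a file-permission /
# per-site user-isolation problem rather than a request-filtering one.
#
# Rules that name REQUEST_BODY only see the body when SecRequestBodyAccess is
# On (not shown on this page); otherwise that variable is empty.
#
# Several patterns as pasted contained a space where a line had been wrapped
# ("sys tem", "comm and", "dat |txt", "\ w").  A literal space inside such a
# token means the rule can never match, so those spaces are removed below and
# alternatives that became duplicates ("dat|...|dat", "txt|...|txt") dropped.
# ---------------------------------------------

# Remote file inclusion: a parameter value that is itself a URL pointing at a
# file with a shell-like extension ("...=http://host/x.txt?").  The first rule
# of each chain exempts two applications that legitimately pass URLs.
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php)" \
"chain,id:390144,rev:3,severity:2,msg:'Command shell attack: Generic Attempt to remote include command shell'"
SecRule REQUEST_URI "=(https?|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php)" \
"chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|asp)\?"

# Generic command-shell file names followed by a query string.
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
# NOTE(review): the unescaped "." before "\?&" requires exactly one arbitrary
# character between the extension and the query string, so a bare
# "/shell.php?&cmd=" does not match this rule.  Kept as pasted -- confirm
# against the original rule set before changing it.
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

# Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"

# Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"

# Known rootkit: Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="

# Other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"

# New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"

# New kit
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="

# suntzu
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS:Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

# proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"

# phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

# New unknown kit
SecRule REQUEST_URI "/oops?&"

# Known PHP attack shells.  The value of these signatures is pretty low, but
# they are here to catch any loose threads, honeypotting, etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"

# Fantastico worm (the trailing spaces inside the alternation are part of the
# original signature and are kept).
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

# New unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"

# New kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"

# Remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="

# zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="

# New pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"

# Generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI "help_text_vars\.php\?suntzu="

# 25dec new one
SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"

# 26dec new kit
SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/vsf\.vsf\?&"

# 27dec
SecRule REQUEST_URI "/scan1\.0/scan/"
SecRule REQUEST_URI "test\.txt\?&"

# 30dec
SecRule REQUEST_URI "\.k4ka\.txt\?"

# 31dec
SecRule REQUEST_URI "/php\.txt\?"

# 1 jan
SecRule REQUEST_URI "/sql\.txt\?"
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"

# 22feb
SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"

# 24mar
SecRule REQUEST_URI "/docLib/cmd\.asp"
SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="

# Some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"

# c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

# Generic shell
SecRule REQUEST_URI "shell\.txt"

# Bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"

# Wormsign (body-only rule; see the SecRequestBodyAccess note above)
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"

# SQL injection probe: information_schema enumeration.
# NOTE(review): matched case-sensitively as written (no t:lowercase
# transformation), so upper-case SELECT/FROM is not caught; the same applies
# to the rule that follows.
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"

# SQL injection probe: char() obfuscation around "user"
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"

# End of rootkit section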