mailing list archives
Re: Sanity Worm Concepts
From: Paul Laudanski <zx () castlecops com>
Date: Wed, 29 Dec 2004 20:03:42 -0500 (EST)
On 29 Dec 2004, Andy Fewtrell wrote:
I have not tested these methods but after discussing them with eth00, we
both think it was better to post this to bugtraq in the hopes it may
help other people prevent future attacks from new variations of this
worm and help development of fixes to prevent future problems. While
this worm currently uses perl it can be obviously re-written to avoid
obvious mod_security (and other) rules. I could write proof of concept
versions of the sanity worm but I feel it would be better to leave this
out of the post.
For those more interested in the mod_security rules:
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "nc "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"
Hi Andy, I have a concern with these filters in that they will may
potentially catch quite a few false positives.
In addition to the first one coming from modsecurity.org, I've added a
SecFilterSelective ARG_highlight %27
SecFilterSelective ARG_highlight %2527
Your filters I see as good for those who are ultra paranoid. Because they
are looking at THE_REQUEST, and if say "wget " is found in it, it'll be
"the_request - string which just contains the first line of the request.
(e.g. "GET /index.html HTTP/1.0")"
If that is correct, then filtering on those custom keywords can indeed
spawn some false positives. The biggest issues as I see it are the use of
' and/or :/ in the_request. Unless a website is doing redirects, aka:
Then I don't see a real need to include the ":/" (or "://"). The other
aspect to it is the tick mark "'", such an integral component to SQL
injections, or even escaping shell commands.
Using the mod_security filter I provided above, it has stopped over
300,000 attacks in a 55 hour period. I've provided some examples, with
some analysis of what other alternatives can be used. But the big one I
think is the mod_security filters.
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.