
17 March 2011

Comments

This is really really useful. I'm really liking this set of contributions from SpiderLabs. Thanks so much!

Questions:

(1) Will this really not work with Mod Sec 2.5.13?

(2) Also, if I do upgrade to 2.6, what would be the rule to investigate the URLs *posted* against

(a) RBLs such as SpamHaus or URIBL
(b) Google SafeBrowsing malware check

Not by "args" of the URI, but by posts (REQUEST_METHOD?). Thanks so much!

@Mustafa - proper removal of malicious code is highly dependent upon how the code is being included within your site. For instance, if the attack vector is Malvertising, then the malicious code isn't even on your site but an affiliate's site. There are also reports of compromised PHP conf files and different plugin software for apps like WordPress. So, there is no easy remediation response. There is another new capability within ModSecurity v2.6 - content manipulation where you can actually alter inbound/outbound body content. The new operator is called @rsub -
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#rsub

It allows you to edit live HTTP streams so it would be possible to create a new rule that would strip out this malicious code in the interim while you track down the infection vector.
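As an added example of the @rsub approach described in the reply above (not code from the blog or the ModSecurity project), the following rule set strips an injected script tag from outbound HTML as an interim measure while the infection vector is tracked down; the hostname evil.example.invalid and the rule ids are placeholders to be replaced with the values seen in your own infected pages.

```apache
# Added example, not from the original post. Interim "virtual patch" using the
# ModSecurity v2.6 @rsub operator. The hostname evil.example.invalid and the
# rule ids 1000001/1000002 are placeholders, not values from the original page.

# @rsub operates on the streaming body variables, which are only populated when
# stream inspection is enabled; content injection must also be on so that the
# rewritten body is actually what gets sent to the client.
SecStreamInBodyInspection  On
SecStreamOutBodyInspection On
SecContentInjection        On

# Phase 4 (response body): remove a <script ... src="...evil.example.invalid..."></script>
# tag from the page before it reaches the browser. "pass" keeps serving the page;
# "log" records every hit so you can see which pages are still being injected.
SecRule STREAM_OUTPUT_BODY "@rsub s/<script[^>]*evil\.example\.invalid[^>]*><\/script>//" \
    "id:1000001,phase:4,t:none,pass,log,msg:'Stripped injected script tag from response body',tag:'INTERIM-VIRTUAL-PATCH'"

# Phase 2 (request body): apply the same substitution to inbound POST bodies, so the
# tag cannot be re-submitted through a comment form or plugin endpoint while the
# underlying hole is being fixed.
SecRule STREAM_INPUT_BODY "@rsub s/<script[^>]*evil\.example\.invalid[^>]*><\/script>//" \
    "id:1000002,phase:2,t:none,pass,log,msg:'Stripped injected script tag from request body',tag:'INTERIM-VIRTUAL-PATCH'"
```

This only hides the symptom; the log entries from rule 1000001 are the useful part, since they tell you which files or templates still carry the injection.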

@Timothy - fixed typo, should be "validation-based system"

What is a "valation-based mechanism"?

Thanks for the information.

What is the best way so that I can proceed to get rid of this malware? I'm using CentOS.
