how to block a string using mod security
Hello,
How can I block a specific string of PHP code on my server using mod_security?
Example of PHP code:
- Removed -
I want to block any PHP code that has .$r76 or $r76; this code was used to spam.
How exactly do you wish to block it? Block the upload of the file, or block requests to the file? Normally ModSecurity blocks things like user agents, URIs, file names, referring URLs, stuff in the HTTP headers, request body, post data, etc. It doesn't exactly look at the files in your website themselves. I don't know of a way to say "block requests to a file if the file contains said string."
I actually want to know: how to block the upload of the files and how to block the request to the files.
Blocking the upload is trickier. You could look into using the inspectFile function, assuming ClamAV picks up the files as malicious:
This will log all the POST data to the modsec audit log. When you find a request made to one of the malicious files, assuming it was a POST request, you'll have the request body and user agent, which are very useful in making a rule to block further access to the files. That all said, you should really be focusing on securing or re-installing the infected application, not on blocking requests to an already infected site.
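Added example, not part of the original thread: an approver script for the `@inspectFile` operator mentioned above that rejects uploads containing the literal `$r76` from the question, instead of relying on ClamAV to flag them. The script path, rule id and message text are assumptions.

```shell
#!/bin/sh
# Added example: approver script for ModSecurity's @inspectFile operator.
# ModSecurity passes the temp path of each uploaded file as $1 and reads stdout:
# output starting with "1" means accept; anything else makes the rule match.
#
# Rule that calls it (script path and rule id are assumptions):
#   SecRequestBodyAccess On
#   SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/check_upload.sh" \
#       "id:100001,phase:2,t:none,deny,log,msg:'Upload contains blocked PHP marker'"

# Literal marker from the question; single quotes stop the shell expanding $r76.
# Matching "$r76" also covers the ".$r76" form.
MARKER='$r76'

inspect_upload() {
    file=$1
    # Fail closed: a file we cannot read is rejected rather than waved through.
    if [ -z "$file" ] || [ ! -r "$file" ]; then
        echo "0 cannot read upload"
        return 0
    fi
    # -F: fixed string, so "$" is not treated as a regex anchor.
    # -q: exit status only. -e: keeps the pattern from being read as an option.
    if grep -qF -e "$MARKER" -- "$file"; then
        echo "0 blocked marker found in $file"
    else
        echo "1 OK"
    fi
    return 0
}

# When called by ModSecurity (or by hand) with a path, inspect that file.
if [ "$#" -gt 0 ]; then
    inspect_upload "$1"
fi
```

This matches only the literal `$r76`, so treat it as a stopgap alongside cleaning up the infected application as the answer recommends.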