List all the loaded modules :: apache

June 12, 2008

You can use the following command to list all the modules loaded in Apache (both DSO and static):
———-

apachectl -t -D DUMP_MODULES

———-

The output will be something like
———
dir_module (static)
actions_module (static)
userdir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
auth_passthrough_module (shared)
bwlimited_module (shared)
php5_module (shared)
fcgid_module (shared)
proxy_module (shared)
———
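An added example, not from the original post: compare the modules Apache has actually loaded against the list you expect on that host and report anything extra. It assumes the "name (static|shared)" output format of apachectl -t -D DUMP_MODULES shown above; the dump and the baseline are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): compare the modules Apache has
# actually loaded against the list you expect on this host and report extras,
# e.g. a module someone enabled that you did not sign off on. Assumes the
# "name (static|shared)" output format of apachectl -t -D DUMP_MODULES.

# Constructed DUMP_MODULES output standing in for a live apachectl run.
SAMPLE_DUMP='Loaded Modules:
 dir_module (static)
 rewrite_module (static)
 so_module (static)
 php5_module (shared)
 proxy_module (shared)
Syntax OK'

# Modules expected on this host, one per line (constructed baseline).
EXPECTED='dir_module
rewrite_module
so_module
php5_module'

# Keep only module names: drops the header/trailer lines and the (static)/(shared) tag.
module_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\) ([a-z]*)$/\1/p'
}

# Print loaded modules absent from the baseline ($1 = dump text, $2 = baseline).
# Empty output means every loaded module was expected.
unexpected_modules() {
    loaded=$(mktemp)
    printf '%s\n' "$1" | module_names | sort -u > "$loaded"
    printf '%s\n' "$2" | sort -u | comm -13 - "$loaded"
    rm -f "$loaded"
}

# Against a live server: unexpected_modules "$(apachectl -t -D DUMP_MODULES 2>&1)" "$EXPECTED"
unexpected_modules "$SAMPLE_DUMP" "$EXPECTED"   # prints: proxy_module
```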


Mod Security 2 Default Rules and IDs

June 8, 2008

Here are the Mod Security 2 default rules and their IDs. This may be useful if you want to deactivate a specific rule.
————————————–
marketing.conf

10005 - Marketing Default Action
10006 - Google robot activity
10007 - Yahoo robot activity
10008 - MSN robot activity

http_policy.conf

60031 - HTTP Policy Default Action
60032 - Allow only POST,GET,HEAD Requests
60033 - Block CONNECT / TRACE Requests
60010 - Restrict Content Types For Posts
60034 - Restrict HTTP Protocol Versions
60035 - File extension request restrictions
60036 - Allow Only Certain Extensions

generic_attacks.conf

50002 - Generic Attacks Default Action
50009 - Session Fixation Cookie Mangling ?
50007 - Blind SQL Injection Attack
50903 - Blind SQL Injection Attack
50904 - Blind SQL Injection Attack
50001 - SQL Injection Attack
50905 - SQL Injection Attack
50906 - SQL Injection Attack
50004 - Cross-site Scripting (XSS) Attack
50005 - Remote File Access Attempt
50002 - System Command Access
50006 - System Command Injection
50008 - Injection of Undocumented ColdFusion Tags
50010 - LDAP Injection Attack
50011 - SSI injection Attack
50013 - PHP Injection Attack

bad_robots.conf

90900 - Bad Robots Default Action
90002 - Block Known Bot Scanners
90901 - Block Known Bot Scanners
90902 - Block Known Bot Scanners
90012 - Rogue Site Crawlers
90011 - Automated Site Crawler

outbound.conf

70001 - Outbound Filter Default Action
70002 - Statistic Software Information Leak
70003 - SQL Information Leakage
70004 - IIS Information Leakage
70007 - Zope Information Leakage
70008 - Cold Fusion Information Leakage
70009 - PHP Information Leakage
70010 - ISA server existence revealed
70012 - Microsoft Word document properties leakage
70013 - Directory Listings Turned OFF !!
70011 - File or Directory Names Leakage
70014 - ASP/JSP source code leakage
70903 - ASP/JSP source code leakage
70015 - PHP source code leakage
70016 - Cold Fusion source code leakage
70901 - IIS Application Not Available
70118 - IIS Application Not Available

protocol_violations.conf

60007 - Protocol Violations Default Action
60008 - Request Missing a Host Header
60009 - Request Missing a User Agent Header
60015 - Request Missing an Accept Header
60016 - Non Numeric Content-Length Header
60017 - Host header is a numeric IP address
60011 - Block GET or HEAD requests with bodies
60012 - POST request must have a Content-Length header
60013 - ModSecurity does not support transfer encodings
50107 - URL Encoding Abuse Attack
50801 - UTF8 Encoding Abuse Attack
60014 - Proxy access attempt
60015 - Request Missing an Accept Header Byte Range
60901 - Localized Byte Range Check

trojans.conf

50920 - Trojans Default Action
50111 - Possible malicious file upload
50921 - Possible malicious file upload
50922 - Possible malicious file upload

Got Root rule IDs

Got Root Mod Security 2 Rules - /gotroot/

apache2-rules.conf

400050 - Apache 2 Rules Default Action

jitp.conf

300051 - Just In Time Patches Default Action
390000 - Awstats.pl probe
390080 - Tests For Valid X-Forwarded Header

jitp2.conf

300051 - Just In Time Patches Default Action
390000 - Awstats.pl probe
390070 - Generic phpbb_root_path exploit
390075 - Generic mosConfig_absolute_path File Inclusion Vulnerability
390076 - Generic mosConfig_absolute_path File Inclusion Vulnerability
390083 - tikiwiki XSS Vulnerability
390082 - tikiwiki Remote File Inclusion Vulnerability
390039 - vwar_root remote/local file inclusion
390001 - aWebBB XSS attack on post.php
390002 - aWebBB XSS attack on editac.php
390003 - aWebBB XSS attack on register.php
390004 - aWebBB XSS attack / aWebBB SQL attack
390005 - aWebBB SQL attack
390006 - phpBB cur_password XSS attack
390007 - PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
390008 - Claroline <= 1.7.4 scormExport.inc.php remote command vuln
390009 - Claroline <= 1.7.4 scormExport.inc.php remote command vuln
390010 - Claroline <= 1.7.4 XSS attack
390011 - aWebNews XSS attack
390012 - aWebBBNewsSQL attack
390013 - aWebBBNewsSQL attack
390014 - aWebAPP XSS attack
390015 - qliteNEws SQL injection attack
390016 - RedCMS SQL Injection
390017 - RedCMS SQL Injection
390018 - RedCMS XSS attack
390019 - Oxygen SQL Injection
390020 - Mantis XSS attack
390021 - Oxygen SQL Injection
390022 - Mantis XSS attack
390023 - PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection
390024 - Sourceworkshop newsletter SQL Injection Vulnerability
390025 - X-Changer SQL Injection Vulnerability
390025 - X-Changer SQL Injection Vulnerability
390026 - X-Changer XSS Vulnerability
390027 - Null news Multiple SQL Injection Vulnerabilities
390028 - Null news Multiple SQL Injection Vulnerabilities
390029 - Null news Multiple SQL Injection Vulnerabilities
390030 - PHPLiveHelper 1.8 remote command execution Xploit
390031 - Pixel Motion Blog SQL Injection Vulnerabilities
390032 - Pixel Motion Blog SQL Injection Vulnerabilities
390033 - Nuked-Klan SQL Injection Vulnerability
390035 - TFT Gallery passwd Exposure of User Credentials
390036 - Nuked-Klan SQL Injection Vulnerability
390037 - WEBalbum Local File Inclusion Vulnerability
390038 - G-Book g_message Script Insertion Vulnerability
390039 - PHPMyChat exploit
390040 - Horde Help Module Remote Execution
390041 - Internet PhotoShow Remote File Inclusion Exploit
390042 - Censtore.cgi exploit
390043 - quizz.pl exploit
390044 - phpinfo.cgi command execution
390045 - phpRaid phpbb_root_path File Inclusion Vulnerability
390046 - openEngine template Parameter Local File Inclusion Vulnerability
390047 - ISPConfig go_info[server][classes_root] File Inclusion
390048 - ManageEngine OpManager searchTerm Cross-Site Scripting
390049 - AliPAGER ubild Cross-Site Scripting and SQL Injection
390050 - MxBB Portal pafileDB Module module_root_path File Inclusion
390051 - Jadu CMS register.php Cross-Site Scripting Vulnerabilities
390052 - OpenFAQ q Parameter Script Insertion Vulnerability
390053 - phpBB foing Module phpbb_root_path File Inclusion
390054 - Sugar Suite sugarEntry Parameter Security Bypass
390055 - Sugar Suite sugarEntry Parameter Security Bypass
390056 - Sugar Suite sugarEntry Parameter Security Bypass
390057 - Sugar Suite exploit
390058 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390059 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390060 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390061 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390062 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390063 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390095 - TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390064 - WordPress shell injection Vulnerability
390065 - Nucleus arbitrary remote inclusion exploit
390066 - Horde passthru exploit
390067 - CMS-Bandits spaw_root File Inclusion Vulnerability
390068 - phpBB Blend Portal System Module phpbb_root_path File Inclusion
390069 - Admanager Pro exploit
390071 - Bible Portal Project destination File Inclusion Vulnerability
390072 - Flipper Poll root_path File Inclusion Vulnerability
390073 - PictureDis Products lang Parameter File Inclusion Vulnerability
390074 - Joomla/Mambo Weblinks blind SQL injection
390076 - Generic m2f_root_path File Inclusion Vulnerability
390077 - Generic PHP download incddir File Inclusion Vulnerability
390078 - SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability
390079 - PhpLinkExchange page Parameter Handling Remote File Inclusion Vulnerability
390080 - Tests For Valid X-Forwarded Header

recons.conf

350001 - Recons Default Action
350000 - Gravity Board Google Recon attempt
350001 - SilverNews Google Recon attempt
350002 - PHPBB 2.0 Google Recon attempt
350003 - PHPFreeNews Google Recon attempt
350004 - /cgi-bin/guery Google Recon attempt
350005 - tiki-edit Google Recon attempt
350006 - wps_shop.cgi Google Recon attempt
350007 - edit_blog.php Google Recon attempt
350008 - passwd.txt Google Recon attempt
350008 - admin.mdb Google Recon attempt

rootkits.conf

390143 - Root Kits Default Action
390144 - Generic Attempt to install rootkit in Horde
390145 - Generic Attempt to install rootkit

rules.conf

340001 - Got Root Rules Default Action
340000 - Enforce proper HTTP requests
340002 - Generic rule for allowed characters
340004 - Dis-allowed Transfer Encoding
340007 - deny TRACE method
300002 - XSS insertion into headers
300003 - Don’t accept chunked encodings
330003 - Code injection via content length
300004 - generic recursion signatures
300005 - generic recursion signatures
300006 - generic bogus path sigs
330001 - Generic PHP exploit signatures
330002 - Generic PHP exploit signatures
300008 - Generic PHP exploit pattern
300010 - generic XSS PHP attack types
300011 - Prevent SQL injection in cookies
300012 - Prevent SQL injection in UA
300013 - Generic filter to prevent SQL injection attacks
300014 - Generic SQL sigs
300015 - Generic SQL sigs
300016 - Generic SQL sigs
380015 - Meta character SQL injection
300017 - Generic command line attack filter
300018 - Generic PHP code injection protection via ARGS
300040 - Generic PHP code injection protection in URI

useragents.conf

380001 - User Agents Default Action
380000 - Addresses With No HTTP_Accept

————————————————
Ref: http://osdir.com/ml/apache.mod-securityuser/2006-11/msg00148.html
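An added example, not from the original post or from the ModSecurity project: before deactivating a rule with SecRuleRemoveById, confirm that the ID is unique in your rule set, because the directive drops every rule carrying that ID and the list above reuses several (50002, 390025, 390076, 350001, 350008). The rule files it scans are constructed samples standing in for your real .conf files.

```shell
#!/bin/sh
# Added example, not from the original post or from the ModSecurity project:
# before deactivating a rule with "SecRuleRemoveById <id>", confirm the ID is
# unique in your rule set. SecRuleRemoveById drops every rule carrying that ID,
# and the list above reuses several IDs (50002, 390025, 390076, 350001, 350008).
# The rule files below are constructed samples standing in for your real ones.

RULEDIR="$(mktemp -d)"
trap 'rm -rf "$RULEDIR"' EXIT
cat > "$RULEDIR/generic_attacks.conf" <<'EOF'
SecRule ARGS "@rx (?i:<script)" "phase:2,deny,id:50004,msg:'Cross-site Scripting (XSS) Attack'"
SecRule ARGS "@rx (?i:/etc/passwd)" "phase:2,deny,id:50002,msg:'System Command Access'"
EOF
cat > "$RULEDIR/bad_robots.conf" <<'EOF'
SecRule REQUEST_HEADERS:User-Agent "@rx (?i:nikto)" "phase:1,deny,id:'90002',msg:'Block Known Bot Scanners'"
SecRule REQUEST_HEADERS:User-Agent "@rx (?i:nmap)" "phase:1,deny,id:50002,msg:'ID copied by mistake'"
EOF

# Every rule ID under directory $1, one per line (accepts id:123 and id:'123').
rule_ids() {
    grep -hoE "id:'?[0-9]+" "$1"/*.conf | tr -d "'" | cut -d: -f2
}

# IDs that occur more than once under $1; empty output means all IDs are unique.
duplicate_ids() {
    rule_ids "$1" | sort | uniq -d
}

# Emit a SecRuleRemoveById line for ID $2, or refuse (return 1) when the ID is
# missing or duplicated, so a removal never silently disables more than intended.
remove_directive() {
    n=$(rule_ids "$1" | grep -cx "$2" || true)
    case "$n" in
        1) printf 'SecRuleRemoveById %s\n' "$2" ;;
        0) echo "rule id $2 not found under $1" >&2; return 1 ;;
        *) echo "rule id $2 occurs $n times under $1, refusing" >&2; return 1 ;;
    esac
}

duplicate_ids "$RULEDIR"           # prints: 50002
remove_directive "$RULEDIR" 90002  # prints: SecRuleRemoveById 90002
```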


Enable telnet client in Windows Vista.

April 15, 2008

By default, the Telnet client is not enabled in Windows Vista. You can enable it with the following steps:

1. Click Start then select Control Panel.
2. Select Programs and Features.
3. Select Turn Windows features on or off.
4. Select the Telnet Client option.
5. Click OK.
6. A dialog box will appear to confirm installation. The telnet command should now be available.


Error “unknown system variable ‘names’” after installing SMF

April 14, 2008

On servers with MySQL 4.0.x, after a fresh installation of SMF using Fantastico, you might see “unknown system variable ‘names’” when accessing the forum.

It appears to be caused by this code in SMF:

// Most database systems have not set UTF-8 as their default input charset.
// SET NAMES only exists from MySQL 4.1 on, so MySQL 4.0.x rejects it with
// "unknown system variable 'names'".
if (isset($db_character_set) && preg_match('~^\w+$~', $db_character_set) === 1)
    db_query("
        SET NAMES $db_character_set", __FILE__, __LINE__);

The simple fix for this is to open your Settings.php file and remove the following line from the end of the file: $db_character_set = 'utf8';


ERROR: Connection dropped by IMAP server :: squirrelmail on cpanel server

March 29, 2008

When logging into SquirrelMail on a cPanel server, I received the following error:

ERROR: Connection dropped by IMAP server

To fix this:

chown -R USERNAME:mail /home/USERNAME/mail/
chown -R USERNAME:mail /home/USERNAME/etc/

where USERNAME is the account's cPanel username.


Finding the PHP configure string from the installed PHP binary.

March 25, 2008

Enter the command:
strings "$(which php)" | grep ./configure | sed s#"'"#""#g


Redirecting network traffic to a new IP using iptables

March 17, 2008

Log in to the old server as root and enter the following:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 1.2.3.4:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Here the new IP address is 1.2.3.4. All traffic to port 80 will now be redirected to port 80 of 1.2.3.4

(assuming that you do not have other iptables rules blocking access to port 80).

If you want to redirect traffic on other ports as well, such as POP, IMAP or SSL, simply add additional iptables rules.

For example, to redirect POP3, add a rule like this:

iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 1.2.3.4:110

You may find this helpful during a server migration.
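An added example, not from the original post: the DNAT/MASQUERADE recipe above wrapped in one function that validates the target address and port numbers and takes any number of ports, so HTTP, POP3, IMAP and SSL are redirected by a single call. By default it only prints the commands it would run; APPLY=1 is an assumed switch for executing them as root.

```shell
#!/bin/sh
# Added example, not from the original post: the DNAT/MASQUERADE recipe above
# as one function that validates its inputs and takes any number of ports, so
# HTTP, POP3, IMAP and SSL are redirected by one call. By default it only
# prints the commands it would run; set APPLY=1 (as root) to execute them.
# Caveat: with MASQUERADE the new server sees every connection as coming from
# the old server's address, so its access logs lose the real client IP.
if [ "${APPLY:-0}" = 1 ]; then RUN=""; else RUN="echo"; fi

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Return 0 if $1 is a TCP port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_ports NEWIP PORT...: forward each PORT on this host to NEWIP:PORT.
# All inputs are checked before anything runs, so a typo cannot leave the
# nat table half-configured.
redirect_ports() {
    newip=$1; shift
    valid_ipv4 "$newip" || { echo "bad ip: $newip" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }
    for p in "$@"; do valid_port "$p" || { echo "bad port: $p" >&2; return 1; }; done
    $RUN sysctl -w net.ipv4.ip_forward=1
    for p in "$@"; do
        $RUN iptables -t nat -A PREROUTING -p tcp --dport "$p" -j DNAT --to-destination "$newip:$p"
    done
    # One MASQUERADE rule covers every redirected port, so add it once, not per port.
    $RUN iptables -t nat -A POSTROUTING -j MASQUERADE
}

redirect_ports 1.2.3.4 80 110 143 443
```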


Changing the MAC address on Ubuntu/Debian

February 28, 2008

Yo!

Finally I managed to connect to the net using my laptop. The DHCP server was not handing out an IP from the lease when I tried to connect
from my lappy. I found out the issue - my ISP was blocking the MAC address of my laptop's network card :) - why - who knows! :p

So? I thought I would change the MAC. Here is a how-to which I think could be useful to someone else too.

Manually set your MAC address for your network card.
—————————————————–

Edit the /etc/network/interfaces file. You can choose to use a different editor if you’d like.

sudo gedit /etc/network/interfaces

or

sudo vim /etc/network/interfaces

You should see the line for your network interface, which is usually eth0. If you have DHCP enabled, it will look like this:

auto eth0
iface eth0 inet dhcp

Just add another line below it to make it look something like this:

auto eth0
iface eth0 inet dhcp
hwaddress ether 01:05:03:04:0B:06

You can change the part after “ether” to some other value in the same format.

Now restart networking:

sudo /etc/init.d/networking restart

===========
Lazy ?

There is a tool available for Ubuntu to automate this - macchanger

To install
——-
sudo apt-get install macchanger

Usage:
macchanger eth1

Check the man page of macchanger for the other options; there are some interesting ones.
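An added example, not from the original post: validate a hand-picked MAC before writing it to /etc/network/interfaces, then add or replace the hwaddress line for one interface without duplicating it. The check it adds is one the post skips: a unicast MAC needs the lowest bit of its first octet clear (an address starting 01: is a multicast address, which a NIC may refuse), and a set second-lowest bit (02:) marks it locally administered, the conventional choice for a made-up address. The interfaces file it edits is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: validate a hand-picked MAC before
# writing it to /etc/network/interfaces, then add or replace the "hwaddress
# ether" line for one interface without ever duplicating it. A unicast MAC
# needs the lowest bit of its first octet clear (01:xx:... is a multicast
# address and a NIC may refuse it); the second-lowest bit set (02:xx:...)
# marks it locally administered, the right choice for a made-up address.

# Return 0 if $1 is a well-formed, unicast, locally administered MAC.
valid_local_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$((0x$(echo "$1" | cut -c1-2)))
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# set_hwaddress FILE IFACE MAC: put "hwaddress ether MAC" right after the
# "iface IFACE inet ..." line, dropping any earlier hwaddress in that stanza.
set_hwaddress() {
    file=$1; iface=$2; mac=$3
    valid_local_mac "$mac" || { echo "refusing MAC $mac" >&2; return 1; }
    awk -v i="$iface" -v m="$mac" '
        /^[[:space:]]*iface[[:space:]]/ { inblk = ($2 == i) }
        inblk && /^[[:space:]]*hwaddress[[:space:]]/ { next }
        { print }
        inblk && /^[[:space:]]*iface[[:space:]]/ { print "hwaddress ether " m }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed interfaces file standing in for /etc/network/interfaces.
IFACES=$(mktemp)
printf 'auto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet dhcp\n' > "$IFACES"
set_hwaddress "$IFACES" eth0 02:05:03:04:0B:06
set_hwaddress "$IFACES" eth0 02:05:03:04:0B:06   # second run changes nothing
cat "$IFACES"
```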


Linux Kernel “vmsplice()” System Call Vulnerabilities

February 12, 2008

Subject: [SA28835] Linux Kernel “vmsplice()” System Call Vulnerabilities
Date: Tuesday 12 February 2008
From: Secunia Security Advisories
———————————————————————-

TITLE:
Linux Kernel “vmsplice()” System Call Vulnerabilities

SECUNIA ADVISORY ID:
SA28835

VERIFY ADVISORY:
http://secunia.com/advisories/28835/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information, Privilege escalation, DoS

WHERE:
Local system

OPERATING SYSTEM:
Linux Kernel 2.6.x
http://secunia.com/product/2719/

DESCRIPTION:
Some vulnerabilities have been reported in the Linux Kernel, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service), disclose potentially sensitive information, and gain
escalated privileges.

The vulnerabilities are caused due to the missing verification of
parameters within the “vmsplice_to_user()”,
“copy_from_user_mmap_sem()”, and “get_iovec_page_array()” functions
in fs/splice.c before using them to perform certain memory
operations. This can be exploited to e.g. read or write to arbitrary
kernel memory via a specially crafted “vmsplice()” system call.

Successful exploitation allows attackers to e.g. gain “root”
privileges.

Note: The affected system call first appeared in version 2.6.17.

SOLUTION:
Update to version 2.6.23.16 or 2.6.24.2.

PROVIDED AND/OR DISCOVERED BY:
Wojciech Purczynski of iSEC Security Research and qaaz

ORIGINAL ADVISORY:
iSEC Security Research:
http://www.isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt

qaaz:
http://milw0rm.com/exploits/5092
http://milw0rm.com/exploits/5093

———————————————————————-

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

———————————————————————-


VIM QUICK REFERENCE

February 12, 2008

http://tnerual.eriogerg.free.fr/vimqrc.html