Mod_security isn't working: Joomla sites are getting hacked?

vivek

Well-Known Member
#1
Hello

I have a good set of Mod_security 1.9 rules. When I swap the web server, i.e., when I run Apache, I get a lot of IP block mails from the firewall. From those, I can see the IP address as well as the domain name. But when I switch to litespeed, it is not working with the mod_security rules, and it is not reporting the errors in the error_log file such that CSF can read them.

Recently one of my client's sites, which was a Joomla site, got hacked. I checked the account and found 10 copies of c99.php files as well as a file called sniper.php. ClamAV antivirus found these as trojans.

Why did the c99 and sniper codes work with litespeed+modsec? I am sure they would not work in the case of apache+modsec.

My question is: why isn't litespeed processing modsec.conf?
I know the old version of lsws worked with modsec, but why isn't the new version working with it?

I have been using the enterprise version for 3+ months now.

My server is handling around 300 http connections (500+ at peak time).
I am sure litespeed isn't working with modsec+CSF because when I change to apache, I can see apache is working fine with that set of rules.

Vivek
 

mistwang

LiteSpeed Staff
#2
We need more specific information to investigate this.
The request URL and the security rule that should work but does not.
We can try it on your server with mod_security log enabled.
 

mistwang

LiteSpeed Staff
#4
Please send me an example URL along with the mod_security rule that should block it. However, it has not been blocked in your server environment, and we can reliably reproduce it on your server, then I will start to investigate.

Without that information, I don't know where to start.
 

vivek

Well-Known Member
#5
> Please send me an example URL along with the mod_security rule that should block it. However, it has not been blocked in your server environment, and we can reliably reproduce it on your server, then I will start to investigate.
>
> Without that information, I don't know where to start.

Hello

I just uploaded a c99 script to my account. I can see litespeed is not working with modsec in this case.

I changed to apache and it blocked the script.

PMing you the details.

Vivek
 

mistwang

LiteSpeed Staff
#7
OK, found a problem with handling the "SecFilter" directive: the request URI has not been checked. Uploaded the 3.3.11 release package, and it works properly now.

If you find any other issue with mod_security rules, please let us know.
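
One way to check whether `SecFilter` rules are really being enforced after a web server swap, as an added example (not part of the thread, and not LiteSpeed's or the poster's code): replay the `SecFilter` patterns from the rule file against the access log and list requests that matched a rule but were not answered with the deny status. The rules, log lines, function names and the 403 deny status are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample rules in ModSecurity 1.x syntax (not the poster's rule set).
SAMPLE_RULES = r'''
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilter "c99\.php"
SecFilter "sniper\.php"
'''

# Constructed access-log lines in combined log format.
SAMPLE_LOG = '''
192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2008:10:00:05 +0000] "GET /images/c99.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2008:10:00:09 +0000] "GET /tmp/sniper.php HTTP/1.1" 403 310 "-" "Mozilla/5.0"
'''

# Only the plain SecFilter directive; SecFilterEngine, SecFilterSelective etc. are skipped.
RULE_RE = re.compile(r'^\s*SecFilter\s+(?:"([^"]+)"|(\S+))', re.I)
LOG_RE = re.compile(r'"(?P<req>[A-Z]+ \S+ [^"]*)" (?P<status>\d{3}) ')

def load_secfilters(conf_text):
    """Compile every SecFilter pattern (case-insensitive: an assumption of this sketch)."""
    patterns = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            patterns.append(re.compile(m.group(1) or m.group(2), re.I))
    return patterns

def unenforced_hits(conf_text, log_text, deny_status=403):
    """List (request line, status, pattern) for requests a rule matched but the server did not deny."""
    rules = load_secfilters(conf_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        req = unquote(m.group("req"))  # rough stand-in for URL decoding before matching
        status = int(m.group("status"))
        rx = next((r for r in rules if r.search(req)), None)
        if rx is not None and status != deny_status:
            hits.append((m.group("req"), status, rx.pattern))
    return hits

if __name__ == "__main__":
    for req, status, pat in unenforced_hits(SAMPLE_RULES, SAMPLE_LOG):
        print(f"not blocked: {req!r} -> {status} (SecFilter {pat!r})")
```

Any non-empty result on a server where the rules are supposed to be active means the web server answered a request that a rule should have denied, which is the symptom reported in this thread.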
 

vivek

Well-Known Member
#8
> OK, found a problem with handling the "SecFilter" directive: the request URI has not been checked. Uploaded the 3.3.11 release package, and it works properly now.
>
> If you find any other issue with mod_security rules, please let us know.

Thank you
I think there are also some other rules, other than SecFilter, which aren't working. I will let you know when I get more info.

Vivek
 

anewday

Well-Known Member
#10
Hope George didn't forget to apply all bugfixes (from 3.3 versions) to the beta, I'm waiting for beta2 to test it.
 