URL injections information

URL Injection attacks typically mean the server for which the IP address of the attacker is bound is a compromised server.
Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, along with checking the process tree (ps -efl or ps -auwx).
You may also want to check out http://www.chkrootkit.org/ and http://www.rootkit.nl/ as tools which should be used in addition to checking the directories and process tree.
Please use "ls -lab" for checking directories as sometimes compromised servers will have hidden files that a regular "ls" will not show.
(see http://en.wikipedia.org/wiki/Remote_File_Inclusion )

1) Installing some apache modules like mod_security and configuring it to prevent $GET requests (this is what happened from your server this time).
2) In order to prevent URL injection you can also :
# Turn off fopen url wrappers
# Disable wget / fetch / lynx binaries
3) Make use of all the utilities provided to you in the Security section of your WHM
4) You can also follow the steps outlined at : http://www.topwebhosts.org/tools/apf-bfd-ddos-rootkit.php
5) Schedule regular security audits on a timely basis - either monthly or weekly - where you can run chkrootkit and rkhunter and scan for vulnerabilities.

هل كانت المقالة مفيدة ؟

 طباعة

اقرأ أيضاً :

Brute Force Detection

BFD -- Brute Force Detection BFD is a shell script which parses security logs and detects...

SPAM

What is Spam? Would you like to... Print this pagePrint this page Email this pageEmail this...

Rootkit help

RootKit -- Spyware and Junkware detection and removal toolGo to Rootkit Hunter homepage, and...

My server has been blocked by Abuse. What do I do?

Generally the abuse department will not block your server unless one of the following...

What does MALWARE mean?

For the Wikipedia definition of Malware, please see http://en.wikipedia.org/wiki/MalwareMalware...