URL injections information

A URL injection attack typically means that the server to which the attacker's IP address is bound is itself a compromised server.
Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp and /dev/shm, and check the process tree ("ps -efl" or "ps -auwx").
You may also want to run the tools at http://www.chkrootkit.org/ and http://www.rootkit.nl/ in addition to checking the directories and process tree.
Please use "ls -lab" when checking directories, as compromised servers sometimes have hidden files that a regular "ls" will not show.
(See http://en.wikipedia.org/wiki/Remote_File_Inclusion for background.)
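
The manual checks above (hidden files in /tmp, /var/tmp and /dev/shm, plus the process tree) can be scripted. The following is an added example, not part of the original article; the function names list_suspicious and procs_running_from and the file name triage.sh are assumptions made for illustration, and the process check relies on Linux's /proc.

```shell
#!/bin/sh
# Added example: triage of the staging directories named in the article.
# Findings are leads to review, not verdicts (/tmp normally holds a few
# legitimate dot-directories such as .X11-unix).

# list_suspicious [DIR...]: prints "<reason><TAB><path>" per finding.
list_suspicious() {
    [ "$#" -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Dot-files and dot-directories that a plain "ls" does not show.
        find "$dir" ! -path "$dir" -name '.*' \
            -exec printf 'hidden\t%s\n' {} + 2>/dev/null
        # Regular files with any execute bit set.
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec printf 'exec\t%s\n' {} + 2>/dev/null
    done
    return 0
}

# procs_running_from [DIR...]: prints "proc<TAB><pid><TAB><binary>" for every
# process whose executable lives under one of the directories.
# Linux only (/proc); run as root to see other users' processes.
procs_running_from() {
    [ "$#" -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        pid=${exe#/proc/}
        pid=${pid%/exe}
        for dir in "$@"; do
            case "$target" in
                "$dir"/*) printf 'proc\t%s\t%s\n' "$pid" "$target" ;;
            esac
        done
    done
    return 0
}

# Run "sh triage.sh scan" to check the default directories.
if [ "${1:-}" = "scan" ]; then
    list_suspicious
    procs_running_from
fi
```
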

1) Install Apache modules such as mod_security and configure them to block such GET requests (this is what happened from your server this time).
2) To prevent URL injection you can also:
   a) Turn off the fopen URL wrappers
   b) Disable the wget / fetch / lynx binaries
3) Make use of all the utilities provided to you in the Security section of your WHM.
4) You can also follow the steps outlined at: http://www.topwebhosts.org/tools/apf-bfd-ddos-rootkit.php
5) Schedule regular security audits, either monthly or weekly, in which you run chkrootkit and rkhunter and scan for vulnerabilities.
