Blueberry3.14 Posted October 5, 2013
> How do I change back the first name from DISASTER? I still have WHMCS because I bought an expensive theme that cannot be used with anything else.
I would restore the database from a backup.
Shazan Posted October 5, 2013
Surely. Thank you very much.
rob2 Posted October 5, 2013
Blueberry3.14, can I ask how to set up the mod_security rule? I have installed Mod Security and ConfigServer ModSecurity Control (cmc) on my WHM/cPanel server.
1. Create a file 99_zzz_custom.conf and save it at /usr/local/apache/conf/
2. Add "Include /usr/local/apache/conf/99_zzz_custom.conf" at WHM >> Mod Security >> Edit Config
3. Paste all the following into /usr/local/apache/conf/99_zzz_custom.conf and save.
Is it correct? Thank you

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
    "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"

# SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1500007"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\'(?:s(?:qloledb|a)|msdasql|dbo)\')" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\'(?:s(?:qloledb|a)|msdasql|dbo)\')" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
# SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \
#     "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1500008"
SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    "deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "AES_ENCRYPT" "id:31337,phase:4,log,deny,msg:'WHMCS Fail'"
ebmocwen Posted October 5, 2013
rob2, looks about right. You can test that the rule is working: http://www.yourdomain.co.uk/?p="AES_ENCRYPT=0" If you get a 503 (or are redirected to an Apache error page) then the rule is active.
rob2 Posted October 5, 2013
ebmocwen, it stays at the same page without any error.
rob2 Posted October 5, 2013
I tried putting in only
SecRule REQUEST_URI|ARGS|REQUEST_BODY "AES_ENCRYPT" "id:31337,phase:4,log,deny,msg:'WHMCS Fail'"
and tried http://www.mydomain/?p="AES_ENCRYPT=0". It shows 403 now. Is it correct?
ebmocwen Posted October 5, 2013
Yes, if you are getting a 403 then this rule is working correctly. You can test by removing AES_ENCRYPT from your URL and loading the page; without it, it should load fine. This proves the rule is working.
bear Posted October 5, 2013
403 is a good result to get from that. It means it stopped it as a "forbidden" request.
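The check ebmocwen and bear describe (one request carrying the AES_ENCRYPT string, one control request without it, 403 on the first and a normal page on the second) can be scripted so it is repeatable after every Apache or rule change. This is an added example, not code from the thread or from ConfigServer; BASE_URL, the parameter name `p` and the `waf-rule-check` User-Agent are assumptions to replace with your own values.

```python
"""Verify that a ModSecurity rule is live, the way the thread describes:
one request carrying the trigger string, one control request without it.
Added example (not from the thread); BASE_URL and the parameter name are
assumptions, substitute your own site."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://www.example.com/"   # assumption: your own WHMCS host
TRIGGER = "AES_ENCRYPT=0"               # the probe value used in the thread


def build_urls(base_url, param="p"):
    """Return (probe_url, control_url): identical except for the trigger."""
    probe = base_url + "?" + urllib.parse.urlencode({param: TRIGGER})
    control = base_url + "?" + urllib.parse.urlencode({param: "hello"})
    return probe, control


def fetch_status(url, timeout=10):
    """GET the URL and return its HTTP status; 4xx/5xx are results, not failures.
    A non-default User-Agent is set so the thread's bad-robots rule (990011),
    which matches agents such as wget, curl, lynx and libwww, does not fire on
    the control request and confuse the comparison."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-rule-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(probe_status, control_status):
    """Interpret the two statuses as the thread does: 403 on the probe with a
    normal control response means the rule is active."""
    if control_status >= 400:
        return "inconclusive: the control request failed, so the site itself is not serving"
    if probe_status == 403:
        return "blocking: rule is active (403 on probe, site fine without it)"
    if probe_status in (500, 503):
        return "blocking: probe ended on an Apache error page, check the ModSecurity audit log"
    if probe_status == control_status:
        return "not active: probe was served exactly like the control request"
    return "unclear: probe=%d control=%d, inspect the audit log" % (probe_status, control_status)


def check_rule(base_url=BASE_URL, param="p"):
    """Run the probe/control pair against a live server and classify the result."""
    probe, control = build_urls(base_url, param)
    return classify(fetch_status(probe), fetch_status(control))


if __name__ == "__main__":
    print(check_rule())
```

Run it from a host that is not whitelisted in CSF, since a whitelisted source address will never see the 403. One thing the probe cannot tell you: the `AES_ENCRYPT` rule in the thread is declared `phase:4`, which is ModSecurity's response-body phase, so the rule is evaluated after Apache has already passed the request to the application; the 403 withholds the response but does not stop the request from reaching WHMCS. Declaring the same rule in `phase:2` (request body) makes the deny happen before the application runs, and the script above reports the same 403 either way.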
quicklyweb Posted October 5, 2013
Yeah, the above mod_sec rules did not work for me for some reason. I will possibly disable new orders and registration until further notice. I had to delete the whole site and template, since I have lost my confidence in the WHMCS script.
alinford Posted October 5, 2013
Worked for me. Thanks for posting this.
quicklyweb Posted October 5, 2013
It is finally working for me. Thank you.
Blueberry3.14 Posted October 5, 2013
> Blueberry3.14, can I ask how to set up the mod_security rule? I have installed Mod Security and ConfigServer ModSecurity Control (cmc) on my WHM/cPanel server.
> 1. Create a file 99_zzz_custom.conf and save it at /usr/local/apache/conf/
> 2. Add "Include /usr/local/apache/conf/99_zzz_custom.conf" at WHM >> Mod Security >> Edit Config
> 3. Paste all the following into /usr/local/apache/conf/99_zzz_custom.conf and save.
> Is it correct? Thank you
> {snipped code}
You can do it that way, though I've always found it easier to just add custom rules to the modsec2.user.conf.
alinford Posted October 5, 2013
> You can do it that way, though I've always found it easier to just add custom rules to the modsec2.user.conf.
This is how I did it.
rob2 Posted October 5, 2013
> Yes, if you are getting a 403 then this rule is working correctly. You can test by removing AES_ENCRYPT from your URL and loading the page; without it, it should load fine. This proves the rule is working.
Does it mean that if I apply the mod_security rule and get the 403 error, it is fine even if I do not upgrade to 5.1.10?
Dicko_md Posted October 6, 2013
Hi. I got hit by this today. I manually put back all the first names from Disaster to their original names. I have disabled new customers and upgraded to 5.2.8. How do I add this Mod Security and ConfigServer ModSecurity Control into WHM, as I don't have it? Could somebody please point me in the right direction for doing it either via EasyApache or SSH? I think I need to add the rule ASAP. Thanks in advance, Martyn
Edited October 6, 2013 by Dicko_md
Blueberry3.14 Posted October 6, 2013
> Does it mean that if I apply the mod_security rule and get the 403 error, it is fine even if I do not upgrade to 5.1.10?
Definitely upgrade, in addition to adding the Mod_Security rule.
- - - Updated - - -
> Hi. I got hit by this today. I manually put back all the first names from Disaster to their original names. I have disabled new customers and upgraded to 5.2.8. How do I add this Mod Security and ConfigServer ModSecurity Control into WHM, as I don't have it? Could somebody please point me in the right direction for doing it either via EasyApache or SSH? I think I need to add the rule ASAP. Thanks in advance, Martyn
You can get the ConfigServer ModSecurity Control, then add the rule into modsec2.user.conf. It's extra assurance.
Dicko_md Posted October 6, 2013
Hi, thanks for that. I'm still new to SSH. Please could you tell me how to upload the file and then extract it? I have the tgz file.
scp c:/cmc/cmc.tgz root@server1:root/cmc
Is this correct? I'm thinking the root@ or server1 is wrong. Regards, Martyn
Edited October 6, 2013 by Dicko_md
Dicko_md Posted October 6, 2013
Hi, I managed to get the mod installed and copied the rules (below) into the page and saved modsec2.user.conf.

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
    "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"

# SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1500007"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\'(?:s(?:qloledb|a)|msdasql|dbo)\')" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\'(?:s(?:qloledb|a)|msdasql|dbo)\')" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
# SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \
#     "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1500008"
SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    "deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "AES_ENCRYPT" "id:31337,phase:4,log,deny,msg:'WHMCS Fail'"
Include /usr/local/apache/conf/modsec2.whitelist.conf

Is that it? When I try http://www.yourdomain.co.uk/?p="AES_ENCRYPT=0" (with my domain name changed) it still goes through to my website. Regards, Martyn
Edited October 6, 2013 by Dicko_md: added info
ebmocwen Posted October 6, 2013
> Is that it? When I try http://www.yourdomain.co.uk/?p="AES_ENCRYPT=0" (with my domain name changed) it still goes through to my website.
You should get a 403 error; it should not go through to your site, otherwise the rule is not working.
Dicko_md Posted October 6, 2013
Could you explain how to add the rules? You can still see the web page when I run the above link. Thanks, Martyn
Blueberry3.14 Posted October 6, 2013
> scp c:/cmc/cmc.tgz root@server1:root/cmc
> Is this correct? I'm thinking the root@ or server1 is wrong.
More than likely it is, yes.
- - - Updated - - -
> Could you explain how to add the rules? You can still see the web page when I run the above link. Thanks, Martyn
Ask in the CSF scripts forum.