Summary | ModSecurity Access denied with code 503 on shell.png |
Queue | Horde Groupware Webmail Edition |
Queue Version | 1.2.8 |
Type | Enhancement |
State | Rejected |
Priority | 1. Low |
Owners | |
Requester | cor3huis (at) gmail (dot) com |
Created | 12/01/2010 (5330 days ago) |
Due | |
Updated | 12/20/2010 (5311 days ago) |
Assigned | |
Resolved | 12/20/2010 (5311 days ago) |
Milestone | |
Patch | No |
Priority ⇒ 1. Low
(validly) is instead controlled by a program, maybe a handful of Horde
admins are running, that objects to our personal naming scheme?
I'd rather not be held hostage by the way some unknown group of people
think that files should be named.
State ⇒ Feedback
overly broad and inflexible. I'm not convinced.
Priority ⇒ 2. Medium
Patch ⇒ No
Milestone ⇒
Queue ⇒ Horde Groupware Webmail Edition
Summary ⇒ ModSecurity Access denied with code 503 on shell.png
Type ⇒ Enhancement
State ⇒ New
Generic Attempt to run rootkit
ModSecurity: Access denied with code 503 (phase 2). Pattern match
"/(?:(?:linuxdaybot|suntzu|shell_vup|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\\.(?:txt|php))"
at
WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit"]
[data "/shell.png"] [severity "CRITICAL"
For the file .../horde/themes/silver/graphics/shell.png
YES, a perfectly normal file, no problem; however, names in modsecurity
give alerts in ModSecurity if installed on an Apache server.
A quickfix would be to rename the file from shell.png to e.g. shll.png
and theme code referring to the name.
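
Added example (not part of the ticket, nor Horde or ModSecurity code): the pattern from the log above, run over a few request paths to show which file names the rule flags and what it would log as matched data. It assumes the rule inspects the request path (the log line is cut off before the variable name) and that Python's re treats this pattern as PCRE does; every sample path except the shell.png one is constructed.

```python
import re

# Pattern copied from the ModSecurity log line on this page, with the log's
# doubled backslashes ("\\.") reduced to the single backslash of the rule.
ROOTKIT_NAME = re.compile(
    r"/(?:(?:linuxdaybot|suntzu|shell_vup|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?"
    r"|too20|backdoor|terminatorx-?exp)"
    r"\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)"
    r"|(?:r57|fx29|c(?:99|100))\.(?:txt|php))"
)


def matched_data(uri):
    """Return the substring the rule would log as [data ...], or None."""
    m = ROOTKIT_NAME.search(uri)
    return m.group(0) if m else None


def audit(uris):
    """Map each URI to the matched substring (None when the rule stays quiet)."""
    return {u: matched_data(u) for u in uris}


# Constructed sample paths; only the first one comes from the ticket.
SAMPLE_URIS = [
    "/horde/themes/silver/graphics/shell.png",  # the file in this report
    "/horde/themes/silver/graphics/shll.png",   # the rename proposed above
    "/docs/ssh.html",                           # ordinary documentation page
    "/img/eggshell.png",                        # "shell" not directly after "/"
    "/img/shell.png.bak",                       # pattern has no end anchor
]

if __name__ == "__main__":
    for uri, hit in audit(SAMPLE_URIS).items():
        verdict = "BLOCK" if hit else "pass"
        print(f"{verdict:5}  {uri}  {hit or ''}")
```

The rule keys on a path segment that begins with one of the listed names followed by a listed extension, so an exclusion scoped to the theme graphics directory would stop the alert without touching the rule for the rest of the site.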