URL injections information

URL Injection attacks typically mean the server for which the IP address of the attacker is bound is a compromised server.
Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, along with checking the process tree (ps -efl or ps -auwx).
You may also want to check out http://www.chkrootkit.org/ and http://www.rootkit.nl/ as tools which should be used in addition to checking the directories and process tree.
Please use “ls -lab” for checking directories as sometimes compromised servers will have hidden files that a regular “ls” will not show.

(see http://en.wikipedia.org/wiki/Remote_File_Inclusion )

1) Installing some apache modules like mod_security and configuring it to prevent $GET requests (this is what happened from your server this time).
2) In order to prevent URL injection you can also :
# Turn off fopen url wrappers
# Disable wget / fetch / lynx binaries
3) Make use of all the utilities provided to you in the Security section of your WHM
4) You can also follow the steps outlined at : http://www.topwebhosts.org/tools/apf-bfd-ddos-rootkit.php
5) Schedule regular security audits on a timely basis – either monthly or weekly – where you can run chkrootkit and rkhunter and scan for vulnerabilities.

Leave a Comment