Blocking post text strings with mod security

asked Oct 8, 2013 in Security by rooby
Hi all,
I have installed mod sec on my cPanel server. I also installed the common rules on my cPanel server. Now I need to be able to block a defacement bot. This bot is currently modifying the files through an unknown defect in a file. An identifying section of the script appends to some files with the text string "b88007".

So I want to block this string in the query URLs with mod security as an interim measure. Can anyone please help me achieve this?
Thanks all

1 Answer

answered Oct 8, 2013 by TopNet
Add this code to your modsec config file:
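# Match POST requests (REQUEST_METHOD is upper case), then chain to the string check.
SecRule REQUEST_METHOD "@streq POST" "deny,chain,status:500,id:9379635"
    # Deny when any request header contains the marker string.
    SecRule REQUEST_HEADERS "@contains b88007"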

To later track this, run 'stat' on a modified file. Using the change and modify times, find the times in the access log (domlog). This will deny any POST request with that string.
...
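The tracking step described in the answer (take the modify and change times from `stat`, then look for requests at those times in the domlog), as an added example that is not part of the original answer. It assumes the domlog uses Apache's combined log format; the function names, the 5-second window and the sample log lines are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def file_times(path):
    """Modify and change times of a file (the values `stat` prints), as UTC datetimes."""
    st = os.stat(path)
    return [datetime.fromtimestamp(t, timezone.utc) for t in (st.st_mtime, st.st_ctime)]

def posts_near(log_lines, times, window_seconds=5):
    """Return (host, timestamp, path, status) for each POST logged within
    window_seconds of any of the given file times."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # unparsable line, or not a POST
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if any(abs(ts - ft) <= window for ft in times):
            hits.append((m.group("host"), ts, m.group("path"), m.group("status")))
    return hits

# Constructed sample data: three domlog lines and the mtime of a modified file.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Oct/2013:03:14:05 +0000] "POST /forms/upload.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [08/Oct/2013:03:14:06 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.5 - - [08/Oct/2013:09:30:00 +0000] "POST /forms/contact.php HTTP/1.1" 200 300 "-" "-"',
]
SAMPLE_MTIME = datetime(2013, 10, 8, 3, 14, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    # On a live server: posts_near(open(domlog_path), file_times(modified_file))
    for host, ts, path, status in posts_near(SAMPLE_LOG, [SAMPLE_MTIME]):
        print(host, ts.isoformat(), path, status)
```

The script that received the matching POST is the likely entry point to review, and the client address can be checked against the rest of the log for earlier requests.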