# @(#) $Id$
#
# OSSEC Linux Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: http://www.ossec.net/en/licensing.html
#
# [Application name] [any or all] [reference]
# type:;
#
# Type can be:
# - f (for file or directory)
# - p (process running)
# - d (any file inside the directory)
#
# Additional values:
# For the registry, use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
# PHP checks
[PHP - Register globals are enabled] [any] [http://www.ossec.net/wiki]
f:$php.ini -> r:^register_globals = On;
# PHP checks
[PHP - Expose PHP is enabled] [any] []
f:$php.ini -> r:^expose_php = On;
# PHP checks
[PHP - Allow URL fopen is enabled] [any] []
f:$php.ini -> r:^allow_url_fopen = On;
# PHP checks
[PHP - Safe mode disabled] [any] []
f:$php.ini -> r:^safe_mode = Off;
# PHP checks
[PHP - Displaying of errors is enabled] [any] []
f:$php.ini -> r:^display_errors = On;
# PHP checks - consider open_basedir && disable_functions
## Looking for common web exploits (might indicate that you are owned).
## Using http://www.ossec.net/wiki/index.php/WebAttacks_links as a reference.
[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
d:$web_dirs -> ^echo$ -> r: ^id.txt$ -> r: ^irc.txt$ -> r: ^stringa.txt -> r: ^cmd1.gif$ -> r: ^mambo1.txt$|^hai.txt$|^iyes.txt$ -> r: ^57.txt$ -> r: ^r57.txt -> r: ^evilx$ -> r: ^cmd$ -> r: ^root.gif -> r: ^bn.txt -> r: ^kk.txt -> r: ^graba.txt -> r: ^no.txt -> r: ^ddos.pl -> r: ^rox.txt -> r: ^lila.jpg -> r: ^safe.txt -> r: ^rootlab.jpg -> r: ^tool25.dat -> r: ^sela.txt -> r: ^zero.txt -> r: ^paged.gif -> r: ^hh.txt -> r: ^metodi.txt -> r: ^idpitbull.txt -> r: ^echo.txt -> r: ^ban.gif -> r: ^c.txt -> r: ^gay.txt -> r: ^genlog.txt$ -> r: ^safe$ -> r: ^safe3$ -> r: ^tool25.txt$ -> r: ^test.txt$ -> r: ^safeon.txt$ -> r: ^.yop$;
[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
d:$web_dirs -> ^id$;
[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
d:$web_dirs -> ^.ssh$;
[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
d:$web_dirs -> ^...$;
[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
d:$web_dirs -> ^.shell$;
# EOF #