Issue
A notification message from Imunify360 Advisor is received:
"The following users disabled "ModSecurity" via changes in .htaccess file: {username}. Please comment/remove either "SecFilterEngine Off" or "SecFilterScanPOST Off" in their .htaccess files."
Environment
- Imunify360
- Apache
Solution
Remove the directives SecFilterEngine and SecFilterScanPOST from the user's .htaccess files. Configuration files in user's paths should not look like this:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Since in this case the filtering engine is disabled, which is considered unsafe, such files should be deleted or modified accordingly. If a plugin modifies these files, adjust the plugin as well.
These directives can be used to evade antivirus detection, so if such changes were made without the user's knowledge, it is worth creating a ticket for a malware investigation. The initial warning shows the name of the affected user but will not be updated with new usernames. To make sure ModSecurity protection is enabled, it may be necessary to check the .htaccess files on the server. Provided that /home is the server's web root, such files can be found with:
webpath='/home/'; find $webpath -type f -name ".htaccess" -exec \
grep -H -iPo '^\s*(?!#\s*)SecFilter(?:Engine|ScanPOST)\s*Off\b' {} \;
The above command gives a quick overview of the state of the ModSecurity engine for each site and its folders. The files it finds should be reviewed or cleaned manually; in most cases they can simply be deleted. It is recommended to back up the files if automation such as sed is going to be used:
webpath='/home/'; find $webpath -type f -name ".htaccess" -exec \
grep -iPl '^\s*(?!#\s*)SecFilter(?:Engine|ScanPOST)\s*Off\b' {} \; \
2>/dev/null | xargs tar -Pczf ~/htaccesses_$RANDOM.tar.gz
The following command changes the relevant directives in .htaccess files from Off to On:
webpath='/home/'; find $webpath -type f -name ".htaccess" \
-exec sed -i '/^[^#]*\(SecFilterEngine\|SecFilterScanPOST\)\s*Off/ I s// \1 On/g' {} \;
Sed will add two whitespaces at the beginning of the changed directive, since the whole match, including anything that preceded the directive on that line, is replaced.
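The three steps above (find, back up, fix) combined into one script, as an added example that is not part of the Imunify360 article. It assumes GNU find, grep, sed and tar and runs against a sample web root constructed inline; unlike the sed one-liner above it keeps each directive's indentation and spelling and leaves commented-out lines untouched.

```shell
#!/bin/sh
# Added example, not from the Imunify360 article: locate .htaccess files that
# switch ModSecurity off, archive them, then flip the directives to "On" while
# keeping indentation and the original directive spelling. Assumes GNU
# find/grep/sed/tar, as found on CloudLinux/RHEL-style hosts.

# List .htaccess files under $1 containing an uncommented
# "SecFilterEngine Off" / "SecFilterScanPOST Off" (any case). A commented line
# never matches: the pattern allows only whitespace before the directive name.
find_disabling_htaccess() {
    find "$1" -type f -name .htaccess -exec \
        grep -ilE '^[[:space:]]*SecFilter(Engine|ScanPOST)[[:space:]]+Off\b' {} \; 2>/dev/null
}

# Archive every offending file into $2 (gzip tarball), then rewrite Off -> On.
# Prints the number of files changed.
repair_htaccess() {
    files=$(find_disabling_htaccess "$1")
    [ -n "$files" ] || { echo 0; return 0; }
    # -P keeps absolute paths so the archive restores files 1:1 if needed
    printf '%s\n' "$files" | tar -czPf "$2" -T -
    printf '%s\n' "$files" | while IFS= read -r f; do
        # \1 preserves leading whitespace and the directive as written; I = case-insensitive
        sed -i -E 's/^([[:space:]]*SecFilter(Engine|ScanPOST)[[:space:]]+)Off\b/\1On/I' "$f"
    done
    printf '%s\n' "$files" | grep -c .
}

# Constructed sample web root: alice and bob disable ModSecurity (bob in lower
# case), carol only has the directive commented out and must be left untouched.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html" "$root/bob/public_html" "$root/carol/public_html"
    printf '<IfModule mod_security.c>\n  SecFilterEngine Off\n  SecFilterScanPOST Off\n</IfModule>\n' \
        > "$root/alice/public_html/.htaccess"
    printf 'secfilterscanpost off\nRewriteEngine On\n' > "$root/bob/public_html/.htaccess"
    printf '# SecFilterEngine Off\nOptions -Indexes\n' > "$root/carol/public_html/.htaccess"
    echo "$root"
}

root=$(make_sample_tree)
echo "repaired $(repair_htaccess "$root" "$root/htaccess-backup.tgz") file(s) under $root"
grep -rn -i 'SecFilter' "$root"   # every live directive now reads "On"
```

Point the first argument at the real web root (for example /home) instead of the sample tree to run it on a server; the backup archive is written before any file is modified.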
As soon as a full background scan reports that no suspicious .htaccess files were detected, the status is changed via an API request. Please note that the new status and the Advisor update will not be delivered immediately. Once the Malware Scanner no longer detects the SMW-SUS-20410-php.exploit.htaccess signature types in configuration files, it may take up to two days before the status changes.
Cause
This message advises removing SecFilterEngine|SecFilterScanPOST Off directives from .htaccess to enable ModSecurity. It disappears after a new background scan no longer finds maliciously modified .htaccess files.