403 Permission Errors

bburnett · **403 Permission Errors -** 03-11-2006, 08:30 PM

When I try to submit a trouble ticket I get a 403 error after pressing the submit button.

bburnett · **403 Permission error -** 03-11-2006, 08:33 PM

When I try to submit this info, in this forum I get a page that just says NO:

Here is what I am submitting in the trouble ticket:

On server four; I have a client who started getting a 403 error on a page titled:
in_a_nut_shell .php. I discovered if I renamed the file in_a_nut_shell2 .php that it worked. I then tried changing permissions, removing frontpage extensions, looking a . htaccess etc. with no luck.

Then I noticed that if you request any file that ends in shell. php you get this error. I presume something has been set up for security purposes. Hopefully it can be handled a different way.

We can rename the file if we have to I suppose....

bburnett · **SHELLdotPHP -** 03-11-2006, 08:36 PM

It seems that whenever I put SHELLdotPHP (lower case with dot as a period) in the comments and press submit I get a page that just says NO.

Jim · 03-11-2006, 11:25 PM

That is a dangerous file to be uploading to the server no matter what you name it, but naming it that would likely get your site defaced quickly.

bburnett · 04-18-2006, 07:05 PM

The thing is the file wasn't actually called SHELLdotPHP but rather IN_A_NUTSHELLdotPHP

Jim · 04-18-2006, 10:36 PM

It is the pattern shell . php that is triggering the 403 error. shell . php is a script which hackers can put onto the server using some domains insecure script and use to further try to compromise the system. tmp is usually the first place they put the script because that partition is the easiest place to handle the files since all users on the server have access to tmp.

Unless we know exactly what scripts are running at all times and know that they are kept updated to close security holes as they are discovered (which is impossible) I have to depend on mod_security to block insecure scripts from being used to hack the servers. What happens is, someone runs a search at google for a known insecure script. Finds it and uses it to upload files to the server. mod_security has taken instances of scripts being abused on all of our servers from about one a day, to zero in a year. We use a whole laundry list of mod_security rules, many of which can be found here:
http://www.gotroot.com/downloads/ftp...ity/rules.conf
(but we don't use all of them).
More about the firewall can be found here
http://www.gotroot.com/tiki-index.ph...security+rules

Its an indispensible tool for keeping the servers secure.