Google bot triggering OWASP modsecurity rule 949110

aeroweb

Well-Known Member
Over the last few days we have been noticing that Google crawler IPs (i.e. 66.249.xxx.xxx) have started being blocked by the OWASP ModSecurity rules. This is not an isolated case; we have many servers and the same issue has been seen across all of them. Previously we had no issues like this related to the OWASP rules and the Google crawler. I pasted the information on the blocking below.

Has anyone else noticed this happening on their servers?

[Tue Jan 17 07:27:50.151353 2023] [:error] [pid 26431:tid 47538366150400] [client 66.249.65.152:44811] [client 66.249.65.152] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.redacted.com"] [uri "/"] [unique_id "Y8aURs22p6M8oG4bTN6gewAAAJg"]
 

cPRex

Jurassic Moderator
Staff member
Hey there! This isn't a new thing, as this happens with people once in a while when ModSecurity gets overly protective. Here is a similar thread from 10 years ago:


It's best to just adjust ModSecurity to not block that traffic.
 

ciao70

Well-Known Member
Hi,

Check the ModSecurity log carefully, because there is probably some other rule that triggers the 949110.
 
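The advice above is the right place to start: 949110 only reports that the inbound anomaly score crossed the threshold, so the rule that actually scored the request has to be found in the same error-log burst. The following script is an added example written for this thread, not code from cPanel, the OWASP CRS project or any poster. It parses Apache error-log lines in the ModSecurity 2.x format shown in the first post, groups them by `unique_id`, and for each request denied by 949110 lists the contributing rule ids. A second helper decodes a percent-encoded WordPress search target (`/?s=...`) so the text that libinjection inspected can be read. The sample log lines, hostname, libinjection fingerprint and `unique_id` are constructed placeholders.

```python
"""
Correlate ModSecurity 949110 denials with the rule(s) that actually scored.

Added example for the thread above; not code from cPanel or the OWASP CRS.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real log data). Both carry the same
# unique_id, as they would when one request first matches 942100 and is
# then denied by the anomaly-score evaluation in 949110. The libinjection
# fingerprint 'FAKE', the hostname and the unique_id are placeholders.
SAMPLE_LOG = r"""
[Tue Jan 17 07:27:50.151322 2023] [:error] [pid 26431:tid 47538366150400] [client 66.249.65.152:44811] [client 66.249.65.152] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'FAKE' [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: FAKE found within ARGS:s: \xe9\x9b\xb2\xe9\xa0\x82 ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTEDID000000000001"]
[Tue Jan 17 07:27:50.151353 2023] [:error] [pid 26431:tid 47538366150400] [client 66.249.65.152:44811] [client 66.249.65.152] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTEDID000000000001"]
"""

# [key "value"] pairs; values may contain backslash escapes such as \xe9.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The [client ...] bracket immediately before "ModSecurity:" (Apache 2.4
# emits [client ip:port] first, then ModSecurity adds [client ip]).
CLIENT_RE = re.compile(r'\[client ([0-9A-Fa-f.:]+)\] ModSecurity:')
SCORE_RE = re.compile(r'Total Score: (\d+)')

# Rule-id prefixes of the CRS blocking-evaluation and correlation rules.
# These report the score rather than contribute to it, so they are not
# the cause of a block.
EVALUATION_PREFIXES = ('949', '959', '980')


def parse_modsec_line(line):
    """Return the [key "value"] fields of one error-log line plus 'client',
    or None for lines that are not ModSecurity messages."""
    if 'ModSecurity:' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    client = m.group(1) if m else None
    # Older Apache builds emit a single [client ip:port]; drop an IPv4 port.
    if client and client.count(':') == 1 and '.' in client:
        client = client.rsplit(':', 1)[0]
    fields['client'] = client
    return fields


def explain_blocks(log_text):
    """Map each unique_id denied by 949110 to the rules that scored it."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_modsec_line(line)
        if fields and 'unique_id' in fields:
            by_request[fields['unique_id']].append(fields)

    report = {}
    for uid, events in by_request.items():
        denial = next((e for e in events if e.get('id') == '949110'), None)
        if denial is None:
            continue  # scored, but never reached the blocking threshold
        contributors = [
            (e['id'], e.get('msg', ''), e.get('data', ''))
            for e in events
            if e.get('id') and not e['id'].startswith(EVALUATION_PREFIXES)
        ]
        score = SCORE_RE.search(denial.get('msg', ''))
        report[uid] = {
            'client': denial['client'],
            'host': denial.get('hostname'),
            'uri': denial.get('uri'),
            'score': int(score.group(1)) if score else None,
            'contributors': contributors,
        }
    return report


def decode_search_query(request_target, param='s'):
    """Decode the percent-encoded search term from a WordPress /?s=... target.
    Returns None when the parameter is absent."""
    values = parse_qs(urlsplit(request_target).query).get(param)
    return values[0] if values else None


if __name__ == '__main__':
    for uid, info in explain_blocks(SAMPLE_LOG).items():
        print(f"{uid}: {info['client']} {info['host']}{info['uri']} "
              f"score={info['score']}")
        for rule_id, msg, data in info['contributors']:
            print(f"  caused by {rule_id}: {msg} [{data}]")
    # Decode a (shortened) search term of the kind seen later in the thread.
    print(decode_search_query('/?s=%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9E'))
```

Run it against the real error log with `explain_blocks(open('/path/to/error_log').read())`; the `[uri ...]` field carries only the path, so the query string itself comes from the access log or the ModSecurity audit log, which is where `decode_search_query` is meant to be applied.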

aeroweb

Well-Known Member
Thanks for the info, much appreciated.

The strange thing is, we've used ModSecurity with the OWASP rules set up on our servers for years now. And yes, we would occasionally get false positives and see the Google Bot being blocked over the years; however, in the last 3 days or so we've gotten hundreds of blocks, which is very unusual. Do you know if anything has changed recently? Have any of the OWASP rules been updated?

Thanks
 

cPRex

Jurassic Moderator
Staff member
You can check and see if there has been an update to the package through the /var/log/dnf.rpm.log log file. On my personal machine, the last OWASP update was Jan 5:

Code:
2023-01-05T05:34:47-0500 SUBDEBUG Upgrade: ea-modsec2-rules-owasp-crs-3.3.4-1.1.2.cpanel.x86_64
 

aeroweb

Well-Known Member
I do not have a dnf.rpm.log file. I checked the yum.log files and it's not in there.

I also checked /etc/apache2/conf.d/modsec_vendor_configs/OWASP3, but it appears that the rule files there get updated daily when cPanel runs its update cron.
 

aeroweb

Well-Known Member
After further review of both the ModSecurity logs and the Apache logs, it appears that the Googlebot is actually triggering rule 942100, "sql injection attack detected via libinjection".

The Google bot seems to be hitting the servers with hundreds of GET requests against WordPress websites using the built-in WordPress search feature (/?s=). See below.

Code:
GET  /?s=%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9E-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%96%A6DD96%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1-%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9Efdxpr-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%96%A6DD96%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1td3t-%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9Ebebzt-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1epvh
 
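Since the thread narrows the block down to 942100 firing on the WordPress search argument, the narrowest fix, in the spirit of cPRex's "adjust ModSecurity to not block that traffic", is to exclude that one parameter from that one rule rather than allowlist crawler IP ranges (IP allowlists are spoofable and Google's ranges change). The configuration below is an added example for this thread, not from cPanel, the OWASP CRS project or any poster; the local rule id 10001 is an arbitrary assumption. It assumes the file it lives in is loaded before the CRS rules (the CRS convention for a runtime exclusion) and is not inside the vendor directory, which the thread notes cPanel rewrites daily.

```apache
# Added example: keep 942100 active everywhere except on the WordPress
# search parameter. Phase 1 already sees query-string ARGS, which is all a
# WordPress search (a GET form) sends. Rule id 10001 is an assumed local id.
SecRule &ARGS:s "@ge 1" \
    "id:10001,phase:1,pass,t:none,nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:s"

# Configuration-time alternative for a file loaded AFTER the CRS rules:
# permanently drop ARGS:s from 942100's target list. Use one form, not both.
# SecRuleUpdateTargetById 942100 "!ARGS:s"
```

The other 942xxx rules still inspect `ARGS:s`, so only the libinjection check is given up on that parameter; anything a search term triggers in the rest of the rule set still scores as before. After restarting Apache, re-check the error log: 949110 should stop appearing for these requests, and if it does not, the log will show which other rule is now carrying the score.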