The Community Forums

Interact with an entire community of cPanel & WHM users!

mod security gone crazy after /var/lib/mysql restore

Discussion in 'Security' started by Silver_2000, Oct 31, 2009.

  1. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    I recently had to restore the /var/lib/mysql folder and its contents.

    Since then a number of websites and accounts are complaining that they are seeing errors when doing things that are perfectly normal and that didn't trigger modsec rules before the restore.

    I have ended up commenting out all 3 of the "Check decodings" rules as they have each started causing issues.
    The users are simply trying to post smilies to a forum, or reply to a post on a forum.

    The thing I'm wondering about is what changed when I restored the SQL data?
    Any ideas would be welcome.

    Thanks
    Doug
     
  2. Silver_2000

    Any ideas?

    Seems that one mod sec rule after another is impacting the users.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,465
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Strange.

    You mention the users, but not that it happens to you yourself doing the same thing. I'd uncomment them again and try it yourself (posting as they are trying to do that fails) to be sure it's all users and not just some. I can't recall the name of the smilie thing I've seen in logs many times, but it's malware.

    Edit, I think this was the one I'm referring to.

    google.com/search?hl=en&q=search.sweetim+smileys+malware%3F

    The owner of that site will be by shortly I suppose.
    forums.spybot.info/showthread.php?t=16087
     
  4. Silver_2000

    I never saw the issue when I tried to reproduce it, but that's not a surprise.

    It's impacting a number of users on a number of forums on the server.

    Nothing traceable in common among them.
    It's happening when they try to do a PM and when they try to attach a smilie.

    I assume it's the built-in smilies, BUT if it's spyware or an add-on then a bunch of people have it at once.

    The common thread seems to be the MySQL restore. All the problems started that day.
     
  5. Tsafarog

    Tsafarog Member

    Joined:
    Oct 23, 2009
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    Is it a vbulletin forum?
     
  6. Silver_2000

    Yes, the server houses approx. 8 vBulletin forums and it was happening to at least 3 of the 8 so far.
     
  7. Silver_2000

    The help is great.
    Often just thinking through the problem so you can describe it in a forum post is enough to get a new conclusion.

    In this case my remaining question is: what changed?

    These VB installs have been on the same server for years.
    Mod security has been on for years.

    The ruleset hasn't changed.

    The only thing that changed is the restore of the SQL databases.

    I'm wondering if it could be some strange SQL permissions issue that is somehow ruffling the feathers of modsecurity?

    I've ended up commenting out 4 rules that prior to the restore didn't seem to cause any problems.
     
  8. Tsafarog

    It is a common problem with Mod_security2 and vBulletin. Tomorrow (when I get to my office) I can post some links from vBulletin forums explaining some hiccups that occur with vBulletin when Mod_security2 is on. Keep in mind that Mod_sec2 will ignore .htaccess rules.

    I have had the same problems as well with some of my forums. For now I have deactivated mod_sec2 for the directories that these forums exist in by editing modsec2.conf (I haven't had any issues after applying the below):

    Code:
    <IfModule mod_security2.c>
    # Turn off ModSecurity rule processing for this one forum directory only
    <Directory /home/*****/public_html/vb>
    SecRuleEngine Off
    SecRuleInheritance Off
    </Directory>
    </IfModule>
    I warn you though that I am still studying the rule syntax and I suggest you make your own research before applying any rules.

    Hope I helped.
     
    #8 Tsafarog, Nov 2, 2009
    Last edited: Nov 2, 2009
  9. Infopro

    I happen to have this link as it's in a private message I sent to the author of the thread back in 2007. The post has since been updated, not at my request of course, but to make clear what modsecurity is, etc...

    [Any Version] Forbidden and Not acceptable errors?

    I disagree with the idea of disabling modsecurity for the entire site, and PMed him to ask him why he suggests it. Like most of us here, I host vBulletin forums, and I'm an owner of vBulletin forums as well, and I'm not disabling modsecurity for them specifically like this for anyone, not a chance. They block comment spammers and worse, every day. More strict is better, IMHO.

    I had a list of the rules that were problematic but cannot locate it ATM to comment on here. But they were rulesets for an older version of mod_security and Apache 1.X that I removed or commented out for reasons like editing templates in VB, as one example where we experienced problems.

    Those 3 "Check decodings" rules you mention you commented out are not commented out on my server. And I've got many additional sets of rules called from the modsec2.conf file via an include.

    I'm not seeing this problem here other than what I mentioned earlier in the thread. That's not to say there's not a problem, but I'm not seeing it, and I'm locked down very tight, I feel.

    I'm wondering this as well. Might be worth your while to put in a ticket to cPanel support and let them come by for a peek. But you mention you can post or do whatever these others are having problems with, and you don't have the problem. Right?

    In that case I would try and narrow it down a bit more to how many users exactly have problems, grab the IPs if it's only a small handful, and check your logs closer for clues. Try and find some relation to the problems if only a few on the forums are having them.

    Disable security? I want too much, not too little. And you can never have enough security...

    BTW, the reply to my PM was:

    SMF forums suggest this as well.

    Uh huh...
     
    #9 Infopro, Nov 2, 2009
    Last edited: Nov 2, 2009
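Following Infopro's advice to narrow the problem down in the logs before commenting rules out, here is an added Python example (not code from the thread or from cPanel) that parses ModSecurity 2.x entries from the Apache error_log and tallies which rule ids fire, on which URIs, and from how many distinct client IPs. The log lines, rule ids, hostnames and IP addresses are constructed placeholders, not values from this thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity 2.x / Apache 2 error_log format.
# Rule ids (9990xx), hostnames and client IPs are placeholders, not real values.
SAMPLE_LOG = """\
[Mon Nov 02 10:15:01 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:message. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "42"] [id "999001"] [msg "Check decodings: URL encoding abuse"] [hostname "forum-a.example"] [uri "/vb/private.php"]
[Mon Nov 02 10:15:09 2009] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:message. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "42"] [id "999001"] [msg "Check decodings: URL encoding abuse"] [hostname "forum-b.example"] [uri "/vb/newreply.php"]
[Mon Nov 02 10:16:05 2009] [error] [client 203.0.113.5] File does not exist: /home/user/public_html/favicon.ico
[Mon Nov 02 10:17:30 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:message. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "42"] [id "999001"] [msg "Check decodings: URL encoding abuse"] [hostname "forum-c.example"] [uri "/vb/private.php"]
[Mon Nov 02 10:18:12 2009] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:message. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "57"] [id "999002"] [msg "Check decodings: UTF-8 encoding abuse"] [hostname "forum-a.example"] [uri "/vb/newreply.php"]
"""

# Only lines that ModSecurity itself wrote; everything else in error_log is ignored.
LINE_RE = re.compile(r'\[client (?P<client>[^\]]+)\].*?ModSecurity: (?P<action>Access denied|Warning)')
# The bracketed key/value tags ModSecurity appends to each entry.
TAG_RE = re.compile(r'\[(?P<key>id|msg|uri|hostname) "(?P<val>[^"]*)"\]')


def parse_line(line):
    """Return a dict for a ModSecurity entry, or None for unrelated error_log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"client": m.group("client"), "action": m.group("action")}
    rec.update({t.group("key"): t.group("val") for t in TAG_RE.finditer(line)})
    return rec


def summarize(log_text):
    """Tally hits per rule, per URI, and the distinct clients each rule affected."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_rule = Counter((r.get("id"), r.get("msg")) for r in records)
    by_uri = Counter(r.get("uri") for r in records)
    clients = defaultdict(set)
    for r in records:
        clients[r.get("id")].add(r["client"])
    return {
        "records": len(records),
        "by_rule": by_rule,
        "by_uri": by_uri,
        "clients_per_rule": {rid: sorted(c) for rid, c in clients.items()},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (rid, msg), n in s["by_rule"].most_common():
        print(f"rule {rid} ({msg}): {n} hits from {len(s['clients_per_rule'][rid])} client(s)")
    for uri, n in s["by_uri"].most_common():
        print(f"{uri}: {n} hits")
```

A rule that fires from many distinct clients on the same forum URI points at the application's input rather than at a few infected visitors, which is the distinction the thread is trying to make.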