mod_sec & apache error logs ssl:info entries

[jeffschips]

Hello.

I'm receiving a large amount of the following types of log entries in my apache error_log. Wondering what the best course of action is and what does the ssl:info entry mean - is this an attacker trying to find the port on which ssl is operating? I have csf and mod_security.

[Sat Sep 05 03:42:58.640018 2020] [ssl:info] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] AH01964: Connection to child 213 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 03:42:58.872228 2020] [:error] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] [client 20XX:aXX:c3XX::a747:XXc0] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\\\\[To Parent Directory\\\\]<\\\\/[Aa]><br>)" at RESPONSE_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "30"] [id "950130"] [rev "2"] [msg "Directory Listing"] [data "Matched Data: <title>Index of /</title>\\x0a </head>\\x0a <body>\\x0a<h1>Index of found within RESPONSE_BODY: <!DOCTYPE HTML PUBLIC \\x22-//W3C//DTD HTML 3.2 Final//EN\\x22>\\x0a<html>\\x0a <head>\\x0a  <title>Index of /</title>\\x0a </head>\\x0a <body>\\x0a<h1>Index of /</h1>\\x0a  <table>\\x0a   <tr><th valign=\\x22top\\x22>&nbsp;</th><th><a href=\\x22?C=N;O=D\\x22>Name</a></th><th><a href=\\x22?C=M;O=A\\x22>Last modified</a></th><th><a href=\\x22?C=S;O=A\\x22>Size</a></th><th><a href=\\x22?C=D;O=A\\x22>Description</a></th><..."] [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-disclosure"]  [hostname "xxxxxxxxxx.com"] [uri "/"] [unique_id "X1NBgnKk4DVpdfujct-QRAAAANU"]
[Sat Sep 05 03:42:58.872322 2020] [core:info] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] AH00128: File does not exist: /home/xxxxxxxxxx.com/public_html/xxxxxxxxxx.com/403.shtml
[Sat Sep 05 03:42:58.872572 2020] [:error] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] [client 20XX:aXX:c3XX::a747:XXc0] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "39"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4): Directory Listing"] [tag "event-correlation"] [hostname "xxxxxxxxxx.com"] [uri "/"] [unique_id "X1NBgnKk4DVpdfujct-QRAAAANU"]
[Sat Sep 05 03:43:43.667189 2020] [ssl:info] [pid 3990:tid 47740772775680] [client 20XX:aXX:c3XX::a747:XXc0:61263] AH01964: Connection to child 200 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 03:44:15.340332 2020] [ssl:info] [pid 3990:tid 47740755965696] [client 20XX:aXX:c3XX::a747:XXc0:55074] AH01964: Connection to child 192 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 03:44:15.670722 2020] [core:info] [pid 3990:tid 47740755965696] [client 20XX:aXX:c3XX::a747:XXc0:55074] AH00128: File does not exist: /home/xxxxxxxxxx.com/public_html/XXXXXXX/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php


[Sat Sep 05 21:16:43.836770 2020] [ssl:info] [pid 11056:tid 47740847396608] [client 20XX:aXX:c3XX::a747:XXc0:57137] AH01964: Connection to child 395 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:17:16.630967 2020] [ssl:info] [pid 11056:tid 47740857902848] [client 20XX:aXX:c3XX::a747:XXc0:51899] AH01964: Connection to child 400 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:17:50.328790 2020] [ssl:info] [pid 11056:tid 47740866307840] [client 20XX:aXX:c3XX::a747:XXc0:61847] AH01964: Connection to child 404 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:18:24.025547 2020] [ssl:info] [pid 11056:tid 47740762269440] [client 20XX:aXX:c3XX::a747:XXc0:53424] AH01964: Connection to child 387 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:18:56.531811 2020] [ssl:info] [pid 10943:tid 47740774876928] [client 20XX:aXX:c3XX::a747:XXc0:63596] AH01964: Connection to child 73 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:19:28.263850 2020] [ssl:info] [pid 11056:tid 47740851599104] [client 20XX:aXX:c3XX::a747:XXc0:53002] AH01964: Connection to child 397 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:20:00.411424 2020] [ssl:info] [pid 11056:tid 47740866307840] [client 20XX:aXX:c3XX::a747:XXc0:60225] AH01964: Connection to child 404 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:20:33.626445 2020] [ssl:info] [pid 11056:tid 47740874712832] [client 20XX:aXX:c3XX::a747:XXc0:65404] AH01964: Connection to child 408 established (server xxxxxxxxxx.com:443)
goes on for hundreds of entries. . .

 

[andrew.n]

These entries seems to be harmless for me. Have you changed anything in Apache settings? looks like the log level is set to info where everything is being logged.

 

[jeffschips]

Thanks Andrew.

Indeed it is set to info. What would you recommend given that I am running csf which needs to read logs to respond. As well, you don't think it's unusual that one ip address generates nearly thousands of entries such as:

[Sat Sep 05 21:18:56.531811 2020] [ssl:info] [pid 10943:tid 47740774876928] [client 20XX:aXX:c3XX::a747:XXc0:63596] AH01964: Connection to child 73 established (server xxxxxxxxxx.com:443)

I view my logs frequently and have never seen quiet so many entries form one ip address. Do you have any insight into what the [ssl:info] tag means?

Thanks and I hope you are safe and healthy.

 

[andrew.n]

Well the info tag means that it's showing what is going on in the background i.e connections to the server and such. If you see like thousands of entries it is seems to be unusual indeed. Do you experience higher than normal load averages as well? If you check Apache Status under WHM do you see many connections from the same IP? What does it do? different pages or visiting the same page?

Sorry it's just a bit hard to pin-point the issue without actually seeing this behaviour.

 

[jeffschips]

I just checked Apache Status but it's only giving current connecitons. This activity happened yesterday.

 

[andrew.n]

ah right. Is it happening regularly or just once in the past? If its regular is it at the same time or random?

 

[jeffschips]

Once in the past as far as I can tell. I generally get csf reports when this kind of activity happens. What's even stranger is that actual ipv6, the real one, 2002:a747:c3c0::a747:c3c0 seems to be an internet router. Different ip search engines produce different results.

 

[jeffschips]

Webupdates

Tool that allows to add new objects and edit or delete existing objects in the RIPE Database

apps.db.ripe.net

 

[andrew.n]

I'm not sure to be frank. Maybe @cPanelLauren has some more insight on this

 

[cPanelLauren]

Really it's difficult to pinpoint these without access to the server and the ability to see the whole picture.
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!