
mod_sec Rule Problem / Apache2

Discussion in 'EasyApache' started by procam, Jun 7, 2007.

  1. procam

    procam Well-Known Member

    Can one of you mod_sec gurus please point me down the right path? This problem is driving me insane~~

    Customer has a shoutbox on their website, and when someone tries to post a URL into the shoutbox and submit it, the following is recorded to the log and the post does not work at all.... I can't figure out which of my mod_sec rules is doing this to stop the problem. Please help ..... :confused:


    ==bdc1ae2b==============================
    Request: domain.com xx.xxx.xx.xx - - [07/Jun/2007:07:47:44 --0700] "POST /forum/index.php?s=&autocom=shoutbox&code=ajax&cmd=postshout&lastshoutid=188 HTTP/1.1" 406 427 "http://www.domain.com/forum/index.php?act=idx" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4" -1cB1kL5hpsAAB7nId8AAAAh "-"
    Handler: x-httpd-php
    ----------------------------------------
    POST /forum/index.php?s=&autocom=shoutbox&code=ajax&cmd=postshout&lastshoutid=188 HTTP/1.1
    Host: www.domain.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Referer: http://www.domain.com/forum/index.php?act=idx
    Content-Length: 62
    Cookie: pass_hash=f0691baae62101cb76fb05b4197a37c8; ipb-myass-div=312,85; member_id=1; anonlogin=-1; rte-sidepanel=open; collapseprefs=welcome; forum_read=a%3A15%3A%7Bi%3A47%3Bi%3A0%3Bi%3A6%3Bi%3A1181187803%3Bi%3A49%3Bi%3A0%3Bi%3A19%3Bi%3A0%3Bi%3A20%3Bi%3A1181170735%3Bi%3A22%3Bi%3A1181158078%3Bi%3A58%3Bi%3A1179778973%3Bi%3A60%3Bi%3A1180494248%3Bi%3A11%3Bi%3A0%3Bi%3A12%3Bi%3A0%3Bi%3A35%3Bi%3A1180768104%3Bi%3A62%3Bi%3A1181005909%3Bi%3A61%3Bi%3A1180901466%3Bi%3A43%3Bi%3A1180906464%3Bi%3A64%3Bi%3A1181044749%3B%7D; session_id=7df963e9e3fb04a29bbe3dbcb266c90e; mqtids=%2C; modtids=%2C; ipb_admin_session_id=2877cda3aa21ca7f1108b0903ca8b36d; ibspeak_size=90; topicsread=a%3A1%3A%7Bi%3A6429%3Bi%3A1181227332%3B%7D; __utmz=67768462.1180653886.15.3.utmccn=(referral)|utmcsr=domain.com|utmcct=/forum/index.php|utmcmd=referral; __utma=67768462.57639937.1178574371.1181097516.1181160544.18; __utmc=67768462
    Pragma: no-cache
    Cache-Control: no-cache
    mod_security-action: 406
    mod_security-message: Access denied with code 406. Pattern match "(cmd|command)=.*(cd|\\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\\+\\+ |whoami|\\./|killall |rm \\-[a-z|A-Z])" at REQUEST_URI [severity "EMERGENCY"]
     
  2. bsasninja

    bsasninja Well-Known Member

    Check your domain logs and see what the post is.
     
  3. procam

    procam Well-Known Member

    I already thought of that; there is no information in the domain's logs, as the activity was halted, not processed.
     
  4. morfargekko

    morfargekko Member

    Hi, search your mod_sec rules for: "(cmd|command)=.*(cd|\\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\\+\\+ |whoami|\\./|killall |rm \\-[a-z|A-Z])" and disable that rule just for testing.

    It seems to me that it is a very strict rule, which I don't have. :confused:
     
  5. Spiral

    Spiral BANNED

    The last poster is right on target with this ...
    Code:
    "(cmd|command)=.*(cd|\\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\\+\\+ |whoami|\\./|killall |rm \\-[a-z|A-Z])"
    The above is the rule pattern that is being triggered.

    Search through your mod_security rule file(s) for the above pattern and just simply
    comment out the line or lines related to that particular rule.
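    Added example (not from the thread, cPanel or mod_security): it runs the pattern quoted in the mod_security message over the REQUEST_URI from the audit log above and reports which alternative fired, then tries a tightened pattern that is an assumption of this example, not a stock rule. Python 3 only.

```python
import re

# Pattern quoted in the mod_security message in the thread, with the Apache
# config-file double escaping ("\\;", "g\\+\\+", "\\./", "\\-") collapsed to the
# regex mod_security actually compiles.
ORIGINAL = re.compile(
    r"(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |"
    r"lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |"
    r"id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |"
    r"ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
)

# Tightened variant (an assumption of this example, not a stock cPanel or
# mod_security rule): look only inside the value of cmd=/command= and require
# the command word to stand on its own rather than appear as a substring.
# Operators such as ";" and "./" are left out here to keep the block short.
TUNED = re.compile(
    r"(?:^|[?&])(?:cmd|command)=[^&]*?(?<![a-z0-9])"
    r"(?:cd|perl|killall|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|"
    r"pwd|wget|lwp-(?:download|request|mirror|rget)|id|uname|cvs|svn|[sr](?:cp|sh)|"
    r"net(?:stat|cat)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|"
    r"whoami|rm -[a-zA-Z])(?![a-z0-9])"
)

# REQUEST_URI copied from the audit log entry in the thread.
LOGGED_URI = ("/forum/index.php?s=&autocom=shoutbox&code=ajax"
              "&cmd=postshout&lastshoutid=188")


def original_hit(uri):
    """Return the command token the original rule matched, or None."""
    m = ORIGINAL.search(uri)
    return m.group(2) if m else None


def tuned_hit(uri):
    """True if the tightened rule would still block this URI."""
    return TUNED.search(uri) is not None


if __name__ == "__main__":
    # The original rule fires because "lastshoutid" contains "id" after "cmd=".
    print("original matched on:", original_hit(LOGGED_URI))  # id
    print("tuned blocks shoutbox:", tuned_hit(LOGGED_URI))   # False
    # Constructed URI with a real command word as the parameter value.
    probe = "/cgi-bin/test.cgi?cmd=uname"
    print("tuned still blocks:", tuned_hit(probe))            # True
```

    Knowing which alternative fired tells you whether to comment the rule out entirely, as suggested above, or to narrow it so it keeps catching command-style parameter values without blocking ordinary forum parameters.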
     
  6. procam

    procam Well-Known Member

    Thanks Spiral ~:cool:
     