
mod_sec Rule Problem / Apache2

Discussion in 'EasyApache' started by procam, Jun 7, 2007.

  1. procam
    Can one of you mod_sec gurus please point me down the right path? This problem is driving me insane~~

    Customer has a shoutbox on their website, and when someone tries to post a URL into the shoutbox and submit it, the following is recorded to the log and the post does not work at all.... I can't figure out which of my mod_sec rules is doing this, so I can stop the problem. Please help..... :confused:


    ==bdc1ae2b==============================
    Request: domain.com xx.xxx.xx.xx - - [07/Jun/2007:07:47:44 --0700] "POST /forum/index.php?s=&autocom=shoutbox&code=ajax&cmd=postshout&lastshoutid=188 HTTP/1.1" 406 427 "http://www.domain.com/forum/index.php?act=idx" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4" -1cB1kL5hpsAAB7nId8AAAAh "-"
    Handler: x-httpd-php
    ----------------------------------------
    POST /forum/index.php?s=&autocom=shoutbox&code=ajax&cmd=postshout&lastshoutid=188 HTTP/1.1
    Host: www.domain.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Referer: http://www.domain.com/forum/index.php?act=idx
    Content-Length: 62
    Cookie: pass_hash=f0691baae62101cb76fb05b4197a37c8; ipb-myass-div=312,85; member_id=1; anonlogin=-1; rte-sidepanel=open; collapseprefs=welcome; forum_read=a%3A15%3A%7Bi%3A47%3Bi%3A0%3Bi%3A6%3Bi%3A1181187803%3Bi%3A49%3Bi%3A0%3Bi%3A19%3Bi%3A0%3Bi%3A20%3Bi%3A1181170735%3Bi%3A22%3Bi%3A1181158078%3Bi%3A58%3Bi%3A1179778973%3Bi%3A60%3Bi%3A1180494248%3Bi%3A11%3Bi%3A0%3Bi%3A12%3Bi%3A0%3Bi%3A35%3Bi%3A1180768104%3Bi%3A62%3Bi%3A1181005909%3Bi%3A61%3Bi%3A1180901466%3Bi%3A43%3Bi%3A1180906464%3Bi%3A64%3Bi%3A1181044749%3B%7D; session_id=7df963e9e3fb04a29bbe3dbcb266c90e; mqtids=%2C; modtids=%2C; ipb_admin_session_id=2877cda3aa21ca7f1108b0903ca8b36d; ibspeak_size=90; topicsread=a%3A1%3A%7Bi%3A6429%3Bi%3A1181227332%3B%7D; __utmz=67768462.1180653886.15.3.utmccn=(referral)|utmcsr=domain.com|utmcct=/forum/index.php|utmcmd=referral; __utma=67768462.57639937.1178574371.1181097516.1181160544.18; __utmc=67768462
    Pragma: no-cache
    Cache-Control: no-cache
    mod_security-action: 406
    mod_security-message: Access denied with code 406. Pattern match "(cmd|command)=.*(cd|\\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\\+\\+ |whoami|\\./|killall |rm \\-[a-z|A-Z])" at REQUEST_URI [severity "EMERGENCY"]
     
  2. bsasninja
    Check your domain logs and see what the post is.
     
  3. procam
    I already thought of that; there is no information in the domain's logs, as the activity was halted, not processed.
     
  4. morfargekko
    Hi, search your mod_sec rules for: "cmd|command)=.*(cd|\\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\\+\\+ |whoami|\\./|killall |rm \\-[a-z|A-Z])" and disable that rule just for testing.

    It seems to me that it is a very strict rule, which I don't have. :confused:
     
  5. Spiral
    The last poster is right on target with this ...
    Code:
    "(cmd|command)=.*(cd|\\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\\+\\+ |whoami|\\./|killall |rm \\-[a-z|A-Z])"
    The above is the rule pattern that is being triggered.

    Search through your mod_security rule file(s) for the above pattern and just simply
    comment out the line or lines related to that particular rule.
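    As an added check that is not part of this thread, the script below runs the quoted pattern against the REQUEST_URI from procam's log to show which alternative fires, and compares it with a tightened variant of my own; that variant is illustrative only and assumes the URI is already URL-decoded.

```python
import re

# REQUEST_URI copied from the mod_security log entry quoted in the first post.
SHOUTBOX_URI = ("/forum/index.php?s=&autocom=shoutbox&code=ajax"
                "&cmd=postshout&lastshoutid=188")

# The rule's pattern as quoted in the log, with the config-file backslash
# doubling removed so Python sees the regex mod_security actually compiled.
ORIGINAL = re.compile(
    r"(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |"
    r"lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |"
    r"id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |"
    r"ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
)

# Tightened variant (my own, illustrative, not an official rule). It assumes the
# URI is already URL-decoded and requires the command word to be the whole
# parameter value or a separate shell word, instead of any substring that
# follows "cmd=" anywhere later in the URI.
TIGHTENED = re.compile(
    r"(?:^|[?&])(?:cmd|command)=(?:[^&]*[;|\s])?"
    r"(?:cd|perl|killall|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|"
    r"pwd|wget|lwp-(?:download|request|mirror|rget)|id|uname|cvs|svn|[sr](?:cp|sh)|"
    r"net(?:stat|cat)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|whoami|rm)"
    r"(?=$|[\s&;|])"
)


def original_hit(uri):
    """Return the alternative of the original rule that fired, or None."""
    m = ORIGINAL.search(uri)
    return m.group(2) if m else None


def tightened_hit(uri):
    """True if the tightened variant fires on the URI."""
    return TIGHTENED.search(uri) is not None


if __name__ == "__main__":
    # Fires because "id" (an unanchored word in the rule's list) appears
    # inside "lastshoutid", which follows "cmd=" in the query string.
    print("original rule on shoutbox URI  :", original_hit(SHOUTBOX_URI))
    print("tightened rule on shoutbox URI :", tightened_hit(SHOUTBOX_URI))
    # Constructed regression sample so the tightened variant is shown to still
    # fire when the command word is the whole parameter value.
    print("tightened rule on cmd=uname    :", tightened_hit("/x.php?cmd=uname"))
```

    The pattern lists bare words such as cmd, id, pwd, uname and whoami with no anchoring, and the .* lets them match anywhere after cmd= in the URI, so a later parameter name containing "id" (here lastshoutid) is enough to trip it.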
     
  6. procam
    Thanks Spiral ~:cool:
     