The Community Forums


Mod_security is being triggered

Discussion in 'Security' started by hyder95, Jun 10, 2016.

  1. hyder95

    hyder95 Active Member

    Joined:
    May 26, 2016
    Messages:
    42
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Lahore
    cPanel Access Level:
    Root Administrator
    Hello,
    My mod_security has been triggered for the last couple of days for a few sites. The server's IP also appears as the host name in some of the triggered entries.
    Here are the details of a few attacks:

    Code:
    1-
    Host:  Sitename.com
    Request:                 GET /hudsykdommer-t-%C3%C3%83%C6%92%C3%82%C2%AF%C3%83%E2%80%9A%C3%82%C2%BF%C3%83%E2%80%9A%C3%82%C2%BD%E2%C3%83%C6%92%C3%82%C2%AF%C3%83%E2%80%9A%C3%82%C2%BF%C3%83%E2%80%9A%C3%82%C2%BD%A6-talgcyste.html
    Action Description:  Access denied with code 406 (phase 2).
    Justification:           Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME.
    Rule ID:                  1234123439: UTF8 Encoding Abuse Attack Attempt.
    
    [Thu Jun 09 17:09:14 2016] [error] [client 207.46.13.155] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "16"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "1234123439"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "Sitename.com"] [uri "/hudsykdommer-t-\\xc3\\xef\\xbf\\xbd-telangiektasier.html"] [unique_id "V1lcakAPm3wAAGvlWxoAAAAF"]
    
    2-
    Host: My Server's
    Request:                   GET /
    Action Description:    Access denied with code 406 (phase 2).
    Justification:             Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required.
    Rule ID:                    1234123429 Request Indicates an automated program explored the site.
    
    [Fri Jun 10 00:26:08 2016] [error] [client 31.184.195.114] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "1234123429"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "Server IP"] [uri "/cgi-bin/cgi_wrapper/cgi_wrapper"]
    
    
    What do those attacks show? Is this something I can ignore, or do I need to take action, and how can I deal with this?

    Thank You.
     
    #1 hyder95, Jun 10, 2016
    Last edited by a moderator: Jun 10, 2016
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Which ModSec rules are you using?
    To me, this looks like ModSec is doing its job. Are you saying that this is a false positive?
     
  3. hyder95

    hyder95 Active Member

    Joined:
    May 26, 2016
    Messages:
    42
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Lahore
    cPanel Access Level:
    Root Administrator
    Hello,
    No, I don't know exactly what this is; I am asking you guys whether this is a normal thing.

    Thank You.
     
  4. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    ModSec and regexps are ugly. This is quite common, unfortunately. You'll need to weed out and fine-tune rules like this.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The log entry below "Rule ID" will tell you the URL accessed, the rule it broke, a description of the rule, and the rule number. This helps you to evaluate whether it's a false positive or whether it successfully blocked an attack. The following document explains how to manage your ModSecurity rules from Web Host Manager:

    ModSecurity Tools - Documentation - cPanel Documentation

    Thank you.
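As an added illustration of reading those log entries (this is example code written for this thread, not code from the post, from cPanel or from ModSecurity), the script below parses the two error_log denials quoted in the opening post into their bracketed fields (client, id, msg, severity, hostname, uri), groups them per rule id, and applies a simple disposition: a rule keyed on the User-Agent is a scanner signature and stays blocked; a hit against a host you do not serve (such as the bare server IP) is noise; a UTF-8 rule firing on what looks like a real content page with a mangled encoding is a candidate false positive to verify. The triage heuristics, the `served` host set and the exclusion id `90001` are this example's own assumptions; `SecRule ... ctl:ruleRemoveById` is standard ModSecurity 2 syntax for disabling one rule for one vhost rather than server-wide.

```python
import re
from collections import defaultdict

# Two denials quoted in the opening post of this thread, used here as constructed sample input.
# The URI escapes (\xc3...) are written as Apache writes them to error_log.
SAMPLE_LOG = r"""
[Thu Jun 09 17:09:14 2016] [error] [client 207.46.13.155] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "16"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "1234123439"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "Sitename.com"] [uri "/hudsykdommer-t-\xc3\xef\xbf\xbd-telangiektasier.html"] [unique_id "V1lcakAPm3wAAGvlWxoAAAAF"]
[Fri Jun 10 00:26:08 2016] [error] [client 31.184.195.114] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "1234123429"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "Server IP"] [uri "/cgi-bin/cgi_wrapper/cgi_wrapper"]
"""

# Fixed prefix of a ModSecurity 2.x error_log line, up to the free-text reason.
HEADER_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?:Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)\. )?'
    r'(?P<reason>.*?)(?= \[[a-z_]+ ")'
)
# The bracketed key/value fields that follow the reason: [file "..."] [id "..."] [msg "..."] ...
# Values may contain backslash escapes such as \xc3, so allow an escaped character inside.
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')


def parse_entry(line):
    """Turn one error_log line into a dict; returns None for lines that are not ModSecurity denials."""
    line = line.strip()
    m = HEADER_RE.match(line)
    if not m:
        return None
    entry = {
        "time": m["time"],
        "client": m["client"],
        "code": int(m["code"]) if m["code"] else None,
        "phase": int(m["phase"]) if m["phase"] else None,
        "reason": m["reason"].strip(),
    }
    entry.update(FIELD_RE.findall(line))  # (key, value) pairs: file, line, id, msg, severity, hostname, uri, ...
    return entry


def summarize(log_text):
    """Group denials by rule id: how often it fired, from which clients, against which hosts."""
    by_rule = defaultdict(lambda: {"msg": None, "count": 0, "clients": set(), "hosts": set()})
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or "id" not in e:
            continue
        bucket = by_rule[e["id"]]
        bucket["msg"] = e.get("msg")
        bucket["count"] += 1
        bucket["clients"].add(e["client"])
        bucket["hosts"].add(e.get("hostname", ""))
    return dict(by_rule)


def triage(entry, served_hosts):
    """Heuristic disposition for one denial (the heuristics are this example's own, not cPanel's).

    served_hosts: lower-case host names that actually have a site behind them on this server.
    """
    if "REQUEST_HEADERS:User-Agent" in entry["reason"]:
        return "scanner-signature"        # rule keyed on a bot/tool User-Agent: leave blocked
    if entry.get("hostname", "").lower() not in served_hosts:
        return "unknown-host"             # request to the bare IP or a host you don't serve: noise
    uri = entry.get("uri", "")
    looks_like_page = uri.endswith((".html", ".htm", "/"))
    if entry["reason"].startswith("Invalid UTF-8 encoding") and looks_like_page and "\\x" in uri:
        return "possible-false-positive"  # a real page URL re-encoded by a crawler: verify, then exclude per vhost
    return "manual-review"


def exclusion_directive(host, rule_id, exclusion_id):
    """ModSecurity 2 directive that disables one rule for one vhost only, instead of server-wide.

    exclusion_id is whatever free rule id you reserve for local exclusions (placeholder in this example).
    """
    return (f'SecRule REQUEST_HEADERS:Host "@streq {host}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')


if __name__ == "__main__":
    served = {"sitename.com"}  # constructed: the vhosts this server really serves
    for line in SAMPLE_LOG.strip().splitlines():
        e = parse_entry(line)
        print(e["id"], e["client"], e.get("hostname"), "->", triage(e, served))
    print(exclusion_directive("Sitename.com", "1234123439", 90001))
```

Run it against a copy of `/usr/local/apache/logs/error_log` by replacing `SAMPLE_LOG` with the file contents; the per-rule summary shows whether a rule fires from many clients against many hosts (a scanner sweep) or repeatedly on one real page of one site (a candidate exclusion scoped to that vhost).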
     