
Mod_Security Log Entry

Discussion in 'Security' started by morphey, Aug 31, 2015.

  1. morphey

    morphey Member
    Hello,

    The problem is being solved, but since that day I have been seeing several attempted attacks from a cPanel IP:

    Code:
    [Mon Aug 31 09:22:03 2015] [error] [client 208.74.125.50] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsec/20_asl_useragents.conf"] [line "180"] [id "330039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl).  Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "autodiscover.xxxxxxxx.xxx"] [uri "/cgi-sys/autodiscover.cgi"] [unique_id "VeQAmy4cBQsAACZROUcAAAAw"]
    
    Are we sure that there are other problems?
     
    #1 morphey, Aug 31, 2015
    Last edited: Aug 31, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Internal case CPANEL-268 is open to address the issue where autoconfig/autodiscover.cpanel.net needs to set a User-Agent string to avoid being blocked by the Atomicorp WAF Mod_Security rules. This rule ID is documented at:

    https://www.atomicorp.com/wiki/index.php/WAF_330039

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    In addition to the information provided above by Michael, the requests are not attacks. They are legitimate requests from cPanel servers that happen to use a User-Agent that Atomicorp blocks by default. I reported this in the past and, as Michael stated, CPANEL-268 is open to address this. In the meantime, if your server has a file at /etc/asl/whitelist, you can add the cPanel autodiscover IP addresses to that file and restart Apache, or temporarily disable rule 330039 in your ModSecurity configuration.
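
A triage helper for the situation discussed in this thread, added here as an example and not part of any post or of cPanel's or Atomicorp's code: it parses ModSecurity denial entries in the log format quoted in the first post and lists which clients a rule is blocking on a given URI, so the addresses can be verified before they are whitelisted or rule 330039 is disabled. The function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Prefix of an Apache error_log entry in the format quoted in this thread.
HEAD = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>.*?)(?= \[file "|$)')
# Trailing metadata: [key "value"]; the value may contain escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denial(line):
    """Return a dict for a ModSecurity 'Access denied' entry, else None."""
    head = HEAD.match(line)
    if not head or "Access denied" not in head["action"]:
        return None
    entry = head.groupdict()
    for key, value in FIELD.findall(line[head.end():]):
        entry.setdefault(key, value.strip())  # keep first value of repeated keys
    return entry

def denials_by_rule(lines):
    """Count denials per (rule id, client, uri)."""
    counts = Counter()
    for line in lines:
        entry = parse_denial(line)
        if entry:
            counts[(entry.get("id"), entry["client"], entry.get("uri"))] += 1
    return counts

def clients_for(lines, rule_id, uri):
    """Clients denied by one rule on one URI (verify these before whitelisting)."""
    return sorted({c for (rid, c, u) in denials_by_rule(lines)
                   if rid == rule_id and u == uri})

def sample_line(client, rule_id, uri):
    """Build a constructed log line (not real traffic) in the thread's format."""
    return (f'[Mon Aug 31 09:22:03 2015] [error] [client {client}] ModSecurity: '
            'Access denied with code 403 (phase 2). [file "/etc/modsec/sample.conf"] '
            f'[line "1"] [id "{rule_id}"] [msg "constructed sample"] [uri "{uri}"]')

SAMPLE = [  # constructed; client addresses are documentation ranges
    sample_line("192.0.2.10", "330039", "/cgi-sys/autodiscover.cgi"),
    sample_line("192.0.2.10", "330039", "/cgi-sys/autodiscover.cgi"),
    sample_line("192.0.2.11", "330039", "/cgi-sys/autodiscover.cgi"),
    sample_line("198.51.100.7", "330039", "/index.php"),
    "[Mon Aug 31 09:23:00 2015] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    print(clients_for(SAMPLE, "330039", "/cgi-sys/autodiscover.cgi"))
```
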
     