Mod_Security Log Entry

Discussion in 'Security' started by morphey, Aug 31, 2015.

  1. morphey

    morphey Member
    PartnerNOC

    Hello,

    The problem is being solved, but since that day I have been seeing several attempted attacks from a cPanel IP:

    Code:
    [Mon Aug 31 09:22:03 2015] [error] [client 208.74.125.50] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsec/20_asl_useragents.conf"] [line "180"] [id "330039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl).  Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "autodiscover.xxxxxxxx.xxx"] [uri "/cgi-sys/autodiscover.cgi"] [unique_id "VeQAmy4cBQsAACZROUcAAAAw"]
    
    Are we sure that there are other problems?
     
    #1 morphey, Aug 31, 2015
    Last edited: Aug 31, 2015
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello :)

    Internal case CPANEL-268 is open to address the issue where autoconfig/autodiscover.cpanel.net needs to set a User-Agent string to avoid being blocked by the Atomicorp WAF Mod_Security rules. This rule ID is documented at:

    https://www.atomicorp.com/wiki/index.php/WAF_330039

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    In addition to the information provided above by Michael, the requests are not attacks. They are legitimate requests from cPanel servers that happen to use a User-Agent that Atomicorp blocks by default. I reported this in the past, and as Michael stated, CPANEL-268 is open to address this. In the meantime, if your server has a file at /etc/asl/whitelist you can add the cPanel autodiscover IP addresses to that file and restart Apache, or temporarily disable rule 330039 in your ModSecurity configuration.
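
Added example, not part of the thread and not cPanel or Atomicorp code: a Python triage of ModSecurity denials like the one quoted in the first post, which separates the false positive described above (rule 330039 on `/cgi-sys/autodiscover.cgi` from a trusted sender) from denials that still need a look. The function names, verdict labels and `TRUSTED_NETS` are assumptions; the single trusted address is just the client in the quoted log entry, so confirm the current cPanel autodiscover addresses before relying on it.

```python
import ipaddress
import re

# Log entry copied from the first post (hostname was already redacted there).
SAMPLE = r'''[Mon Aug 31 09:22:03 2015] [error] [client 208.74.125.50] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsec/20_asl_useragents.conf"] [line "180"] [id "330039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl).  Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "autodiscover.xxxxxxxx.xxx"] [uri "/cgi-sys/autodiscover.cgi"] [unique_id "VeQAmy4cBQsAACZROUcAAAAw"]'''

# Assumption: address taken from that log entry only. Confirm the current
# cPanel autodiscover addresses yourself before trusting any of them.
TRUSTED_NETS = [ipaddress.ip_network("208.74.125.50/32")]
# (rule id, URI) pairs the thread identifies as a false positive.
KNOWN_FP = {("330039", "/cgi-sys/autodiscover.cgi")}

CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse(line):
    """Return the fields of one ModSecurity error_log line, or None."""
    client = CLIENT_RE.search(line)
    if "ModSecurity:" not in line or client is None:
        return None
    fields = {name: value for name, value in TAG_RE.findall(line)}
    addr = client.group(1)
    # Apache 2.4 logs "ip:port"; drop the port for IPv4 clients.
    if addr.count(":") == 1:
        addr = addr.split(":")[0]
    fields["client"] = addr
    return fields


def triage(line, trusted_nets=TRUSTED_NETS, known_fp=KNOWN_FP):
    """Classify a denial: known false positive, needs review, or investigate."""
    entry = parse(line)
    if entry is None:
        return "not-modsecurity"
    if (entry.get("id"), entry.get("uri")) not in known_fp:
        return "investigate"
    try:
        ip = ipaddress.ip_address(entry["client"])
    except ValueError:          # hostname instead of an address
        return "review-source"
    if any(ip in net for net in trusted_nets):
        return "known-false-positive"
    return "review-source"      # right rule and URI, unverified sender


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `review-source` verdict means the same rule and URI fired for a sender that is not on the trusted list, which is the case a blanket disable of rule 330039 would hide.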
     