The Community Forums

Interact with an entire community of cPanel & WHM users!

Modsec cause Access denied with code 406

Discussion in 'Security' started by Mahmoud Alesali, Feb 15, 2016.

  1. Mahmoud Alesali

    Mahmoud Alesali Registered

    Hello,
    I have a VPS with root access at Inmotionhosting.
    I have a Joomla 3.4.8 website that, with ModSec, causes httpd to fail.
    This is the message from the server:
    Code:
    The service "httpd" appears to be down.

    Server: somthinher.inmotionhosting.com
    Primary IP Address: 172.81.xxx.xxx
    Service Name: httpd
    Service Status: failed
    Notification: The service "httpd" appears to be down.
    Service Check Method: The system failed to connect to this service's TCP/IP port.
    Reason: Timeout while trying to get data from service: Died
    Number of Restart Attempts: 1

    Startup Log

    AH00316: WARNING: MaxRequestWorkers of 512 is not an integer multiple of
    ThreadsPerChild of 25, decreasing to nearest multiple 500,
    for a maximum of 20 servers.
    
    Log Messages
    
    [Sun Feb 14 10:35:41.618454 2016] [:error] [pid 19361:tid 140384013326080] [client 37.106.131.184] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^sqlmap" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec-imh/01_base_rules.conf"] [line "160"] [id "13424"] [msg "Request from SQLMap blocked"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "example.com.sa"] [uri "/en/index.php/american-diploma"] [unique_id "VsCezaxRd4wAAEuhnfUAAAIT"]
    [Sun Feb 14 10:35:41.384297 2016] [:error] [pid 19325:tid 140384002836224] [client 37.106.131.184] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^sqlmap" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec-imh/01_base_rules.conf"] [line "160"] [id "13424"] [msg "Request from SQLMap blocked"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "example.com.sa"] [uri "/en/index.php/american-diploma"] [unique_id "VsCezaxRd4wAAEt9qT8AAAHU"]
    [Sun Feb 14 10:35:41.149219 2016] [:error] [pid 19288:tid 140384283518720] [client 37.106.131.184] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^sqlmap" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec-imh/01_base_rules.conf"] [line "160"] [id "13424"] [msg "Request from SQLMap blocked"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "example.com.sa"] [uri "/en/index.php/american-diploma"] [unique_id "VsCezaxRd4wAAEtYZ6kAAAGA"]
    [Sun Feb 14 10:35:40.912636 2016] [:error] [pid 19263:tid 140383992346368] [client 37.106.131.184] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^sqlmap" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec-imh/01_base_rules.conf"] [line "160"] [id "13424"] [msg "Request from SQLMap blocked"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "example.com.sa"] [uri "/en/index.php/american-diploma"] [unique_id "VsCezKxRd4wAAEs-U2EAAAFV"]
    [Sun Feb 14 10:35:40.676218 2016] [:error] [pid 19256:tid 140383971366656] [client 37.106.131.184] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^sqlmap" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec-imh/01_base_rules.conf"] [line "160"] [id "13424"] [msg "Request from SQLMap blocked"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "example.com.sa"] [uri "/en/index.php/american-diploma"] [unique_id "VsCezKxRd4wAAEs4SHUAAAEX"]
    Please help me to solve this problem.

    Also this message:
    Code:
    Memory Information

    Used: 6.57 GB
    Available: 1.21 GB
    Installed: 1.5 GB

    Load Information: 0.00 0.00 0.08
    Uptime: 4 days, 23 hours, 28 minutes, and 44 seconds

    IOStat Information

    avg-cpu:  %user  %nice  %system  %iowait  %steal  %idle
               1.44   0.00     0.11     0.08    0.00  98.37
    Device:  tps  Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn

    Top Processes

    PID    Owner  CPU %  Memory %  Command
    6058   mysql  5.05   4.83      /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/lib/mysql/vps18314.inmotionhosting.com.err --open-files-limit=10000 --pid-file=/var/lib/mysql/vps18314.inmotionhosting.com.pid
    965    root   3.75   0.64      /usr/local/cpanel/scripts/restartsrv_pureftpd --check --notconfigured-ok
    929    root   0.20   1.20      tailwatchd - chkservd - ftpd check
    13716  root   0.03   1.99      spamd child
    27063  root   0.02   0.25      /usr/local/cpanel/3rdparty/perl/514/bin/spamd --daemonize --allowed-ips=127.0.0.1 --max-children=20 --max-conn-per-child=150 --pidfile=/var/run/spamd.pid -i127.0.0.1
    
     
    #1 Mahmoud Alesali, Feb 15, 2016
    Last edited by a moderator: Feb 15, 2016
  2. 24x7server

    24x7server Well-Known Member

    Hello :),

    I think you will have to monitor your server and http service error log file. You can find out the exact root cause of these httpd issues with the httpd error log file.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  4. quizknows

    quizknows Well-Known Member

    Pattern match "^sqlmap" at REQUEST_HEADERS:User-Agent

    ^^ This means someone is trying to SQL inject / attack your site(s). It is a good thing this was blocked and you should not allow it. SQLMap is a very useful tool for both security professionals and attackers to find SQL injection attack vectors.

    The 2nd block you pasted regarding services is not necessarily a security issue. I would refer to the link that cPanelMichael provided above to troubleshoot high load.
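
Added example, not part of any post in this thread: a small parser for the ModSecurity "Access denied" lines quoted in the first post, grouping denials by client and rule id so that a burst like the one shown there (five blocks by rule 13424 in about a second) stands out. The sample lines are constructed; the client addresses, file path and burst thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log lines quoted in the thread. Rule
# id, msg and pattern come from the thread; addresses and file path are made up.
TEMPLATE = ('[Sun Feb 14 {t} 2016] [:error] [pid 1:tid 2] [client {ip}] '
            'ModSecurity: Access denied with code 406 (phase 2). Pattern match '
            '"^sqlmap" at REQUEST_HEADERS:User-Agent. [file "/etc/example.conf"] '
            '[line "160"] [id "13424"] [msg "Request from SQLMap blocked"] '
            '[uri "/en/index.php/american-diploma"] [unique_id "constructed"]')
SAMPLE = [TEMPLATE.format(t=t, ip=ip) for t, ip in (
    ('10:35:40.676218', '192.0.2.10'), ('10:35:40.912636', '192.0.2.10'),
    ('10:35:41.149219', '192.0.2.10'), ('10:36:00.000000', '198.51.100.7'))]
SAMPLE.append('AH00316: WARNING: MaxRequestWorkers of 512 is not an integer')

TS = re.compile(r'^\[\w{3} (\w{3} \d{1,2} [\d:.]+ \d{4})\]')
CLIENT = re.compile(r'\[client ([^\]]+)\]')
DENY = re.compile(r'ModSecurity: Access denied with code (\d+)')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "13424"], [msg "..."]

def parse_denial(line):
    """Return a dict for a ModSecurity 'Access denied' line, else None."""
    ts, client, deny = TS.search(line), CLIENT.search(line), DENY.search(line)
    if not (ts and client and deny):
        return None
    rec = dict(FIELD.findall(line))
    rec.update(time=datetime.strptime(ts.group(1), '%b %d %H:%M:%S.%f %Y'),
               client=client.group(1), status=int(deny.group(1)))
    return rec

def summarize(lines, min_hits=3, max_span_s=2.0):
    """Group denials by (client, rule id); flag groups that look automated."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_denial, lines)):
        groups[(rec['client'], rec.get('id'))].append(rec)
    out = {}
    for key, recs in groups.items():
        times = sorted(r['time'] for r in recs)
        span = (times[-1] - times[0]).total_seconds()
        out[key] = {'hits': len(recs), 'span_s': span, 'msg': recs[0].get('msg'),
                    'uris': sorted({r['uri'] for r in recs if 'uri' in r}),
                    'burst': len(recs) >= min_hits and span <= max_span_s}
    return out

if __name__ == '__main__':
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

A group flagged as a burst with a scanner-signature message means the rule is doing its job; the httpd outage has to be diagnosed separately from the service and load data.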
     