Rockforduk

Hi Everyone,
I have moved to a new server and my Modsec is playing havoc with my WordPress websites. I have whitelisted an awful lot of rules, but one in particular is causing a problem. I use the WordPress App on my phone to update my blog, but Modsec is still blocking it even after I have whitelisted the rule. How can I fix this, please?

240335 [13/May/2016:23:41:29 +0100]
Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "1204"] [id "240335"] [rev "3"] [msg "COMODO WAF: XML-RPC Attack Identified from My IP Address (+1 hits since last alert) (CVE-2013-0235)"]


Request: POST /xmlrpc.php
Action Description: Access denied with code 403 (phase 2).
Justification: Operator EQ matched 0 at IP.

Any help would be much appreciated on this.

Thanks

Rockforduk
 

quizknows

I'm wondering if that rule is overly restrictive on xmlrpc.php. Since xmlrpc.php is so heavily attacked I would not be surprised.

Also, it is possible that IP data is logged in /var/cpanel/secdatadir/ip.dir and ip.pag. If those files exist you can clear temp data by deleting them and restarting apache. This will reset counts on brute force based rules.

Taking a look at the 32_Apps_OtherApps.conf file, there is a section for xmlrpc but I don't see how it accounts for legitimate requests. Mind you I'm only taking a quick look at it, however, you may need to whitelist some other rule IDs.

Sadly since you're on a phone I'm assuming you don't have a static IP address. It would be safer / more preferable to do an IP based whitelist but that is probably not an option.

If it were me, I would whitelist the rules 240334 and 240336 as well, clear out ip.dir / ip.pag, restart apache, and see where that gets you.
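
Added example, not part of the original thread or of the COMODO rule set: three ways to scope the whitelist for rules 240334, 240335 and 240336 discussed above, from broadest to narrowest. The IP address 203.0.113.10 and the rule id 1000001 are constructed placeholders, and the file must be loaded after the vendor rules so that the IDs already exist.

```apache
# Added example. Pick ONE of the options below; they are alternatives.

# Option 1 (broadest, shown commented out): removes the three rules for
# every request on the server, not just xmlrpc.php.
# SecRuleRemoveById 240334 240335 240336

# Option 2: remove the rules only for requests whose path ends in
# /xmlrpc.php. All other URLs keep the vendor protection.
<LocationMatch "/xmlrpc\.php$">
    SecRuleRemoveById 240334 240335 240336
</LocationMatch>

# Option 3 (narrowest, needs a static client address): skip the rules only
# when the request is for xmlrpc.php AND comes from one trusted IP.
# 203.0.113.10 is a placeholder; id 1000001 is an arbitrary local rule id.
# The ctl actions sit on the last rule of the chain so they run only when
# both conditions match. phase:1 runs before the phase 2 rule that blocked.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1000001,phase:1,pass,nolog,chain"
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
        "ctl:ruleRemoveById=240334,ctl:ruleRemoveById=240335,ctl:ruleRemoveById=240336"
```

Because 240335 is a count-based rule, an address that has already accumulated hits can stay blocked until the persistent IP collection is cleared and Apache restarted, as described in the post above.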
 

cPanelMichael

Administrator
Staff member
Hello,

Feel free to update this thread with the outcome after trying the solution suggested by quizknows in the previous response.

Thank you.