

ModSecurity - Domain listed not mine

Discussion in 'Security' started by cuzzmunger, Mar 9, 2019.

  1. cuzzmunger

    cuzzmunger Member

    Joined:
    Apr 28, 2017
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sydney
    cPanel Access Level:
    Root Administrator
    Hi There,
    I'm sorry to ask such a silly question but I'm seeing hits on my server through ModSecurity - Tools from other domains or blank altogether with just an IP. I'm not hosting the domain so why am I seeing these hits along with my ones?

    Any help appreciated.
    Kim.


    OWASP3
    Hits List


    2019-03-10 13:24:29 example.com 201.198.xxx.xx NOTICE 400
    920310: Request Has an Empty Accept Header

    Request:
    GET /autodiscover/autodiscover.xml
    Action Description:
    Warning.
    Justification:
    Match of "pm AppleWebKit Android Business Enterprise Entreprise" against "REQUEST_HEADERS:User-Agent" required.
     
    #1 cuzzmunger, Mar 9, 2019
    Last edited by a moderator: Mar 10, 2019
  2. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    129
    Likes Received:
    74
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    The host column with the domain name in your example is client supplied in the Request Header...
    Host: domainname.com

    A good client sets it to the domain the client was accessing when the request was made.
    A bad client can set it to anything.

    The 400 Response Status was set by Apache in response to a Bad Request (not complying with the HTTP protocol)
    Once this Response Status is set Apache will respond with 400.shtml if it exists (it will not serve /autodiscover/autodiscover.xml)
    That happened before ModSecurity parsed the request.

    ModSecurity then parsed the request, hit rule 920310.
    The Justification log is a bit obscure, but if you read rule 920310 it has the chained logic of...
    If the HTTP header named Accept: IS empty
    AND
    the HTTP header named User-Agent: IS NOT (AppleWebKit OR Android OR Business OR Enterprise OR Entreprise)

    The severity of this hit is NOTICE which means this rule has no blocking effect to the request but does log it.
    Hits to other rules by the same request may still cause ModSecurity to deny it.
     
    cPanelMichael likes this.
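
An added example, not part of the post above and not cPanel or OWASP code: a simplified Python model of the two points in that reply, namely that the Host value in a hit is whatever the client sent, and the chained condition described for rule 920310. The hosted-domain list, function names and sample requests are constructed assumptions.

```python
import re

# Assumption: domains this server really hosts (constructed placeholder names).
HOSTED = {"mysite.example", "www.mysite.example"}
# Words listed in the hit's Justification line for rule 920310.
UA_EXEMPT = ("applewebkit", "android", "business", "enterprise", "entreprise")

def parse_headers(raw):
    """Return (request_line, headers) from a raw HTTP request; header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def host_kind(headers):
    """Classify the client-supplied Host header against the hosted-domain list."""
    host = re.sub(r":\d+$", "", headers.get("host", "").lower())
    if not host:
        return "missing"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "bare-ip"
    return "hosted" if host in HOSTED else "not-hosted"

def matches_920310(headers):
    """Simplified model of the chained logic described in the thread."""
    # A header that is absent gives the rule nothing to test (assumption of this model).
    if headers.get("accept") != "" or "user-agent" not in headers:
        return False
    ua = headers["user-agent"].lower()
    return not any(word in ua for word in UA_EXEMPT)

def triage(raw):
    request_line, headers = parse_headers(raw)
    return {"request": request_line, "host": host_kind(headers),
            "rule_920310": matches_920310(headers)}

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    "GET /autodiscover/autodiscover.xml HTTP/1.1\r\nHost: example.com\r\n"
    "Accept:\r\nUser-Agent: ExampleClient/1.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\nAccept:\r\n"
    "User-Agent: Mozilla/5.0 AppleWebKit/537.36\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.mysite.example:443\r\n"
    "Accept: text/html\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

A "not-hosted" or "bare-ip" result with `rule_920310` true corresponds to the kind of hit shown in the first post: the domain column reflects the request header, not the server's configuration.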
  3. cuzzmunger

    cuzzmunger Member

    Thank you! The thing is it keeps happening?
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,285
    Likes Received:
    2,155
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @cuzzmunger,

    Do any of its DNS entries resolve to your server's IP address?

    Thank you.
     
  5. cuzzmunger

    cuzzmunger Member

    No I don't think so. I wondered if there is a link to one of my sites or not but can't find any reason.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Feel free to open a support ticket if you'd like for us to take a quick look to see if there's anything obvious leading to those requests as it pertains to the cPanel & WHM software. Post the ticket number here and I'll link this thread to it.

    Thank you.
     