Modsecurity hit internal 127.0.0.1

leonep

Hi,
I am wondering what these hits from 127.0.0.1 in ModSecurity are.
I have a lot of triggered events for:

920340: Request Containing Content, but Missing Content-Type header
933150: PHP Injection Attack: High-Risk PHP Function Name Found
930130: Restricted File Access Attempt
920170: GET or HEAD Request with Body Content.
920420: Request content type is not allowed by policy
930100: Path Traversal Attack (/../)

In the Apache logs I can't see the file or user account triggering the event. This is an example:

[Mon Jan 24 09:26:48.782424 2022] [:error] [pid 1690141:tid 47157052811008]
[client 127.0.0.1:54586] [client 127.0.0.1]
ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME.
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"]
[line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"]
[data "Matched Data: /.env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"]
[ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"]
[tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"]
[tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "xx.xx.xx.xx"] [uri "/.env"]
[unique_id "Ye5iyO_W8qvYLc0i0kihTgAAAZM"]



What can I do to investigate better?
Thanks for the help.
 

cPRex

Hey there! I have the exact same entries on my machine, although my "client" field has the source IP address instead of localhost. Do you have any proxy tools installed on that machine that could cause Apache to not receive the correct client IP?
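
Added example (not part of either post above, and not cPanel's or ModSecurity's own code): one way to investigate entries like the one quoted in the thread is to parse the Apache error log, keep only ModSecurity hits whose client is a loopback address, and group them by rule id and URI while collecting each `unique_id`, which can then be searched for in the ModSecurity audit log to see the full request. The sample log, the second entry in it and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: the thread's entry joined onto one line (tags trimmed),
# plus one constructed entry from a documentation address (203.0.113.7).
SAMPLE_LOG = """\
[Mon Jan 24 09:26:48.782424 2022] [:error] [pid 1690141:tid 47157052811008] [client 127.0.0.1:54586] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [msg "Restricted File Access Attempt"] [severity "CRITICAL"] [hostname "xx.xx.xx.xx"] [uri "/.env"] [unique_id "Ye5iyO_W8qvYLc0i0kihTgAAAZM"]
[Mon Jan 24 09:27:02.100000 2022] [:error] [pid 1690141:tid 47157052811009] [client 203.0.113.7:40112] [client 203.0.113.7] ModSecurity: Warning. ... [id "920170"] [msg "GET or HEAD Request with Body Content."] [hostname "xx.xx.xx.xx"] [uri "/index.php"] [unique_id "CONSTRUCTED-ID-0001"]
"""

CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')        # [client ip] or [client ip:port]
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs

def client_ip(value):
    """Parse 'ip' or 'ip:port' into an ipaddress object (ValueError if neither)."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return ipaddress.ip_address(value.rpartition(":")[0])

def parse_entry(line):
    """Return the [key "value"] fields of one ModSecurity entry, or None."""
    if "ModSecurity:" not in line:
        return None
    clients = CLIENT_RE.findall(line)
    if not clients:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["client"] = client_ip(clients[-1])  # last field has no port in this format
    return fields

def loopback_summary(log_text):
    """Count loopback-sourced hits per (rule id, uri) and collect their unique_ids."""
    counts = Counter()
    unique_ids = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or not entry["client"].is_loopback:
            continue
        key = (entry.get("id"), entry.get("uri"))
        counts[key] += 1
        unique_ids[key].append(entry.get("unique_id"))
    return counts, dict(unique_ids)

if __name__ == "__main__":
    counts, ids = loopback_summary(SAMPLE_LOG)
    for (rule_id, uri), n in counts.most_common():
        print(rule_id, uri, n, ids[(rule_id, uri)])
```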