modsecurity rule 1234123436

kernow · Nov 10, 2013

Hi,
We frequently get rule 1234123436 reported, We can disable it of course but wondered if anyone can tell us if the message below is a attempt at reading the config file to hack or part of the normal cart process:

/cart.php?a=byroe&templatefile=../../../configuration.php%00 HTTP/1.1

Access denied with code 406 (phase 2). Found 1 byte(s) in ARGS:templatefile outside range: 1-255. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "1234123436"] [msg "Invalid character in request"] [severity "WARNING"]

quizknows · Nov 11, 2013

That is a malicious request.

kernow · Nov 11, 2013

quizknows said:
That is a malicious request.

Thanks for the info quizknows !

cPanelMichael · Nov 12, 2013

Hello

Yes, you will typically see those requests from bots that attempt search the Internet for websites that are open to exploits.

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
A	Google bot triggering OWASP modsecurity rule 949110	Security	6	Jan 17, 2023
U	Modsecurity Rule for AWS Block	Security	1	Feb 15, 2022
U	OWASP ModSecurity Core Rule Set V3.0 notifications	Security	3	Oct 8, 2020
M	ModSecurity false-positive with ConfigServer cXs ModSecurity rule	Security	3	Sep 15, 2020
M	ModSecurity rules triggered but not blocking the attacker	Security	5	Jul 6, 2020

Search

Search

modsecurity rule 1234123436

kernow

Well-Known Member

quizknows

Well-Known Member

kernow

Well-Known Member

cPanelMichael

Administrator