Hi,
Just saw that ModSecurity rules are triggered but not blocking the attacker?
In the /usr/local/apache/logs/error_log I see:
But I don't see the attacker being "Access denied".
Code:
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 47073841063680] [client 50.87.144.91:37724] [client 50.87.144.91] ModSecurity: Warning. Pattern match "(?i:(?:\\\\s*?(?:exec|execute).*?(?:\\\\W)xp_cmdshell)|(?:[\\"'`]\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`];?\\\\s*?(?:select|union|having)\\\\b\\\\s*?[^\\\\s])|(?:\\\\wiif ..." at ARGS:s. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "61"] [id "942190"] [rev "2"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union all select found within ARGS:s: e9df86de0cc5b1f99884715e695722da '-6863 union all select CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1,1#"] [severity "CRITICAL"][ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.mobinuke.com"] [uri "/activity.php"] [unique_id "XwLkqnDNqLQBB@MMoe6MvQAAAA0"]
Any idea why?
Thank you!
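
The check described in the post (rule warnings with no matching "Access denied"), as an added example that is not part of the original post: it groups ModSecurity 2.x error_log entries by `unique_id` and lists the requests that only logged warnings. The sample lines are constructed and abbreviated, and `parse_line` and `unblocked_transactions` are hypothetical helper names.

```python
import re
from collections import defaultdict

# ModSecurity 2.x writes metadata as [name "value"] pairs in the Apache error log.
FIELD_RE = re.compile(r'\[(id|msg|severity|uri|unique_id) "((?:[^"\\]|\\.)*)"\]')
# "Warning." = match logged, request not intercepted; "Access denied" = request blocked.
ACTION_RE = re.compile(r"ModSecurity: (Warning|Access denied)")

def parse_line(line):
    """Return the action and metadata of one ModSecurity log line, or None."""
    action = ACTION_RE.search(line)
    if action is None:
        return None
    entry = dict(FIELD_RE.findall(line))
    entry["action"] = action.group(1)
    return entry

def unblocked_transactions(lines):
    """Map unique_id -> matched rule ids for requests that were never denied."""
    by_txn = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and "unique_id" in entry:
            by_txn[entry["unique_id"]].append(entry)
    return {
        txn: sorted({e["id"] for e in entries if "id" in e})
        for txn, entries in by_txn.items()
        if all(e["action"] != "Access denied" for e in entries)
    }

# Constructed, abbreviated sample lines (not taken from a real server).
SAMPLE_LOG = [
    '[:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:s. '
    '[id "942190"] [severity "CRITICAL"] [uri "/activity.php"] [unique_id "TXN-A"]',
    '[:error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "..." at ARGS:q. '
    '[id "942190"] [severity "CRITICAL"] [uri "/search.php"] [unique_id "TXN-B"]',
    '[:error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). '
    '[id "949110"] [uri "/search.php"] [unique_id "TXN-B"]',
]

if __name__ == "__main__":
    for txn, rule_ids in unblocked_transactions(SAMPLE_LOG).items():
        print(f"{txn}: matched rules {rule_ids} but no 'Access denied' entry")
```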