ModSecurity rules triggered but not blocking the attacker

Operating System & Version: CentOS 7.8
cPanel & WHM Version: v88.0.11

masterross

Well-Known Member
Apr 7, 2004
Hi,

I just saw that ModSecurity rules are being triggered but are not blocking the attacker.
In /usr/local/apache/logs/error_log I see:

Code:
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 47073841063680] [client 50.87.144.91:37724] [client 50.87.144.91] ModSecurity: Warning. Pattern match "(?i:(?:\\\\s*?(?:exec|execute).*?(?:\\\\W)xp_cmdshell)|(?:[\\"'`]\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`];?\\\\s*?(?:select|union|having)\\\\b\\\\s*?[^\\\\s])|(?:\\\\wiif ..." at ARGS:s. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "61"] [id "942190"] [rev "2"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union all select found within ARGS:s: e9df86de0cc5b1f99884715e695722da '-6863 union all select CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1,1#"] [severity "CRITICAL"][ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.mobinuke.com"] [uri "/activity.php"] [unique_id "XwLkqnDNqLQBB@MMoe6MvQAAAA0"]
But I don't see the attacker being "Access denied".

Any idea why?

Thank you!

masterross
I just uninstalled and installed OWASP again, and now it is working!
The case is solved!

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level: Root Administrator
The log line you posted is only one of many ModSecurity rule hits for that HTTP request.
If you run the command...
Code:
grep -n 'XwLkqnDNqLQBB@MMoe6MvQAAAA0' /usr/local/apache/logs/error_log
you will see the other log lines for that request, all with identical timestamps and unique_id and with consecutive line numbers in the log.

The second-to-last ModSecurity rule-hit log line, rule [id "949110"], will have the text...
Code:
ModSecurity: Access denied with code 403 (phase 2)
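As an added example (not code from the thread, from cPanel or from the CRS project), here is a small POSIX shell script that does what fuzzylogic describes for any request rather than one: it collects every error_log line carrying a given unique_id, lists the rule ids in log order and reports "blocked" only if one of those lines is the "Access denied with code 403" entry that rule 949110 writes. It runs against a constructed, abbreviated sample log in the CRS 3.0 error_log format seen in the first post; the unique_ids REQ-EXAMPLE-0001/0002, the client addresses, the hostname and the shortened pattern text are assumptions made up for the example. The second sample request shows the pattern to look for when rules fire but nothing is denied: 949110 is still logged, but as a Warning rather than an Access denied, which is how it appears when the engine is scoring but not blocking (for instance under SecRuleEngine DetectionOnly).

```sh
#!/bin/sh
# Added example, not code from the forum thread: group every ModSecurity hit
# for one request by its unique_id and report whether the request was denied.
# In CRS anomaly-scoring mode each matching rule (e.g. 942190) only logs
# "Warning" and adds to the score; the blocking decision is logged separately
# by rule 949110 as "Access denied with code 403 (phase 2)".

# Constructed sample log modeled on the CRS 3.0 line format from the thread.
# unique_ids, client addresses, hostname and the shortened regex are made up.
SAMPLE_LOG="${TMPDIR:-/tmp}/modsec_sample_error_log.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 1] [client 198.51.100.10:37724] [client 198.51.100.10] ModSecurity: Warning. Pattern match "(?i:(?:\\s*?(?:exec|execute).*?(?:\\W)xp_cmdshell)..." at ARGS:s. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "61"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/activity.php"] [unique_id "REQ-EXAMPLE-0001"]
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 1] [client 198.51.100.10:37724] [client 198.51.100.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/activity.php"] [unique_id "REQ-EXAMPLE-0001"]
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 1] [client 198.51.100.10:37724] [client 198.51.100.10] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Detects MSSQL code execution and information gathering attempts"] [hostname "www.example.com"] [uri "/activity.php"] [unique_id "REQ-EXAMPLE-0001"]
[Mon Jul 06 11:46:02.100000 2020] [:error] [pid 14579:tid 1] [client 198.51.100.11:40102] [client 198.51.100.11] ModSecurity: Warning. Pattern match "(?i:(?:\\s*?(?:exec|execute).*?(?:\\W)xp_cmdshell)..." at ARGS:s. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "61"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/activity.php"] [unique_id "REQ-EXAMPLE-0002"]
[Mon Jul 06 11:46:02.100000 2020] [:error] [pid 14579:tid 1] [client 198.51.100.11:40102] [client 198.51.100.11] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/activity.php"] [unique_id "REQ-EXAMPLE-0002"]
EOF

# Print every error_log line that belongs to the request with this unique_id.
# Fixed-string grep, so the brackets and any '@' in the id are taken literally.
modsec_hits() {
    grep -F "[unique_id \"$2\"]" "$1" || true
}

# Print the rule ids that fired for the request, in log order, space-separated.
modsec_rule_ids() {
    modsec_hits "$1" "$2" | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Print "blocked" if any line for the request is an Access denied entry,
# "detected-only" if rules fired but nothing was denied, "no-hits" otherwise.
modsec_verdict() {
    hits=$(modsec_hits "$1" "$2")
    if [ -z "$hits" ]; then
        echo no-hits
    elif printf '%s\n' "$hits" | grep -q 'ModSecurity: Access denied with code'; then
        echo blocked
    else
        echo detected-only
    fi
}

# Walk the sample: one denied request, one scored-but-not-denied, one unknown.
for uid in REQ-EXAMPLE-0001 REQ-EXAMPLE-0002 REQ-EXAMPLE-0003; do
    printf '%s: %s (rules: %s)\n' "$uid" \
        "$(modsec_verdict "$SAMPLE_LOG" "$uid")" \
        "$(modsec_rule_ids "$SAMPLE_LOG" "$uid")"
done
```

To check the request from the first post on a real server, point the functions at the live log instead of the sample, e.g. `modsec_verdict /usr/local/apache/logs/error_log 'XwLkqnDNqLQBB@MMoe6MvQAAAA0'`. A result of "detected-only" means the rules scored the request but the engine never denied it, which is exactly the symptom described in the first post; "blocked" means the 403 was issued even though the individual rule lines still say Warning.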