[proxy:error] Sites not opening

Vs Nu · Oct 17, 2020

Code:

Sat Oct 17 15:04:10.038426 2020] [proxy_http:error] [pid 31538:tid 47892371080960] (70007)The timeout specified has expired: [client servermainip:56415] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.128915 2020] [proxy:error] [pid 31538:tid 47892371080960] [client servermainip:56415] AH00898: Error reading from remote server returned by /502.shtml
[Sat Oct 17 15:04:10.150431 2020] [proxy_http:error] [pid 26557:tid 47892356372224] (70007)The timeout specified has expired: [client servermainip:56438] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.179863 2020] [proxy:error] [pid 26557:tid 47892356372224] [client servermainip:56438] AH00898: Error reading from remote server returned by /502.shtml
[Sat Oct 17 15:04:10.515504 2020] [proxy_http:error] [pid 24825:tid 47892689078016] (70007)The timeout specified has expired: [client servermainip:56432] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.532435 2020] [proxy_http:error] [pid 30831:tid 47892360574720] (70007)The timeout specified has expired: [client servermainip:56441] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.537252 2020] [proxy:error] [pid 24825:tid 47892689078016] [client servermainip:56432] AH00898: Error reading from remote server returned by /ggflxz/uia-(insurance).html
[Sat Oct 17 15:04:10.537277 2020] [proxy:error] [pid 30831:tid 47892360574720]

I'm getting the following error in apache error log and sites does not resolve at this time,Once i restart the apache it started working

how can i fix this issue ?

Even when i change the account IP Address it was showing default page seems like its not reflecting somewhere in the server config

AtlantisStargate · Oct 18, 2020

Had the same issue, for some reason my VirutalHosts got messed up after updating to the latest version of cPanel.

Are you or have you been using Engintron? We are talking about it causing the initial error, over at their forums. Over 200 people have the same issue.

kodeslogic · Oct 18, 2020

It appears that (70007)The timeout specified has expired: [client servermainip:56415] AH01102

This can be due to connectiontimeout and timeout values for ProxyPass in the apache config file.

Vs Nu · Oct 18, 2020

kodeslogic said:
It appears that (70007)The timeout specified has expired: [client servermainip:56415] AH01102

This can be due to connectiontimeout and timeout values for ProxyPass in the apache config file.

What changes i need to do ?

cPanelLauren · Oct 19, 2020

@Vs Nu

Before I can advise you on this, I do think it's important to understand what is causing this if you are using Engintron, as suggested by @AtlantisStargate I would strongly urge you to disable it and rebuilt the apache configuration, then run Apache to determine if it's still experiencing the issue. There was (though fixed now) an issue with the Live Stream Transfer, though that should be resolved.

Vs Nu · Oct 19, 2020

I

cPanelLauren said:
@Vs Nu

Before I can advise you on this, I do think it's important to understand what is causing this if you are using Engintron, as suggested by @AtlantisStargate I would strongly urge you to disable it and rebuilt the apache configuration, then run Apache to determine if it's still experiencing the issue. There was (though fixed now) an issue with the Live Stream Transfer, though that should be resolved.

Im not using engintron..Only Apache is running

The issue is happening when i do IP change to any account

cPanelLauren · Oct 19, 2020

Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.

Thanks!

Vs Nu · Oct 19, 2020

cPanelLauren said:
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.

Thanks!

Sorry as My Sr is in Vacation I cant share the Logins in ticket without My Sr Permission If you can send me commands i can paste the outputs

AtlantisStargate · Oct 22, 2020

Please post your findings. This error has started popping up on my server after I used the transfer tool to transfer a package from my server to another. After the site was reenabled on my server this error started popping up.

Now at first it seemed like it was Engintrons issue, but I have since disabled Enginton, rebuilt the Apache config, and I had to manually modify a few lines in my /etc/apache2/conf/httpd.conf

<VirtualHost MyServersIP:80>
ServerName MyDomainName
ServerAlias mail.MyDomainName www.MyDomainName
<Location "/">
ProxyPass "https://newcpaneladdress.com"
ProxyPreserveHost on
</Location>
DocumentRoot /home/mydomain.com/public_html
ServerAdmin [email protected]
UseCanonicalName Off

After removing the ProxyPass in httpd.conf everything started working normally again, for a week. Today the error became active again and I can see that this is yet again in my httpd.conf

Vs Nu · Oct 22, 2020

Do i need to remove these lines

ProxyPass "https://newcpaneladdress.com"
ProxyPreserveHost on

cPanelLauren · Oct 22, 2020

You shouldn't be editing the apache configuration manually at all, ever. Modifications made directly to the apache configuration will not stay. What I would suggest doing after Engintron was removed was running the following:

Create a copy of the current apache conf:

Code:

mv /etc/apache2/conf/httpd.conf{,.bk}

rebuild the apache configuration

Code:

/scripts/rebuildhttpdconf

restart apache

Code:

/scripts/restartsrv_httpd

AtlantisStargate · Oct 22, 2020

@cPanelLauren

Did what you wrote but, the ProxyPass is yet again in the httpd.conf and the error continues.
Any ideas why this is inserted here? In my case, the server specified as the ProxyPass is my backup server that was never connected to this primary server except for the TransferTool that moved this specific site that is having issues. Sometimes visitors even get the error saying "This webpage has been moved to a different server", while it's doing this.

My problem is that my licence is provided by my VPS provider (Contabo) and if I open a ticket within WHM and grant you SSH access I get an error that my licence is maintained by Contabo, where I get answers only via email as: "this error means nothing", "sometimes cPanel is just like that", etc...

Since I have 21 servers using cPanel and only one issue I'm kinda disappointed in answers they are providing that is why I'm seeking assistance here.

cPanelLauren · Oct 22, 2020

There are a couple of these cases that are fixed in v92 awaiting a patch to v90. Based on your issue I believe it sounds like CPANEL-33877 Live Transfer can lead to infinite proxy loop resulting in Apache DOS - Multi-Server Variant

The workaround for this is listed as following:

In order to fix the issue, you can use the following one liner to remove the proxy configurations:

Code:

cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done

Then you may need to do a full hard stop and start of apache. A graceful restart may not be sufficient:

Code:

/scripts/restartsrv_apache --stop

Code:

/scripts/restartsrv_apache --start

AtlantisStargate said:
My problem is that my licence is provided by my VPS provider (Contabo) and if I open a ticket within WHM and grant you SSH access I get an error that my licence is maintained by Contabo, where I get answers only via email as: "this error means nothing", "sometimes cPanel is just like that", etc...

You should be able to continue on to open a ticket when you see that warning. It is true that it exists as your license provider *should* be assisting you. But in the event they do not or will not, you are still welcome to open a ticket with us.

AtlantisStargate · Oct 23, 2020

Hi Lauren, thank you for your reply. After inputting the command, stopping and starting Apache now ModSecurity seems to have lost it:

Bash:

[root@atlantis ~]# /scripts/restartsrv_apache --start
Waiting for “httpd” to start ……waiting for “httpd” to initialize ………finished.

Service Status
        httpd (/usr/sbin/httpd -k start) is running as root with PID 19950 (systemd+/proc check method).

Startup Log
        Oct 23 08:05:46 MyServerHostname.com systemd[1]: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Started Apache web server managed by cPanel EasyApache.

Log Messages
        Oct 23 08:05:48 atlantis systemd: Started Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:48 atlantis systemd: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:46 atlantis systemd: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:39 atlantis systemd: Stopped Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:36 atlantis systemd: Stopping Apache web server managed by cPanel EasyApache...
        [Fri Oct 23 08:05:48.991819 2020] [mpm_event:notice] [pid 19950:tid 47639635899456] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:05:48.535583 2020] [:notice] [pid 19947:tid 47639635899456] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
        [Fri Oct 23 08:04:41.153958 2020] [mpm_event:notice] [pid 3010:tid 47029765264448] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:04:32.486994 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/index.php"] [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"]
        [Fri Oct 23 08:04:31.118331 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"]
        [Fri Oct 23 08:04:31.117362 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"]
        [Fri Oct 23 05:39:17.143852 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.142016 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.140199 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /shop/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:13.217090 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216616 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216160 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /public/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:06.283973 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.283250 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.282644 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /system/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:01.557438 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556760 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556120 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /blog/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:38:54.922115 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921543 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921144 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /sites/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:50.138391 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.137841 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.136859 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /vendor/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:44.312762 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.312217 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.311641 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /admin/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:40.768196 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767715 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767295 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /test/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:32.567022 2020] [:error] [pid 28304:tid 47030092912384] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.530017 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.509057 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /laravel/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:28.905184 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904631 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904023 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /api/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:25.617594 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]
        [Fri Oct 23 05:38:25.616952 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]

httpd started successfully.

All IP's listed above are part of the Cloudflare's public network so I felt no need to change 80 IP's

.

These errors are now present every time I restart apache.

Vs Nu · Oct 23, 2020

cPanelLauren said:
There are a couple of these cases that are fixed in v92 awaiting a patch to v90. Based on your issue I believe it sounds like CPANEL-33877 Live Transfer can lead to infinite proxy loop resulting in Apache DOS - Multi-Server Variant

The workaround for this is listed as following:

In order to fix the issue, you can use the following one liner to remove the proxy configurations:

Code:

cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done

Then you may need to do a full hard stop and start of apache. A graceful restart may not be sufficient:

Code:

/scripts/restartsrv_apache --stop

Code:

/scripts/restartsrv_apache --start

You should be able to continue on to open a ticket when you see that warning. It is true that it exists as your license provider *should* be assisting you. But in the event they do not or will not, you are still welcome to open a ticket with us.

Im running litespeed,I hope i can run these command while litespeed is active

cPanelLauren · Oct 23, 2020

Vs Nu said:
Im running litespeed,I hope i can run these command while litespeed is active

If you're running litespeed it's a different issue entirely since litespeed doesn't support proxy pass. You must open a ticket to resolve this as I've suggested already.

cPanelLauren · Oct 23, 2020

AtlantisStargate said:

Hi Lauren, thank you for your reply. After inputting the command, stopping and starting Apache now ModSecurity seems to have lost it:

Bash:

[root@atlantis ~]# /scripts/restartsrv_apache --start
Waiting for “httpd” to start ……waiting for “httpd” to initialize ………finished.

Service Status
        httpd (/usr/sbin/httpd -k start) is running as root with PID 19950 (systemd+/proc check method).

Startup Log
        Oct 23 08:05:46 MyServerHostname.com systemd[1]: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Started Apache web server managed by cPanel EasyApache.

Log Messages
        Oct 23 08:05:48 atlantis systemd: Started Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:48 atlantis systemd: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:46 atlantis systemd: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:39 atlantis systemd: Stopped Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:36 atlantis systemd: Stopping Apache web server managed by cPanel EasyApache...
        [Fri Oct 23 08:05:48.991819 2020] [mpm_event:notice] [pid 19950:tid 47639635899456] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:05:48.535583 2020] [:notice] [pid 19947:tid 47639635899456] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
        [Fri Oct 23 08:04:41.153958 2020] [mpm_event:notice] [pid 3010:tid 47029765264448] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:04:32.486994 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/index.php"] [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"]
        [Fri Oct 23 08:04:31.118331 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"]
        [Fri Oct 23 08:04:31.117362 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"]
        [Fri Oct 23 05:39:17.143852 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.142016 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.140199 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /shop/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:13.217090 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216616 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216160 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /public/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:06.283973 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.283250 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.282644 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /system/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:01.557438 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556760 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556120 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /blog/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:38:54.922115 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921543 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921144 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /sites/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:50.138391 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.137841 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.136859 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /vendor/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:44.312762 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.312217 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.311641 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /admin/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:40.768196 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767715 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767295 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /test/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:32.567022 2020] [:error] [pid 28304:tid 47030092912384] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.530017 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.509057 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /laravel/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:28.905184 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904631 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904023 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /api/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:25.617594 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]
        [Fri Oct 23 05:38:25.616952 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]

httpd started successfully.

All IP's listed above are part of the Cloudflare's public network so I felt no need to change 80 IP's

.

These errors are now present every time I restart apache.

I'm not aware if that's normal or not when using the suggested workaround. If you don't want to disable the offending rule I'd suggest opening a ticket so that we can look into the issue more closely

Vs Nu · Oct 27, 2020

Code:

cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done

@cPanelLauren I hope it will run for all the cP users 1 by 1 by doing an apache restart hope I'm right ?

Tarun Khanna · Nov 11, 2020

Vs Nu said:
Code:

cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done

@cPanelLauren I hope it will run for all the cP users 1 by 1 by doing an apache restart hope I'm right ?

can u break up the command ? how to use it in ssh

cPRex · Nov 11, 2020

Hey there, @Tarun Khanna !

There shouldn't be a need to break up that command at all as that would run in SSH just by copy and pasting. If you have trouble, just ask!

Thread starter	Similar threads	Forum	Replies	Date
	Apache log shows proxy_fcgi: error	Web Servers and Applications	1	Dec 14, 2017
M	polling, proxy_fcgi:error, httpd errors	Web Servers and Applications	1	Oct 15, 2017
N	proxy_fcgi error	Web Servers and Applications	8	Aug 21, 2017
W	proxy_fcgi:error timeout expired	Web Servers and Applications	1	Jan 29, 2017
R	cPanel Proxy Sub-domains stop Working Without error or specific causes [case 73365]	Web Servers and Applications	12	Jun 29, 2013

[proxy:error] Sites not opening

Well-Known Member

Member

Well-Known Member

Well-Known Member

Product Owner II

Well-Known Member

Product Owner II

Well-Known Member

Member

Well-Known Member

Product Owner II

Member

Product Owner II

Member

Well-Known Member

Product Owner II

Product Owner II

Well-Known Member

Registered

Jurassic Moderator