[proxy:error] Sites not opening

Operating System & Version
Cloudlinux 7.8
cPanel & WHM Version
90.0.15

Vs Nu

Well-Known Member
Jul 17, 2015
75
4
58
India
cPanel Access Level
Root Administrator
Code:
Sat Oct 17 15:04:10.038426 2020] [proxy_http:error] [pid 31538:tid 47892371080960] (70007)The timeout specified has expired: [client servermainip:56415] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.128915 2020] [proxy:error] [pid 31538:tid 47892371080960] [client servermainip:56415] AH00898: Error reading from remote server returned by /502.shtml
[Sat Oct 17 15:04:10.150431 2020] [proxy_http:error] [pid 26557:tid 47892356372224] (70007)The timeout specified has expired: [client servermainip:56438] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.179863 2020] [proxy:error] [pid 26557:tid 47892356372224] [client servermainip:56438] AH00898: Error reading from remote server returned by /502.shtml
[Sat Oct 17 15:04:10.515504 2020] [proxy_http:error] [pid 24825:tid 47892689078016] (70007)The timeout specified has expired: [client servermainip:56432] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.532435 2020] [proxy_http:error] [pid 30831:tid 47892360574720] (70007)The timeout specified has expired: [client servermainip:56441] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.537252 2020] [proxy:error] [pid 24825:tid 47892689078016] [client servermainip:56432] AH00898: Error reading from remote server returned by /ggflxz/uia-(insurance).html
[Sat Oct 17 15:04:10.537277 2020] [proxy:error] [pid 30831:tid 47892360574720]
I'm getting the following error in apache error log and sites does not resolve at this time,Once i restart the apache it started working

how can i fix this issue ?

Even when i change the account IP Address it was showing default page seems like its not reflecting somewhere in the server config
 
Last edited by a moderator:
Oct 18, 2020
6
2
3
Slovenia
cPanel Access Level
Root Administrator
Had the same issue, for some reason my VirutalHosts got messed up after updating to the latest version of cPanel.

Are you or have you been using Engintron? We are talking about it causing the initial error, over at their forums. Over 200 people have the same issue.
 

kodeslogic

Well-Known Member
Apr 26, 2020
52
14
83
IN
cPanel Access Level
Root Administrator
It appears that (70007)The timeout specified has expired: [client servermainip:56415] AH01102

This can be due to connectiontimeout and timeout values for ProxyPass in the apache config file.
 

Vs Nu

Well-Known Member
Jul 17, 2015
75
4
58
India
cPanel Access Level
Root Administrator
It appears that (70007)The timeout specified has expired: [client servermainip:56415] AH01102

This can be due to connectiontimeout and timeout values for ProxyPass in the apache config file.
What changes i need to do ?
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,304
1,247
313
Houston
@Vs Nu

Before I can advise you on this, I do think it's important to understand what is causing this if you are using Engintron, as suggested by @AtlantisStargate I would strongly urge you to disable it and rebuilt the apache configuration, then run Apache to determine if it's still experiencing the issue. There was (though fixed now) an issue with the Live Stream Transfer, though that should be resolved.
 

Vs Nu

Well-Known Member
Jul 17, 2015
75
4
58
India
cPanel Access Level
Root Administrator
I
@Vs Nu

Before I can advise you on this, I do think it's important to understand what is causing this if you are using Engintron, as suggested by @AtlantisStargate I would strongly urge you to disable it and rebuilt the apache configuration, then run Apache to determine if it's still experiencing the issue. There was (though fixed now) an issue with the Live Stream Transfer, though that should be resolved.
Im not using engintron..Only Apache is running

The issue is happening when i do IP change to any account
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,304
1,247
313
Houston
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

Vs Nu

Well-Known Member
Jul 17, 2015
75
4
58
India
cPanel Access Level
Root Administrator
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
Sorry as My Sr is in Vacation I cant share the Logins in ticket without My Sr Permission If you can send me commands i can paste the outputs
 
Oct 18, 2020
6
2
3
Slovenia
cPanel Access Level
Root Administrator
Please post your findings. This error has started popping up on my server after I used the transfer tool to transfer a package from my server to another. After the site was reenabled on my server this error started popping up.

Now at first it seemed like it was Engintrons issue, but I have since disabled Enginton, rebuilt the Apache config, and I had to manually modify a few lines in my /etc/apache2/conf/httpd.conf

<VirtualHost MyServersIP:80>
ServerName MyDomainName
ServerAlias mail.MyDomainName www.MyDomainName
<Location "/">
ProxyPass "https://newcpaneladdress.com"
ProxyPreserveHost on

</Location>
DocumentRoot /home/mydomain.com/public_html
ServerAdmin [email protected]
UseCanonicalName Off

After removing the ProxyPass in httpd.conf everything started working normally again, for a week. Today the error became active again and I can see that this is yet again in my httpd.conf
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,304
1,247
313
Houston
You shouldn't be editing the apache configuration manually at all, ever. Modifications made directly to the apache configuration will not stay. What I would suggest doing after Engintron was removed was running the following:

Create a copy of the current apache conf:
Code:
mv /etc/apache2/conf/httpd.conf{,.bk}
rebuild the apache configuration
Code:
/scripts/rebuildhttpdconf
restart apache
Code:
/scripts/restartsrv_httpd
 
Oct 18, 2020
6
2
3
Slovenia
cPanel Access Level
Root Administrator
@cPanelLauren

Did what you wrote but, the ProxyPass is yet again in the httpd.conf and the error continues.
Any ideas why this is inserted here? In my case, the server specified as the ProxyPass is my backup server that was never connected to this primary server except for the TransferTool that moved this specific site that is having issues. Sometimes visitors even get the error saying "This webpage has been moved to a different server", while it's doing this.

My problem is that my licence is provided by my VPS provider (Contabo) and if I open a ticket within WHM and grant you SSH access I get an error that my licence is maintained by Contabo, where I get answers only via email as: "this error means nothing", "sometimes cPanel is just like that", etc...

Since I have 21 servers using cPanel and only one issue I'm kinda disappointed in answers they are providing that is why I'm seeking assistance here.
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,304
1,247
313
Houston
There are a couple of these cases that are fixed in v92 awaiting a patch to v90. Based on your issue I believe it sounds like CPANEL-33877 Live Transfer can lead to infinite proxy loop resulting in Apache DOS - Multi-Server Variant

The workaround for this is listed as following:

In order to fix the issue, you can use the following one liner to remove the proxy configurations:



Code:
cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done


Then you may need to do a full hard stop and start of apache. A graceful restart may not be sufficient:



Code:
/scripts/restartsrv_apache --stop
Code:
/scripts/restartsrv_apache --start
My problem is that my licence is provided by my VPS provider (Contabo) and if I open a ticket within WHM and grant you SSH access I get an error that my licence is maintained by Contabo, where I get answers only via email as: "this error means nothing", "sometimes cPanel is just like that", etc...
You should be able to continue on to open a ticket when you see that warning. It is true that it exists as your license provider *should* be assisting you. But in the event they do not or will not, you are still welcome to open a ticket with us.
 
Oct 18, 2020
6
2
3
Slovenia
cPanel Access Level
Root Administrator
Hi Lauren, thank you for your reply. After inputting the command, stopping and starting Apache now ModSecurity seems to have lost it:

Bash:
[[email protected] ~]# /scripts/restartsrv_apache --start
Waiting for “httpd” to start ……waiting for “httpd” to initialize ………finished.

Service Status
        httpd (/usr/sbin/httpd -k start) is running as root with PID 19950 (systemd+/proc check method).

Startup Log
        Oct 23 08:05:46 MyServerHostname.com systemd[1]: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Started Apache web server managed by cPanel EasyApache.

Log Messages
        Oct 23 08:05:48 atlantis systemd: Started Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:48 atlantis systemd: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:46 atlantis systemd: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:39 atlantis systemd: Stopped Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:36 atlantis systemd: Stopping Apache web server managed by cPanel EasyApache...
        [Fri Oct 23 08:05:48.991819 2020] [mpm_event:notice] [pid 19950:tid 47639635899456] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:05:48.535583 2020] [:notice] [pid 19947:tid 47639635899456] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
        [Fri Oct 23 08:04:41.153958 2020] [mpm_event:notice] [pid 3010:tid 47029765264448] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:04:32.486994 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/index.php"] [unique_id "[email protected]"]
        [Fri Oct 23 08:04:31.118331 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "[email protected]"]
        [Fri Oct 23 08:04:31.117362 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "[email protected]"]
        [Fri Oct 23 05:39:17.143852 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.142016 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.140199 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /shop/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:13.217090 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216616 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216160 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /public/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:06.283973 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.283250 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.282644 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /system/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:01.557438 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556760 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556120 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /blog/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:38:54.922115 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921543 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921144 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /sites/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:50.138391 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.137841 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.136859 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /vendor/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:44.312762 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.312217 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.311641 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /admin/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:40.768196 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767715 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767295 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /test/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:32.567022 2020] [:error] [pid 28304:tid 47030092912384] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.530017 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.509057 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /laravel/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:28.905184 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904631 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904023 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /api/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:25.617594 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]
        [Fri Oct 23 05:38:25.616952 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]

httpd started successfully.
All IP's listed above are part of the Cloudflare's public network so I felt no need to change 80 IP's :).

These errors are now present every time I restart apache.
 

Vs Nu

Well-Known Member
Jul 17, 2015
75
4
58
India
cPanel Access Level
Root Administrator
There are a couple of these cases that are fixed in v92 awaiting a patch to v90. Based on your issue I believe it sounds like CPANEL-33877 Live Transfer can lead to infinite proxy loop resulting in Apache DOS - Multi-Server Variant

The workaround for this is listed as following:

In order to fix the issue, you can use the following one liner to remove the proxy configurations:



Code:
cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done


Then you may need to do a full hard stop and start of apache. A graceful restart may not be sufficient:



Code:
/scripts/restartsrv_apache --stop
Code:
/scripts/restartsrv_apache --start

You should be able to continue on to open a ticket when you see that warning. It is true that it exists as your license provider *should* be assisting you. But in the event they do not or will not, you are still welcome to open a ticket with us.
Im running litespeed,I hope i can run these command while litespeed is active
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,304
1,247
313
Houston
Im running litespeed,I hope i can run these command while litespeed is active
If you're running litespeed it's a different issue entirely since litespeed doesn't support proxy pass. You must open a ticket to resolve this as I've suggested already.
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,304
1,247
313
Houston
Hi Lauren, thank you for your reply. After inputting the command, stopping and starting Apache now ModSecurity seems to have lost it:

Bash:
[[email protected] ~]# /scripts/restartsrv_apache --start
Waiting for “httpd” to start ……waiting for “httpd” to initialize ………finished.

Service Status
        httpd (/usr/sbin/httpd -k start) is running as root with PID 19950 (systemd+/proc check method).

Startup Log
        Oct 23 08:05:46 MyServerHostname.com systemd[1]: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:48 MyServerHostname.com systemd[1]: Started Apache web server managed by cPanel EasyApache.

Log Messages
        Oct 23 08:05:48 atlantis systemd: Started Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:48 atlantis systemd: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
        Oct 23 08:05:46 atlantis systemd: Starting Apache web server managed by cPanel EasyApache...
        Oct 23 08:05:39 atlantis systemd: Stopped Apache web server managed by cPanel EasyApache.
        Oct 23 08:05:36 atlantis systemd: Stopping Apache web server managed by cPanel EasyApache...
        [Fri Oct 23 08:05:48.991819 2020] [mpm_event:notice] [pid 19950:tid 47639635899456] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:05:48.535583 2020] [:notice] [pid 19947:tid 47639635899456] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
        [Fri Oct 23 08:04:41.153958 2020] [mpm_event:notice] [pid 3010:tid 47029765264448] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
        [Fri Oct 23 08:04:32.486994 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/index.php"] [unique_id "[email protected]"]
        [Fri Oct 23 08:04:31.118331 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "[email protected]"]
        [Fri Oct 23 08:04:31.117362 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "[email protected]"]
        [Fri Oct 23 05:39:17.143852 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.142016 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:17.140199 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /shop/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/shop/.env"] [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"]
        [Fri Oct 23 05:39:13.217090 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216616 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:13.216160 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /public/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/public/.env"] [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"]
        [Fri Oct 23 05:39:06.283973 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.283250 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:06.282644 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /system/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/system/.env"] [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"]
        [Fri Oct 23 05:39:01.557438 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556760 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:39:01.556120 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /blog/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/blog/.env"] [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"]
        [Fri Oct 23 05:38:54.922115 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921543 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:54.921144 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /sites/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/sites/.env"] [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"]
        [Fri Oct 23 05:38:50.138391 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.137841 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:50.136859 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /vendor/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/vendor/.env"] [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"]
        [Fri Oct 23 05:38:44.312762 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.312217 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:44.311641 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /admin/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/admin/.env"] [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"]
        [Fri Oct 23 05:38:40.768196 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767715 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:40.767295 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted FileAccess Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /test/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"][hostname "websitehostname.com"] [uri "/test/.env"] [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"]
        [Fri Oct 23 05:38:32.567022 2020] [:error] [pid 28304:tid 47030092912384] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.530017 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:32.509057 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /laravel/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/laravel/.env"] [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"]
        [Fri Oct 23 05:38:28.905184 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904631 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:28.904023 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /api/.env"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "websitehostname.com"] [uri "/api/.env"] [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"]
        [Fri Oct 23 05:38:25.617594 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"] [tag "event-correlation"] [hostname "websitehostname.com"] [uri "/403.shtml"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]
        [Fri Oct 23 05:38:25.616952 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "websitehostname.com"] [uri "/.env"] [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"]

httpd started successfully.
All IP's listed above are part of the Cloudflare's public network so I felt no need to change 80 IP's :).

These errors are now present every time I restart apache.
I'm not aware if that's normal or not when using the suggested workaround. If you don't want to disable the offending rule I'd suggest opening a ticket so that we can look into the issue more closely