

Understanding Mod_Security

Discussion in 'Security' started by GaryT, Aug 11, 2010.

  1. GaryT

    I get the odd email with roughly the same IP.

    It's all mumbo jumbo and I cannot pinpoint what exactly they tried to do:

    The email is:

    Code:
    Time:     Wed Aug 11 13:09:57 2010 +0100
    IP:       ***.***.***.*** (US/United States/www.whois.sc)
    Failures: 5 (mod_security)
    Interval: 300 seconds
    Blocked:  Permanent Block
    
    Log entries:
    
    [Wed Aug 11 13:09:50 2010] [error] [client ***.***.***.***] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))']
    [Wed Aug 11 13:09:50 2010] [error] [client ***.***.***.***] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))']
    [Wed Aug 11 13:09:51 2010] [error] [client ***.***.***.***] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))']
    [Wed Aug 11 13:09:51 2010] [error] [client ***.***.***.***] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))']
    [Wed Aug 11 13:09:51 2010] [error] [client ***.***.***.***] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))']
    
    Some explanation would be much appreciated.

    I have changed the SSH port, blocked root login, enabled the Apache mod_userdir Tweak and the PHP open_basedir Tweak, use LiteSpeed PHP, have csf installed, and so on.
     
    #1 GaryT, Aug 11, 2010
  2. Miraenda

    mod_security uses Apache to block set access types (commands or otherwise) that are done via a browser. The other things you've done don't specifically deal with Apache (changed SSH port, blocked root login, csf installed and so on). mod_security specifically deals with Apache and with attempts by a connection to run a series of queries or commands to exploit a site.

    It really doesn't matter specifically what they were trying to do, as the rule you have in place in mod_security prevented the IP from doing the activity. This activity appears to indicate they were trying to run commands like passwd or telnet or uname on the machine. There's such a broad list of 'or' options in the mod_security rule that we have no way to know exactly what they did run on your machine.
     
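To make the "broad list of 'or' options" concrete, here is an added example (not part of the post, and not cPanel's or ModSecurity's own code). It takes the rule's regular expression verbatim from the alert email, splits it at its three top-level alternations, and runs sample argument values through each branch so you can see which kind of input trips which part of the rule. Assumptions: the branch names are mine; the email does not show the engine's match flags, so the pattern is compiled as written (case-sensitive); the sample values and query strings are constructed; and 'ARGS' is treated as the decoded query-string values.

```python
import re
from urllib.parse import parse_qsl

# The rule's regular expression, copied verbatim from the alert in the first post.
# It is written for PCRE but uses only constructs Python's re module also supports.
# The email does not show match flags, so it is compiled as-is (case-sensitive): an assumption.
RULE = r"""(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))"""
RULE_RE = re.compile(RULE)


def top_level_alternatives(pattern):
    """Split a '(?:a|b|c)' pattern at its depth-0 '|' characters.

    Escaped characters and character classes (e.g. the class [;|`] in this rule)
    are skipped so a '|' inside them is not mistaken for an alternation.
    """
    if not (pattern.startswith("(?:") and pattern.endswith(")")):
        raise ValueError("expected a pattern wrapped in one non-capturing group")
    body = pattern[3:-1]
    parts, start, depth, in_class, i = [], 0, 0, False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":            # escaped char: skip the backslash and what it escapes
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            parts.append(body[start:i])
            start = i + 1
        i += 1
    parts.append(body[start:])
    return parts


# Names for the three branches are this example's own description of the rule.
BRANCH_NAMES = (
    "executable-name / cmd / cd / chmod token",   # net.exe, cmd.exe /c, cd .., chmod +x, tftp ...
    "shell metacharacter + unix command",         # ; | ` followed by id, uname, passwd, nc ...
    "path to unix binary",                        # /passwd, /id, /ls ... followed by a delimiter or end
)
BRANCHES = tuple(re.compile(p) for p in top_level_alternatives(RULE))


def classify(value):
    """Return [(branch name, matched text)] for every branch that fires on one ARGS value."""
    fired = []
    for name, rx in zip(BRANCH_NAMES, BRANCHES):
        m = rx.search(value)
        if m:
            fired.append((name, m.group(0)))
    return fired


def scan_query(query_string):
    """Apply the whole rule to each decoded value in a query string, i.e. to what the
    'ARGS' target sees (treating ARGS as decoded parameter values is an assumption)."""
    hits = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        m = RULE_RE.search(value)
        if m:
            hits[name] = m.group(0)
    return hits


# Constructed sample argument values: the first six should trip the rule, the rest should not.
SAMPLES = [";cat /etc/passwd", "foo; uname -a", "127.0.0.1|id", "cmd.exe /c dir",
           "chmod +x shell.sh", "/usr/bin/id",
           "echo hello", "ping pong", "/images/logo.png", "telnet"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v).ljust(22), classify(v) or "no match")
    print(scan_query("page=home&file=/etc/passwd"))
    print(scan_query("q=foo%3B+uname+-a"))
```

Two things fall out of running it: a bare command name such as `ping` or `telnet` is not enough on its own, the rule wants either a shell metacharacter in front of it or a path-style `/` before it, and a plain `file=/etc/passwd` trips the path branch on `/passwd` even though no command is being run. That is why the alert alone cannot tell you which of these the remote IP sent.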
  3. GaryT

    Thanks Miraenda

    So all I know is that Mod_Security is working and blocked whatever they attempted.
     
  4. Miraenda

    Correct, you simply know that mod_security is working, and that it did block the IP which matched that set mod_security rule in that instance (not the exact command used by the IP that was blocked).
     
  5. DomineauX

    Further investigation could be done by searching access logs for hits from the blocked IP. Any access log entries showing a status 403 could be requests which mod_security blocked.
     
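Following up on that suggestion, an added example (not from the post, and not cPanel's or csf's own code). It parses error_log lines of the shape shown in the alert, applies the same "5 failures in 300 seconds" window the alert reports, and then pulls the flagged IP's hits out of an access log. One check worth building in: the alert shows the rule denying with code 501, so the status to look for in the access log is taken from the error log rather than hard-coded to 403. The log lines below are constructed, the IPs come from the RFC 5737 documentation ranges, and the rule text in the error lines is shortened to "(?:...)".

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample logs (not from the post). Five denials from one IP within
# two seconds, like the alert, plus one unrelated denial from a second IP.
ERROR_LOG = """\
[Wed Aug 11 13:09:50 2010] [error] [client 203.0.113.45] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:...)']
[Wed Aug 11 13:09:50 2010] [error] [client 203.0.113.45] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:...)']
[Wed Aug 11 13:09:51 2010] [error] [client 203.0.113.45] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:...)']
[Wed Aug 11 13:09:51 2010] [error] [client 203.0.113.45] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:...)']
[Wed Aug 11 13:09:51 2010] [error] [client 203.0.113.45] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:...)']
[Wed Aug 11 13:20:02 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:...)']
"""

# Constructed Apache combined-format access log for the same period.
ACCESS_LOG = """\
203.0.113.45 - - [11/Aug/2010:13:09:50 +0100] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Aug/2010:13:09:50 +0100] "GET /index.php?page=;uname%20-a HTTP/1.1" 501 358 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Aug/2010:13:09:51 +0100] "GET /index.php?file=/etc/passwd HTTP/1.1" 501 358 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Aug/2010:13:10:14 +0100] "GET /about.html HTTP/1.1" 200 1412 "-" "curl/7.19.7"
"""

# Apache 2.0/2.2-style error line as printed in the alert: [date] [error] [client IP] ModSecurity: ...
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"ModSecurity: Access denied with code (?P<code>\d+),"
)
# Combined log format: ip ident user [time] "request" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def parse_error_log(text):
    """Return [(timestamp, ip, deny_code)] for every ModSecurity denial line."""
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("ip"), int(m.group("code"))))
    return events


def find_repeat_offenders(events, failures=5, interval=300):
    """Sliding window: an IP is flagged the first time it reaches `failures`
    denials inside `interval` seconds (the Failures/Interval pair in the alert).
    Returns {ip: timestamp of the denial that crossed the threshold}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _code in sorted(events):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > interval:
            window.popleft()
        if len(window) >= failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


def deny_codes_for(events, ip):
    """The HTTP status codes ModSecurity actually answered this IP with."""
    return {code for _ts, event_ip, code in events if event_ip == ip}


def hits_from(text, ip, statuses=None):
    """Access-log entries for one IP, optionally limited to a set of status codes."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("ip") == ip:
            status = int(m.group("status"))
            if statuses is None or status in statuses:
                hits.append((m.group("ts"), status, m.group("request")))
    return hits


if __name__ == "__main__":
    events = parse_error_log(ERROR_LOG)
    for ip, when in find_repeat_offenders(events).items():
        codes = deny_codes_for(events, ip)
        print(f"{ip}: threshold crossed at {when}, deny codes seen {sorted(codes)}")
        for ts, status, request in hits_from(ACCESS_LOG, ip, statuses=codes):
            print(f"  [{ts}] {status} {request}")
```

On a cPanel server the Apache error log is normally /usr/local/apache/logs/error_log and the per-domain access logs live under /usr/local/apache/domlogs/, so in practice you would feed those files to the two parsers in place of the embedded samples. The access-log requests are the only place the actual argument values survive; the error log records just the rule that fired.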