[proxy:error] Sites not opening
[Sat Oct 17 15:04:10.038426 2020] [proxy_http:error] [pid 31538:tid 47892371080960] (70007)The timeout specified has expired: [client servermainip:56415] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.128915 2020] [proxy:error] [pid 31538:tid 47892371080960] [client servermainip:56415] AH00898: Error reading from remote server returned by /502.shtml
[Sat Oct 17 15:04:10.150431 2020] [proxy_http:error] [pid 26557:tid 47892356372224] (70007)The timeout specified has expired: [client servermainip:56438] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.179863 2020] [proxy:error] [pid 26557:tid 47892356372224] [client servermainip:56438] AH00898: Error reading from remote server returned by /502.shtml
[Sat Oct 17 15:04:10.515504 2020] [proxy_http:error] [pid 24825:tid 47892689078016] (70007)The timeout specified has expired: [client servermainip:56432] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.532435 2020] [proxy_http:error] [pid 30831:tid 47892360574720] (70007)The timeout specified has expired: [client servermainip:56441] AH01102: error reading status line from remote server serverhostname:80
[Sat Oct 17 15:04:10.537252 2020] [proxy:error] [pid 24825:tid 47892689078016] [client servermainip:56432] AH00898: Error reading from remote server returned by /ggflxz/uia-(insurance).html
[Sat Oct 17 15:04:10.537277 2020] [proxy:error] [pid 30831:tid 47892360574720]
I'm getting the following error in the Apache error log, and sites do not resolve at this time. Once I restart Apache, it starts working. How can I fix this issue? Even when I change the account IP address, it was showing the default page; it seems like it's not reflecting somewhere in the server config.
Had the same issue, for some reason my VirtualHosts got messed up after updating to the latest version of cPanel. Are you or have you been using Engintron? We are talking about it causing the initial error, over at their forums. Over 200 people have the same issue.
It appears that (70007)The timeout specified has expired: [client servermainip:56415] AH01102. This can be due to connectiontimeout and timeout values for ProxyPass in the apache config file.
What changes do I need to make?
@Vs Nu Before I can advise you on this, I do think it's important to understand what is causing this. If you are using Engintron, as suggested by @AtlantisStargate, I would strongly urge you to disable it and rebuild the apache configuration, then run Apache to determine if it's still experiencing the issue. There was (though fixed now) an issue with the Live Stream Transfer, though that should be resolved.
I'm not using Engintron. Only Apache is running. The issue happens when I do an IP change on any account.
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
Sorry, as my Sr is on vacation I can't share the logins in a ticket without my Sr's permission. If you can send me commands, I can paste the outputs.
Please post your findings. This error has started popping up on my server after I used the transfer tool to transfer a package from my server to another. After the site was reenabled on my server this error started popping up. Now at first it seemed like it was Engintron's issue, but I have since disabled Engintron, rebuilt the Apache config, and I had to manually modify a few lines in my /etc/apache2/conf/httpd.conf:
ServerName MyDomainName
ServerAlias mail.MyDomainName www.MyDomainName
ProxyPass "
DocumentRoot /home/mydomain.com/public_html
ServerAdmin webmaster@mydomain.com
UseCanonicalName Off
After removing the ProxyPass in httpd.conf everything started working normally again, for a week. Today the error became active again and I can see that this is yet again in my httpd.conf.
You shouldn't be editing the apache configuration manually at all, ever. Modifications made directly to the apache configuration will not stay. What I would suggest doing after Engintron was removed was running the following:
Create a copy of the current apache conf:
mv /etc/apache2/conf/httpd.conf{,.bk}
Rebuild the apache configuration:
/scripts/rebuildhttpdconf
Restart apache:
/scripts/restartsrv_httpd
@cPanelLauren Did what you wrote, but the ProxyPass is yet again in the httpd.conf and the error continues. Any ideas why this is inserted here? In my case, the server specified as the ProxyPass is my backup server that was never connected to this primary server except for the TransferTool that moved this specific site that is having issues. Sometimes visitors even get the error saying "This webpage has been moved to a different server", while it's doing this. My problem is that my licence is provided by my VPS provider (Contabo) and if I open a ticket within WHM and grant you SSH access I get an error that my licence is maintained by Contabo, where I get answers only via email as: "this error means nothing", "sometimes cPanel is just like that", etc... Since I have 21 servers using cPanel and only one issue I'm kinda disappointed in the answers they are providing, that is why I'm seeking assistance here.
There are a couple of these cases that are fixed in v92 awaiting a patch to v90. Based on your issue I believe it sounds like CPANEL-33877 "Live Transfer can lead to infinite proxy loop resulting in Apache DOS - Multi-Server Variant". The workaround for this is listed as following: In order to fix the issue, you can use the following one liner to remove the proxy configurations:
cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done
Then you may need to do a full hard stop and start of apache. A graceful restart may not be sufficient:
/scripts/restartsrv_apache --stop
/scripts/restartsrv_apache --start
My problem is that my licence is provided by my VPS provider (Contabo) and if I open a ticket within WHM and grant you SSH access I get an error that my licence is maintained by Contabo, where I get answers only via email as: "this error means nothing", "sometimes cPanel is just like that", etc...
You should be able to continue on to open a ticket when you see that warning. It is true that it exists as your license provider *should* be assisting you. But in the event they do not or will not, you are still welcome to open a ticket with us.
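For the proxy loop named in CPANEL-33877 above, it helps to see which vhosts proxy where on each server involved in the transfer. The following is an added example, not cPanel's code and not part of the original thread: it reads Apache config text from each server and reports domains whose ProxyPass targets lead back to a server already in the chain. The server labels, hostnames and addresses are constructed, and matching is by host only (ports are ignored).

```python
import re
import shlex
from urllib.parse import urlsplit

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
# ProxyPassReverse and ServerAlias do not match: whitespace must follow the name.
DIRECTIVE_RE = re.compile(r"^[ \t]*(ServerName|ProxyPass)[ \t]+(\S.*)$", re.M | re.I)


def backend_host(token):
    """Host part of a ProxyPass argument, or None if the token is not a URL."""
    try:
        host = urlsplit(token).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def proxy_backends(conf_text):
    """Map each vhost ServerName to the backend hosts of its ProxyPass lines."""
    result = {}
    for block in VHOST_RE.findall(conf_text):
        name, hosts = None, []
        for directive, args in DIRECTIVE_RE.findall(block):
            if directive.lower() == "servername":
                name = args.split()[0].lower()
                continue
            try:
                tokens = shlex.split(args)
            except ValueError:  # unbalanced quote, e.g. a truncated ProxyPass line
                tokens = args.replace('"', " ").split()
            host = next((h for h in map(backend_host, tokens) if h), None)
            if host:
                hosts.append(host)
        if name and hosts:
            result.setdefault(name, []).extend(hosts)
    return result


def find_proxy_loops(servers):
    """servers: {label: {"ids": hostnames/IPs of that server, "conf": config text}}.

    Returns sorted (domain, servers_in_cycle) pairs. A server that proxies a
    domain to one of its own names is reported as a one-member cycle.
    """
    owner = {i.lower(): label for label, s in servers.items() for i in s["ids"]}
    routes = {label: proxy_backends(s["conf"]) for label, s in servers.items()}
    loops = set()
    for start in servers:
        for domain in routes[start]:
            path, here = [start], start
            while True:
                hops = routes[here].get(domain, [])
                nxt = next((owner[h] for h in hops if h in owner), None)
                if nxt is None:
                    break  # chain leaves the set of servers we know about
                if nxt in path:
                    cycle = path[path.index(nxt):]
                    loops.add((domain, tuple(sorted(cycle))))
                    break
                path.append(nxt)
                here = nxt
    return sorted(loops)


# Constructed sample configs (not taken from the thread).
PRIMARY_CONF = """
<VirtualHost 192.0.2.10:80>
  ServerName example.test
  ServerAlias www.example.test
  ProxyPass "/" "http://backup.example.net/"
  DocumentRoot /home/example/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName app.example.test
  ProxyPass "/" "http://appserver.internal.test:8080/"
</VirtualHost>
"""
BACKUP_CONF = """
<VirtualHost 198.51.100.20:80>
  ServerName example.test
  ProxyPass "/" "http://192.0.2.10/"
</VirtualHost>
"""
SERVERS = {
    "primary": {"ids": {"primary.example.net", "192.0.2.10"}, "conf": PRIMARY_CONF},
    "backup": {"ids": {"backup.example.net", "198.51.100.20"}, "conf": BACKUP_CONF},
}

if __name__ == "__main__":
    for domain, members in find_proxy_loops(SERVERS):
        print(f"{domain}: proxy loop between {', '.join(members)}")
```
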
Hi Lauren, thank you for your reply. After inputting the command, stopping and starting Apache, now ModSecurity seems to have lost it:
[CODE=bash]
[root@atlantis ~]# /scripts/restartsrv_apache --start
Waiting for "httpd" to start ""waiting for "httpd" to initialize "finished.
Service Status
httpd (/usr/sbin/httpd -k start) is running as root with PID 19950 (systemd+/proc check method).
Startup Log
Oct 23 08:05:46 MyServerHostname.com systemd[1]: Starting Apache web server managed by cPanel EasyApache...
Oct 23 08:05:48 MyServerHostname.com systemd[1]: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
Oct 23 08:05:48 MyServerHostname.com systemd[1]: Started Apache web server managed by cPanel EasyApache.
Log Messages
Oct 23 08:05:48 atlantis systemd: Started Apache web server managed by cPanel EasyApache.
Oct 23 08:05:48 atlantis systemd: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
Oct 23 08:05:46 atlantis systemd: Starting Apache web server managed by cPanel EasyApache...
Oct 23 08:05:39 atlantis systemd: Stopped Apache web server managed by cPanel EasyApache.
Oct 23 08:05:36 atlantis systemd: Stopping Apache web server managed by cPanel EasyApache...
[Fri Oct 23 08:05:48.991819 2020] [mpm_event:notice] [pid 19950:tid 47639635899456] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
[Fri Oct 23 08:05:48.535583 2020] [:notice] [pid 19947:tid 47639635899456] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Fri Oct 23 08:04:41.153958 2020] [mpm_event:notice] [pid 3010:tid 47029765264448] AH00489: Apache/2.4.46 (cPanel) OpenSSL/1.1.1h mod_bwlimited/1.4 configured -- resuming normal operations
[Fri Oct 23 08:04:32.486994 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/index.php"> [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"> [Fri Oct 23 08:04:31.118331 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/.env"> [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"> [Fri Oct 23 08:04:31.117362 2020] [:error] [pid 28304:tid 47030090811136] [client 162.158.79.86:19454] [client 162.158.79.86] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/.env"> [unique_id "X5Jyb@DFhp-6thg0GeudvwAAAQs"> [Fri Oct 23 05:39:17.143852 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"> [Fri Oct 23 05:39:17.142016 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/shop/.env"> [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"> [Fri Oct 23 05:39:17.140199 2020] [:error] [pid 28519:tid 47030172931840] [client 172.69.170.43:20532] [client 172.69.170.43] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /shop/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/shop/.env"> [unique_id "X5JQZZNTYNHqe4aiB9gZugAAAFI"> [Fri Oct 23 05:39:13.217090 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. 
Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"> [Fri Oct 23 05:39:13.216616 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/public/.env"> [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"> [Fri Oct 23 05:39:13.216160 2020] [:error] [pid 28304:tid 47030175033088] [client 172.69.170.123:35202] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted FileAccess Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /public/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/public/.env"> [unique_id "X5JQYeDFhp-6thg0GeuVBwAAARM"> [Fri Oct 23 05:39:06.283973 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"> [Fri Oct 23 05:39:06.283250 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/system/.env"> [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"> [Fri Oct 23 05:39:06.282644 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.43:10058] [client 172.69.170.43] ModSecurity: Warning. 
Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /system/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4">[hostname "websitehostname.com"> [uri "/system/.env"> [unique_id "X5JQWpNTYNHqe4aiB9gZtAAAAEw"> [Fri Oct 23 05:39:01.557438 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"> [Fri Oct 23 05:39:01.556760 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/blog/.env"> [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"> [Fri Oct 23 05:39:01.556120 2020] [:error] [pid 28519:tid 47030183438080] [client 172.69.170.67:58732] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /blog/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/blog/.env"> [unique_id "X5JQVZNTYNHqe4aiB9gZrgAAAFc"> [Fri Oct 23 05:38:54.922115 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"> [Fri Oct 23 05:38:54.921543 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase2). 
Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/sites/.env"> [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"> [Fri Oct 23 05:38:54.921144 2020] [:error] [pid 28261:tid 47030177134336] [client 172.69.170.97:14440] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /sites/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/sites/.env"> [unique_id "X5JQTl37ZSj3xEMOrgsssQAAANQ"> [Fri Oct 23 05:38:50.138391 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"> [Fri Oct 23 05:38:50.137841 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/vendor/.env"> [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"> [Fri Oct 23 05:38:50.136859 2020] [:error] [pid 28519:tid 47030170830592] [client 172.69.170.97:9824] [client 172.69.170.97] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /vendor/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/vendor/.env"> [unique_id "X5JQSpNTYNHqe4aiB9gZqwAAAFE"> [Fri Oct 23 05:38:44.312762 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. 
Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"> [Fri Oct 23 05:38:44.312217 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/admin/.env"> [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"> [Fri Oct 23 05:38:44.311641 2020] [:error] [pid 28519:tid 47030074001152] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted FileAccess Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /admin/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/admin/.env"> [unique_id "X5JQRJNTYNHqe4aiB9gZpwAAAEM"> [Fri Oct 23 05:38:40.768196 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"> [Fri Oct 23 05:38:40.767715 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/test/.env"> [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"> [Fri Oct 23 05:38:40.767295 2020] [:error] [pid 28519:tid 47030162425600] [client 172.69.170.123:56270] [client 172.69.170.123] ModSecurity: Warning. 
Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted FileAccess Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /test/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4">[hostname "websitehostname.com"> [uri "/test/.env"> [unique_id "X5JQQJNTYNHqe4aiB9gZpgAAAE0"> [Fri Oct 23 05:38:32.567022 2020] [:error] [pid 28304:tid 47030092912384] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"> [Fri Oct 23 05:38:32.530017 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Access denied with code 403 (phase2). Operator GE matched 5 at TX:anomaly_score. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/laravel/.env"> [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"> [Fri Oct 23 05:38:32.509057 2020] [:error] [pid 28304:tid 47030036178688] [client 172.69.170.68:47328] [client 172.69.170.68] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /laravel/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/laravel/.env"> [unique_id "X5JQOODFhp-6thg0GeuU8wABDA0"> [Fri Oct 23 05:38:28.905184 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"> [Fri Oct 23 05:38:28.904631 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Access denied with code 403 (phase2). 
Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/api/.env"> [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"> [Fri Oct 23 05:38:28.904023 2020] [:error] [pid 28519:tid 47030092912384] [client 172.69.170.67:63822] [client 172.69.170.67] ModSecurity: Warning. Matched phrase "/.env" atREQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"> [line "49"> [id "930130"> [rev "1"> [msg "Restricted File Access Attempt"> [data "Matched Data: /.env found within REQUEST_FILENAME: /api/.env"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "7"> [accuracy "8"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-lfi"> [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"> [tag "WASCTC/WASC-33"> [tag "OWASP_TOP_10/A4"> [tag "PCI/6.5.4"> [hostname "websitehostname.com"> [uri "/api/.env"> [unique_id "X5JQNJNTYNHqe4aiB9gZoQAAAEw"> [Fri Oct 23 05:38:25.617594 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"> [line "37"> [id "980130"> [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt"> [tag "event-correlation"> [hostname "websitehostname.com"> [uri "/403.shtml"> [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"> [Fri Oct 23 05:38:25.616952 2020] [:error] [pid 28260:tid 47030185539328] [client 172.69.170.123:40130] [client 172.69.170.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"> [line "30"> [id "949110"> [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"> [severity "CRITICAL"> [tag "application-multi"> [tag "language-multi"> [tag "platform-multi"> [tag "attack-generic"> [hostname "websitehostname.com"> [uri "/.env"> [unique_id "X5JQMVGO2qsbPOK0Ios0KAAAAJg"> httpd started successfully.
All IPs listed above are part of Cloudflare's public network, so I felt no need to change 80 IPs :). These errors are now present every time I restart Apache.
There are a couple of these cases that are fixed in v92 awaiting a patch to v90. Based on your issue I believe it sounds like CPANEL-33877: Live Transfer can lead to infinite proxy loop resulting in Apache DOS - Multi-Server Variant. The workaround for this is listed as following: In order to fix the issue, you can use the following one liner to remove the proxy configurations:
cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done
Then you may need to do a full hard stop and start of apache. A graceful restart may not be sufficient:
/scripts/restartsrv_apache --stop
/scripts/restartsrv_apache --start
You should be able to continue on to open a ticket when you see that warning. It is true that it exists as your license provider *should* be assisting you. But in the event they do not or will not, you are still welcome to open a ticket with us.
I'm running LiteSpeed. I hope I can run these commands while LiteSpeed is active.
If you're running litespeed it's a different issue entirely since litespeed doesn't support proxy pass. You must open a ticket to resolve this as I've suggested already.
I'm not aware if that's normal or not when using the suggested workaround. If you don't want to disable the offending rule I'd suggest opening a ticket so that we can look into the issue more closely.
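A triage sketch for the ModSecurity entries posted in this thread, added here as an example and not part of any post or of cPanel's tooling: it groups entries by unique_id so each request shows the path probed, the rules that fired, and whether a 403 was returned. The sample log is constructed (documentation-range client addresses, placeholder unique_ids), and its third transaction, matched but never denied, is an assumed case that does not appear in the thread.

```python
import re
from collections import OrderedDict

# Each error-log entry starts with an Apache timestamp; splitting on it also
# handles pastes where many entries were run together on one line.
TS_RE = re.compile(r"\[\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d+ \d{4}\] ")
# The second "[client ...]" (no port) sits directly before "ModSecurity:".
CLIENT_RE = re.compile(r"\[client ([^\]\s]+)\] ModSecurity:")
# ModSecurity metadata is [key "value"]. The paste in the thread closes each
# field with ">" instead of "]", so both closers are accepted.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\s*[\]>]')
DENY_RE = re.compile(r"ModSecurity: Access denied with code (\d+)")
CORRELATION_RULE = "980130"  # CRS reporting rule, logged after the response


def split_entries(text):
    """Cut a log blob into one string per entry, whatever the line breaks."""
    starts = [m.start() for m in TS_RE.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def parse_entry(entry):
    """Return the fields of one ModSecurity entry, or None for other lines."""
    client = CLIENT_RE.search(entry)
    fields = {}
    for key, value in FIELD_RE.findall(entry):
        fields.setdefault(key, value)  # repeated keys (tag): keep the first
    if client is None or "id" not in fields or "unique_id" not in fields:
        return None
    deny = DENY_RE.search(entry)
    return {"client": client.group(1), "rule_id": fields["id"],
            "uri": fields.get("uri"), "unique_id": fields["unique_id"],
            "status": int(deny.group(1)) if deny else None}


def correlate(text):
    """Group entries by unique_id so each HTTP request becomes one record."""
    txns = OrderedDict()
    for raw in split_entries(text):
        e = parse_entry(raw)
        if e is None:
            continue
        t = txns.setdefault(e["unique_id"], {"client": e["client"], "uri": None,
                                             "rules": [], "status": None})
        if e["rule_id"] not in t["rules"]:
            t["rules"].append(e["rule_id"])
        if e["status"] is not None:
            t["status"] = e["status"]
        # 980130 is written after the error document is served, so its uri is
        # the error page (/403.shtml in the thread), not the path requested.
        if e["rule_id"] != CORRELATION_RULE and t["uri"] is None:
            t["uri"] = e["uri"]
    return txns


def not_blocked(txns):
    """Requests where a rule matched but no 'Access denied' entry exists."""
    return [uid for uid, t in txns.items() if t["status"] is None]


# --- constructed sample input (not real traffic) ---------------------------
_P = ("[Fri Oct 23 05:38:{s} 2020] [:error] [pid 1:tid 2] "
      "[client {c}:40130] [client {c}] ModSecurity: ")
_MATCH = _P + ('Warning. Matched phrase "/.env" at REQUEST_FILENAME. '
               '[id "930130"{x} [msg "Restricted File Access Attempt"{x} '
               '[uri "{u}"{x} [unique_id "{i}"{x}')
_DENY = _P + ('Access denied with code 403 (phase 2). Operator GE matched 5 at '
              'TX:anomaly_score. [id "949110"{x} [msg "Inbound Anomaly Score '
              'Exceeded (Total Score: 5)"{x} [uri "{u}"{x} [unique_id "{i}"{x}')
_CORR = _P + ('Warning. Operator GE matched 5 at TX:inbound_anomaly_score. '
              '[id "980130"{x} [tag "event-correlation"{x} '
              '[uri "/403.shtml"{x} [unique_id "{i}"{x}')

SAMPLE_LOG = " ".join([  # txn 1: newest first, run together, ">" closers
    _CORR.format(s="25.617594", c="192.0.2.10", i="SAMPLE-TXN-1", x=">"),
    _DENY.format(s="25.616952", c="192.0.2.10", u="/.env", i="SAMPLE-TXN-1", x=">"),
    _MATCH.format(s="25.616100", c="192.0.2.10", u="/.env", i="SAMPLE-TXN-1", x=">"),
]) + "\n" + "\n".join([  # txn 2 blocked; txn 3 matched but never denied
    _MATCH.format(s="28.904023", c="192.0.2.11", u="/api/.env", i="SAMPLE-TXN-2", x="]"),
    _DENY.format(s="28.904631", c="192.0.2.11", u="/api/.env", i="SAMPLE-TXN-2", x="]"),
    _CORR.format(s="28.905184", c="192.0.2.11", i="SAMPLE-TXN-2", x="]"),
    _MATCH.format(s="32.509057", c="192.0.2.12", u="/shop/.env", i="SAMPLE-TXN-3", x="]"),
])

if __name__ == "__main__":
    for uid, t in correlate(SAMPLE_LOG).items():
        verdict = f"denied {t['status']}" if t["status"] else "NOT BLOCKED"
        print(f"{uid}  {t['client']:<12} {str(t['uri']):<12} {verdict:<12} "
              f"rules={','.join(t['rules'])}")
```

A transaction listed by `not_blocked` is the one to follow up in the access log, since nothing in the error log shows the request was refused.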
cut -d":" -f1 /etc/trueuserowners | while read user;do whmapi1 unset_all_service_proxy_backends username=$user;done
@cPanelLauren I hope it will run for all the cP users 1 by 1 by doing an Apache restart, hope I'm right?
Can you break up the command? How do I use it in SSH?
Hey there, @Tarun Khanna! There shouldn't be a need to break up that command at all as that would run in SSH just by copy and pasting. If you have trouble, just ask!
It will run for all users, which will take a long time to complete, and for each and every run it will restart Apache, which will make the sites go down. You can grep for the proxypass in the httpd.conf file, take the usernames that have proxypass enabled, and run the command only for those users.
I don't understand. After using the transfer tool, outgoing mails are not working.
Check screenshot. Nothing happened.
@Tarun Khanna - I'm not sure why that wouldn't be working well on your system. If you are having issues with that command and seeing problems with outbound email, it might be best to put in a ticket with our team as there may be issues with other areas of the system.
Remove the ; from that command at the end, which should work.
The "while read" loop appears to be missing a "done" at the end of it, which signifies that the loop should stop there. You should be able to get this to run by adding "done" at the end of this line, so it will look something along the lines of:
cut -d ":" -f1 /etc/trueuserowners | while read user ; do whmapi1 unset_all_service_proxy_backends username=$user ; done