Google bot triggering OWASP modsecurity rule 949110

Comments

6 comments

  • cPRex Jurassic Moderator
    Hey there! This isn't a new thing, as this happens with people once in a while when ModSecurity gets overly protective. Here is a similar thread from 10 years ago:
    0
  • ciao70
    Hi, check the ModSecurity log carefully, because there is probably some other rule that triggers the 949110.
    0
  • aeroweb
    Thanks for the info, much appreciated. The strange thing is, we've used ModSecurity with the OWASP rules set up on our servers for years now. And yes, we would occasionally get false positives and see the Googlebot being blocked over the years; however, in the last 3 days or so we've gotten hundreds of blocks, which is very unusual. Do you know if anything has changed recently? Have any of the OWASP rules been updated? Thanks
    0
  • cPRex Jurassic Moderator
    You can check and see if there has been an update to the package through the /var/log/dnf.rpm.log log file. On my personal machine, the last OWASP update was Jan 5: 2023-01-05T05:34:47-0500 SUBDEBUG Upgrade: ea-modsec2-rules-owasp-crs-3.3.4-1.1.2.cpanel.x86_64
    0
  • aeroweb
    I do not have a dnf.rpm.log file. I checked the yum.log files and it's not in there. I also checked /etc/apache2/conf.d/modsec_vendor_configs/OWASP3, but it appears that the rule files here get updated daily when cPanel runs its update cron.
    0
  • aeroweb
    After further review of both the ModSecurity logs and Apache logs, it appears that the Googlebot is actually triggering rule 942100, "sql injection attack detected via libinjection". The Googlebot seems to be hitting the servers with hundreds of GET requests against WordPress websites using the built-in WordPress search feature (/?s=). See below.
    GET /?s=%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9E-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%96%A6DD96%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1-%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9Efdxpr-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%96%A6DD96%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1td3t-%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9Ebebzt-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1epvh
    0
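
Rule 949110 is the CRS blocking-evaluation rule, so the rule that actually raised the anomaly score (942100 in this thread) appears on a separate log line with the same unique_id. The following is an added example, not code from the thread or from cPanel: it groups ModSecurity lines by unique_id and counts which rules sit behind each 949110 block; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on ModSecurity 2 entries in the Apache
# error log; client IPs, hostnames, fingerprints and unique_ids are made up.
SAMPLE_LOG = """\
[client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'sos' [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.test"] [uri "/"] [unique_id "AAA111"]
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.test"] [uri "/"] [unique_id "AAA111"]
[client 192.0.2.11] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [hostname "198.51.100.5"] [uri "/"] [unique_id "BBB222"]
[client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'sos' [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.test"] [uri "/"] [unique_id "CCC333"]
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.test"] [uri "/"] [unique_id "CCC333"]
"""

FIELD = re.compile(r'\[(id|msg|unique_id) "([^"]*)"\]')
BLOCKING_RULE = "949110"  # fires only after other rules raised the score


def parse_line(line):
    """Return the id/msg/unique_id tags of one ModSecurity log line as a dict."""
    return dict(FIELD.findall(line))


def rules_behind_blocks(log_text):
    """Map each blocked transaction to the rules that raised its anomaly score."""
    by_txn = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "id" in fields and "unique_id" in fields:
            by_txn[fields["unique_id"]].append((fields["id"], fields.get("msg", "")))
    blocked = {}
    for uid, hits in by_txn.items():
        # Keep only transactions that ended in a 949110 denial.
        if any(rule_id == BLOCKING_RULE for rule_id, _ in hits):
            blocked[uid] = [h for h in hits if h[0] != BLOCKING_RULE]
    return blocked


def summarize(log_text):
    """Count how often each rule contributed to a 949110 block."""
    counts = Counter()
    for hits in rules_behind_blocks(log_text).values():
        counts.update(rule_id for rule_id, _ in hits)
    return counts


if __name__ == "__main__":
    for rule_id, n in summarize(SAMPLE_LOG).most_common():
        print(rule_id, n)
```

To use it on a real server, pass the contents of the Apache error log in place of SAMPLE_LOG.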