Mod_Security Log Entry
Hello,
the problem is solving but since that day I turn out several attempted attacks by IP cPanel:
we are sure that there are other problems?
[Mon Aug 31 09:22:03 2015] [error] [client 208.74.125.50] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsec/20_asl_useragents.conf"> [line "180"> [id "330039"> [rev "4"> [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. "> [severity "CRITICAL"> [hostname "autodiscover.xxxxxxxx.xxx"> [uri "/cgi-sys/autodiscover.cgi"> [unique_id "VeQAmy4cBQsAACZROUcAAAAw">
we are sure that there are other problems?
-
In addition to the information provided above by Michael, the requests are not attacks. They are legitimate requests from cPanel servers that happen to use a User-Agent that Atomicorp blocks by default. I reported this in the past and as Michael stated CPANEL-268 is open to address this. In the mean time if your server has a file at /etc/asl/whitelist you can add the cPanel autodiscover IP addresses to that file and restart apache, or temporarily disable rule 330039 in your ModSecurity configuration. 0
Please sign in to leave a comment.
Comments
2 comments