Mod_security is being triggered
Hello,
My mod_security has been triggered for the last couple of days on a few sites. The server's IP even appears as the hostname in some of the triggered entries.
Here are the details of a few attacks:
1-
Host: Sitename.com
Request: GET /hudsykdommer-t-%C3%C3%83%C6%92%C3%82%C2%AF%C3%83%E2%80%9A%C3%82%C2%BF%C3%83%E2%80%9A%C3%82%C2%BD%E2%C3%83%C6%92%C3%82%C2%AF%C3%83%E2%80%9A%C3%82%C2%BF%C3%83%E2%80%9A%C3%82%C2%BD%A6-talgcyste.html
Action Description: Access denied with code 406 (phase 2).
Justification: Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME.
Rule ID: 1234123439: UTF8 Encoding Abuse Attack Attempt.
[Thu Jun 09 17:09:14 2016] [error] [client 207.46.13.155] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "16"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "1234123439"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "Sitename.com"] [uri "/hudsykdommer-t-\xc3\xef\xbf\xbd-telangiektasier.html"] [unique_id "V1lcakAPm3wAAGvlWxoAAAAF"]
2-
Host: My server's IP
Request: GET /
Action Description: Access denied with code 406 (phase 2).
Justification: Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required.
Rule ID: 1234123429: Request Indicates an automated program explored the site.
[Fri Jun 10 00:26:08 2016] [error] [client 31.184.195.114] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "1234123429"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "Server IP"] [uri "/cgi-bin/cgi_wrapper/cgi_wrapper"]
What do those attacks show? Is this something I can ignore, or do I need to take action, and how can we deal with this? Thank you.
-
Which ModSec rules are you using? To me, this looks like ModSec is doing its job. Are you saying that this is a false positive?
-
Hello, No, I don't know exactly what this is. I am asking you guys: is that a normal thing? Thank you.
-
modsec and regexp are ugly. This is quite common, unfortunately. You'll need to weed out and fine-tune rules like this.
-
Hello, The log entry below "Rule ID" will tell you information about the URL accessed, the rule it broke, a description of the rule, and the rule number. This helps you to evaluate whether it's a false positive or whether it successfully blocked an attack. The following document explains how to manage your ModSecurity rules from Web Host Manager: ModSecurity Tools - Documentation - cPanel Documentation. Thank you.