Why I get Error log messages "REQUEST_FILENAME"? - php

Maybe someone had the same problem? I'm using WordPress sites and getting the following error in my metrics. I've already deactivated Auto Updates in Softaculous, so now I get fewer errors, but this one I still can't understand:
[Fri Apr 16 11:57:30.115119 2021] [:error] [pid 4189499:tid 47071174346496] [client 193.106.30.100:51380] [client 193.106.30.100] ModSecurity: Warning. Match of "pmFromFile path_excludes" against "REQUEST_FILENAME" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/004_i360_4_custom.conf"] [line "905"] [id "77140992"] [msg "IM360 WAF: Suspicious access attempt (WP folders)!||SC:/home/optim085/rshestakov.com/wp-content/plugins/wp-file-manager||T:APACHE||REQUEST_URI:/wp-content/plugins/wp-file-manager/lib/files/hardfork.php||"] [severity "NOTICE"] [tag "service_i360custom"] [tag "noshow"] [hostname "rshestakov.com"] [uri "/wp-content/plugins/wp-file-manager/lib/files/hardfork.php"] [unique_id "YHlfii5NrBxmL1xubinBiwAAANE"]
Thanks in advance!

OWASP ModSecurity Core Rule Set project here.
This is an alert or a false positive alert from your commercial Imunify360 web application firewall. You should get in touch with the Imunify support to solve this for you. It's a paid service after all.

Like dune73 already mentioned, this is a message generated by Imunify360. It might well be legitimate, so first you need to check whether it was you who triggered it or some unauthorized source.
Check if your IP address is the same as the IP address mentioned in the error message. If this is the case it might be a false positive.
Check whether there is a PHP warning in your error log saying something like:
PHP Warning: POST Content-Length of 9852139 bytes exceeds the limit of 8388608 bytes
Over the last few weeks I've seen this happening to several people who were trying to install a WordPress theme. If this is the case with you as well, you should probably check if upping the PHP limits helps to solve it. (To people who haven't done this before: you can do this by either creating a .user.ini file or by altering a .php.ini file, depending on the setup of your server.)
If this still fails you could try looking for the incident in the Imunify360 interface. If it's in there you can whitelist it.
I hope this helps. If you have any more questions please let me know!

Related

Find function file which is calling it and outputting in the error log as NOT FOUND

I am new to Google Compute Engine (GCP). I have limited knowledge of programming, yet I am hosting a WordPress website on my server.
The problem is that a few days back my site got hacked or accessed by someone else. I received a message from GCE customer support that my account will be suspended if I don't stop using the server for mining cryptocurrency. Now I have no idea what he was talking about. Then I checked the files and could see lots of foreign files. He is apparently using my server to mine crypto, though nothing malicious or disruptive to the server..
As I have lots of edited and custom files and I don't have backup files, my best option was to manually check and remove all those foreign files.. I have almost removed all the files, but still there are files continuously calling some function or something from somewhere else that is leaving NOT FOUND errors in error.log and access.log.. Looks like it is using cron jobs or something.. I have no idea where it's coming from.. I am just trying to find the file that is executing those functions.
error.log file:
[Tue Nov 13 15:03:34.595848 2018] [:error] [pid 31561] [client 66.249.66.150:47822] script '/var/www/example.com/tozeowi.php' not found or unable to $
[Tue Nov 13 15:05:56.744506 2018] [core:error] [pid 31587] [client 176.9.23.3:36328] AH00124: Request exceeded the limit of 10 internal redirects due to probable configurat$
Access.log file:
"GET /joapow1ok/tozeowi.php?serhtr=morgan-stanley-health-insurance-benefits'A=0 HTTP/1.1" 404 3621 "https://www.example.com/joapow1ok/tozeowi.php?"
If someone can help me find the file causing that GET request to execute.. Or is there any Linux function to figure it out?
Note: I have disabled many plugins and my theme, yet no luck.. I have 3 websites in the same directory and all got infected.

Filenames with single quotes are giving internal 500 error while uploading images or files in to production

While uploading images or files with single quotes, a 500 internal server error is thrown in our production environment, but on our localhost and QA instance the same code works fine.
We have looked at the log file (ssl_error_log) and found the error below:
[Fri Nov 25 05:41:56.926603 2016] [:error] [pid 29449] [client 183.82.3.44] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "31"] [id "200002"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [hostname "www.gatewaychamber.com"] [uri "/edit-profile/"] [unique_id "WDgVc7JgaWA0yezMJ2n#TAAAAAc"]
We have found the solution at this url by disabling rule 200002 in my httpd configuration file:
SecRuleRemoveById 200002
However, we have not tried this because we want to know about any security issues or evasion attacks after disabling this on the server. Please give any solution or advice to solve this problem. Also, could anyone please explain any security issues if we disable this rule with SecRuleRemoveById 200002 in the modsecurity.conf file?
If it should be disabled to solve the problem, please advise a better way to disable this rule. Alternatively, can we modify the file name on the front end using jQuery?
I have seen LinkedIn and Facebook and some other websites accepting single quotes while uploading, without any problem or renaming the file/images. How is this possible?
Thanks in advance.
Based on the information from this link, there was a way to circumvent ModSecurity and sneak in some malicious php code.
ModSecurity up to 2.6.8 has this vulnerability and should have rule 200002 in place. If it is possible to upgrade your version of ModSecurity to at least 2.7.0 the rule is no longer needed. The current version of ModSecurity is 2.9.1.

Errors in Error Log in Cpanel

I found the following error in the error log in cPanel for my website. I have changed the name to meet the advertiser's TOS. Here is the error:
[Tue Nov 04 01:03:23 2014] [error] [client *ip address*] File does not exist: /home/food/public_html/index.php, referer: mywebsite.com/folder/content.html
I have built the site using HTML, and have not used PHP at all.
From my PC, I am able to access content.html.
When I contacted the tech support of my hosting service, they could not explain why there are errors in the error log and merely said it is a coding issue.
Please advise how to resolve the error and whether I should be concerned, as I am not using a file called index.php (or any other PHP file on the site). Thanks for your help.
If I am interpreting this log correctly, this doesn't look like your hosting company is giving you the correct information.
By referer, I assume apache is indicating the URI which generated the request from your client's domain. Meaning that your client is trying to access /home/food/public_html/index.php on your domain. If it doesn't exist you need to have them correct their referring link/script.

ModSecurity maximum post limits (PCRE limit errors)

I've been having tonnes of issues with Mod Security. I am busy writing a CMS for a project at work and while developing a page to edit a certain database record I kept getting 403 errors. After hours of banging my head against my desk, adjusting bits of code I finally just changed the script to which my form was being posted, to contain a simple echo "test";. Even submitting to this simple page was kicking up a 403 error. I messed about with my form and I eventually found that if I reduced the amount of data I was posting the form submitted fine (In particular I reduce the amount of text within a textarea).
After checking the logs (Yep, this wasn't the first thing I did - sigh) I noticed that I was getting numerous errors from ModSecurity, such as:
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//global": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
I've been messing around, Googling and changing rules for days to no avail. The only thing I seem to be able to do is turn ModSecurity off for this vhost. This is fine by me while I'm developing the CMS, but in production this isn't really something I want to do. Does anyone have any ideas on what is causing this issue and how to sort it? The logs seem to point at some kind rules to do with regular expression limits, but since changing my post receiving script to just print out the word test I'm not doing anything with them (Though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion). It seems rather that there's something wrong with the amount of data I am sending through.
I've just resolved a similar issue, with a large post triggering PCRE limit errors in multiple rules. I feel it's wrong for mod-security to then flag the request as malicious just because it blew up!
I raised the two settings you mentioned from the default of 1,500 to 500,000, as advised in this post, and it solved my problem.
The default values for the PCRE Match limit are very, very low with ModSecurity. You can go to 500K usually without harming your set. But for your information: the PCRE Match limit is meant to reduce the chance for a DoS attack via Regular Expressions. So by raising the limit you raise your vulnerability in this regard, but the PCRE errors are much worse from a security perspective. I run with 500K in prod usually:
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/656
Also see
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecPcreMatchLimit
I had a similar issue with PCRE module a few weeks ago and it was related to backtrack_limits.
I assume SecPcreMatchLimit and SecPcreMatchLimitRecursion are related to mod_security, but did you try upping the values for the PCRE module in your php.ini file or at PHP execution time?
pcre.backtrack_limit and pcre.recursion_limit
You could also confirm whether the issue is related to PCRE limits with the function preg_last_error().
You can see more here: http://php.net/manual/en/function.preg-last-error.php
and here: http://www.php.net/manual/en/pcre.constants.php
I hope this helps.
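The three threads above all start from the same kind of line in the Apache error log, and in each case the first question is the same: is this a rule matching the request (worth checking whether the client IP is your own), or an engine failure such as a PCRE limit or an unwritable DBM file that has nothing to do with the request content? The following script is an added example, not code from any of the posts or from ModSecurity itself. It parses the bracketed fields ModSecurity writes, classifies each line, and decodes the "PE 0, BQ 0, ... IQ 1" part of a rule 200002 message using the abbreviations that rule's msg uses in modsecurity.conf-recommended. The sample log lines are constructed for this example, with documentation-range addresses and example.com in place of the real values from the threads.

```python
"""Triage ModSecurity 2.x error-log lines (added example, not from the threads above)."""
import re
from typing import Iterable, List, Optional

# Quoted fields such as [id "200002"] [msg "..."] [uri "/edit-profile/"].
QUOTED = re.compile(r'\[([A-Za-z_]+) "([^"]*)"\]')
# Unquoted client field, written with or without a source port.
CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
# Action taken: "Warning." (log only) or "Access denied with code 403 (phase 2)."
DENIED = re.compile(r'Access denied with code (\d+)')
# Substrings that mark engine-level failures rather than a rule matching the request.
ENGINE_ERRORS = (
    "PCRE limits exceeded",
    "Failed to access DBM file",
    "Failed to create temporary file",
    "Failed to delete temporary file",
)
# Abbreviations used in the msg of rule 200002 (modsecurity.conf-recommended),
# mapped to the ModSecurity variable each one reports.
MULTIPART_FLAGS = {
    "PE": "REQBODY_PROCESSOR_ERROR",
    "BQ": "MULTIPART_BOUNDARY_QUOTED",
    "BW": "MULTIPART_BOUNDARY_WHITESPACE",
    "DB": "MULTIPART_DATA_BEFORE",
    "DA": "MULTIPART_DATA_AFTER",
    "HF": "MULTIPART_HEADER_FOLDING",
    "LF": "MULTIPART_LF_LINE",
    "SM": "MULTIPART_MISSING_SEMICOLON",
    "IQ": "MULTIPART_INVALID_QUOTING",
    "IP": "MULTIPART_INVALID_PART",
    "IH": "MULTIPART_INVALID_HEADER_FOLDING",
    "FL": "MULTIPART_FILE_LIMIT_EXCEEDED",
}
FLAG = re.compile(r'\b([A-Z]{2}) (\d+)\b')


def multipart_failures(msg: str) -> List[str]:
    """Names of the strict-validation flags that are non-zero in a rule 200002 msg."""
    if not msg.startswith("Multipart request body failed strict validation"):
        return []
    return [MULTIPART_FLAGS[abbr] for abbr, val in FLAG.findall(msg)
            if abbr in MULTIPART_FLAGS and val != "0"]


def parse_line(line: str) -> Optional[dict]:
    """Parse one Apache error-log line written by ModSecurity; None for other lines."""
    if "ModSecurity:" not in line:
        return None
    pairs = QUOTED.findall(line)
    fields = dict(pairs)          # repeated keys (tag) keep the last value; tags collected below
    client = CLIENT.search(line)
    denied = DENIED.search(line)
    msg = fields.get("msg", "")
    rec = {
        "client": client.group(1) if client else None,
        "id": fields.get("id"),
        "uri": fields.get("uri"),
        "hostname": fields.get("hostname"),
        "msg": msg,
        "tags": [v for k, v in pairs if k == "tag"],
        "status": int(denied.group(1)) if denied else None,   # None means log-only warning
        "multipart_failures": multipart_failures(msg),
    }
    internal = msg.startswith("ModSecurity internal error flagged")
    if internal or any(e in line for e in ENGINE_ERRORS):
        rec["kind"] = "engine-error"     # fix the config/limits; not evidence about the request
    elif rec["id"]:
        rec["kind"] = "rule-match"       # a rule fired on this request; check who sent it
    else:
        rec["kind"] = "other"
    return rec


def triage(lines: Iterable[str], own_ips: Iterable[str] = ()) -> List[dict]:
    """Classify each line and mark hits that came from one of your own addresses."""
    own = set(own_ips)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            rec["from_own_ip"] = rec["client"] in own
            out.append(rec)
    return out


# Constructed sample lines, modeled on the ones quoted in the threads (not real log data).
SAMPLE_LINES = [
    '[Fri Apr 16 11:57:30.115119 2021] [:error] [pid 4189499:tid 47071174346496] [client 203.0.113.5:51380] [client 203.0.113.5] ModSecurity: Warning. Match of "pmFromFile path_excludes" against "REQUEST_FILENAME" required. [file "/etc/apache2/conf.d/custom.conf"] [line "905"] [id "77140992"] [msg "IM360 WAF: Suspicious access attempt (WP folders)!"] [severity "NOTICE"] [tag "service_i360custom"] [tag "noshow"] [hostname "example.com"] [uri "/wp-content/plugins/wp-file-manager/lib/files/hardfork.php"] [unique_id "CONSTRUCTED1"]',
    '[Fri Nov 25 05:41:56.926603 2016] [:error] [pid 29449] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "31"] [id "200002"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [hostname "example.com"] [uri "/edit-profile/"] [unique_id "CONSTRUCTED2"]',
    '[Mon Aug 12 17:11:33 2013] [error] [client 198.51.100.9] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "example.com"] [uri "/admin/index.php"] [unique_id "CONSTRUCTED3"]',
    '[Mon Aug 12 17:11:33 2013] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "example.com"] [uri "/admin/index.php"] [unique_id "CONSTRUCTED4"]',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES, own_ips=["203.0.113.5"]):
        print(r["kind"], r["id"], r["client"], "own" if r["from_own_ip"] else "",
              r["uri"], r["multipart_failures"])
```

Run it against your own error log with `own_ips` set to the addresses you administer from; an entry that is `rule-match` and `from_own_ip` is the false-positive candidate the second answer above describes, while `engine-error` entries point at limits or permissions to fix rather than at the request. For the upload thread, `MULTIPART_INVALID_QUOTING` showing up in `multipart_failures` is the specific parser check the single-quote filename trips.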

Files are being temporarily uploaded to /root/tmp instead of /tmp

I have a simple upload form, here're the start and end tags:
<form action="post.php" method="post" enctype="multipart/form-data">
</form>
I am getting a 500 Internal Server error on submit. And apache logs show the following entries (hostname and ip redacted):
[Tue Feb 14 00:08:32 2012] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Input filter: Failed to create temporary file: /root/tmp/20120214-000832-TznsTkPj2kkAAE5LYREAAAAB-request_body-xqZDkt [hostname "xxxxxxxxxx.com"] [uri "/app/221/product/post.php"] [unique_id "TznsTkPj2kkAAE5LYREAAAAB"]
[Tue Feb 14 00:08:37 2012] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Input filter: Failed to delete temporary file: /root/tmp/20120214-000832-TznsTkPj2kkAAE5LYREAAAAB-request_body-xqZDkt [hostname "xxxxxxxxxx.com"] [uri "/app/221/product/post.php"] [unique_id "TznsTkPj2kkAAE5LYREAAAAB"]
I have searched the code, there's no mention of root or upload_tmp_dir anywhere. All code files belong to the application user and group. In php.ini, upload_tmp_dir was not initially set, I've now set it to /tmp but that hasn't resolved the issue either.
Any idea why it's trying to upload to /root/tmp?
Looks like you should check your ModSecurity settings, in particular the SecUploadDir setting.
File upload support
ModSecurity is capable of intercepting files uploaded through POST requests and multipart/form-data encoding or (as of 1.9) through PUT requests.
Since there's only one place you can set that value in PHP, and it's been verified at runtime, plus we know you have ModSecurity running from the log output, it seems like that's probably it.
Notes per OP:
If you don't set the SecUploadDir parameter, ModSecurity does not ignore it. So we made the following changes:
SecUploadDir /tmp
SecTmpDir /tmp
and now it works perfectly.
One other thing I stumbled upon you can try in a situation like this would be to disable mod security entirely to see if that eliminates the problem. Then you can narrow the issue down to mod security quickly:
https://serverfault.com/questions/57210/disable-modsecurity-for-a-specific-directory
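The fix above came down to two directives, SecTmpDir and SecUploadDir, which the PHP settings never touch. The script below is an added example, not part of the answer or of ModSecurity: it reads a ModSecurity 2.x configuration, reports the last value given for each directory directive (or that it was never set), and checks whether the directory exists and is writable by the user running the script. The sample configuration is constructed for the example; the directive names come from the ModSecurity 2.x reference manual.

```python
"""Report which directories a ModSecurity 2.x config selects and whether they are usable
(added example, not from the thread above)."""
import os
import re
from typing import Dict, Optional

# Directives from the ModSecurity 2.x reference manual that name on-disk directories.
DIRECTORY_DIRECTIVES = ("SecTmpDir", "SecUploadDir", "SecDataDir")
# One directive per line; lines starting with '#' are comments and do not match.
DIRECTIVE = re.compile(r'^\s*(Sec\w+)\s+(\S+)\s*$', re.MULTILINE)


def configured_dirs(config_text: str) -> Dict[str, Optional[str]]:
    """Last value given for each directory directive, or None if it never appears.
    The last occurrence wins, as it does when Apache reads the file top to bottom."""
    found: Dict[str, Optional[str]] = {d: None for d in DIRECTORY_DIRECTIVES}
    for name, value in DIRECTIVE.findall(config_text):
        if name in found:
            found[name] = value.strip('"')
    return found


def check_dirs(config_text: str) -> Dict[str, dict]:
    """For each directive: is it set, does the directory exist, can this process write to it?
    Run as the web-server user (for example via sudo -u) so the writable check matches
    what Apache sees at request time."""
    report: Dict[str, dict] = {}
    for name, path in configured_dirs(config_text).items():
        info = {"path": path, "set": path is not None, "exists": False, "writable": False}
        if path is not None and os.path.isdir(path):
            info["exists"] = True
            # Creating and removing temp files needs write and search permission.
            info["writable"] = os.access(path, os.W_OK | os.X_OK)
        report[name] = info
    return report


# Constructed sample config, modeled on modsecurity.conf-recommended (not a real file).
SAMPLE_CONFIG = """\
SecRuleEngine On
SecRequestBodyAccess On
# SecUploadDir /var/lib/modsec/upload
SecTmpDir /tmp/
SecDataDir /tmp/
"""

if __name__ == "__main__":
    for name, info in check_dirs(SAMPLE_CONFIG).items():
        state = "unset" if not info["set"] else (
            "ok" if info["writable"] else "exists, not writable" if info["exists"] else "missing")
        print(f"{name:13} {info['path'] or '-':30} {state}")
```

In the sample, SecUploadDir is commented out, so the report shows it as unset, which is the situation the original poster hit: the upload directory has to be set explicitly, separately from PHP's upload_tmp_dir.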
