I've been having tonnes of issues with Mod Security. I am busy writing a CMS for a project at work and while developing a page to edit a certain database record I kept getting 403 errors. After hours of banging my head against my desk, adjusting bits of code I finally just changed the script to which my form was being posted, to contain a simple echo "test";. Even submitting to this simple page was kicking up a 403 error. I messed about with my form and I eventually found that if I reduced the amount of data I was posting the form submitted fine (In particular I reduce the amount of text within a textarea).
After checking the logs (Yep, this wasn't the first thing I did - sigh) I noticed that I was getting numerous errors from ModSecurity, such as:
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//global": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
I've been messing around, Googling and changing rules for days to no avail. The only thing I seem to be able to do is turn ModSecurity off for this vhost. This is fine by me while I'm developing the CMS, but in production this isn't really something I want to do. Does anyone have any ideas on what is causing this issue and how to sort it? The logs seem to point at some kind rules to do with regular expression limits, but since changing my post receiving script to just print out the word test I'm not doing anything with them (Though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion). It seems rather that there's something wrong with the amount of data I am sending through.
I've just resolved a similar issue, with a large post triggering PCRE limit errors in multiple rules. I feel it's wrong for mod-security to then flag the request as malicious just because it blew up!
I raised the two settings you mentioned from the default to 500,000 from the default of 1,500 as advised in this post, and it solved my problem.
The default values for the PCRE Match limit are very, very low with
ModSecurity. You can got to 500K usually without harming your set. But
for your information: The PCRE Match limit is meant to reduce the
chance for a DoS attack via Regular Expressions. So by raising the
limit you raise your vulnerability in this regard, but the PCRE errors
are much worse from a security perspective. I run with 500K in prod
usually:
SecPcreMatchLimit 500000 SecPcreMatchLimitRecursion 500000
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/656
Also see
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecPcreMatchLimit
I had a similar issue with PCRE module a few weeks ago and it was related to backtrack_limits.
I assume SecPcreMatchLimit and SecPcreMatchLimitRecursion are related to mod_security, but did you try upping the values for pcre module in your php.ini file or during PHP execution time?
pcre.backtrack_limit and pcre.recursion_limit
You could also confirm if the issue is related to PCRE limits with the following function preg_last_error()
You can see more here: http://php.net/manual/en/function.preg-last-error.php
and here: http://www.php.net/manual/en/pcre.constants.php
I hope this helps.
Related
Maybe someone had the same problem? I'm using Wordpress sites and getting this following error in my metrics. I've already deactivated Auto Updates on Softacolous so now I get less errors, but those ones still couldn't understand:
[Fri Apr 16 11:57:30.115119 2021] [:error] [pid 4189499:tid 47071174346496] [client 193.106.30.100:51380] [client 193.106.30.100] ModSecurity: Warning. Match of "pmFromFile path_excludes" against "REQUEST_FILENAME" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/004_i360_4_custom.conf"] [line "905"] [id "77140992"] [msg "IM360 WAF: Suspicious access attempt (WP folders)!||SC:/home/optim085/rshestakov.com/wp-content/plugins/wp-file-manager||T:APACHE||REQUEST_URI:/wp-content/plugins/wp-file-manager/lib/files/hardfork.php||"] [severity "NOTICE"] [tag "service_i360custom"] [tag "noshow"] [hostname "rshestakov.com"] [uri "/wp-content/plugins/wp-file-manager/lib/files/hardfork.php"] [unique_id "YHlfii5NrBxmL1xubinBiwAAANE"]
Thanks in advice!
OWASP ModSecurity Core Rule Set project here.
This is an alert or a false positive alert from your commercial Imunify360 web application firewall. You should get in touch with the Imunify support to solve this for you. It's a paid service after all.
Like dune73 allready mentioned this is a message generated by immunify360. It might well be legitimate so first you need to check if it was you who triggered it or some unauthorized source.
Check if your ip-address is the same as the ip-address mentioned in the error message. If this is the case it might be a false positive.
Check whether there is a PHP warning in your error log saying something like:
PHP Warning: POST Content-Length of 9852139 bytes exceeds the limit
of 8388608 bytes
Over the last few weeks I've seen this happening to several people who were trying to install a wordpress theme. If this is the case with you as well you should probably check if upping the php limits helps to solve it. (to people who haven't done this before: you can do this by either creating a .user.ini file or by altering a .php.ini file - depending on the setup of your server)
If this still fails you could try looking for the incident in the Immunify360 interface. If it's in there you can whitelist it.
I hope this helps. If you have any more questions please let me know!
I am newly using Google compute engine (GCP). I have a limited knowledge on programming yet i am hosting WordPress website in my server.
The problem is few days back my site got hacked or access by someone else. I received a message from GCE customer support that my account will be suspended if I don't stop using server for mining cryptocurrency. Now I have no idea what he was talking. Then I checked the files and can see lots of foreign files. He is apparently using my server to mine crypto, though nothing malicious or disruption of server..
As I have lots of edited and custom files and that I don't have backup files, my best option was to manually check and remove all those foreign files.. I have almost removed all the files but still there are files continously calling from somewhere else function or something that is tracing NOT FOUND error in error.log and access.log.. Looks like using cron jobs or something.. I have no idea where it's coming from.. I am just trying to find that file that is executing those functions.
error.log file:
[Tue Nov 13 15:03:34.595848 2018] [:error] [pid 31561] [client 66.249.66.150:47822] script '/var/www/example.com/tozeowi.php' not found or unable to $
[Tue Nov 13 15:05:56.744506 2018] [core:error] [pid 31587] [client 176.9.23.3:36328] AH00124: Request exceeded the limit of 10 internal redirects due to probable configurat$
Access.log file:
"GET /joapow1ok/tozeowi.php?serhtr=morgan-stanley-health-insurance-benefits'A=0 HTTP/1.1" 404 3621 "https://www.example.com/joapow1ok/tozeowi.php?"
If someone can help me find that file causing to execute that GET function.. Or is there any linux function to find figure out.
Note: I have disabled many plugins and my theme yet no luck.. I have 3 website in the same directory and all got infected.
Has anyone ever seen the below error in a site running on Concrete CMS ?
This is from the apache error log file
[Thu Jan 31 08:06:51 2013] [error] [client 41.56.88.53] File does not
exist: /va
r/www/\r\n SomeCustomInjectedHeader:injected_by_wvs, referer:
http://www.mysite.com:80/ [Thu Jan 31 08:06:51 2013] [error] [client
41.56.88.53] File does not exist: /va r/www/\n SomeCustomInjectedHeader:injected_by_wvs, referer:
http://www.mysite.com
Looks like some kind of injected file. Does anyone have any idea how I can find what is causing those entries in the error logs?
That has nothing to do with concrete5. It's a scan from an external source, looking for some sort of vulnerability.
This could be good (some hosting providers might do it to make sure you're not going to get hacked) or bad (someone looking for a machine to attack). But bad is relative. It's like returning to your car and seeing that someone touched your door handle.... If you watch your logs, you'll see plenty of blind attacks like this.
[Wed Dec 12 23:23:09 2012] [warn] [client 31.22.4.214] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Wed Dec 12 23:23:09 2012] [error] [client 31.22.4.214] Premature end of script headers: index.php
[Wed Dec 12 23:31:20 2012] [error] mod_fcgid: process /home/www-data/php5-fcgi(32763) exit(communication error), get unexpected signal 7
I get these errors every times in my APACHE logs. I am running a forum, and sometimes these errors get so severe, it returns a 500 error.
I am using APC, Debian OS, PHP5CGI, and MYSQL. Here is a list of the modules I am using on APACHE:
Link to image: i.stack.imgur(dot)com/bcrWn(dot)png
Could you please tell me what's wrong? Is this an APC issue?
I was getting the same random errors from three sites that were using APC extensively for both bytecode caching and other data using the W3 Total Cache plugin for Wordpress.
I disabled the APC caching on the sites, and the errors continued. Removing APC from the server, though, fixed it entirely. Since I researched this extensively and found almost no other incidences of "get unexpected signal 7" with PHP under mod_fcgid, I'm pretty confident that yes, your problem was probably caused by an APC issue.
I would imagine that you've already resolved your problem, since this question is over two months old, but hopefully this may help someone else who runs into the same error.
I was also seeing this error on a shared hosting environment using php-fcgi. APC is enabled but only being used on one site which wasn't generating the error.
It turned out the site with the error had exceeded their disk quota, something I discovered by accident when trying to update some files.
Increasing the disk quota for that site immediately resolved the issue.
I have a simple upload form, here're the start and end tags:
<form action="post.php" method="post" enctype="multipart/form-data">
</form>
I am getting a 500 Internal Server error on submit. And apache logs show the following entries (hostname and ip redacted):
[Tue Feb 14 00:08:32 2012] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Input filter: Failed to create temporary file: /root/tmp/20120214-000832-TznsTkPj2kkAAE5LYREAAAAB-request_body-xqZDkt [hostname "xxxxxxxxxx.com"] [uri "/app/221/product/post.php"] [unique_id "TznsTkPj2kkAAE5LYREAAAAB"]
[Tue Feb 14 00:08:37 2012] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Input filter: Failed to delete temporary file: /root/tmp/20120214-000832-TznsTkPj2kkAAE5LYREAAAAB-request_body-xqZDkt [hostname "xxxxxxxxxx.com"] [uri "/app/221/product/post.php"] [unique_id "TznsTkPj2kkAAE5LYREAAAAB"]
I have searched the code, there's no mention of root or upload_tmp_dir anywhere. All code files belong to the application user and group. In php.ini, upload_tmp_dir was not initially set, I've now set it to /tmp but that hasn't resolved the issue either.
Any idea why it's trying to upload to /root/tmp?
Looks like you should check your ModSecurity settings, in particular the SecUploadDir setting.
File upload support
ModSecurity is capable of intercepting files uploaded through POST
requests and multipart/form-data encoding or (as of 1.9) through PUT
requests.
Since there's only one place you can set that value in PHP, and it's been verified at runtime, plus we know you have ModSecurity running from the log output, seems like that's probly it.
Notes per OP:
If you don't set the SecUploadDir parameter, ModSecurity does not
ignore it. So we made the following changes: SecUploadDir /tmp
SecTmpDir /tmp and now it works perfectly.
One other thing I stumbled upon you can try in a situation like this would be to disable mod security entirely to see if that eliminates the problem. Then you can narrow the issue down to mod security quickly:
https://serverfault.com/questions/57210/disable-modsecurity-for-a-specific-directory