A rule in generic_attacks gives me:
[Wed Nov 05 17:02:47 2008] [error] [client 99.999.99.999] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at ARGS:item. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "133"] [id "950006"] [msg "System Command Injection"] [data "cd/"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "sites.etotalhost.com"] [uri "/cgi-bin/orderedit.cgi"] [unique_id "SRIYB0SP2sgAAF0pV4MAAAAG"]
This is a POST to a perl CGI program with about 2k of post data. I have spent
the better part of a day trying to figure out what pattern is being matched
without any luck, so I had to disable the rule. Sadly, I am now subject
to command injection attacks. This is a false positive.
Note that the log message specifies [data "cd/"]. That pattern does not
appear in any arguments.
Todd Merriman
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|