Post by gavin m » Fri Jul 23, 2010 7:18 pm

Hey,

Recently, I've been getting my IP blocked at my host for mod_security violations. The most recent was 5 mins ago whilst I was updating stock levels via the UI. Not exactly special actions there...

Has anyone else experienced this?

The host, Nativespace, say:
The mod_security violations are caused by coding problems or scripts. You might want to audit your code and scripts that you use for your site.
So, if this is the issue, then surely others are having the same trouble? If not, I guess I need to start looking for a new host.

Any assistance would be gratefully appreciated on this.

Cheers.


Post by JAY6390 » Fri Jul 23, 2010 7:19 pm

Did they say what the script was doing that would cause it? Surely it would log the violation.


Post by gavin m » Fri Jul 23, 2010 7:42 pm

I just got the log entry from them:
Temporary Blocks: IP:77.86.30.139 Port: Dir:in TTL:3600 (lfd - *Port Scan* detected from 77.86.30.139 (GB/United Kingdom/-). 11 hits in the last 141 seconds)
So, I guess from that it's saying too many hits so it blocked me?


Post by JAY6390 » Fri Jul 23, 2010 7:51 pm

Hmm, that's very strange, it doesn't actually give the port number that the "port scan" was on. Seems very peculiar to me tbh.


Post by Xsecrets » Fri Jul 23, 2010 8:47 pm

Well, a "port scan" would imply that your host tried to connect to several different ports in a short amount of time. I can't think of anything that opencart is doing that would connect to multiple ports in quick succession.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter



Post by JAY6390 » Fri Jul 23, 2010 8:56 pm

Yeah, especially "in" like the direction suggests, meaning you're port scanning your own server!


Post by gavin m » Fri Jul 23, 2010 9:12 pm

Well, I was opening a product, changing its stock level, then saving. Rinse and repeat.

Could that be the cause? If so, it's a bit crap that the host blocks me for that!


Post by JAY6390 » Fri Jul 23, 2010 9:21 pm

Hmm, were you ultra fast at doing it??? Yeah, it does seem pretty crap if that's the case.


Post by Xsecrets » Fri Jul 23, 2010 9:25 pm

Well, it seems a bit strange that it would trigger a port scan just by hitting port 80 over and over again, which is the only port that doing anything in the admin should hit. You could easily hit port 80 more than 11 times in under 141 seconds just browsing around the front of the store.
A port scan should indicate that you hit 11 different ports in that time, but like I said I'm not aware of anything in opencart that would connect on any port other than port 80.


Post by gavin m » Fri Jul 23, 2010 9:43 pm

OK, I'll see if they will give me a list of ports.

I reckon they won't/can't...

The only extra modules I have installed are:

Zone Shipping Plus
Import / export

So can't see either of them being the issue.

I will see if they give me a port list....


Post by rlatief » Fri Jun 03, 2011 3:33 pm

Hello,

I have a similar problem.

My host is very kind by asking if they should delete mod_security's rule 950004, but I want to make sure if it's really the best solution.

This is the error my host gets:
111.94.111.59 # lfd: (mod_security) mod_security triggered by 111.94.111.59 (ID/Indonesia/-): 5 in the last 300 secs - Fri Jun 3 00:49:08 2011
011-06-03 09:58:16 111.94.111.59 /catalog/view/javascript/jquery/ui/external/jquery.cookie.js HTTP/1.1 gamisgrosir.com Access denied with code 406 (phase 2). Pattern match "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "120"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]
Looks like it triggered while I was quickly adding things to cart.

Thanks!


Post by JAY6390 » Fri Jun 03, 2011 6:29 pm

5 requests in 300 seconds! That's nothing to be honest, what a stupid rule. Most people browse more than a page a minute. You should definitely get them to remove it IMO.


Post by rlatief » Fri Jun 03, 2011 7:04 pm

Hi,

Yea, but I'm thinking that it's not for "regular requests" or something like that, since it's a core rule in mod_security.

I did, however, find many posts on the web about this specific rule 950004 causing problems, although I'm still unable to find an exact description of the rule (like what it tries to "prevent"). I'm not very familiar with configuring servers; I can't even find mod_security's rule description list on Google yet. :|

I just want to make sure that proposing removal of that core rule will not lead to problems for the hosting in the future. :D

Thanks!


ps:

I should add.
Looks like it triggered while I was quickly adding things to cart.
It's the JavaScript/Ajax add-to-cart thingy that causes it. So it's probably related with the XSS prevention although there should be no XSS flag if everything's done in the same domain, no?


Post by Xsecrets » Fri Jun 03, 2011 9:42 pm

Yes, in what you posted before it has "Cross-site Scripting (XSS) Attack", which means it thinks for some reason it is an XSS or could cause an XSS, but it doesn't really say why. It seems that it checks against the regex strings listed and I'm not great at regex, but it appears to be checking for very common things like javascript functions for mouse down, keypress etc. On quick glance it seems like a rule that would trigger on quite a bit of legitimate stuff.


Post by oc-extensions » Tue Apr 10, 2012 3:04 am

Hi all,

I know that this is an old post, but we had this problem two days ago on a very secured server and we think that we found the problem: the name of this file "jquery.cookie.js" - it contains "cookie" and a mod_security rule considers accessing this file 5 times in 300 seconds an attack. If you rename this file then everything is ok.

Extensions and Custom Development
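To make the false positive described above concrete, here is an added Python simulation (not code from the thread, OpenCart, mod_security or lfd): a cut-down stand-in for the filename check of rule 950004, a narrowly scoped exclusion for the jQuery path as an alternative to deleting the rule host-wide, and lfd-style counting of denials per IP ("5 in the last 300 secs"). The `\.cookie\b` alternative is an assumption inferred from the `[data ".cookie"]` field in the posted log line, and the excluded path prefix is an assumption too.

```python
import re
from collections import defaultdict, deque

# Constructed stand-in for the filename part of CRS rule 950004. The log line in
# the thread shows the real pattern truncated, so only its first visible
# alternatives are reproduced; the "\.cookie\b" alternative is an ASSUMPTION
# inferred from the [data ".cookie"] field of that log line.
XSS_PATTERN = re.compile(
    r"(?:\b(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)"
    r"|application\b\W*?\bx-(?:java|vb))script|iframe\b.{0,100}?\bsrc)\b"
    r"|\.cookie\b)",
    re.IGNORECASE,
)

# Assumed scope of a targeted exclusion: only OpenCart's bundled jQuery static
# files, i.e. what "SecRuleRemoveById 950004" inside a <LocationMatch> for this
# path would achieve, instead of deleting the rule for the whole host.
EXCLUDED_PATH = re.compile(r"^/catalog/view/javascript/jquery/.*\.js$")


def rule_fires(path, scoped_exclusion):
    """True if the (simplified) 950004 filename check denies this request."""
    if scoped_exclusion and EXCLUDED_PATH.match(path):
        return False
    return XSS_PATTERN.search(path) is not None


def ips_blocked(events, scoped_exclusion, limit=5, window=300):
    """lfd-style counting: an IP is blocked once `limit` mod_security denials
    fall within `window` seconds. events: (unix_time, client_ip, path)."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip, path in sorted(events):
        if not rule_fires(path, scoped_exclusion):
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= limit:
            blocked.add(ip)
    return blocked


# Constructed sample: one shopper adds six items to the cart in two minutes;
# each Ajax add-to-cart page load also fetches jquery.cookie.js.
COOKIE_JS = "/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"
SHOPPER = [(1000 + 20 * i, "192.0.2.10", COOKIE_JS) for i in range(6)]
SHOPPER += [(1001 + 20 * i, "192.0.2.10", "/index.php?route=checkout/cart") for i in range(6)]

if __name__ == "__main__":
    print("rule host-wide  :", ips_blocked(SHOPPER, scoped_exclusion=False))  # {'192.0.2.10'}
    print("scoped exclusion:", ips_blocked(SHOPPER, scoped_exclusion=True))   # set()
```

With the exclusion scoped to the jQuery directory, the same filename pattern still fires for ".cookie" in paths outside it, so the rule keeps its value elsewhere on the host.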

Post by scanreg » Wed Jul 11, 2012 10:54 pm

oc-extensions wrote: Hi all,

I know that this is an old post, but we had this problem two days ago on a very secured server and we think that we found the problem: the name of this file "jquery.cookie.js" - it contains "cookie" and a mod_security rule considers accessing this file 5 times in 300 seconds an attack. If you rename this file then everything is ok.
very interesting, thanks :)
