False-Positive report thread

Hi k2host
We are working on this.

Hi k2host,
We have released ruleset version 1.216. Please update your rules.

  1. 210381
  2. WordPress 5.2.4
  3. 403 error whenever someone clicks on a tag that contains Greek capital letters.

--3a37be6f-A--
[30/Oct/2019:10:24:09 +0000] GDUljtnqZXDgifMoo147wvlx 2a02:587:cc20:xxxxxxxxxx 185.157.xxxxx:443 443
--3a37be6f-B--
GET /tag/%cf%80%ce%b1%ce%b3%cf%89%ce%bc%ce%b1/ HTTP/1.1
Host: xxxxx
Connection: Keep-Alive
Accept-Encoding: gzip
CF-IPCountry: GR
X-Forwarded-For: 2axxxxxxx52
CF-RAY: 52dcxxxxxd9e2b-ATH
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36
sec-fetch-user: ?1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: same-origin
sec-fetch-mode: navigate
referer: https://xxxxxxxxxxx-ton-prespon-meta-to-mploko-tis-ee/
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cookie: xxxxxxxx
CF-Connecting-IP: 2a02xxxxxxxx52
CDN-Loop: cloudflare

--3a37be6f-F--
HTTP/1.1 403 Forbidden

--3a37be6f-H--
Message: Access denied with code 403 (phase 2). Test 'REQUEST_URI' against '@validateUrlEncoding' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed/12_HTTP_Protocol.conf"] [line "65"] [id "210381"] [rev "6"] [msg "COMODO WAF: URL Encoding Abuse Attack Attempt"] [logdata "/tag/%cf%80%ce%b1%ce%b3%cf%89%ce%bc%ce%b1/=/tag/%cf%80%ce%b1%ce%b3%cf%89%ce%bc%ce%b1/"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] [MatchedString "/tag/%cf%80%ce%b1%ce%b3%cf%89%ce%bc%ce%b1/"]

--3a37be6f-Z--

Hi
We are working on this.

Hi
You can disable the rule to avoid this, and use the CWAF plugin in standalone mode for a while in cPanel, or use the bash command line for rules management.

Using the latest WordPress and Gravity Forms plugin. This is a multi-page form. I've had the form set up for 2 years and typically haven't had problems. What's unique about this input that is setting it off?

Plugin version=2.18.2
Last available version=2.24.5
Installed rules version=1.229
Available rules version=1.229
Installed for web platform=Apache

[Thu Jan 23 01:25:33.846396 2020] [:error] [pid 95220] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:[\\\\t\\\\n\\\\r ()]case[\\\\t\\\\n\\\\r ]{0,}?\\\\()|(?:\\\\)[\\\\t\\\\n\\\\r ]{0,}?like[\\\\t\\\\n\\\\r ]{0,}?\\\\()|(?:having[\\\\t\\\\n\\\\r ]{0,}?[^\\\\t\\\\n\\\\r ]{1,}[\\\\t\\\\n\\\\r ]{0,}?[^a-zA-Z0-9\\\\t\\\\n\\\\r _])|(?:if[\\\\t\\\\n\\\\r ]{0,1}\\\\([a-zA-Z0-9_][\\\\t\\\\n\\\\r ]{0,}?[<=>~])|(\\\\-\\\\w+? ..." at ARGS:input_65. [file "/usr/local/cwaf/rules/22_SQL_SQLi.conf"] [line "33"] [id "211700"] [rev "6"] [msg "COMODO WAF: Detects conditional SQL injection attempts||example.com|F|2"] [data "Matched Data: having me, found within ARGS:input_65: So, I asked my Dad one evening - Was I planned and his answer was yes. I am very reluctant to believe it. So, I asked him what really happened with he and my Mom. He said after having me, she changed completely. \\x0d\\x0a\\x0d\\x0aThen I also found out that some replacement text and is why we left.  \\x0d\\x0a"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.com"] [uri "/intake-form-2-2/"] [unique_id "Xij2DQoAAAQAAXP0wz4AAAAH"]
root@examplecom-prod:/var/log/apache2# grep 211700 /usr/local/cwaf/rules/22_SQL_SQLi.conf
	"id:211700,msg:'COMODO WAF: Detects conditional SQL injection attempts||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.sqli_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:urlDecodeUni,rev:6,severity:2,tag:'CWAF',tag:'SQLi'"
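The vendor's fallback advice earlier in this thread is to disable the offending rule. Added example, not code from the thread, from Comodo or from the ModSecurity project: a small Python triage script that reads the Message: line of a ModSecurity 2.x audit-log H section (the format shown in the reports above), pulls out the rule id and the exact variable the operator fired on, and proposes the narrowest exclusion instead of removing the rule. The sample messages are constructed, abbreviated copies of lines quoted in this thread with the hostnames replaced; SecRuleUpdateTargetById and SecRuleRemoveById are real ModSecurity 2.x directives, and everything else (function names, the NARROWABLE set, the path map) is this script's own.

```python
"""Triage a ModSecurity 2.x audit-log "H" section and propose the narrowest
exclusion for a false positive instead of switching the whole rule off.

Added example for this thread, not CWAF's or ModSecurity's own code.
SAMPLE_MESSAGES is constructed from shortened lines quoted in this thread;
SecRuleUpdateTargetById and SecRuleRemoveById are real ModSecurity 2.x
directives, everything else is this script's own logic and naming.
"""
import re

# Constructed samples, abbreviated from Message: lines quoted in this thread.
SAMPLE_MESSAGES = [
    'Message: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:input_65. '
    '[file "/usr/local/cwaf/rules/22_SQL_SQLi.conf"] [line "33"] [id "211700"] [rev "6"] '
    '[msg "COMODO WAF: Detects conditional SQL injection attempts||example.com|F|2"] '
    '[data "Matched Data: having me, found within ARGS:input_65: ..."] [severity "CRITICAL"]',
    'Message: Access denied with code 403 (phase 3). Match of "validateByteRange 0-31" '
    'against "ARGS:downloaders" required. [file ".../30_Apps_OtherApps.conf"] [line "6651"] '
    '[id "243420"] [rev "3"] [msg "COMODO WAF: Information disclosure vulnerability in '
    'Eclipse Jetty before 9.2.9.v20150224 (CVE-2015-2080)||www.example.com|F|2"] '
    '[severity "CRITICAL"]',
    "Message: Access denied with code 403 (phase 2). Test 'REQUEST_URI' against "
    "'@validateUrlEncoding' is true. [file \".../12_HTTP_Protocol.conf\"] [line \"65\"] "
    '[id "210381"] [rev "6"] [msg "COMODO WAF: URL Encoding Abuse Attack Attempt"] '
    '[severity "WARNING"]',
]

TAG_RE = re.compile(r'\[(id|msg|file|line|rev|severity) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator fired on.  ModSecurity phrases it three ways:
#   Pattern match "..." at VAR.
#   Match of "op" against "VAR" required.
#   Test 'VARLIST' against '@op' is true.
TARGET_RE = re.compile(
    r'(?: at (?P<at>[A-Z_]+(?::[^\s.]+)?)\.'
    r'| against "(?P<against>[A-Z_]+(?::[^"]+)?)" required'
    r"| Test '(?P<test>[^']+)' against)"
)
# Collections whose single members can be carved out with SecRuleUpdateTargetById.
# REQUEST_URI, REQUEST_BODY and a whole variable list cannot be narrowed that way.
NARROWABLE = {"ARGS", "ARGS_GET", "ARGS_POST", "ARGS_NAMES", "REQUEST_COOKIES", "REQUEST_HEADERS"}


def parse_message(line):
    """Pull id/msg/file/line/... plus the fired-on variable out of one Message: line."""
    fields = dict(TAG_RE.findall(line))
    m = TARGET_RE.search(line)
    fields["target"] = (m.group("at") or m.group("against") or m.group("test")) if m else None
    return fields


def propose_exclusion(fields, uri=None):
    """Narrowest exclusion first: one parameter, then one path, then the whole rule."""
    rule_id = fields["id"]
    coll, _, member = (fields.get("target") or "").partition(":")
    if coll in NARROWABLE and member:
        # Keep the rule; stop feeding it this one parameter.
        return f'SecRuleUpdateTargetById {rule_id} "!{coll}:{member}"'
    if uri:
        # No single parameter to exclude: silence the rule for this path only.
        return (f'<LocationMatch "^{re.escape(uri)}">\n'
                f'    SecRuleRemoveById {rule_id}\n'
                f'</LocationMatch>')
    # The vendor's fallback advice.  This drops the rule for every request on
    # the host, so report the false positive upstream as well.
    return f"SecRuleRemoveById {rule_id}"


def triage(messages, uris=None):
    """Return (rule id, short msg, fired-on variable, proposed directive) per message."""
    uris = uris or {}
    rows = []
    for line in messages:
        f = parse_message(line)
        rows.append((f["id"], f["msg"].split("||")[0], f["target"],
                     propose_exclusion(f, uris.get(f["id"]))))
    return rows


if __name__ == "__main__":
    # uris: paths to scope a SecRuleRemoveById to when no parameter can be excluded.
    for rid, msg, target, fix in triage(SAMPLE_MESSAGES, {"210381": "/tag/"}):
        print(f"{rid}  {msg}\n  fired on: {target}\n{fix}\n")
```

Run on the Gravity Forms report above, this yields SecRuleUpdateTargetById 211700 "!ARGS:input_65": the rule keeps inspecting every other field and only the one free-text field that contained "having me" is skipped, which is a far smaller hole than removing an SQLi rule from the whole host. The same shape of fix shows up later on this page: rev 4 of rule 243420 already carries !ARGS:downloaders in its variable list, where rev 3 had matched ARGS:downloaders. When a rule fires on REQUEST_URI, as 210381 did on the Greek tag path, there is no parameter to exclude, so the script scopes SecRuleRemoveById to the path inside a LocationMatch instead of disabling the rule site-wide.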

Shark007’s FREE Codec solutions
https://shark007.net

Please unblock this domain.

  1. 243420
  2. WordPress 5.4.2 + UpdraftPlus Version: 1.16.26 Plugin
--f5cd0263-A--
[14/Jul/2020:18:57:13 +0100] Xw3x9-KCL10WxvcThLXKFQAAlQk 11.50.196.11 59054 11.12.11.5 443
--f5cd0263-B--
GET /wp-admin/admin-ajax.php?action=updraft_ajax&subaction=activejobs_list&nonce=ab9d6b6c98&downloaders= HTTP/2.0
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.xxxxxx.com/wp-admin/options-general.php?page=updraftplus
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_sec_66fb718014e5f3200c5e68861d9aa569=User1%7C1594726770%7CxLo1lzK4bwTqR4zZnxlMiqhI5m3XTkUkFp2BBOzatXb%7C59d417b4785c5fdbfe2a68400c9c22fd5ffc066f6cced4358f38b383c63c23eb; PHPSESSID=c5a530c6a0a549e7ce6a2be0633298e9; wordpress_test_cookie=WP+Cookie+check; tk_ai=woo%3AIaFGXcVWB5Xtdc%2BxpSF0WO%2Bv; wordpress_logged_in_66fb718014e5f3200c5e68861d9aa569=User1%7C1594726770%7CxLo1lzK4bwTqR4zZnxlMiqhI5m3XTkUkFp2BBOzatXb%7C2dab6196c1622d76a260d42e9525264b2858d4a2eaa5cf530fe93d8df874dad6; wp-settings-time-1=1594556450; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; ucp_tabs=0
Host: www.xxxxxx.com

--f5cd0263-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/7.4.7
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: close
Content-Type: text/html; charset=iso-8859-1

--f5cd0263-H--
Message: Access denied with code 403 (phase 3). Match of "validateByteRange 0-31" against "ARGS:downloaders" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/30_Apps_OtherApps.conf"] [line "6651"] [id "243420"] [rev "3"] [msg "COMODO WAF: Information disclosure vulnerability in Eclipse Jetty before 9.2.9.v20150224 (CVE-2015-2080)||www.xxxxxx.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 11.50.196.11] ModSecurity: Access denied with code 403 (phase 3). Match of "validateByteRange 0-31" against "ARGS:downloaders" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/30_Apps_OtherApps.conf"] [line "6651"] [id "243420"] [rev "3"] [msg "COMODO WAF: Information disclosure vulnerability in Eclipse Jetty before 9.2.9.v20150224 (CVE-2015-2080)||www.xxxxxx.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.xxxxxx.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "Xw3x9-KCL10WxvcThLXKFQAAlQk"]
Action: Intercepted (phase 3)
Apache-Handler: application/x-httpd-ea-php56___lsphp
Stopwatch: 1594749431828189 1670096 (- - -)
Stopwatch2: 1594749431828189 1670096; combined=4149, p1=502, p2=3328, p3=119, p4=0, p5=155, sr=232, sw=45, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
WebApp-Info: "default" "66fb718014e5f3200c5e68861d9aa569" "-"
Engine-Mode: "ENABLED"

--f5cd0263-Z--

FP will be fixed in the next rules release

Rule: 212740
WHMCS 7.10.2
CentOS 7 7.8.2003
Apache 2.4.41
Interworx 6.7.4

To reproduce the issue, all I have to do is log into the Admin of WHMCS, go to Setup → General Settings, and click “Save Changes.”

Audit Log:

--f3d2d37b-A--
[19/Jul/2020:15:07:07 --0400] XxSZ23xyddQ6gvYsArxSdgAAAA8 123.456.7.8 40108 12.345.67.8 443
--f3d2d37b-B--
POST /whmcs/admin/configgeneral.php?action=save HTTP/2.0
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://thedomain.com/whmcs/admin/configgeneral.php?nocache=8jMadJTK1R3HKffs
Content-Type: application/x-www-form-urlencoded
Content-Length: 13059
Origin: https://thedomain.com
Cookie: sortdata=eyJzeXN0ZW1tYWlsaW1wb3J0bG9nb3JkZXJieSI6ImRhdGUiLCJzeXN0ZW1tYWlsaW1wb3J0bG9nb3JkZXIiOiJBU0MiLCJjb25maWd0aWNrZXRzcGFtY29udHJvbG9yZGVyYnkiOiJpZCIsImNvbmZpZ3RpY2tldHNwYW1jb250cm9sb3JkZXIiOiJERVNDIn0%3D; __stripe_mid=c8c36287-f644-4ad1-bdb0-09929fb20d25; wordpress_test_cookie=WP+Cookie+check; viewer7327=0c27q1cpanna44fqb369kheqc0; WHMCSde5atk1KJEyi=sddnvg771s7v7nqaia79gq7jp8; WHMCSFD=eyJ0aWNrZXRzIjp7InZpZXciOiJhY3RpdmUiLCJtdWx0aV92aWV3IjoiIiwiZGVwdGlkIjoiIiwibXVsdGlfZGVwdF9pZCI6IiIsInByaW9yaXR5IjoiIiwiY2xpZW50IjoiIiwiY2xpZW50aWQiOiIiLCJjbGllbnRuYW1lIjoiIiwic3ViamVjdCI6IiIsImVtYWlsIjoiIiwic2VhcmNoZmxhZyI6IiIsInRhZyI6IiIsIm11bHRpX3RhZ3MiOiIifSwiY2xpZW50cyI6eyJ1c2VyaWQiOiIiLCJuYW1lIjoiIiwiZW1haWwiOiIiLCJjb3VudHJ5LWNhbGxpbmctY29kZS1waG9uZSI6IiIsInBob25lIjoiIiwiZ3JvdXAiOiIiLCJzdGF0dXMiOiIiLCJhZGRyZXNzMSI6IiIsImFkZHJlc3MyIjoiIiwiY2l0eSI6IiIsInN0YXRlIjoiIiwicG9zdGNvZGUiOiIiLCJjb3VudHJ5IjoiIiwicGF5bWVudG1ldGhvZCI6IiIsImNjdHlwZSI6IiIsImNjbGFzdGZvdXIiOiIiLCJhdXRvY2NiaWxsaW5nIjoiIiwiY3JlZGl0IjoiIiwiY3VycmVuY3kiOiIiLCJzaWdudXBkYXRlcmFuZ2UiOiIiLCJsYW5ndWFnZSI6IiIsIm1hcmtldGluZ29wdGluIjoiIiwiZW1haWx2ZXJpZmljYXRpb24iOiIiLCJhdXRvc3RhdHVzIjoiIiwidGF4ZXhlbXB0IjoiIiwibGF0ZWZlZXMiOiIiLCJvdmVyZHVlbm90aWNlcyI6IiIsInNlcGFyYXRlaW52b2ljZXMiOiIiLCJjdXN0b21maWVsZHMiOiIiLCJlbWFpbDIiOiIiLCJjb3VudHJ5LWNhbGxpbmctY29kZS1waG9uZTIiOiIiLCJwaG9uZTIiOiIiLCJncm91cDIiOiIifX0%3D
Upgrade-Insecure-Requests: 1
Dnt: 1
Te: trailers
Host: thedomain.com

--f3d2d37b-C--
token=9ae9fd1e347aa52e9aa4c0be8294c416bedf797e&companyname=BCT+Publishing+LLC&email=hosting%40thedomain.com&domain=https%3A%2F%2Fthedomain.com%2Fwhmcs%2F&logourl=%2F%2Fthedomain.com%2Fwhmcs%2Fassets%2Fimg%2Flogo.png&invoicepayto=BCT+Publishing%0D%0APO+Box+7671%0D%0ACave+Creek+AZ+85327&systemurl=https%3A%2F%2Fthedomain.com%2Fwhmcs%2F&template=six&activitylimit=1000&numrecords=50&maintenancemodemessage=We+are+currently+performing+maintenance+and+will+be+back+shortly.&maintenancemodeurl=&charset=utf-8&dateformat=MM%2FDD%2FYYYY&clientdateformat=fullday&defaultcountry=US&language=english&cututf8mb4=on&tel-cc-input=1&orderdaysgrace=0&orderformtemplate=modern&orderfrmsidebartoggle=1&enabletos=on&tos=https%3A%2F%2Fthedomain.com%2Fterms-of-service%2F&autoredirecttoinvoice=gateway&shownotesfieldoncheckout=on&allowdomainstwice=on&skipfraudforexisting=on&autoprovisionexistingonly=on&allowregister=on&allowtransfer=on&allowowndomain=on&enabledomainrenewalorders=on&autorenewdomainsonpayment=on&domainautorenewdefault=on&domaintodolistentries=on&disabledomaingrace=0&domainExpiryFeeHandling=existing&ns1=ns1.thedomain.com&ns2=ns2.thedomain.com&ns3=&ns4=&ns5=&domuseclientsdetails=on&domfirstname=William&domlastname=Basore&domcompanyname=BCT+Publishing+LLC&domemail=domains%40thedomain.com&domaddress1=PO+Box+7671&domaddress2=&domcity=Cave+Creek&domstate=Arizona&dompostcode=85327&domcountry=US&country-calling-code-domphone=1&domphone=480-522-1035&mailtype=smtp&mailencoding=0&smtpport=587&smtphost=host.thedomain.com&smtpusername=system%40thedomain.com&smtppassword=************&smtpssl=tls&signature=---%0D%0ABCT+Publishing+LLC%0D%0Ahttp%3A%2F%2Fsecure.thedomain.com&emailcss=.ExternalClass%2C.ExternalClass+div%2C.ExternalClass+font%2C.ExternalClass+p%2C.ExternalClass+span%2C.ExternalClass+td%2Ch1%2Cimg%7Bline-height%3A100%25%7Dh1%2Ch2%7Bdisplay%3Ablock%3Bfont-family%3AHelvetica%3Bfont-style%3Anormal%3Bfont-weight%3A700%7D%23outlook+a%7Bpadding%3A0%7D.ExternalClass%2C.ReadMsgBody%7Bwidth%3A10
0%25%7Da%2Cblockquote%2Cbody%2Cli%2Cp%2Ctable%2Ctd%7B-webkit-text-size-adjust%3A100%25%3B-ms-text-size-adjust%3A100%25%7Dtable%2Ctd%7Bmso-table-lspace%3A0%3Bmso-table-rspace%3A0%7Dimg%7B-ms-interpolation-mode%3Abicubic%3Bborder%3A0%3Bheight%3Aauto%3Boutline%3A0%3Btext-decoration%3Anone%7Dtable%7Bborder-collapse%3Acollapse%21important%7D%23bodyCell%2C%23bodyTable%2Cbody%7Bheight%3A100%25%21important%3Bmargin%3A0%3Bpadding%3A0%3Bwidth%3A100%25%21important%7D%23bodyCell%7Bpadding%3A20px%3B%7D%23templateContainer%7Bwidth%3A600px%3Bborder%3A1px+solid+%23ddd%3Bbackground-color%3A%23fff%7D%23bodyTable%2Cbody%7Bbackground-color%3A%23FAFAFA%7Dh1%7Bcolor%3A%23202020%21important%3Bfont-size%3A26px%3Bletter-spacing%3Anormal%3Btext-align%3Aleft%3Bmargin%3A0+0+10px%7Dh2%7Bcolor%3A%23404040%21important%3Bfont-size%3A20px%3Bline-height%3A100%25%3Bletter-spacing%3Anormal%3Btext-align%3Aleft%3Bmargin%3A0+0+10px%7Dh3%2Ch4%7Bdisplay%3Ablock%3Bfont-style%3Aitalic%3Bfont-weight%3A400%3Bletter-spacing%3Anormal%3Btext-align%3Aleft%3Bmargin%3A0+0+10px%3Bfont-family%3AHelvetica%3Bline-height%3A100%25%7Dh3%7Bcolor%3A%23606060%21important%3Bfont-size%3A16px%7Dh4%7Bcolor%3Agrey%21important%3Bfont-size%3A14px%7D.headerContent%7Bbackground-color%3A%23f8f8f8%3Bborder-bottom%3A1px+solid+%23ddd%3Bcolor%3A%23505050%3Bfont-family%3AHelvetica%3Bfont-size%3A20px%3Bfont-weight%3A700%3Bline-height%3A100%25%3Btext-align%3Aleft%3Bvertical-align%3Amiddle%3Bpadding%3A0%7D.bodyContent%2C.footerContent%7Bfont-family%3AHelvetica%3Bline-height%3A150%25%3Btext-align%3Aleft%3B%7D.footerContent%7Btext-align%3Acenter%7D.bodyContent+pre%7Bpadding%3A15px%3Bbackground-color%3A%23444%3Bcolor%3A%23f8f8f8%3Bborder%3A0%7D.bodyContent+pre+code%7Bwhite-space%3Apre%3Bword-break%3Anormal%3Bword-wrap%3Anormal%7D.bodyContent+table%7Bmargin%3A10px+0%3Bbackground-color%3A%23fff%3Bborder%3A1px+solid+%23ddd%7D.bodyContent+table+th%7Bpadding%3A4px+10px%3Bbackground-color%3A%23f8f8f8%3Bborder%3A1px+solid+%23ddd%3Bfont-weight%3A700%3Bte
xt-align%3Acenter%7D.bodyContent+table+td%7Bpadding%3A3px+8px%3Bborder%3A1px+solid+%23ddd%7D.table-responsive%7Bborder%3A0%7D.bodyContent+a%7Bword-break%3Abreak-all%7D.headerContent+a+.yshortcuts%2C.headerContent+a%3Alink%2C.headerContent+a%3Avisited%7Bcolor%3A%231f5d8c%3Bfont-weight%3A400%3Btext-decoration%3Aunderline%7D%23headerImage%7Bheight%3Aauto%3Bmax-width%3A600px%3Bpadding%3A20px%7D%23templateBody%7Bbackground-color%3A%23fff%7D.bodyContent%7Bcolor%3A%23505050%3Bfont-size%3A14px%3Bpadding%3A20px%7D.bodyContent+a+.yshortcuts%2C.bodyContent+a%3Alink%2C.bodyContent+a%3Avisited%7Bcolor%3A%231f5d8c%3Bfont-weight%3A400%3Btext-decoration%3Aunderline%7D.bodyContent+a%3Ahover%7Btext-decoration%3Anone%7D.bodyContent+img%7Bdisplay%3Ainline%3Bheight%3Aauto%3Bmax-width%3A560px%7D.footerContent%7Bcolor%3Agrey%3Bfont-size%3A12px%3Bpadding%3A20px%7D.footerContent+a+.yshortcuts%2C.footerContent+a+span%2C.footerContent+a%3Alink%2C.footerContent+a%3Avisited%7Bcolor%3A%23606060%3Bfont-weight%3A400%3Btext-decoration%3Aunderline%7D%40media+only+screen+and+%28max-width%3A640px%29%7Bh1%2Ch2%2Ch3%2Ch4%7Bline-height%3A100%25%21important%7D%23templateContainer%7Bmax-width%3A600px%21important%3Bwidth%3A100%25%21important%7D%23templateContainer%2Cbody%7Bwidth%3A100%25%21important%7Da%2Cblockquote%2Cbody%2Cli%2Cp%2Ctable%2Ctd%7B-webkit-text-size-adjust%3Anone%21important%7Dbody%7Bmin-width%3A100%25%21important%7D%23bodyCell%7Bpadding%3A10px%21important%7Dh1%7Bfont-size%3A24px%21important%7Dh2%7Bfont-size%3A20px%21important%7Dh3%7Bfont-size%3A18px%21important%7Dh4%7Bfont-size%3A16px%21important%7D%23templatePreheader%7Bdisplay%3Anone%21important%7D.headerContent%7Bfont-size%3A20px%21important%3Bline-height%3A125%25%21important%7D.footerContent%7Bfont-size%3A14px%21important%3Bline-height%3A115%25%21important%7D.footerContent+a%7Bdisplay%3Ablock%21important%7D.hide-mobile%7Bdisplay%3Anone%3B%7D%7D&emailglobalheader=++++++++++++%3C%21DOCTYPE+html+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+XHTML+1.0+Trans
itional%2F%2FEN%22+%22http%3A%2F%2Fwww.w3.org%2FTR%2Fxhtml1%2FDTD%2Fxhtml1-transitional.dtd%22%3E%0D%0A%3Chtml+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%22%3E%0D%0A++++%3Chead%3E%0D%0A++++++++%3Cmeta+http-equiv%3D%22Content-Type%22+content%3D%22text%2Fhtml%3B+charset%3D%7B%24charset%7D%22+%2F%3E%0D%0A++++++++%3Cmeta+name%3D%22viewport%22+content%3D%22width%3Ddevice-width%2C+initial-scale%3D1%2C+maximum-scale%3D1%2C+user-scalable%3Dno%22%3E%0D%0A++++++++%3Cstyle+type%3D%22text%2Fcss%22%3E%0D%0A++++++++++++%5BEmailCSS%5D%0D%0A++++++++%3C%2Fstyle%3E%0D%0A++++%3C%2Fhead%3E%0D%0A++++%3Cbody+leftmargin%3D%220%22+marginwidth%3D%220%22+topmargin%3D%220%22+marginheight%3D%220%22+offset%3D%220%22%3E%0D%0A++++++++%3Ccenter%3E%0D%0A++++++++++++%3Ctable+align%3D%22center%22+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22+height%3D%22100%25%22+width%3D%22100%25%22+id%3D%22bodyTable%22%3E%0D%0A++++++++++++++++%3Ctr%3E%0D%0A++++++++++++++++++++%3Ctd+align%3D%22center%22+valign%3D%22top%22+id%3D%22bodyCell%22%3E%0D%0A++++++++++++++++++++++++%3Ctable+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22+id%3D%22templateContainer%22%3E%0D%0A++++++++++++++++++++++++++++%3Ctr%3E%0D%0A++++++++++++++++++++++++++++++++%3Ctd+align%3D%22center%22+valign%3D%22top%22%3E%0D%0A++++++++++++++++++++++++++++++++++++%3Ctable+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22+width%3D%22100%25%22+id%3D%22templateHeader%22%3E%0D%0A++++++++++++++++++++++++++++++++++++++++%3Ctr%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++%3Ctd+valign%3D%22top%22+class%3D%22headerContent%22%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%3Ca+href%3D%22%7B%24company_domain%7D%22%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++++++%3Cimg+src%3D%22%7B%24company_logo_url%7D%22+style%3D%22max-width%3A600px%3Bpadding%3A20px%22+id%3D%22headerImage%22+alt%3D%22%7B%24company_name%7D%22+%2F%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++%3C%2Ftd%3E%0D%0A++++++++++
++++++++++++++++++++++++++++++%3C%2Ftr%3E%0D%0A++++++++++++++++++++++++++++++++++++%3C%2Ftable%3E%0D%0A++++++++++++++++++++++++++++++++%3C%2Ftd%3E%0D%0A++++++++++++++++++++++++++++%3C%2Ftr%3E%0D%0A++++++++++++++++++++++++++++%3Ctr%3E%0D%0A++++++++++++++++++++++++++++++++%3Ctd+align%3D%22center%22+valign%3D%22top%22%3E%0D%0A++++++++++++++++++++++++++++++++++++%3Ctable+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22+width%3D%22100%25%22+id%3D%22templateBody%22%3E%0D%0A++++++++++++++++++++++++++++++++++++++++%3Ctr%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++%3Ctd+valign%3D%22top%22+class%3D%22bodyContent%22%3E++++++++&emailglobalfooter=++++++++++++%3C%2Ftd%3E%0D%0A++++++++++++++++++++++++++++++++++++++++%3C%2Ftr%3E%0D%0A++++++++++++++++++++++++++++++++++++%3C%2Ftable%3E%0D%0A++++++++++++++++++++++++++++++++%3C%2Ftd%3E%0D%0A++++++++++++++++++++++++++++%3C%2Ftr%3E%0D%0A++++++++++++++++++++++++++++%3Ctr%3E%0D%0A++++++++++++++++++++++++++++++++%3Ctd+align%3D%22center%22+valign%3D%22top%22%3E%0D%0A++++++++++++++++++++++++++++++++++++%3Ctable+border%3D%220%22+cellpadding%3D%220%22+cellspacing%3D%220%22+width%3D%22100%25%22+id%3D%22templateFooter%22%3E%0D%0A++++++++++++++++++++++++++++++++++++++++%3Ctr%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++%3Ctd+valign%3D%22top%22+class%3D%22footerContent%22%3E%0D%0A+++++++++++++++++++++++++++++++++++++++++++++++++%3Ca+href%3D%22%7B%24company_domain%7D%22%3Evisit+our+website%3C%2Fa%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%3Cspan+class%3D%22hide-mobile%22%3E+%7C+%3C%2Fspan%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%3Ca+href%3D%22%7B%24whmcs_url%7D%22%3Elog+in+to+your+account%3C%2Fa%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%3Cspan+class%3D%22hide-mobile%22%3E+%7C+%3C%2Fspan%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%3Ca+href%3D%22%7B%24whmcs_url%7Dsubmitticket.php%22%3Eget+support%3C%2Fa%3E+%3Cbr+%2F%3E%0D%0A++++++++++++++++++++++++++++++++++++++++++++
++++Copyright+%C2%A9+%7B%24company_name%7D%2C+All+rights+reserved.%0D%0A++++++++++++++++++++++++++++++++++++++++++++%3C%2Ftd%3E%0D%0A++++++++++++++++++++++++++++++++++++++++%3C%2Ftr%3E%0D%0A++++++++++++++++++++++++++++++++++++%3C%2Ftable%3E%0D%0A++++++++++++++++++++++++++++++++%3C%2Ftd%3E%0D%0A++++++++++++++++++++++++++++%3C%2Ftr%3E%0D%0A++++++++++++++++++++++++%3C%2Ftable%3E%0D%0A++++++++++++++++++++%3C%2Ftd%3E%0D%0A++++++++++++++++%3C%2Ftr%3E%0D%0A++++++++++++%3C%2Ftable%3E%0D%0A++++++++%3C%2Fcenter%3E%0D%0A++++%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E++++++++&systememailsfromname=BCT+Publishing&systememailsfromemail=support%40thedomain.com&bccmessages=&contactformdept=&contactformto=hosting%40thedomain.com&supportmodule=&ticketmask=%25n%25n%25n%25n%25n%25n&supportticketorder=ASC&ticketEmailLimit=10&requireloginforclienttickets=on&supportticketkbsuggestions=on&attachmentthumbnails=on&ticketratingenabled=on&ticket_add_cc=0&ticket_add_cc=1&lastreplyupdate=always&allowedfiletypes=.jpg%2C.gif%2C.jpeg%2C.png%2C.doc%2C.zip%2C.tar.gz%2C.gz%2Cxls%2C.php%2C.html%2C.htm%2C.txt%2C.sql&networkissuesrequirelogin=on&enablemetricinvoicing=on&enablepdfinvoices=on&pdfpapersize=Letter&tcpdffont=helvetica&tcpdffontcustom=&enablemasspay=on&allowcustomerchangeinvoicegateway=on&groupsimilarlineitems=on&sequentialinvoicenumbering=0&sequentialinvoicenumberformat=%7BNUMBER%7D&sequentialinvoicenumbervalue=&latefeetype=Fixed+Amount&invoicelatefeeamount=5.00&latefeeminimum=0.00&acceptedcctypes%5B%5D=Visa&acceptedcctypes%5B%5D=MasterCard&acceptedcctypes%5B%5D=Discover&acceptedcctypes%5B%5D=American+Express&invoiceincrement=1&invoicestartnumber=&addfundsminimum=10.00&addfundsmaximum=100.00&addfundsmaximumbalance=300.00&addfundsrequireorder=on&noautoapplycredit=on&creditondowngrade=on&affiliateearningpercent=0&affiliatebonusdeposit=0.00&affiliatepayout=25.00&affiliatesdelaycommission=0&affiliatedepartment=1&affiliatelinks=&captchasetting=offloggedin&captchatype=recaptcha&captchaform%5BdomainChecker%5D=o
n&captchaform%5Bregistration%5D=on&captchaform%5BcontactUs%5D=on&captchaform%5BsubmitTicket%5D=on&recaptchapublickey=6LcUOIIUAAAAAHAgKmKaZulhmDD7OIJeFHWfKg7U&recaptchaprivatekey=6LcUOIIUAAAAADnx4HHRnT0HXsWuwqC4_DJA_eil&autogeneratedpwformat=&requiredpwstrength=50&invalidloginsbanlength=15&ccallowcustomerdelete=on&allowsmartyphptags=0&proxyheader=&csrftoken_ns_WHMCS_ns_default=on&csrftoken_ns_WHMCS_ns_domainchecker=off&allowautoauth=0&twitterusername=&marketingreqoptin=0&marketingoptinmessage=We+would+like+to+send+you+occasional+news%2C+information+and+special+offers+by+email.+To+join+our+mailing+list%2C+simply+tick+the+box+below.+You+can+unsubscribe+at+any+time.&clientdisplayformat=1&allow_client_email_preferences=0&allow_client_email_preferences=1&sendemailnotificationonuserdetailschange=on&showcancel=on&affreport=on&bannedsubdomainprefixes=mail%2Cmx%2Cgapps%2Cgmail%2Cwebmail%2Ccpanel%2Cwhm%2Cftp%2Cclients%2Cbilling%2Cmembers%2Clogin%2Caccounts%2Caccess&enablesafeinclude=1&logerrors=on&tab=0
--f3d2d37b-F--
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 23 Apr 2014 18:36:22 GMT
Accept-Ranges: bytes
Content-Length: 613
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=15768000
Connection: close
Content-Type: text/html; charset=UTF-8

--f3d2d37b-H--
Message: Access denied with code 403 (phase 2). Pattern match "image\\/svg\\+xml|text\\/(?:css|html|(?:x-)?(?:(?:ecma|java|vb)script|scriptlet)).|.application\\/x-shockwave-flash" at ARGS_POST:emailglobalheader. [file "/etc/httpd/modsecurity.d/cwaf/07_XSS_XSS.conf"] [line "69"] [id "212740"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||thedomain.com|F|2"] [data "Matched Data: text/html; found within ARGS_POST:emailglobalheader: <!doctypehtmlpublic\x22-//w3c//dtdxhtml1.0transitional//en\x22\x22http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd\x22><htmlxmlns=\x22http://www.w3.org/1999/xhtml\x22><head><metahttp-equiv=\x22content-type\x22content=\x22text/html;charset={$charset}\x22/><metaname=\x22viewport\x22content=\x22width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no\x22><styletype=\x22text/css\x22>[emailcss]</style></head><bodyleftmargin=\..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.456.7.8] ModSecurity: Access denied with code 403 (phase 2). Pattern match "image\\\\\\\\/svg\\\\\\\\+xml|text\\\\\\\\/(?:css|html|(?:x-)?(?:(?:ecma|java|vb)script|scriptlet)).|.application\\\\\\\\/x-shockwave-flash" at ARGS_POST:emailglobalheader. [file "/etc/httpd/modsecurity.d/cwaf/07_XSS_XSS.conf"] [line "69"] [id "212740"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||thedomain.com|F|2"] [data "Matched Data: text/html; found within ARGS_POST:emailglobalheader: <!doctypehtmlpublic\\\\x22-//w3c//dtdxhtml1.0transitional//en\\\\x22\\\\x22http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd\\\\x22><htmlxmlns=\\\\x22http://www.w3.org/1999/xhtml\\\\x22><head><metahttp-equiv=\\\\x22content-type\\\\x22content=\\\\x22text/html;charset={$charset}\\\\x22/><metaname=\\\\x22viewport\\\\x22content=\\\\x22width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no\\\\x22><styletype=\\\\x22text/css\\\\x22>[emailcss]</style></head><bodyleftmargin=\\\\..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "thedomain.com"] [uri "/whmcs/admin/configgeneral.php"] [unique_id "XxSZ23xyddQ6gvYsArxSdgAAAA8"]
Apache-Error: [file "mod_include.c"] [line 3843] [level 4] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /403.shtml
Action: Intercepted (phase 2)
Stopwatch: 1595185627563774 175754 (- - -)
Stopwatch2: 1595185627563774 175754; combined=10748, p1=261, p2=10425, p3=0, p4=0, p5=62, sr=47, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--f3d2d37b-Z--

  1. 211170
  2. WordPress 5.3.4 + Tickera (Premium) 3.4.6.9
--fe749351-A--
[28/Jul/2020:15:29:27 +0100] XyA2QiU5zeKLPzfOuRzXMwABCQo 11.222.333.44 56887 555.66.77.8 443
--fe749351-B--
GET /t-order-c/xxxx/?stripe_session_id=cs_live_xxxxxx HTTP/2.0
Cookie: __stripe_mid=xxxx; __stripe_sid=xxxx; cart_info_xxxxx=%7B%22total%22%3A10%2C%22coupon_code%22%3A%22%22%2C%22currency%22%3A%22%xxxx%22%2C%22buyer_data%22%3A%7B%22first_name_post_meta%22%3A%22xxxx%22%2C%22last_name_post_meta%22%3A%22xxxx%22%2C%22email_post_meta%22%3A%22xxxx%40xxxx.com%22%2C%22tc_ff_telephonenumber_tcfn_xxxx_post_meta%22%3A%22xxxx%22%2C%22tc_ff_housenamenumber_tcfn_8872_post_meta%22%3A%22xxxx%22%2C%22tc_ff_streetname_tcfn_8177_post_meta%22%3A%22xxxx%22%2C%22tc_ff_town_tcfn_xxxx_post_meta%22%3A%22xxxxxxxx%22%2C%22tc_ff_county_tcfn_4434_post_meta%22%3A%22xxxx%22%2C%22tc_ff_postcode_tcfn_xxxx_post_meta%22%3A%xxxx%22%2C%22tc_ff_carregistration_tcfn_xxxx_post_meta%22%3A%22xxxx%22%2C%22tc_ff_customercomments_tcfn_xxxx_post_meta%22%3A%22%22%7D%2C%22owner_data%22%3A%7B%22ticket_type_id_post_meta%22%3A%7B%xxxx%22%3A%5B%xxxx%22%5D%7D%7D%2C%22gateway%22%3A%22stripe%22%2C%22gateway_admin_name%22%3A%22Stripe%22%2C%22gateway_class%22%3A%22TC_Gateway_Stripe%22%7D; tc_order_xxxx=xxxx; __utma=xxxx; __utmb=xxxx; __utmc=xxxx; __utmz=xxxx.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _ga=xxxx; _gid=xxxx; tc_cart_xxxx=%7B%xxxx%22%3A1%7D; __utmt=1; tk_ai=woo%3A%xxxx; PHPSESSID=xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) xxxx
Accept-Language: en-gb
Referer: https://checkout.stripe.com/pay/cs_live_xxxx
Host: www.xxxxx.co.uk

--fe749351-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/7.2.32
Vary: Accept-Encoding,Cookie,User-Agent
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Link: <https://www.xxxxx.co.uk/wp-json/>; rel="https://api.w.org/", <https://www.xxxxx.co.uk/?p=xxxx>; rel=shortlink
Set-Cookie: tc_cart_xxxx=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: tc_cart_seats_xxxx=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: cart_info_xxxx=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: tc_order_xxxx=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Connection: close
Content-Type: text/html; charset=UTF-8

--fe749351-H--
Message: Access denied with code 403 (phase 2). Match of "endsWith %{request_headers.host}" against "TX:1" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/02_Global_Generic.conf"] [line "45"] [id "211170"] [rev "3"] [msg "COMODO WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||www.xxxxx.co.uk|F|2"] [data "Matched Data: https://checkout.stripe.com/ found within ARGS_NAMES:stripe_session_id: checkout.stripe.com"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 11.222.333.44] ModSecurity: Access denied with code 403 (phase 2). Match of "endsWith %{request_headers.host}" against "TX:1" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/02_Global_Generic.conf"] [line "45"] [id "211170"] [rev "3"] [msg "COMODO WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||www.xxxxx.co.uk|F|2"] [data "Matched Data: https://checkout.stripe.com/ found within ARGS_NAMES:stripe_session_id: checkout.stripe.com"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "www.xxxxx.co.uk"] [uri "/t-order-c/xxxx/"] [unique_id "XyA2QiU5zeKLPzfOuRzXMwABCQo"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-ea-php56___lsphp
Stopwatch: 1595946562504517 4514144 (- - -)
Stopwatch2: 1595946562504517 4514144; combined=1029, p1=600, p2=337, p3=0, p4=0, p5=91, sr=83, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--fe749351-Z--
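What rule 211170 is actually testing, as an added example that is not part of the thread and not Comodo's rule text: the audit log above shows a chain (a query parameter whose name matched, reported as ARGS_NAMES:stripe_session_id; the Referer host captured into TX:1; then "endsWith %{request_headers.host}" required on TX:1). The Python below re-implements that chain and runs it over constructed requests modeled on the Tickera/Stripe return in the report. SESSION_PARAM is this example's assumed name list (the log only shows that stripe_session_id satisfied it), the hostnames are placeholders, and the function names are this example's own.

```python
"""Re-implementation of the session-fixation check behind CWAF rule 211170,
as far as the audit log in this thread reveals it.  Added example; not
Comodo's rule text.  SESSION_PARAM is an assumption, hostnames are
placeholders, and the sample requests are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: parameter *names* the rule treats as session identifiers.  The
# log only tells us that "stripe_session_id" satisfied it.
SESSION_PARAM = re.compile(
    r"(?:jsessionid|phpsessid|asp\.net_sessionid|session[_-]?id|cfid|cftoken)", re.I
)


def referer_host(referer):
    """TX:1 in the rule: the host part of the Referer, or None if there is none."""
    if not referer:
        return None
    return urlsplit(referer).hostname


def session_fixation_check(_method, uri, headers):
    """Return (param_name, referer_host) if the chain would block, else None."""
    host = headers.get("Host", "").lower()
    names = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    # Link 1: a query parameter whose *name* looks like a session id
    # (ARGS_NAMES, not the value).
    hit = next((n for n in names if SESSION_PARAM.search(n)), None)
    if hit is None:
        return None
    # Link 2: capture the Referer host into TX:1.  No Referer, no capture,
    # and the chain cannot complete: the check is only as good as a header
    # the client controls.
    ref = referer_host(headers.get("Referer"))
    if ref is None:
        return None
    # Link 3: "endsWith %{request_headers.host}" must hold for TX:1.  A
    # Referer on the site itself passes; any other origin is treated as
    # someone handing the visitor a session id from off-domain.
    if ref.lower().endswith(host):
        return None
    return hit, ref


# Constructed requests, modeled on the Tickera/Stripe return in the report above.
STRIPE_RETURN = ("GET", "/t-order-c/xxxx/?stripe_session_id=cs_live_xxxxxx",
                 {"Host": "www.example.co.uk",
                  "Referer": "https://checkout.stripe.com/pay/cs_live_xxxx"})
SAME_SITE = ("GET", "/t-order-c/xxxx/?stripe_session_id=cs_live_xxxxxx",
             {"Host": "www.example.co.uk",
              "Referer": "https://www.example.co.uk/checkout/"})
FIXATION = ("GET", "/login.php?PHPSESSID=attacker-chosen-value",
            {"Host": "www.example.co.uk",
             "Referer": "https://attacker.example/lure.html"})
NO_REFERER = ("GET", "/login.php?PHPSESSID=attacker-chosen-value",
              {"Host": "www.example.co.uk"})

if __name__ == "__main__":
    for label, req in [("stripe return", STRIPE_RETURN), ("same site", SAME_SITE),
                       ("fixation lure", FIXATION), ("lure, Referer stripped", NO_REFERER)]:
        print(f"{label:24s} -> {session_fixation_check(*req)}")
```

Stripe's hosted checkout sends the browser back to the merchant with stripe_session_id in the query and checkout.stripe.com as the Referer, so both links of the chain are satisfied even though nothing is planting a session identifier on the site; the third request shows the pattern the rule is meant to catch, an attacker-controlled page handing the victim a PHPSESSID. The fourth request shows the rule's limit: as implemented here the chain needs a Referer host to compare, and a lure that omits the header passes. As a site-side workaround that is narrower than removing the rule, SecRuleUpdateTargetById 211170 "!ARGS_NAMES:stripe_session_id" (a real ModSecurity 2.x directive, applied to the chain's first rule, which carries the id) stops only that one parameter name from starting the chain.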

Issue will be fixed in the next rules release

Issue will be fixed in the next rules release

  1. 243420
  2. WordPress, Caldera Forms during form submission: Screenshot 2020-08-26 at 1....
--46c4db2d-A--
[25/Aug/2020:22:05:37 +0000] RRvx@FlA8A43oP@l4KNdMvkH 94.x.x.84 58368 176.x.x.141:443 443
--46c4db2d-B--
POST /cf-api/CF5ac348b74349b HTTP/1.1
host: xxx
content-length: 2623
pragma: no-cache
cache-control: no-cache
accept: */*
x-requested-with: XMLHttpRequest
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
content-type: multipart/form-data; boundary=----WebKitFormBoundaryTUJPTqcnW8gN0O0L
origin: https://xxx
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://xxx/contact/
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cookie: xxx

--46c4db2d-F--
HTTP/1.1 403 Forbidden

--46c4db2d-H--
Message: Access denied with code 403 (phase 3). Test 'REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES|ARGS|ARGS_NAMES|REQUEST_BODY|!ARGS:data[email]|!ARGS:downloaders' against '!@validateByteRange 0-31' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed/30_Apps_OtherApps.conf"] [line "6014"] [id "243420"] [rev "4"] [msg "COMODO WAF: Information disclosure vulnerability in Eclipse Jetty before 9.2.9.v20150224 (CVE-2015-2080)"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [MatchedString "/cf-api/CF5ac348b74349b"]

--46c4db2d-Z--

  1. 210831
  2. WordPress 5.5
--6709f887-A--
[26/Aug/2020:08:11:33 +0100] uYGlPC5N5prRtjDlWRho0Jvh x.x.x.x 60366 x.x.x.x:443 443
--6709f887-B--
POST /wp-cron.php?doing_wp_cron=1598425893.3665618896484375000000 HTTP/1.1
Host: xxxxx.co.uk
User-Agent: WordPress/5.5; https://xxxxxxxxx.co.uk
Accept: */*
Accept-Encoding: deflate, gzip
Referer: https://xxxxxxxx.co.uk/wp-cron.php?doing_wp_cron=1598425893.3665618896484375000000
Connection: close
Content-Length: 0
Content-Type: application/x-www-form-urlencoded

--6709f887-F--
HTTP/1.1 403 Forbidden

--6709f887-H--
Message: Access denied with code 403 (phase 2). Test 'REQUEST_HEADERS:User-Agent' against '(?i:(?:^(?:microsoft url|user-Agent|www\.weblogs\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\bdatacha0s\b|; widows|\\\r|a(?: href=|d(?:sarobot|vanced email extractor)|gdm79@mail\.ru|miga-aweb/3\.4|t(?:hens|tache|(?:omic_email_hunt|spid)er)|utoemailspider)|b(?:ackdoor|lack hole|utch__2\.1\.1|wh3_user_agent)|c(?:h(?:e(?:esebot|rrypicker)|ina(?: local browse 2\.|claw))|o(?:mpatible(?: ;(?: msie|\.)|-)|n(?:cealed defense|t(?:actbot/|entsmartz)|veracrawler)|py(?:guard|rightcheck)|re-project/1.0)|rescent internet toolpak)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|e(?:ducate search vxb|mail(?:siphon|wolf|(?: extracto|reape)r|(siphon|spider)|(?:collec|harves|magne)t)|o browse|xtractorpro|(?:collecto|irgrabbe)r)|f(?:a(?:xobot|(?:ntombrows|stlwspid)er)|loodgate|oobar/|ull web bot|(?:iddle|ranklin locato)r)|g(?:ameBoy, powered by nintendo|ecko/25|rub(?: crawler|-client))|h(?:anzoweb|hjhj@yahoo|l_ftien_spider)|i(?:n(?:dy library|ternet(?: (?:exploiter sux|ninja)|-exprorer))|sc systems irc search 2\.1)|kenjin spider|larbin@unspecified|m(?:ailto:craftbot@yahoo\.com|i(?:crosoft (?:internet explorer/5\.0$|url control)|ssigua)|o(?:r(?:feus fucking scanner|zilla)|siac 1.|zilla/3\.mozilla/2\.01$)|urzillo compatible)|n(?:ameofagent|e(?:ssus|(?:uralbot/0\.|wt activeX; win3)2)|ikto|o(?: browser|kia-waptoolkit.{0,} googlebot.{0,}googlebot))|p(?:a(?:ckrat|nscient\.com)|cbrowser|e 1\.4|leasecrawl/1\.|mafind|oe-component-client|ro(?:duction bot|gram shareware 1\.0\.|webwalker)|s(?:urf|ycheclone))|rsync|s(?:\.t\.a\.l\.k\.e\.r\.|afexplorer tl|e(?:archbot admin@google.com|curity scan)|hai|itesnagger|(?:tress tes|urveybo)t)|t(?:ele(?:port pro|soft)|oata dragostea mea pentru diavola|uring machine|(?: {0,1}h {0,1}a {0,1}t {0,1}' {0,1}s g {0,1}o {0,1}t {0,1}t {0,1}a {0,1} h {0,1}u {0,1}r {0,1}|akeou|his is an exploi)t)|u(?:nder the rainbow 2\.|ser-agent:)|v(?:adixbot|oideye)|w(?:3mir|e(?:b(?: (?:by mail|downloader)|emailextract{0,1}|mole|vulnscan|(?:bandi|(?:altb|ro)o)t)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent)|se(?:nut){0,1}bot)|ordpress(?: hash grabber|/4\.01))|zeus(?: .{0,}webster pro){0,1}|[a-z]surf[0-9][0-9]|(?:$botname/$botvers|(script|sql) inject)ion|(compatible ; msie|msie .{1,}; .{0,}windows xp)|(?:8484 boston projec|xmlrpc exploi)t|(sogou develop spider|sohu agent)|(?:demo bot|(?:d|e)browse)|(libwen-us|myie2|murzillo compatible|webaltbot|wisenutbot)))' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed/03_Global_Agents.conf"] [line "31"] [id "210831"] [rev "2"] [msg "COMODO WAF: Rogue web site crawler"] [logdata "shai"] [severity "WARNING"] [tag "CWAF"] [tag "Agents"] [MatchedString "WordPress/5.5; https://xxxxxxx.co.uk"]

--6709f887-Z--

Before the 403 status from the WAF, the response status was 400.
The rule works well. Disable the rule for yourself if it interferes with your work.

  1. 218500
  2. Apache
  3. ruleset version 1.232

Cookies that are set by Facebook ads. sbjs_current … trm=(none)


Message:  [file "/usr/local/cwaf/rules/22_SQL_SQLi.conf"] [line "64"] [id "218500"] [rev "17"] [msg "COMODO WAF: SQLmap attack detected||autojini.com|F|2"] [data "Matched Data: |
||trm=(none) found within REQUEST_COOKIES:sbjs_current: typ=referral|||src=m.facebook.com|||mdm=referral|||cmp=(none)|||cnt=|||trm=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "
SQLi"] Access denied with code 403 (phase 2). Pattern match "[\\[\\]\\x22',()\\.]{10}$|\\b(?:union\\sall\\sselect\\s(?:(?:null|\\d+),?)+|order\\sby\\s\\d{1,4}|(?:and|or)\\s\\d{4}=\\
d{4}|waitfor\\sdelay\\s'\\d+:\\d+:\\d+'|(?:select|and|or)\\s(?:(?:pg_)?sleep\\(\\d+\\)|\\d+\\s?=\\s?(?:dbms_pipe\\.receive_message\\ ..." at REQUEST_COOKIES:sbjs_current.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 97.89.153.236] ModSecurity:  [file "/usr/local/cwaf/rules/22_SQL_SQLi.conf"] [line "64"] [id "218500"] [rev "17"]
[msg "COMODO WAF: SQLmap attack detected||autojini.com|F|2"] [data "Matched Data: |||trm=(none) found within REQUEST_COOKIES:sbjs_current: typ=referral|||src=m.facebook.com|||mdm
=referral|||cmp=(none)|||cnt=|||trm=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] Access denied with code 403 (phase 2). Pattern match "[\\\\\\\\[\\\\\\\\]\\\\\\\\x22',()
\\\\\\\\.]{10}$|\\\\\\\\b(?:union\\\\\\\\sall\\\\\\\\sselect\\\\\\\\s(?:(?:null|\\\\\\\\d+),?)+|order\\\\\\\\sby\\\\\\\\s\\\\\\\\d{1,4}|(?:and|or)\\\\\\\\s\\\\\\\\d{4}=\\\\\\\\d{4}|
waitfor\\\\\\\\sdelay\\\\\\\\s'\\\\\\\\d+:\\\\\\\\d+:\\\\\\\\d+'|(?:select|and|or)\\\\\\\\s(?:(?:pg_)?sleep\\\\\\\\(\\\\\\\\d+\\\\\\\\)|\\\\\\\\d+\\\\\\\\s?=\\\\\\\\s?(?:dbms_pipe\\
\\\\\\.receive_message\\\\\\\\ ..." at REQUEST_COOKIES:sbjs_current. [hostname "autojini.com"] [uri "/inventory/index.cfm"] [unique_id "X4zoaataGx5s@tsej7GZlAAAACo"]
Action: Intercepted (phase 2)
Stopwatch: 1603070057181949 11129 (- - -)
Stopwatch2: 1603070057181949 11129; combined=7455, p1=838, p2=6557, p3=0, p4=0, p5=60, sr=126, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

FP will be fixed in the next rules release.

I don’t want to create multiple posts. Is that okay? I use Plesk 18.0.31 ModSecurity with COMODO rules. I don’t know the version number of these rules, but they are updated daily.
I found these 4 rules that block legitimate visitors:

211270 => Pattern match “(?rint|echo|eval|exec)\(”
=> because the URL parameter includes “eval” inside a word => ?search=Karneval%20(2020)

211630 => Pattern match “(??:select|?(?:benchmark|if|sleep)\(.)”
=> because the URL parameter includes “if” inside a name => ?name=Harif%20(2020)

211650 => Pattern match “(?i?:[\x22’](?:;? ?\\b(?:having|select|union)\\b ?[^\\s]| ?! ?[\\x22'\w])|\b(?:c(?nnection_id|urrent_user)|database)\b ?\(|\bunion\b[\w(\s]?select\b|\buser ?\(|\bschema ?\(|\bselect.?\w?\buser ?\(|\binto[\s+]+(?:dump|out)fil …”
=> because the URL parameter includes “union” inside a search term => ?search=the%20re%27union%20(2020)

212790 => Pattern match “(?:alert|eval|\.fromcharcode)(?:\(|`)”
=> because the URL parameter includes “eval” inside a word => ?search=Karneval%20(2020)

Is there a list of which Comodo rule IDs must be disabled when they can be triggered by a regular search?
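Added illustration of why these four rules fire on ordinary search terms, not code from the thread or from Comodo. Pattern 212790 is taken as printed above; 211270 and 211630 are assumed reconstructions (the copies in the post are garbled), and the transformation chain (URL decode, lowercase, whitespace removal) is an assumption about how such rules normalise input before matching. The tuned variants show the defender-side fix: anchoring the keywords on a word boundary stops "Karneval" and "Harif" from matching while a bare "eval(" or "sleep(" is still caught.

```python
import re
from urllib.parse import unquote_plus

# Added example, not Comodo's rule code. 212790 is as printed in the post;
# 211270 and 211630 are assumed reconstructions of the garbled copies.
ORIGINAL = {
    "211270": re.compile(r"(?:print|echo|eval|exec)\(", re.I),
    "211630": re.compile(r"(?:benchmark|if|sleep)\(.", re.I),
    "212790": re.compile(r"(?:alert|eval|\.fromcharcode)(?:\(|`)", re.I),
}

# Same keywords behind a word boundary: "eval" glued to the end of "Karneval"
# and "if" at the end of "Harif" stop matching; a bare "eval(" still does.
TUNED = {
    "211270": re.compile(r"\b(?:print|echo|eval|exec)\(", re.I),
    "211630": re.compile(r"\b(?:benchmark|if|sleep)\(.", re.I),
    "212790": re.compile(r"(?:\b(?:alert|eval)|\.fromcharcode)(?:\(|`)", re.I),
}


def transform(raw: str) -> str:
    """Approximate the transformation chain assumed for these rules
    (urlDecode, lowercase, removeWhitespace). Dropping the whitespace is
    what turns 'Karneval (2020)' into 'karneval(2020)', so 'eval(' appears."""
    return "".join(unquote_plus(raw).lower().split())


def matching_rules(rules: dict, raw: str) -> list:
    """Return the ids of the rules whose pattern hits the transformed value."""
    value = transform(raw)
    return [rule_id for rule_id, pattern in rules.items() if pattern.search(value)]


# Constructed inputs: the two values from the post plus probe strings that a
# tuned rule must still flag.
SAMPLES = ["Karneval%20(2020)", "Harif%20(2020)", "eval(x)", "sleep(5)"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:22} original={matching_rules(ORIGINAL, sample)} "
              f"tuned={matching_rules(TUNED, sample)}")
```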

  1. 211170
  2. Ruby on Rails v6.0.3.4

--0df3522b-H--
Message: Access denied with code 403 (phase 2). Match of "contains %{SERVER_NAME}" against "REQUEST_HEADERS:referer" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "45"] [id "211170"] [rev "5"] [msg "COMODO WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||xxxxxx.com|F|2"] [data "Matched Data: 47.196.206.45 found within ARGS_NAMES:session_id: https://checkout.stripe.com/pay/cs_live_a06mLOe9zK3LUdkvng08IHc4xo0lrQrnyLYsw6S0Ldum8cnwUC0AJ5HEbb"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 108.162.212.147] ModSecurity: Access denied with code 403 (phase 2). Match of "contains %{SERVER_NAME}" against "REQUEST_HEADERS:referer" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "45"] [id "211170"] [rev "5"] [msg "COMODO WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||xxxxxx.com|F|2"] [data "Matched Data: 47.196.206.45 found within ARGS_NAMES:session_id: https://checkout.stripe.com/pay/cs_live_a06mLOe9zK3LUdkvng08IHc4xo0lrQrnyLYsw6S0Ldum8cnwUC0AJ5HEbb"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "xxxxxx.com"] [uri "/order/stripe_thankyou"] [unique_id "X6dYva6ExZS[at]LVcOeMc7MwAAAEE"]
Action: Intercepted (phase 2)
Stopwatch: 1604802749868529 4744 (- - -)
Stopwatch2: 1604802749868529 4744; combined=1434, p1=925, p2=383, p3=0, p4=0, p5=126, sr=157, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"