False Positive

Access denied with code 403 (phase 2). Pattern match "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'"][^=]{1,10}[\'"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" at ARGS:Post. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "313"] [id "211580"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: and 3 found within ARGS:Post:

\x0a
\x0aSimone Peach Megapack49 Videos | 11.84 GB \x0aBabe Name:\x0aMandy Saxo\x0aProfession:\x0aPorn Star\x0aFeature Dancer: No\x0aEthnicity: Caucasian\x0aCountry of Origin: Czech Republic\x0aProvince / State: Praha\x0aPlace of Birth: Praha\x0aDate of Birth: November 10, 1983 (30 years old)\x0aAstrological Sign: Scorpio (Oct 23 – Nov 21)\x0aAliases: Simon Peach, Simone Style, Anita Paycheck, Simona Style, Sim…"] [severity "CRITICAL"]

/index.php?s=dc0c50b40dcd2cbcbc72113a6a6ef4f3&app=forums&module=ajax&section=topics&do=editBoxSave&p=1328688&t=86715&f=58 HTTP/1.0

phpBB forum

Will be fixed with next update.
Thank you.

Rule 383b680 [id "220042"][file "/var/cpanel/cwaf/rules/cwaf_05.conf"][line "116"] - Execution error - PCRE limits exceeded (-8): (null).

/praveer_v2/wp-admin/post.php HTTP/1.1

302

Solution?

Sometimes this error is fixed by increasing SecPcreMatchLimit and SecPcreMatchLimitRecursion in the mod_security configuration file.

Access denied with code 403 (phase 2). Pattern match "(media|post|post_new)\.php" at Request_URI. [file "/var/cpanel/cwaf/rules/cwaf_05.conf"] [line "1780"] [id "220830"] [msg "COMODO WAF: COMODO WAF: Blocking XSS attack"]

/wp-comments-post.php HTTP/1.1

Will be fixed with next update. Thank you.

[Sat Jul 12 00:28:59 2014] [error] [client 117.224.22.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:/cc(?:$|[\\t\\n\\r \"'\\-;|])|(?:\\\\b(curl|wget)|[;|][^a-zA-Z0-9_]{0,}?\\bcc)\\b)" at ARGS_NAMES:curl. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "24"] [id "211000"] [msg "COMODO WAF: System Command Injection"] [data "Matched Data: curl found within ARGS_NAMES:curl: curl"] [severity "CRITICAL"] [hostname "new.enhanc.com"] [uri "/upgrade-account.php"] [unique_id "U8C5i7ia3joAAEZ0ZhYAAAAI"]

/mod_pagespeed_beacon?url=http%3A%2F%2Fwww.ntierinfotech.com%2F HTTP/1.1

Access denied with code 403 (phase 2). Pattern match "(?i:["'][ ]{0,}(([^a-z0-9 ':_~])|(in)).{0,}?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))|((o|(\\u006F))(n|( …" at ARGS:cs. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "1093"] [id "213070"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."] [data "Matched Data: \x22],#contact-textarea,#contact-textarea textarea,#filters,#filters ul,#filters ul li,#filters ul li a,#filters ul li a h3,#filters ul li a.active h3,#google-map,#home-slider .flex-control-nav,#home-slider .flex-control-nav li a,#home-slider .flex-control-nav li a.flex-active,#home_img,#nav .sub-menu,#nav .sub-menu li,#nav .sub-menu li a,#portfolio,#portfolio-wrap,#portfolio-wrap .one-third,#portfolio-wrap .portfolio-item,#project-navigation,#project-navigation ul,#project-navigation ul li…"]

/essaydemo/wp-content/themes/jupiter_3.9.3/stylesheet/images/icons/credit-cards/mastercard.png HTTP/1.1

ntierinfotech.com

collections_remove_stale: Failed deleting collection (name "ip", key "2.50.51.227_"): Internal error

127.0.0.1

/whm-server-status HTTP/1.0

collections_remove_stale: Failed deleting collection (name "ip", key "192.99.148.204_bb4c06b38802a3a8f12182eb99ba26b13f30feeb"): Internal error

/favicon.ico HTTP/1.1

worldstarpussy.com

collections_remove_stale: Failed deleting collection (name "ip", key "109.165.23.48_7b27e8bbd6b437e3f3555e0e636c2daa33c5dc80"): Internal error

[Thu Aug 21 08:10:40 2014] [error] [client 103.231.44.82] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)([\\s\"'`;\\/0-9\\=]+on\\w+\\s*=)" at ARGS:customized. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "35"] [id "212010"] [msg "COMODO WAF: XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 4OntzOjU6InRpdGxlIjtzOjA6IiI7czo0OiJ0ZXh0IjtzOjExNToiPGltZyBzdHlsZT0id2lkdGg6MTAwJSIgc3JjPSJodHRwOi8vc2VhcmNocHJvcGVydGllc2luZG9yZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTQvMDgvYmFubmVyLWZveC10b3dlcnNfMy5qcGciPiI7czo2OiJmaWx0ZXIiO2I6MDtzOjEwOiJkd19pbmNsdWRlIjtpOjE7czo5OiJkd19sb2dnZWQiO3M6MDoiIjtzOjk6Im90aGVyX2lkcyI7czowOiIiO3M6OToicGFnZS0xNTM2IjtpOjE7czoxMDoicGFnZS1mcm9udCI7aToxO30= found within ARGS:customized: {\x22widget_pages[1]\x22:{\x22encoded_serialized_instance\x22:\x22YTowOnt9\x22,\x22…"] [severity "CRITICAL"] [hostname "searchpropertiesindore.com"] [uri "/"] [unique_id "U-Xhv7ia3joAACw3G@MAAAAA"]

Also, comment spam protection is not working. Please look.

Brute force false positive still exists

[Tue Sep 30 07:17:47.908173 2014] [:error] [pid 23427] [client 182.70.233.187] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 182.70.233.187 (1 hits since last alert)"] [hostname "testing.empexus.com"] [uri "/favicon.ico"] [unique_id "VCqRW7ia3joAAFuDyaQAAAAA"]
[Tue Sep 30 07:19:13.242666 2014] [:error] [pid 23541] [client 182.70.233.187] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 182.70.233.187 (11 hits since last alert)"] [hostname "testing.empexus.com"] [uri "/isc/wp-admin/post.php"] [unique_id "VCqRsbia3joAAFv1sBcAAAAC"]
[Tue Sep 30 07:22:09.162373 2014] [:error] [pid 23844] [client 182.70.233.187] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 182.70.233.187 (17 hits since last alert)"] [hostname "testing.empexus.com"] [uri "/isc/wp-admin/themes.php"] [unique_id "VCqSYbia3joAAF0kmjsAAAAE"]
[Tue Sep 30 07:25:13.462915 2014] [:error] [pid 23418] [client 182.70.233.187] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 182.70.233.187 (15 hits since last alert)"] [hostname "testing.empexus.com"] [uri "/favicon.ico"] [unique_id "VCqTGbia3joAAFt6SkQAAAAM"]
[Tue Sep 30 07:26:18.366047 2014] [:error] [pid 24912] [client 182.70.233.187] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 182.70.233.187 (19 hits since last alert)"] [hostname "testing.empexus.com"] [uri "/isc/wp-admin/admin-ajax.php"] [unique_id "VCqTWria3joAAGFQ5SoAAAAF"]
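As an added example (not code from the thread or from Comodo), a small Python triage script for error-log lines in the format quoted throughout this thread: it parses the bracketed `[key "value"]` fields, tallies denials per rule id with the distinct clients and URIs they hit (a rule firing repeatedly on one client against /favicon.ico is the kind of pattern a false positive leaves behind), and separates out the "PCRE limits exceeded" execution errors that the SecPcreMatchLimit advice above addresses. The sample lines, hosts, client addresses and unique_ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the cPanel/Comodo ModSecurity error-log format shown in
# this thread (hosts, client addresses and unique_ids are placeholders, not real values).
SAMPLE_LOG = r'''
[Tue Sep 30 07:17:47.908173 2014] [:error] [pid 23427] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 192.0.2.10 (1 hits since last alert)"] [hostname "example.test"] [uri "/favicon.ico"] [unique_id "AAAA1"]
[Tue Sep 30 07:19:13.242666 2014] [:error] [pid 23541] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/cwaf_06.conf"] [line "19"] [id "230000"] [msg "COMODO WAF: Brute Force Attack Identified from 192.0.2.10 (11 hits since last alert)"] [hostname "example.test"] [uri "/wp-admin/post.php"] [unique_id "AAAA2"]
[Thu Aug 21 08:10:40 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(on\w+\s*=)" at ARGS:customized. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "35"] [id "212010"] [msg "COMODO WAF: XSS Filter - Category 2: Event Handler Vector"] [severity "CRITICAL"] [hostname "example.test"] [uri "/"] [unique_id "AAAA3"]
[Thu Aug 21 08:11:02 2014] [error] [client 203.0.113.5] ModSecurity: Rule 383b680 [id "220042"][file "/var/cpanel/cwaf/rules/cwaf_05.conf"][line "116"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "example.test"] [uri "/wp-admin/post.php"] [unique_id "AAAA4"]
'''

# ModSecurity writes each field as [name "value"]; the client address has no quotes.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
PCRE_ERROR = "PCRE limits exceeded"


def parse_line(line):
    """Return the fields of one ModSecurity error-log line as a dict, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    fields["client"] = client.group(1) if client else ""
    fields["denied"] = "Access denied" in line          # request was blocked by a rule
    fields["pcre_error"] = PCRE_ERROR in line           # rule could not run: regex hit PCRE limits
    return fields


def triage(log_text):
    """Per rule id: how many blocks, from which clients, on which URIs; plus the rule ids
    whose regex failed with a PCRE limit error (candidates for raising SecPcreMatchLimit)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    rules = defaultdict(lambda: {"count": 0, "clients": set(), "uris": set(), "msg": ""})
    for e in events:
        if not e["denied"]:
            continue
        r = rules[e.get("id", "?")]
        r["count"] += 1
        r["clients"].add(e["client"])
        r["uris"].add(e.get("uri", ""))
        r["msg"] = e.get("msg", "")
    pcre_errors = sorted({e["id"] for e in events if e["pcre_error"] and "id" in e})
    return {"rules": dict(rules), "pcre_errors": pcre_errors}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for rule_id, r in sorted(summary["rules"].items()):
        print(rule_id, r["count"], sorted(r["clients"]), sorted(r["uris"]), r["msg"])
    print("PCRE limit errors in rule ids:", summary["pcre_errors"])
```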

Have the above false positives been ignored or fixed?

Planned to be fixed

May I know if the above false positives have been fixed in this update?

  • Rule id 230000 - will be fixed with next update
  • Internal error must be fixed by mod_security developers

WordPress

[Thu Apr 30 08:16:40.747694 2015] [:error] [pid 25362] [client 46.103.59.183] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\"'\\xc3\\x82\\xc2\\xb4\\xc3\\xa2\\xc2\\x80\\xc2\\x99\\xc3\\xa2\\xc2\\x80\\xc2\\x98]\\\\s*?!\\\\s*?[\\"'\xc3\x82\xc2\xb4\xc3\xa2\xc2\x80\xc2\x99\xc3\xa2\xc2\x80\xc2\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|data …" at ARGS:shortcodes[0][string]. [file "/var/cpanel/cwaf/rules/23_SQL_SQLi.conf"] [line "30"] [id "211650"] [msg "COMODO WAF: Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: \x22selecto found within ARGS:shortcodes[0][string]: [bsf-info-box icon_type=\x22selector\x22 img_width=\x2248\x22 icon_size=\x2237\x22 icon_color=\x22#81d742\x22 icon_style=\x22advanced\x22 icon_color_bg=\x22#ffffff\x22 icon_color_border=\x22#ff4747\x22 icon_border_size=\x225\x22 icon_border_radius=\x22500\x22 icon_border_spacing=\x2250\x22 title=\x22\xce\x95\xce\xbe\xce\xbf\xce\xb9\xce\xba\xce\xbf\xce\xbd\xcf\x8c\xce\xbc\xce\xb7\xcf\x83\xce\xb7 \xce\xb5\xce\xbd\xce\xad\xcf\x81\xce\xb3\xce…"] [hostname "xxxx.com"] [uri "/"] [unique_id "VUIdKMBjyMsAAGMSnnUAAAAF"]

Why do you have MSSQL enabled? MSSQL is Microsoft SQL Server; if you're on Linux, this rule is not for you.