high load

Hi, although we have blocked the IP, we still get attacks to pages like the ones below:

GET /wp-content/plugins/google-mp3-audio-player/direct_download
GET /wp-content/plugins/simple-image-manipulator/controller/download
wp-content/plugins/google-mp3-audio-player/direct_download

Hi
Can you please provide the modsec debug log for this incident? Can you please give more details about this attack?

Where do I get the modsec debug log from, please?

Ex. /var/log/apache2/modsec_debug.log
You can find the location from your CWAF GUI page or from the ModSecurity configuration file.

GET /wp-content/plugins/google-mp3-audio-player/direct_download
GET /wp-content/plugins/simple-image-manipulator/controller/download
wp-content/plugins/google-mp3-audio-player/direct_download

Can you please explain what they did in the above requests, and what should I block?

They just do multiple attacks to the sites and then the server load gets high.

Hi
Disable the action for creating debug logs. Did you find out what he is trying to do using the request file names you mentioned above? Can you please send me the full request sent by the attackers.

Is he trying to download a file, or exploit using any other attacks?

Please explain better how I disable the action for logs; I have not found anything out.

Hi
Clear the contents of the following files:

  1. The ip.pag file in /tmp.
  2. default.SESSION in the /tmp folder, and restart the web server.
  3. modsec_debug.log is disabled by default. Locate it in /var/log/apache2.
  4. The plugin was updated 6 years ago. Better to deactivate it. If you need to use this plugin, let me know and give us some more time; we will create a custom signature for you.

I don't use the plugin; it's installed from WHM.

Hi
If you don't want/need to use the above mentioned plugins, you can remove them from the web root. Locate the plugin folder:
Ex. # cd /var/www/html/wp-content/plugins
Then you can manually remove the unwanted plugin folders:

  # rm -rf folder_name (the plugin name)

Can you please provide details about the web server and the CWAF plugin. Restart your web server, and if you face any errors, send them to me.

I don't have the plugin installed? Shall I install it again and disable the WHM one under ModSecurity™ Vendors?

No need to install. Once your server reaches high load, you have to follow these instructions:

1. You can disable the following rule IDs, if they are not needed for you (this is not the better choice).
2. Otherwise you have to schedule an ip.pag file reset/truncate.
2.1. GitHub - SpiderLabs/modsec-sdbm-util: a utility to manipulate the SDBM files used by ModSecurity. With that utility it is possible to shrink SDBM databases. It is also possible to list the SDBM contents with filters such as expired or invalid items only.
2.2. Locate the file ip.pag in the /tmp folder and clear the file content (tmp# > ip.pag), and the default.SESSION file also, and restart the webserver.

225180
225181
225182
240330
240331
240332
240333
240334
240335
240336
241140
241141
241142
241143

3. You can create a cron job. But please follow these steps:

  1. Delete the files directly (ip.pag and default.SESSION*).
  2. Create empty files with the same filenames.
  3. Restart the web server.

Thank you for contacting us. If you have any queries, please let me know with the following details:

CWAF plugin version
CWAF rules version
Web Server name and version
Hosting panel name and version
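The reset/truncate steps above, written up as a cron-runnable POSIX shell script for this thread (added example, not CWAF's or ModSecurity's own tooling): it only clears the SDBM files when they exceed a size threshold and keeps the filenames in place. The /tmp location, file names and the 3 GB figure come from the thread; the restart command and the `run` argument are assumptions.

```shell
#!/bin/sh
# Cron maintenance for ModSecurity's SDBM persistent-storage files
# (nobody-ip.pag/.dir and default_SESSION.pag/.dir, as named in the thread).
# Assumptions for this example: files live in /tmp, 3 GB is the limit,
# and "apachectl graceful" restarts the web server. Adjust to your host.

SDBM_DIR="${SDBM_DIR:-/tmp}"
MAX_BYTES="${MAX_BYTES:-3221225472}"              # 3 GB, as mentioned in the thread
RESTART_CMD="${RESTART_CMD:-apachectl graceful}"  # assumed; change for your server

# Size of a file in bytes; wc -c works the same on GNU and BSD userlands.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Truncate every *.pag / *.dir file in $1 larger than $2 bytes, keeping the
# same filename so ModSecurity still finds its collection files.
# Prints the number of files truncated.
truncate_sdbm_files() {
    dir="$1"; limit="$2"; count=0
    for f in "$dir"/*.pag "$dir"/*.dir; do
        [ -f "$f" ] || continue            # unmatched glob, skip it
        size=$(file_size "$f")
        if [ "$size" -gt "$limit" ]; then
            : > "$f"                       # same effect as "> nobody-ip.pag"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Truncate oversized files, then restart the web server only if something
# was actually cleared (the running process still holds the old mapping).
main() {
    n=$(truncate_sdbm_files "$SDBM_DIR" "$MAX_BYTES")
    if [ "$n" -gt 0 ]; then
        echo "truncated $n SDBM file(s) in $SDBM_DIR; restarting web server"
        $RESTART_CMD
    fi
}

# Schedule as: sh sdbm_maint.sh run   (no argument = load functions only)
case "${1:-}" in
    run) main ;;
esac
```

Truncation drops every tracked IP/session entry until ModSecurity rebuilds the collection, whereas the modsec-sdbm-util linked above shrinks the database by removing only expired entries; prefer the utility where it works and keep this script as the fallback.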

Is there a command to clear the ip.pag file? I just checked the nobody-ip.pag and it is 1,995,062 in size.

Hi
Clear the file content in nobody-ip.pag. (The name differs based on the web hosting control panel.) You can clear the file content using the above mentioned way.

I did try /scripts/shrink_modsec_ip_database -x because we installed the SDBM utility ages ago, but it never worked.

So you mean open the file nobody-ip.pag and delete the contents? That's a big file to open.

Hi
No need to open it, just try these commands. Please follow:
# cd /tmp
:/tmp# > nobody-ip.pag
:/tmp# > nobody-ip.dir
:/tmp# > default_SESSION.dir
:/tmp# > default_SESSION.pag
Finally, restart the webserver.

Sorry, I only just saw this, so I just pasted the commands below and restarted.

cd /tmp
:/tmp# > nobody-ip.pag
:/tmp# > nobody-ip.dir
:/tmp#> default_SESSION.dir
:/tmp#> default_SESSION.pag

Still getting attacks to these:

GET /whm-server-status HTTP/1.1
GET /wp-config.php-bak HTTP/1.1

Hi
Can you please enable (set status to ON) the following signature in the CWAF GUI. Locate the catalog.
PFA. But one thing: you have to clear the ip.pag and default.session files if they exist and are more than 3 GB.

I have already said I don't use the plugin.