Random constant Apache crashes

We have been working with cPanel for a couple of weeks trying to track down why Apache is crashing randomly after a few restarts. One of their techs thinks mod_security was getting a deadlock (old GitHub bug), which was showing in the logs. So I disabled mod_security for that domain per their recommendation. So here we are several weeks later, and Apache still randomly crashes, and the persistent item in the logs is attempted PDF injection uploads. Comodo WAF is catching these, so I went in and set Comodo WAF to detect only server-wide and found the following in the logs just after the crash.

My question is, could these infected PDF injection attempts cause an Apache crash via a bad mod_security or Comodo WAF bug?

Apache error log
[Sun Nov 29 03:08:09.003134 2015] [core:notice] [pid 15743:tid 140208165935040] AH00094: Command line: ‘/usr/local/apache/bin/httpd’
[Sun Nov 29 03:55:40.053043 2015] [:error] [pid 11745:tid 140207972116224] [client 192.88.134.9] ModSecurity: Warning. String match “/images/” at REQUEST_FILENAME. [file “/var/cpanel/cwaf/rules/26_Apps_JComponent.conf”] [line “88”] [id “240031”] [rev “2”] [msg “COMODO WAF: Blocking execution of an uploaded shell in Joomla!”] [hostname “www.urotoday.com”] [uri “/index.php/document/category,stone-disease,229,23870/images/stories/conferences/MIR_2008/miu_2008_peyronies.pdf”] [unique_id “VlrLmjJhsosAAC3hhggAAADJ”]
[Sun Nov 29 03:55:40.053085 2015] [:error] [pid 11745:tid 140207972116224] [client 192.88.134.9] ModSecurity: Warning. String match “/images/” at REQUEST_FILENAME. [file “/var/cpanel/cwaf/rules/26_Apps_JComponent.conf”] [line “88”] [id “240031”] [rev “2”] [msg “COMODO WAF: Blocking execution of an uploaded shell in Joomla!”] [hostname “www.urotoday.com”] [uri “/index.php/document/category,stone-disease,229,23870/images/stories/conferences/MIR_2008/miu_2008_peyronies.pdf”] [unique_id “VlrLmjJhsosAAC3hhggAAADJ”]
[Sun Nov 29 04:18:39.930571 2015] [:error] [pid 11745:tid 140207867217664] [client 192.88.134.9] ModSecurity: Warning. String match “/images/” at REQUEST_FILENAME. [file “/var/cpanel/cwaf/rules/26_Apps_JComponent.conf”] [line “88”] [id “240031”] [rev “2”] [msg “COMODO WAF: Blocking execution of an uploaded shell in Joomla!”] [hostname “www.urotoday.com”] [uri “/index.php/document/category,bph-and-male-luts,75,45519/images/stories/documents/aua_2011/bph_monograph_carnevale_antunes_7_25_2011_final2.pdf”] [unique_id “VlrQ-TJhsosAAC3hhxcAAADT”]
[Sun Nov 29 04:23:52.964066 2015] [:error] [pid 13481:tid 140207877707520] [client 192.88.134.9] ModSecurity: Warning. String match “/images/” at REQUEST_FILENAME. [file “/var/cpanel/cwaf/rules/26_Apps_JComponent.conf”] [line “88”] [id “240031”] [rev “2”] [msg “COMODO WAF: Blocking execution of an uploaded shell in Joomla!”] [hostname “www.urotoday.com”] [uri “/index.php/document/category,bladder-cancer,137,9131/images/stories/documents/pdf_files/bladdercancer_awareness/bhaw_awareness.pdf”] [unique_id “VlrSNzJhsosAADSpChkAAABS”]
[Sun Nov 29 05:04:55.131006 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00297: SIGUSR1 received. Doing graceful restart
[Sun Nov 29 05:04:56.003625 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00292: Apache/2.4.16 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Protected by COMODO WAF configured – resuming normal operations
[Sun Nov 29 05:04:56.003644 2015] [core:notice] [pid 15743:tid 140208165935040] AH00094: Command line: ‘/usr/local/apache/bin/httpd’
[Sun Nov 29 06:03:38.718322 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00297: SIGUSR1 received. Doing graceful restart
[Sun Nov 29 06:03:39.002948 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00292: Apache/2.4.16 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Protected by COMODO WAF configured – resuming normal operations
[Sun Nov 29 06:03:39.002968 2015] [core:notice] [pid 15743:tid 140208165935040] AH00094: Command line: ‘/usr/local/apache/bin/httpd’
[Sun Nov 29 06:10:57.841498 2015] [:error] [pid 354:tid 140207982606080] [client 192.88.134.9] ModSecurity: Warning. String match “/images/” at REQUEST_FILENAME. [file “/var/cpanel/cwaf/rules/26_Apps_JComponent.conf”] [line “88”] [id “240031”] [rev “2”] [msg “COMODO WAF: Blocking execution of an uploaded shell in Joomla!”] [hostname “www.urotoday.com”] [uri “/index.php/document/category,prostate-cancer,91,42915/images/stories/documents/cury_2011/Saad-Oudard v1.0 20110128.pdf”] [unique_id “VlrrTzJhsosAAAFiZtwAAADI”]
[Sun Nov 29 06:10:57.841543 2015] [:error] [pid 354:tid 140207982606080] [client 192.88.134.9] ModSecurity: Warning. String match “/images/” at REQUEST_FILENAME. [file “/var/cpanel/cwaf/rules/26_Apps_JComponent.conf”] [line “88”] [id “240031”] [rev “2”] [msg “COMODO WAF: Blocking execution of an uploaded shell in Joomla!”] [hostname “www.urotoday.com”] [uri “/index.php/document/category,prostate-cancer,91,42915/images/stories/documents/cury_2011/Saad-Oudard v1.0 20110128.pdf”] [unique_id “VlrrTzJhsosAAAFiZtwAAADI”]
[Sun Nov 29 06:39:52.297460 2015] [access_compat:error] [pid 326:tid 140207825258240] [client 202.112.51.96:46777] AH01797: client denied by server configuration: /home/newurotoday/public_html/
[Sun Nov 29 06:57:49.207991 2015] [mpm_worker:error] [pid 15743:tid 140208165935040] AH00287: server is within MinSpareThreads of MaxRequestWorkers, consider raising the MaxRequestWorkers setting
[Sun Nov 29 06:58:35.246489 2015] [mpm_worker:error] [pid 15743:tid 140208165935040] AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Sun Nov 29 07:01:20.000998 2015] [suexec:notice] [pid 7240:tid 140539491002304] AH01232: suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Sun Nov 29 07:01:20.001074 2015] [:notice] [pid 7240:tid 140539491002304] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
[Sun Nov 29 07:01:20.001081 2015] [:notice] [pid 7240:tid 140539491002304] ModSecurity: APR compiled version=“1.5.2”; loaded version=“1.5.2”
[Sun Nov 29 07:01:20.001085 2015] [:notice] [pid 7240:tid 140539491002304] ModSecurity: PCRE compiled version="8.36 "; loaded version=“8.36 2014-09-26”
[Sun Nov 29 07:01:20.001089 2015] [:notice] [pid 7240:tid 140539491002304] ModSecurity: LUA compiled version=“Lua 5.1”
[Sun Nov 29 07:01:20.001092 2015] [:notice] [pid 7240:tid 140539491002304] ModSecurity: LIBXML compiled version=“2.9.2”
[Sun Nov 29 07:01:20.001094 2015] [:notice] [pid 7240:tid 140539491002304] ModSecurity: Original server signature: Apache/2.4.16 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
[Sun Nov 29 07:01:20.001098 2015] [:notice] [pid 7240:tid 140539491002304] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Sun Nov 29 07:01:21.011724 2015] [mpm_worker:notice] [pid 7241:tid 140539491002304] AH00292: Apache/2.4.16 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Protected by COMODO WAF configured – resuming normal operations
[Sun Nov 29 07:01:21.011776 2015] [core:notice] [pid 7241:tid 140539491002304] AH00094: Command line: ‘/usr/local/apache/bin/httpd’
[Sun Nov 29 07:02:02.807947 2015] [mpm_worker:notice] [pid 7241:tid 140539491002304] AH00297: SIGUSR1 received. Doing graceful restart
[Sun Nov 29 07:02:03.002891 2015] [mpm_worker:notice] [pid 7241:tid 140539491002304] AH00292: Apache/2.4.16 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Protected by COMODO WAF configured – resuming normal operations
[Sun Nov 29 07:02:03.002913 2015] [core:notice] [pid 7241:tid 140539491002304] AH00094: Command line: ‘/usr/local/apache/bin/httpd’
[Sun Nov 29 07:05:01.999527 2015] [:error] [pid 7632:tid 140539204658944] [client 192.88.134.9] ModSecurity: Warning. String match “/images/” at REQUEST_FILENAME. [file “/var/cpanel/cwaf/rules/26_Apps_JComponent.conf”] [line “88”] [id “240031”] [rev “2”] [msg “COMODO WAF: Blocking execution of an uploaded shell in Joomla!”] [hostname “www.urotoday.com”] [uri “/index.php/document/category,guidelines,267,5207/images/stories/documents/prod/pdf/auanet/optimalevaluation.pdf”] [unique_id “Vlr3-DJhsosAAB3QQVAAAABR”]

I don’t see any reason why your web server continuously restarts. Please let us know if you find a reason or solution.

Hello.

This issue doesn’t concern ModSecurity.

[Sun Nov 29 06:03:38.718322 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00297: SIGUSR1 received. Doing graceful restart

But we searched for it and suppose there is some cronjob or logrotate misconfiguration.
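
Added example (not written by any poster in this thread): one way to triage an error log like the one quoted above is to separate SIGUSR1 graceful restarts from parent-pid changes that have no logged shutdown, and to note whether AH00286 worker exhaustion came shortly before. The function name, the 10-minute window and the "unclean-restart" heuristic are assumptions; the sample lines are abridged from the log in the first post.

```python
import re
from datetime import datetime

# Sample input: lines abridged from the error log quoted in this thread.
SAMPLE_LOG = """\
[Sun Nov 29 05:04:55.131006 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00297: SIGUSR1 received. Doing graceful restart
[Sun Nov 29 05:04:56.003625 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00292: Apache/2.4.16 (Unix) [...] resuming normal operations
[Sun Nov 29 06:03:38.718322 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00297: SIGUSR1 received. Doing graceful restart
[Sun Nov 29 06:03:39.002948 2015] [mpm_worker:notice] [pid 15743:tid 140208165935040] AH00292: Apache/2.4.16 (Unix) [...] resuming normal operations
[Sun Nov 29 06:57:49.207991 2015] [mpm_worker:error] [pid 15743:tid 140208165935040] AH00287: server is within MinSpareThreads of MaxRequestWorkers, consider raising the MaxRequestWorkers setting
[Sun Nov 29 06:58:35.246489 2015] [mpm_worker:error] [pid 15743:tid 140208165935040] AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Sun Nov 29 07:01:21.011724 2015] [mpm_worker:notice] [pid 7241:tid 140539491002304] AH00292: Apache/2.4.16 (Unix) [...] resuming normal operations
[Sun Nov 29 07:02:02.807947 2015] [mpm_worker:notice] [pid 7241:tid 140539491002304] AH00297: SIGUSR1 received. Doing graceful restart
[Sun Nov 29 07:02:03.002891 2015] [mpm_worker:notice] [pid 7241:tid 140539491002304] AH00292: Apache/2.4.16 (Unix) [...] resuming normal operations
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)[^\]]*\] (?P<msg>.*)$")
def classify_restarts(log_text, window_s=600):
    """Label each 'resuming normal operations' event by what preceded it."""
    events, parent, exhausted_at = [], None, None
    graceful = clean_stop = False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        pid, msg = int(m["pid"]), m["msg"]
        if msg.startswith("AH00297"):                  # SIGUSR1: graceful restart requested
            graceful = True
        elif "caught SIGTERM, shutting down" in msg:   # orderly stop of the old parent
            clean_stop = True
        elif msg.startswith("AH00286"):                # every worker thread was busy
            exhausted_at = ts
        elif msg.startswith("AH00292"):                # a parent process is (re)serving
            if graceful and parent in (None, pid):
                kind = "graceful"
            elif parent is not None and pid != parent:
                # Heuristic (assumption): new parent pid, no logged shutdown => old one died or was killed.
                kind = "clean-restart" if clean_stop else "unclean-restart"
            else:
                kind = "other"
            near = exhausted_at is not None and (ts - exhausted_at).total_seconds() <= window_s
            events.append({"time": ts, "pid": pid, "kind": kind, "workers_exhausted_before": near})
            parent, graceful, clean_stop, exhausted_at = pid, False, False, None
    return events

if __name__ == "__main__":
    for e in classify_restarts(SAMPLE_LOG):
        print(e["time"], e["pid"], e["kind"], "AH00286 shortly before" if e["workers_exhausted_before"] else "")
```

On the sample, the hourly events on pid 15743 and the 07:02 event on pid 7241 come out as graceful, while the 07:01 start under a new parent pid is the only one labelled unclean and the only one preceded by AH00286.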