

ModSecurity:an automated program explored the site???




Posted by anastasia0181, 01-26-2010, 05:22 AM
Hi, I received the Mod-Security alert below about a program exploring a site. I need you to please show me:

1- How to investigate more.
2- Is there a way to stop these programs from exploring sites?
3- Is Mod-Security protecting my sites from being hacked?

Thank you.

-------------------------------------------------------------------
[Mon Jan 25 19:55:50 2010] [error] [client 193.164.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.mydomain.net"] [uri "/potentiel.swf"] [unique_id "S133Rkjo4foAAASjYTYbObnS"]
-------------------------------------------------------------------

Posted by activelobby4u, 01-26-2010, 08:20 AM
It could be a crawler from search engines or custom crawlers. You can use the robots.txt to block them.

Posted by madaboutlinux, 01-26-2010, 08:21 AM
It looks like a false alarm, as a swf file is being accessed. The rule that is blocking the request is in the file /usr/local/apache/conf/modsec2.user.conf at line number 58. You can either remove the rule from the above-mentioned file OR disable the specific rule for your website OR the specific directory by specifying the following code in the VirtualHost of the domain. Edit the httpd.conf file and place the below code in the VirtualHost of the domain.

SecRuleRemoveById 990011

Save the file and restart the httpd service. This will make sure that rule 990011 will not be applicable for the account www.mydomain.net.

Posted by linuxmaster007, 01-27-2010, 01:07 AM
Hello, Please check the apache and suexec logs for more info.

Last edited by anon-e-mouse; 01-27-2010 at 07:29 AM.
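For the first question in the thread (how to investigate further), here is an added example that is not part of any post above: a Python sketch that parses ModSecurity lines in the Apache error-log format quoted in the alert and groups them by rule id, so you can see which clients and URIs trip rule 990011 before deciding whether to disable it. The function names are hypothetical and the sample log is constructed (the first line is adapted from the alert in the thread, with a documentation-range address in place of the masked client IP).

```python
import re
from collections import Counter

# Constructed sample in the error-log format quoted in the thread.
# Client addresses are placeholders; the second alert and unique_ids are invented.
SAMPLE_LOG = """\
[Mon Jan 25 19:55:50 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.mydomain.net"] [uri "/potentiel.swf"] [unique_id "CONSTRUCTED-SAMPLE-0001"]
[Mon Jan 25 19:56:02 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.mydomain.net"] [uri "/index.php"] [unique_id "CONSTRUCTED-SAMPLE-0002"]
[Mon Jan 25 19:57:11 2010] [notice] caught SIGTERM, shutting down
"""

HEAD = re.compile(r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] '
                  r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>.*?)\. ')
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] metadata pairs


def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-ModSecurity lines."""
    head = HEAD.match(line)
    if head is None:
        return None
    alert = head.groupdict()
    alert.update(TAG.findall(line))  # file, line, id, msg, severity, hostname, uri, ...
    return alert


def summarize(log_text):
    """Group alerts by rule id: rule location, hit count, clients and URIs seen."""
    rules = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None or "id" not in alert:
            continue
        rule = rules.setdefault(alert["id"], {
            "msg": alert.get("msg"),
            "where": f'{alert.get("file")}:{alert.get("line")}',
            "hits": 0, "clients": Counter(), "uris": Counter()})
        rule["hits"] += 1
        rule["clients"][alert["client"]] += 1
        rule["uris"][alert.get("uri")] += 1
    return rules


if __name__ == "__main__":
    for rule_id, info in summarize(SAMPLE_LOG).items():
        print(rule_id, info["where"], info["hits"], dict(info["clients"]), dict(info["uris"]))
```

To run it against a real server, pass the contents of the Apache error log to `summarize()` instead of `SAMPLE_LOG`.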


