Re: PHP Upload errors
Posted: Sat 11 Mar 2023 7:49 pm
by WoodburyMan
When attempting to switch over and use PHP upload, I get HTTP 500 errors. It only appears for custom files and realtime.txt. Scrolling through the logs and looking at my server, it appears some of the daily json files were able to upload via PHP.
I use a 3rd party web host. PHP/Apache run under the same username that owns all my files, and that I had uploaded them under via SFTP, so permissions shouldn't be a thing. What's odd is after this runs for a bit, failing, maybe 2-3 minutes, my remote host blocks my system's IP address for 10-15 minutes before allowing access again, via ANY method (SFTP, HTTP, HTTPS, etc).
Any idea what might be causing it? Clearly one factor is my webhost treating something as an attack, maybe performing too many functions too quickly? Which results in the short 10 minute block.
I verified my text string in upload.php and Cumulus match, no dashes. This is with 3.24.1 b3234.
Code:
2023-03-11 14:35:00.407 DoLogFile: Writing log entry for 3/11/2023 2:35:00 PM
2023-03-11 14:35:00.407 DoLogFile: log entry for 3/11/2023 2:35:00 PM written
2023-03-11 14:35:00.408 Writing today.ini, LastUpdateTime = 3/11/2023 2:35:00 PM raindaystart = 7.47244093726 rain counter = 7.52362203957
2023-03-11 14:35:00.416 Updating CWOP
2023-03-11 14:35:00.589 PHP[Int]: Uploading daily graph data file: alldailytempdata.json
2023-03-11 14:35:00.589 PHP[Int]: Uploading daily graph data file: alldailywinddata.json
2023-03-11 14:35:00.589 PHP[Int]: Uploading daily graph data file: alldailyhumdata.json
2023-03-11 14:35:00.590 PHP[Int]: Uploading daily graph data file: alldailyraindata.json
2023-03-11 14:35:00.591 PHP[Int]: Uploading daily graph data file: alldailypressdata.json
2023-03-11 14:35:00.591 PHP[Int]: Uploading daily graph data file: alldailydegdaydata.json
2023-03-11 14:35:00.591 PHP[Int]: Uploading daily graph data file: alltempsumdata.json
2023-03-11 14:35:00.591 PHP[Int]: Uploading daily graph data file: alldailysolardata.json
2023-03-11 14:35:12.737 PHP[Int]: CUtags.php: Response code = 500: InternalServerError
2023-03-11 14:35:12.737 PHP[Int]: CUtags.php: Response text follows:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
webmaster@southingtonweather.com to inform them of the time this error occurred,
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
2023-03-11 14:35:15.960 PHP[20]: realtimegauges.txt: Response code = 500: InternalServerError
2023-03-11 14:35:15.960 PHP[20]: realtimegauges.txt: Response text follows:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
webmaster@southingtonweather.com to inform them of the time this error occurred,
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
2023-03-11 14:35:17.032 PHP[20]: realtime.txt: Response code = 500: InternalServerError
2023-03-11 14:35:17.032 PHP[20]: realtime.txt: Response text follows:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
webmaster@southingtonweather.com to inform them of the time this error occurred,
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
Re: PHP Upload errors
Posted: Sat 11 Mar 2023 8:34 pm
by HansR
There is an error earlier, the very first attempt to test for which compression to use fails:
Code:
2023-03-11 14:33:48.143 Updating internet settings
2023-03-11 14:33:48.145 TestPhpUploadCompression: Error - An invalid request URI was provided. The request URI must either be an absolute URI or BaseAddress must be set.
2023-03-11 14:33:48.155 Writing Cumulus.ini file
2023-03-11 14:33:48.158 Completed writing Cumulus.ini file
2023-03-11 14:33:48.739 PHP[12]: realtimegauges.txt: Response code = 500: InternalServerError
2023-03-11 14:33:48.739 PHP[12]: realtimegauges.txt: Response text follows:
This error is not from the upload.php procedure itself but from the call to it.
The log itself does not show the request URI.
Have you specified the correct URL in the PHP protocol definition?
Re: PHP Upload errors
Posted: Sun 12 Mar 2023 3:12 am
by WoodburyMan
HansR wrote: Sat 11 Mar 2023 8:34 pm
There is an error earlier, the very first attempt to test for which compression to use fails:
Code:
2023-03-11 14:33:48.143 Updating internet settings
2023-03-11 14:33:48.145 TestPhpUploadCompression: Error - An invalid request URI was provided. The request URI must either be an absolute URI or BaseAddress must be set.
2023-03-11 14:33:48.155 Writing Cumulus.ini file
2023-03-11 14:33:48.158 Completed writing Cumulus.ini file
2023-03-11 14:33:48.739 PHP[12]: realtimegauges.txt: Response code = 500: InternalServerError
2023-03-11 14:33:48.739 PHP[12]: realtimegauges.txt: Response text follows:
This error is not from the upload.php procedure itself but from the call to it.
The log itself does not show the request URI.
Have you specified the correct URL in the PHP protocol definition?
I have specified the correct full URL. I tried it again and got the same error "TestPhpUploadCompression" as before.
I enabled the debug feature on upload.php to see if I get more detailed results, maybe something like my remote host doesn't have some php compression module. However my provider has blocked my IP again for a bit due to excessive HTTP 500 errors again. It will be a bit before I can test again.
Re: PHP Upload errors
Posted: Sun 12 Mar 2023 4:20 am
by HansR
OK. Seems to be one for @Mark.
Re: PHP Upload errors
Posted: Sun 12 Mar 2023 9:22 am
by mcrossley
There is something odd going on with your web site.
When I first tried in a browser to open https://www.southingtonweather.com/ I got a DNS error. Then after a while it did open your main page.
That aside.
When I then tried the upload script in a browser (https://www.southingtonweather.com/upload.php), I see you have enabled debug mode in it. Best to switch that off for now please.
The response in the browser however is OK with no errors.
The error message in the log file for TestPhpUploadCompression indicates that it is not even sending the request because it thinks the URI is badly formed. Could you check it/re-enter it to ensure there are no odd characters, trailing spaces etc.
Re: PHP Upload errors
Posted: Fri 17 Mar 2023 4:23 pm
by WoodburyMan
mcrossley wrote: Sun 12 Mar 2023 9:22 am
There is something odd going on with your web site.
When I first tried in a browser to open https://www.southingtonweather.com/ I got a DNS error. Then after a while it did open your main page.
That aside.
When I then tried the upload script in a browser (https://www.southingtonweather.com/upload.php), I see you have enabled debug mode in it. Best to switch that off for now please.
The response in the browser however is OK with no errors.
The error message in the log file for TestPhpUploadCompression indicates that it is not even sending the request because it thinks the URI is badly formed. Could you check it/re-enter it to ensure there are no odd characters, trailing spaces etc.
Not sure about the DNS error. It could have been my hosting company having an issue at the time. It's IPv6 enabled, so it has AAAA and A records. The system I run it on is also IPv6 capable, so it may be going over IPv6 completely, if that makes a difference.
I turned debug mode off for now. On build 3.24.2 3235 now as well. I just went through and re-entered all my URLs... here's a copy of my Cumulus.ini
Code:
PHP-URL=https://www.southingtonweather.com/upload.php
PHP-Secret=redacted
PHP-IgnoreCertErrors=0
No odd characters. My secret is also all numbers and letters, no symbols.
Got the same errors. However, this time there were no "TestPhpUploadCompression" errors in the log file.
Code:
2023-03-17 11:57:52.403 PHP[0]: realtime.txt: Response code = 500: InternalServerError
2023-03-17 11:57:52.403 PHP[0]: realtime.txt: Response text follows:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
webmaster@southingtonweather.com to inform them of the time this error occurred,
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
However, I checked and found it did upload some of my 5m interval files via php. tempdata.json, solardata.json, winddata.json, etc. Just not my realtime files. I'm wondering if for some reason it didn't want to replace the existing files or threw a security flag. I just deleted them. However my hosting company has blocked my IP for a timeout again so I'm waiting for it to clear then trying to see if it works.
Re: PHP Upload errors
Posted: Fri 17 Mar 2023 4:52 pm
by WoodburyMan
Same issue after removing the realtime.txt and other files from my host first. HTTP 500.
Attached log file, as well as a copy of my config file, with passwords, etc redacted. Maybe you can spot something that's throwing it off?
Re: PHP Upload errors
Posted: Fri 17 Mar 2023 5:09 pm
by mcrossley
Unless you have some access to them, I think you are going to have to ask your hosting company to look at the web server logs and find out what the error was on their side. Everything looks OK from the CMX side.
It may well end up that PHP upload may never work with some hosting companies because of their configuration or security measures. I feared that may be the case, but so far it hasn't proved to be an issue.
Re: PHP Upload errors
Posted: Sat 18 Mar 2023 10:44 pm
by WoodburyMan
mcrossley wrote: Fri 17 Mar 2023 5:09 pm
Unless you have some access to them, I think you are going to have to ask your hosting company to look at the web server logs and find out what the error was on their side. Everything looks OK from the CMX side.
It may well end up that PHP upload may never work with some hosting companies because of their configuration or security measures. I feared that may be the case, but so far it hasn't proved to be an issue.
Yep. I was able to pull Apache logs.
It looks like mod_security rules are blocking it.
My hosting provider, DreamHost, just recently changed it so it cannot be turned off as well, they used to have an option to turn it off.
It flags it, somewhat rightfully so, as a security problem. (Anything calling a PHP script that creates other files in theory could be seen as an exploit and such so I get why it sees it that way.). So looks like I'm sticking with SFTP for now.
Code:
[Fri Mar 17 09:45:19.033978 2023] [:error] [pid 391411:tid 3760562329344] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50591] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "957"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/octet-stream|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOfwAATq8"]
[Fri Mar 17 09:45:19.034632 2023] [:error] [pid 391411:tid 3760562329344] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50591] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:17/03/23 12:45:19 49.8 60 36.5 4 5 84 0.00 0.00 29.74 E 2 mph F in in 25.2 0.00 2.50 9.40 0.00 69.8 38 48.4 0.0 49.8 12:39 31.8 04:14 5 12:29 13 12:04 29.92 00:19 29.74 12:36 3.24.2 3235 11 49.8 9.9 3.0 0.012 417 62 0.00 23 1 0 ENE 3031 ft 44.5 0.9 0 1 48.4\\r\\n. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "172"] [id "921150"] [msg "HTTP Header Injection Attack via payload (CR/LF detected)"] [data "Matched Data: \\x0d found within ARGS_NAMES:17/03/23 12:45:19 49.8 60 36.5 4 5 84 0.00 0.00 29.74 E 2 mph F in in 25.2 0.00 2.50 9.40 0.00 69.8 38 48.4 0.0 49.8 12:39 31.8 04:14 5 12:29 13 12:04 29.92 00:19 29.74 12:36 3.24.2 3235 11 49.8 9.9 3.0 0.012 417 62 0.00 23 1 0 ENE 3031 ft 44.5 0.9 0 1 48.4\\x5cr\\x5cn: 17/03/23 12:45:19 49.8 60 36.5 4 5 84 0.00 0.00 29.74 E 2 mph F in in 25.2 0.00 2.50 9.40 0.00 69.8 38 48.4 0.0 49.8 12:39 31.8 04:14 5 12:29 13 12:04 29.92 00:19 29.74 12:36 3.24.2 3235 11 49.8 9...."] [severity "CRITIC [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOfwAATq8"]
[Fri Mar 17 09:45:19.036630 2023] [:error] [pid 391411:tid 3760562329344] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50591] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOfwAATq8"]
[Fri Mar 17 09:45:19.037432 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Found 8 byte(s) in ARGS_NAMES:\\x1f\\x8b\\b\\x00\\x00\\x00\\x00\\x00\\x04\\x00]\\x94Ko\\x9c0\\x10\\xc7\\xef\\xfd\\x14 \\xce\\x04a\\x9b\\xc7\\xc2\\xb1i\\xa2\\xad\\x94\\xb4\\xd2\\x86\\xb4\\x87\\xaa\\x07g\\xf1\\xee\\xa2\\xb2@\\rdSU\\xfd\\xee\\xf5\\xcc\\x98\\x87sc~\\x9e\\x19\\xcf\\xe3o\\xfez\\xa5\\x1c\\x94\\x97{\\x8c\\xe7Q\\xec\\xf9\\x1f\\xbcA]:cGY\\xb0\\x9d\\xcc\\xe2\\xc1\\x00\\xc1V`\\xb7\\xf2\\xa8\\x1a\\x1b\\x92XP\\xaa \\xf8'Al\\xad\\xae5>\\x98\\x84o\\x83\\xd0\\x81\\x90H\\xa4\\x14'\\xbbn\\xba<\\xa2XK(4\\t\\xd25\\xdb\\x91_\\x06\\xec\\xa8T\\xdd\\xd7\\xd5/h$\\xda\\x06\\x91\\xc3\\x9c\\xea\\x17\\xba#_\\xa4\\xd7\\xc3\\xb9\\xaa\\xebU0\\x01'\\xf2\\xac\\xe4P5\\xa5z[\\xb5>3g \\xe7\\xf1R\\x91_F\\xe5]k3\\xe3~0\\x00\\xbb\\xba\\xf6\\x9dR%\\x04\\xa0u\\x1a\\xf1\\x88\\xb1\\xd9*\\x1e\\xc1\\x16`\\xbf(\\xa9\\xab\\xe6d\\xec-z\\xcb\\xd7\\xd3\\x82\\x12\\x0e\\xa8\\xd3\\xaa\\xefa@Y\\x90F3\\xa0\\x99\\xb9hG([\\xc2\\xecNV\\x04\\x17\\x12\\x06i\\x02D\\x1f%\\x8e%\\x0cB\\\\\\x9b\\xd6$\\x16\\xc7\\xc6j'bz\\x87\\xc2\\xa6o\\xac"\\xce outside range: 1-255. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "517"] [id "920270"] [msg "Invalid character in request (null chara [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:19.037607 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Found 1 byte(s) in ARGS_NAMES:\\v\\x92oS\\x12\\ry\\n\\x9c\\xd8\\x93j\\xfaV\\xdf\\xb6\\xcd \\x0f\\xc3C\\x8b\\xf3\\xc0\\x14\\xc7V\\xab\\x83D{/\\xabf#\\x87\\xcdQ\\xab\\xdf\\xa3j\\x86\\r\\xe8N\\xbf\\xca\\xba\\x9fT96\\x158\\xde\\xe3\\x1c\\xcdZ\\xac}\\xe9\\xcesw\\x16U\\rVo2:\\x00\\x92\\x0cZ5%5\\x04\\xa8\\x98\\xf5\\x17F9\\x8b\\x16\\xb4\\xa37#\\xb0\\xb7\\xc2\\x11\\xb9\\xf1\\xa4\\xb6\\nG\\xe6\\xc6\\x9b\\x93\\xf7Z\\xd6a\\xfc\\x9e\\xba\\x99]\\x19/E\\xb8B\\x86\\xd7K\\xf5\\xae\\x94\\xbb8\\xbb:]\\x92\\xaf\\xf6\\x17\\xe6\\xb4\\xc0\\xe2\\xdc\\x8e\\xba\\xfe\\x03\\xb3A\\xe7\\xf9\\xe0\\xc1\\xac\\x01vPT\\xdd\\xe7\\xa7\\xaf\\xa0\\x9b\\x90\\x8b\\x9bP\\xdc\\xb0h\\xc3\\xc3\\\\\\xa0\\\\\\xdf\\x07\\x07SR \\x05\\xa8S\\xcc\\x04]D\\x1eQ1\\x8bl\\xa1\\xc0d\\xc5l\\x1d,\\x9b\\xf7\\x88[2\\xbb_\\xdfa\\xde\\xc5h\\xf4\\x82\\x12\\xe04\\x8b\\xe51\\xf1<\\x8c outside range: 1-255. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "517"] [id "920270"] [msg "Invalid character in request (null character)"] [data "ARGS_NAMES:\\x5cv\\x5cx92oS\\x5cx12\\x5cry\\x5cn\\x5cx9c\\x5cxd8\\x5cx93j\\x5cxfaV\\x5cxdf\\x5cxb6\\x5cxcd \\x5cx0f\\x5cxc3C\\x5cx8b\\x5cxf3\\x5cxc0\\x5cx14 [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:19.037716 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Found 2 byte(s) in ARGS_NAMES:] \\x89W\\xaf\\v\\x01U1T\\x17\\xf5\\\\\\xdc\\xda\\xf6|\\xe1\\xb3\\xd4g\\x89\\x1f\\xc5>\\xdd\\xfe\\x91"\\xf6\\xb29\\xa9{\\xdd^X\\x88\\xb5\\x85\\xef\\xcf\\x8a\\x96N2<y\\xfe\\x06R\\x0f\\xec7\\xfd\\xf4\\xc8zjk\\xa9\\xf7\\x12\\xff\\x06,\\x9d\\tU\\xc4\\xd1\\xe5v\\xd4\\xa6\\xdb\\x01\\xf9\\xa3|\\x9b\\x9eF\\xd9^\\xa0\\x99\\xb2\\xd2\\x86\\xdc}\\xb9\\x03\\xf6\\xdd\\x80}\\xdb\\xabOr\\x90^\\xfec\\xcb|\\x1es?e\\x99\\xcfX\\x9a\\xf9\\x89\\b\\xfd$2Mqn\\x80\\xe9\\b>\\xe2\\xd8O\\x12\\xdf\\x9cpC\\xd2\\x9fvFzl`\\x06q\\x80\\x93<\\xd4\\xedX\\xbe\\xc8^\\x99\\x91\\x8f\\n\\xff\\x10\\x829\\x07\\xf6\\x1d\\x1d\\x07\\xa0\\xafJ\\xf7U\\xdb`\\x97<\\xa2\\x14/cUC\\x97\\x82\\x8b\\xd8\\xfa\\xe0^\\xbc\\x7f\\x1f\\xfe\\x03\\xc0\\xcd5\\xe1\\x84\\x06\\x00\\x00 outside range: 1-255. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "517"] [id "920270"] [msg "Invalid character in request (null character)"] [data "ARGS_NAMES:] \\x5cx89W\\x5cxaf\\x5cv\\x5cx01U1T\\x5cx17\\x5cxf5\\x5c\\x5c\\x5cxdc\\x5cxda\\x5cxf6|\\x5cxe1\\x5cxb3\\x5cxd4g\\x5cx89\\x5cx1f\\x5cxc5>\\x5cxdd\\x5cxfe\\x5cx91\\x22\\x5cxf6\\x5cxb29\\x5cxa9{\\x5cxdd^X\\x5cx88 [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:19.037970 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "703"] [id "920340"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:19.039149 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:\\x1f\\x8b\\b\\x00\\x00\\x00\\x00\\x00\\x04\\x00]\\x94Ko\\x9c0\\x10\\xc7\\xef\\xfd\\x14 \\xce\\x04a\\x9b\\xc7\\xc2\\xb1i\\xa2\\xad\\x94\\xb4\\xd2\\x86\\xb4\\x87\\xaa\\x07g\\xf1\\xee\\xa2\\xb2@\\rdSU\\xfd\\xee\\xf5\\xcc\\x98\\x87sc~\\x9e\\x19\\xcf\\xe3o\\xfez\\xa5\\x1c\\x94\\x97{\\x8c\\xe7Q\\xec\\xf9\\x1f\\xbcA]:cGY\\xb0\\x9d\\xcc\\xe2\\xc1\\x00\\xc1V`\\xb7\\xf2\\xa8\\x1a\\x1b\\x92XP\\xaa \\xf8'Al\\xad\\xae5>\\x98\\x84o\\x83\\xd0\\x81\\x90H\\xa4\\x14'\\xbbn\\xba<\\xa2XK(4\\t\\xd25\\xdb\\x91_\\x06\\xec\\xa8T\\xdd\\xd7\\xd5/h$\\xda\\x06\\x91\\xc3\\x9c\\xea\\x17\\xba#_\\xa4\\xd7\\xc3\\xb9\\xaa\\xebU0\\x01'\\xf2\\xac\\xe4P5\\xa5z[\\xb5>3g \\xe7\\xf1R\\x91_F\\xe5]k3\\xe3~0\\x00\\xbb\\xba\\xf6\\x9dR%\\x04\\xa0u\\x1a\\xf1\\x88\\xb1\\xd9*\\x1e\\xc1\\x16`\\xbf(\\xa9\\xab\\xe6d\\xec-z\\xcb\\xd7\\xd3\\x82\\x12\\x0e\\xa8\\xd3\\xaa\\xefa@Y\\x90F3\\xa0\\x99\\xb9hG([\\xc2\\xecNV\\x04\\x17\\x12\\x06i\\x02D\\x1f%\\x8e%\\x0cB\\\\\\x9b\\xd6$\\x16\\xc7\\xc6j'bz\\x87\\xc2\\xa6o\\xac"\\xce. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "172"] [id "921150"] [msg "HTTP Header Injection Attack via payload (CR/LF detected) [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:19.039316 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:\\v\\x92oS\\x12\\ry\\n\\x9c\\xd8\\x93j\\xfaV\\xdf\\xb6\\xcd \\x0f\\xc3C\\x8b\\xf3\\xc0\\x14\\xc7V\\xab\\x83D{/\\xabf#\\x87\\xcdQ\\xab\\xdf\\xa3j\\x86\\r\\xe8N\\xbf\\xca\\xba\\x9fT96\\x158\\xde\\xe3\\x1c\\xcdZ\\xac}\\xe9\\xcesw\\x16U\\rVo2:\\x00\\x92\\x0cZ5%5\\x04\\xa8\\x98\\xf5\\x17F9\\x8b\\x16\\xb4\\xa37#\\xb0\\xb7\\xc2\\x11\\xb9\\xf1\\xa4\\xb6\\nG\\xe6\\xc6\\x9b\\x93\\xf7Z\\xd6a\\xfc\\x9e\\xba\\x99]\\x19/E\\xb8B\\x86\\xd7K\\xf5\\xae\\x94\\xbb8\\xbb:]\\x92\\xaf\\xf6\\x17\\xe6\\xb4\\xc0\\xe2\\xdc\\x8e\\xba\\xfe\\x03\\xb3A\\xe7\\xf9\\xe0\\xc1\\xac\\x01vPT\\xdd\\xe7\\xa7\\xaf\\xa0\\x9b\\x90\\x8b\\x9bP\\xdc\\xb0h\\xc3\\xc3\\\\\\xa0\\\\\\xdf\\x07\\x07SR \\x05\\xa8S\\xcc\\x04]D\\x1eQ1\\x8bl\\xa1\\xc0d\\xc5l\\x1d,\\x9b\\xf7\\x88[2\\xbb_\\xdfa\\xde\\xc5h\\xf4\\x82\\x12\\xe04\\x8b\\xe51\\xf1<\\x8c. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "172"] [id "921150"] [msg "HTTP Header Injection Attack via payload (CR/LF detected)"] [data "Matched Data: \\x0d found within ARGS_NAMES:\\x5cv\\x5cx92oS\\x5cx12\\x5cry\\x5cn\\x5cx9c\\x5cxd8\\x5cx93j\\x5cxfaV\\x5cxdf\\x5cxb6\\x5cxcd \\x5cx0f\\x5cxc3C\\ [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:19.039452 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:] \\x89W\\xaf\\v\\x01U1T\\x17\\xf5\\\\\\xdc\\xda\\xf6|\\xe1\\xb3\\xd4g\\x89\\x1f\\xc5>\\xdd\\xfe\\x91"\\xf6\\xb29\\xa9{\\xdd^X\\x88\\xb5\\x85\\xef\\xcf\\x8a\\x96N2<y\\xfe\\x06R\\x0f\\xec7\\xfd\\xf4\\xc8zjk\\xa9\\xf7\\x12\\xff\\x06,\\x9d\\tU\\xc4\\xd1\\xe5v\\xd4\\xa6\\xdb\\x01\\xf9\\xa3|\\x9b\\x9eF\\xd9^\\xa0\\x99\\xb2\\xd2\\x86\\xdc}\\xb9\\x03\\xf6\\xdd\\x80}\\xdb\\xabOr\\x90^\\xfec\\xcb|\\x1es?e\\x99\\xcfX\\x9a\\xf9\\x89\\b\\xfd$2Mqn\\x80\\xe9\\b>\\xe2\\xd8O\\x12\\xdf\\x9cpC\\xd2\\x9fvFzl`\\x06q\\x80\\x93<\\xd4\\xedX\\xbe\\xc8^\\x99\\x91\\x8f\\n\\xff\\x10\\x829\\x07\\xf6\\x1d\\x1d\\x07\\xa0\\xafJ\\xf7U\\xdb`\\x97<\\xa2\\x14/cUC\\x97\\x82\\x8b\\xd8\\xfa\\xe0^\\xbc\\x7f\\x1f\\xfe\\x03\\xc0\\xcd5\\xe1\\x84\\x06\\x00\\x00. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "172"] [id "921150"] [msg "HTTP Header Injection Attack via payload (CR/LF detected)"] [data "Matched Data: \\x0a found within ARGS_NAMES:] \\x5cx89W\\x5cxaf\\x5cv\\x5cx01U1T\\x5cx17\\x5cxf5\\x5c\\x5c\\x5cxdc\\x5cxda\\x5cxf6|\\x5cxe1\\x5cxb3\\x5cxd4g\\x5cx89\\x5cx1f\\x5cxc5>\\x5cxdd\\x5cxfe\\x5cx91\\x22\\x5cxf6\\x5cx [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:19.043764 2023] [:error] [pid 391411:tid 3760520365824] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50592] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 32)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZHgbXYfoz41S9hbZOgAAATrQ"]
[Fri Mar 17 09:45:28.974973 2023] [:error] [pid 391411:tid 3760470009600] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50619] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Found 4 byte(s) in ARGS:\\x1f\\x8b\\b\\x00\\x00\\x00\\x00\\x00\\x04\\x00]\\x94Ko\\x9c0\\x10\\xc7\\xef\\xfd\\x14 \\xce\\x0e\\xc26\\x8f\\x85c\\xd3D[)i\\xa5\\ri\\x0fU\\x0f\\xce\\xe2\\xdd\\xb5\\xca\\x025\\x90MU\\xf5\\xbb\\xd7\\x9e1\\x0f\\xe7\\xe6\\xf9yf\\x98\\xc7\\xdf\\xfc\\r*1\\xc8\\xa0\\b( \\xe2$ \\x1f\\x82A^:c\\xc7y\\xb8\\x9d\\xcc\\xf2\\xc1\\x00NW`\\xb7\\xf2P\\x8d\\vI\\x1d\\xa8\\xe4\\xd5\\xfa\\xa7a\\xe2\\xac\\xae5>\\x90\\x84m\\xc3\\xc8\\x836\\x11\\xcf0Nt\\xdd\\xf4\\xf1\\x18c\\x1d\\xc1\\xd04\\xcc\\xd6l\\x87~\\xb9eG)\\xeb\\xbeV\\xbfl#\\xf16\\xe4\\x1e\\xf3\\xaa_\\xe8\\x0e}\\x81^\\x0fgU\\xd7\\xab`\\x04^\\xe4Y\\x8aA5\\x95|[\\xb5>3o \\xe7\\xf1\\xa2\\xd0/\\xc7\\xf2\\xae\\xb5\\x99q?\\x18\\x00]]\\xfbN\\xca\\xca\\x06\\x80u\\x1a\\xe1\\x8a\\xd2\\xd9*\\x1f\\xad\\r\\x85\\xbcH\\xa1Us2\\xf6\\x16\\xbc\\xc5\\xebiA)\\xa4\\xeb\\xb4\\xec{;\\xa0<\\xcc\\xe2\\x19\\xe0\\xcc|\\xb4C\\x94\\xb3\\x19\\xb9\\x9d\\xac\\b,$\\n\\xb3\\xd4\\x12}\\x140\\x96(\\x8c`mZ\\xa3X<\\x1b\\xaa\\x9d\\x88\\xe9\\xdd\\x166\\x9d\\xa1\\x8a$\\x9f,\\x9b|\\x9b\\xa1h\\xd0\\x93\\xc3\\xc4\\x9ed\\xd3\\xb7\\xfa\\xb6m\\x06q\\x18\\x1eZ\\x98\\x07\\xa48\\xb6Z\\x1e\\x04\\xd8{\\xa1\\x9a\\x8d\\x186G-\\x7f\\x8f\\xb2\\x196Vw\\xfaU\\xd4\\xfd\\xa4\\xca\\xb1Q\\xd6\\xf1\\x1e\\xe6h\\xd6\\xe2\\ [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOgwAATro"]
[Fri Mar 17 09:45:28.975004 2023] [:error] [pid 391411:tid 3760478402304] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50618] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "957"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/octet-stream|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOhAAATrk"]
[Fri Mar 17 09:45:28.975189 2023] [:error] [pid 391411:tid 3760470009600] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50619] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Found 8 byte(s) in ARGS_NAMES:\\x1f\\x8b\\b\\x00\\x00\\x00\\x00\\x00\\x04\\x00]\\x94Ko\\x9c0\\x10\\xc7\\xef\\xfd\\x14 \\xce\\x0e\\xc26\\x8f\\x85c\\xd3D[)i\\xa5\\ri\\x0fU\\x0f\\xce\\xe2\\xdd\\xb5\\xca\\x025\\x90MU\\xf5\\xbb\\xd7\\x9e1\\x0f\\xe7\\xe6\\xf9yf\\x98\\xc7\\xdf\\xfc\\r*1\\xc8\\xa0\\b( \\xe2$ \\x1f\\x82A^:c\\xc7y\\xb8\\x9d\\xcc\\xf2\\xc1\\x00NW`\\xb7\\xf2P\\x8d\\vI\\x1d\\xa8\\xe4\\xd5\\xfa\\xa7a\\xe2\\xac\\xae5>\\x90\\x84m\\xc3\\xc8\\x836\\x11\\xcf0Nt\\xdd\\xf4\\xf1\\x18c\\x1d\\xc1\\xd04\\xcc\\xd6l\\x87~\\xb9eG)\\xeb\\xbeV\\xbfl#\\xf16\\xe4\\x1e\\xf3\\xaa_\\xe8\\x0e}\\x81^\\x0fgU\\xd7\\xab`\\x04^\\xe4Y\\x8aA5\\x95|[\\xb5>3o \\xe7\\xf1\\xa2\\xd0/\\xc7\\xf2\\xae\\xb5\\x99q?\\x18\\x00]]\\xfbN\\xca\\xca\\x06\\x80u\\x1a\\xe1\\x8a\\xd2\\xd9*\\x1f\\xad\\r\\x85\\xbcH\\xa1Us2\\xf6\\x16\\xbc\\xc5\\xebiA)\\xa4\\xeb\\xb4\\xec{;\\xa0<\\xcc\\xe2\\x19\\xe0\\xcc|\\xb4C\\x94\\xb3\\x19\\xb9\\x9d\\xac\\b,$\\n\\xb3\\xd4\\x12}\\x140\\x96(\\x8c`mZ\\xa3X<\\x1b\\xaa\\x9d\\x88\\xe9\\xdd\\x166\\x9d\\xa1\\x8a$\\x9f,\\x9b|\\x9b\\xa1h\\xd0\\x93\\xc3\\xc4\\x9ed\\xd3\\xb7\\xfa\\xb6m\\x06q\\x18\\x1eZ\\x98\\x07\\xa48\\xb6Z\\x1e\\x04\\xd8{\\xa1\\x9a\\x8d\\x186G-\\x7f\\x8f\\xb2\\x196Vw\\xfaU\\xd4\\xfd\\xa4\\xca\\xb1Q\\xd6\\xf1\\x1e\\xe6h\\xd [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOgwAATro"]
[Fri Mar 17 09:45:28.975371 2023] [:error] [pid 391411:tid 3760470009600] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50619] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "703"] [id "920340"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOgwAATro"]
[Fri Mar 17 09:45:28.975753 2023] [:error] [pid 391411:tid 3760478402304] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50618] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:17/03/23 12:45:29 49.8 60 36.5 4 5 84 0.00 0.00 29.74 E 2 mph F in in 25.2 0.00 2.50 9.40 0.00 69.8 38 48.3 0.0 49.8 12:39 31.8 04:14 5 12:29 13 12:04 29.92 00:19 29.74 12:36 3.24.2 3235 11 49.8 9.9 3.0 0.012 417 65 0.00 23 1 0 ENE 3031 ft 44.5 0.9 0 1 48.3\\r\\n. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "172"] [id "921150"] [msg "HTTP Header Injection Attack via payload (CR/LF detected)"] [data "Matched Data: \\x0d found within ARGS_NAMES:17/03/23 12:45:29 49.8 60 36.5 4 5 84 0.00 0.00 29.74 E 2 mph F in in 25.2 0.00 2.50 9.40 0.00 69.8 38 48.3 0.0 49.8 12:39 31.8 04:14 5 12:29 13 12:04 29.92 00:19 29.74 12:36 3.24.2 3235 11 49.8 9.9 3.0 0.012 417 65 0.00 23 1 0 ENE 3031 ft 44.5 0.9 0 1 48.3\\x5cr\\x5cn: 17/03/23 12:45:29 49.8 60 36.5 4 5 84 0.00 0.00 29.74 E 2 mph F in in 25.2 0.00 2.50 9.40 0.00 69.8 38 48.3 0.0 49.8 12:39 31.8 04:14 5 12:29 13 12:04 29.92 00:19 29.74 12:36 3.24.2 3235 11 49.8 9...."] [severity "CRITIC [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOhAAATrk"]
[Fri Mar 17 09:45:28.976279 2023] [:error] [pid 391411:tid 3760470009600] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50619] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:\\x1f\\x8b\\b\\x00\\x00\\x00\\x00\\x00\\x04\\x00]\\x94Ko\\x9c0\\x10\\xc7\\xef\\xfd\\x14 \\xce\\x0e\\xc26\\x8f\\x85c\\xd3D[)i\\xa5\\ri\\x0fU\\x0f\\xce\\xe2\\xdd\\xb5\\xca\\x025\\x90MU\\xf5\\xbb\\xd7\\x9e1\\x0f\\xe7\\xe6\\xf9yf\\x98\\xc7\\xdf\\xfc\\r*1\\xc8\\xa0\\b( \\xe2$ \\x1f\\x82A^:c\\xc7y\\xb8\\x9d\\xcc\\xf2\\xc1\\x00NW`\\xb7\\xf2P\\x8d\\vI\\x1d\\xa8\\xe4\\xd5\\xfa\\xa7a\\xe2\\xac\\xae5>\\x90\\x84m\\xc3\\xc8\\x836\\x11\\xcf0Nt\\xdd\\xf4\\xf1\\x18c\\x1d\\xc1\\xd04\\xcc\\xd6l\\x87~\\xb9eG)\\xeb\\xbeV\\xbfl#\\xf16\\xe4\\x1e\\xf3\\xaa_\\xe8\\x0e}\\x81^\\x0fgU\\xd7\\xab`\\x04^\\xe4Y\\x8aA5\\x95|[\\xb5>3o \\xe7\\xf1\\xa2\\xd0/\\xc7\\xf2\\xae\\xb5\\x99q?\\x18\\x00]]\\xfbN\\xca\\xca\\x06\\x80u\\x1a\\xe1\\x8a\\xd2\\xd9*\\x1f\\xad\\r\\x85\\xbcH\\xa1Us2\\xf6\\x16\\xbc\\xc5\\xebiA)\\xa4\\xeb\\xb4\\xec{;\\xa0<\\xcc\\xe2\\x19\\xe0\\xcc|\\xb4C\\x94\\xb3\\x19\\xb9\\x9d\\xac\\b,$\\n\\xb3\\xd4\\x12}\\x140\\x96(\\x8c`mZ\\xa3X<\\x1b\\xaa\\x9d\\x88\\xe9\\xdd\\x166\\x9d\\xa1\\x8a$\\x9f,\\x9b|\\x9b\\xa1h\\xd0\\x93\\xc3\\xc4\\x9ed\\xd3\\xb7\\xfa\\xb6m\\x06q\\x18\\x1eZ\\x98\\x07\\xa48\\xb6Z\\x1e\\x04\\xd8{\\xa1\\x9a\\x8d\\x186G-\\x7f\\x8f\\xb2\\x196Vw\\xfaU\\xd4\\xfd\\xa4\\xca\\xb1Q\\xd6\\xf1\\x1 [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOgwAATro"]
[Fri Mar 17 09:45:28.977539 2023] [:error] [pid 391411:tid 3760478402304] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50618] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOhAAATrk"]
[Fri Mar 17 09:45:28.979675 2023] [:error] [pid 391411:tid 3760470009600] [client 2607:e480:2:b:e93e:9932:e88d:d4f5:50619] [client 2607:e480:2:b:e93e:9932:e88d:d4f5] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 17)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.southingtonweather.com"] [uri "/upload.php"] [unique_id "ZBSZKAbXYfoz41S9hbZOgwAATro"]
Re: PHP Upload errors
Posted: Sun 19 Mar 2023 4:09 am
by Nossie
Have you asked if they can turn this off as an exception?
Re: PHP Upload errors
Posted: Sun 19 Mar 2023 6:22 am
by HansR
I can add to this error circus that my provider/hoster also produces errors in the log, although I do not see any consequences in the logs from either CMX or CUtils. The error is:
Code: Select all
2023-03-19 04:40:00.539898 [NOTICE] [121595] [T7] [<my URL>:51220-2#APVH_meteo-wagenborgen.nl:443] [MODSEC] mod_security rule [id "77142267"] at [/etc/httpd/conf/modsecurity.d/rules/custom/011_i360_1_infectors.conf:136] triggered!
If we look at the timing in the CMX log we see:
Code: Select all
2023-03-19 04:40:00.291 PHP[Int]: Upload process starting
2023-03-19 04:40:00.291 PHP[Int]: Uploading Extra file[0]: web/HWActueelT.txt
2023-03-19 04:40:00.292 Current CPU temp = 32,2°C
2023-03-19 04:40:00.295 PHP[Int]: Uploading Extra file[2]: web/HWActueelT.txt
2023-03-19 04:40:00.295 PHP[Int]: Uploading HWActueel.txt
2023-03-19 04:40:00.297 PHP[Int]: Uploading standard Data file: websitedata.json
2023-03-19 04:40:00.300 PHP[Int]: Uploading MeteoWagenborgenData.txt
2023-03-19 04:40:00.322 PHP[Int]: Uploading graph data file: winddata.json
2023-03-19 04:40:00.322 PHP[Int]: Uploading winddata.json
2023-03-19 04:40:00.325 PHP[Int]: Uploading graph data file: wdirdata.json
2023-03-19 04:40:00.325 PHP[Int]: Uploading wdirdata.json
2023-03-19 04:40:00.325 PHP[Int]: Uploading graph data file: tempdata.json
2023-03-19 04:40:00.326 PHP[Int]: Uploading tempdata.json
2023-03-19 04:40:00.326 PHP[Int]: Uploading graph data file: raindata.json
2023-03-19 04:40:00.326 PHP[Int]: Uploading raindata.json
2023-03-19 04:40:00.329 PHP[Int]: Uploading graph data file: humdata.json
2023-03-19 04:40:00.330 PHP[Int]: Uploading humdata.json
2023-03-19 04:40:00.331 PHP[Int]: Uploading graph data file: solardata.json
2023-03-19 04:40:00.331 PHP[Int]: Uploading solardata.json
2023-03-19 04:40:00.337 PHP[Int]: Uploading graph data file: pressdata.json
2023-03-19 04:40:00.337 PHP[Int]: Uploading pressdata.json
2023-03-19 04:40:00.396 PHP[Int]: HWActueel.txt: Response code = 200: OK
2023-03-19 04:40:00.410 PHP[Int]: Uploading websitedata.json
2023-03-19 04:40:00.535 PHP[Int]: MeteoWagenborgenData.txt: Response code = 200: OK
2023-03-19 04:40:00.535 PHP[Int]: winddata.json: Response code = 200: OK
2023-03-19 04:40:00.536 PHP[Int]: humdata.json: Response code = 200: OK
2023-03-19 04:40:00.706 PHP[Int]: websitedata.json: Response code = 200: OK
2023-03-19 04:40:00.870 PHP[Int]: raindata.json: Response code = 200: OK
2023-03-19 04:40:00.870 PHP[Int]: tempdata.json: Response code = 200: OK
2023-03-19 04:40:00.870 PHP[Int]: pressdata.json: Response code = 200: OK
2023-03-19 04:40:00.906 PHP[Int]: wdirdata.json: Response code = 200: OK
2023-03-19 04:40:00.912 CustomHttpMinutes[0]: Response code - OK
2023-03-19 04:40:00.913 PHP[Int]: solardata.json: Response code = 200: OK
2023-03-19 04:40:00.913 PHP[Int]: Upload process complete
2023-03-19 04:40:01.212 WeatherCloud: Response = Success (OK): 200
2023-03-19 04:40:01.749 Reading live data
i.e. around 04:40:00.540 (just after humdata.json is confirmed) the error occurs.
I asked my provider if they could explain the rule.
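A small triage script, added here and not part of the thread or of Cumulus MX, that turns the bracketed `[key "value"]` fields of the ModSecurity lines quoted earlier in this thread (and the LiteSpeed/Imunify360 line in the post above) into one record per request: which rule ids fired, which request variable the pattern hit (ARGS_NAMES, i.e. the realtime data arriving as a parameter name rather than a value), the anomaly total reported by the 949110 blocking rule, and whether the request was denied. The hostnames, addresses and unique ids in the sample are constructed.

```python
import re

# Constructed sample lines modelled on the two formats quoted in this thread: Apache httpd
# with ModSecurity + OWASP CRS (rule 921150, then the 949110 blocking decision) and a
# LiteSpeed host running an Imunify360 custom rule. Hosts, addresses and ids are made up.
SAMPLE_LOG = r"""[Fri Mar 17 09:45:28.975753 2023] [:error] [pid 391411:tid 1] [client 2001:db8::1:50618] ModSecurity: Warning. Pattern match "[\\n\\r]" at ARGS_NAMES:17/03/23 12:45:29 49.8 60\r\n. [file "/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "172"] [id "921150"] [msg "HTTP Header Injection Attack via payload (CR/LF detected)"] [severity "CRITICAL"] [hostname "weather.example"] [uri "/upload.php"] [unique_id "REQ-A"]
[Fri Mar 17 09:45:28.977539 2023] [:error] [pid 391411:tid 1] [client 2001:db8::1:50618] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [hostname "weather.example"] [uri "/upload.php"] [unique_id "REQ-A"]
2023-03-19 04:40:00.539898 [NOTICE] [121595] [T7] [203.0.113.5:51220-2#APVH_weather.example:443] [MODSEC] mod_security rule [id "77142267"] at [/etc/httpd/conf/modsecurity.d/rules/custom/011_i360_1_infectors.conf:136] triggered!"""

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')                # the [key "value"] pairs
MATCH_RE = re.compile(r'Pattern match "(.*?)" at ([A-Z_]+)')  # regex and the variable it hit
SCORE_RE = re.compile(r"Total Score: (\d+)")
LSWS_FILE_RE = re.compile(r" at \[([^\]]+)\] triggered")      # LiteSpeed puts the rule file here

def parse_line(line):
    """Return one WAF event as a dict, or None for lines that are not WAF events."""
    if "ModSecurity:" not in line and "[MODSEC]" not in line:
        return None
    ev = dict(FIELD_RE.findall(line))
    if "id" not in ev:
        return None
    m = MATCH_RE.search(line)
    if m:  # which request variable the pattern fired in, e.g. ARGS_NAMES
        ev["pattern"], ev["variable"] = m.group(1), m.group(2)
    s = SCORE_RE.search(line)
    if s:  # the anomaly total reported by the CRS blocking rule
        ev["score"] = int(s.group(1))
    f = LSWS_FILE_RE.search(line)
    if f and "file" not in ev:
        ev["file"] = f.group(1)
    ev["denied"] = "Access denied" in line
    return ev

def summarize(log_text):
    """Group events per request (by unique_id; formats without one get one record per line)."""
    out = {}
    for n, line in enumerate(log_text.splitlines()):
        ev = parse_line(line)
        if ev is None:
            continue
        key = ev.get("unique_id", f"line-{n}")
        r = out.setdefault(key, {"uri": ev.get("uri"), "rules": [], "variables": [],
                                 "score": None, "denied": False})
        r["rules"].append(ev["id"])
        if "variable" in ev and ev["variable"] not in r["variables"]:
            r["variables"].append(ev["variable"])
        if "score" in ev:
            r["score"] = ev["score"]
        r["denied"] = r["denied"] or ev["denied"]
    return out
```

Run `summarize(SAMPLE_LOG)` over your own error log to see, per blocked upload, exactly which rule and variable your host's WAF objected to before asking for an exception.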
Re: PHP Upload errors
Posted: Sun 19 Mar 2023 4:03 pm
by WoodburyMan
Nossie wrote: ↑Sun 19 Mar 2023 4:09 am
Have you asked if they can turn this off as an exception?
Unfortunately they will not on the cheaper shared hosting plan I have, they require it on. I would have to upgrade to a virtual private server offering to do this. SFTP will work for now I suppose. I wish they would offer key based login vs just password though.
Re: PHP Upload errors
Posted: Sun 19 Mar 2023 4:09 pm
by HansR
HansR wrote: ↑Sun 19 Mar 2023 6:22 am
I can add to this error circus that my provider/hoster also produces errors in the log, although I do not see any consequences in the logs from either CMX or CUtils. The error is:
Code: Select all
2023-03-19 04:40:00.539898 [NOTICE] [121595] [T7] [<my URL>:51220-2#APVH_meteo-wagenborgen.nl:443] [MODSEC] mod_security rule [id "77142267"] at [/etc/httpd/conf/modsecurity.d/rules/custom/011_i360_1_infectors.conf:136] triggered!
[...]
I asked my provider if they could explain the rule.
I had a response telling me it was a module in the Plesk firewall for WebApplications where custom rule xxxx had triggered (Imunify360). I could disable the rule and the problem went away.
So this type of problem is highly dependent on your provider and how they facilitate the protection of the site.