OK. I haven’t written long time on blog. Today I want to show you what sometimes
\nyum can do without your knowledge. Few days ago I was upgrading one of system using yum.
\nEverything looked fine. I was happy that sometimes yum is useful. After work I went sleep
\nand next day I received messages that smth is fu** up with www…<\/p>\n
\n… yep and the real history is starting now \ud83d\ude42 After update nobody can log into wordpress. When you go to site you saw only text and all design was not loaded. In logs I saw message 403 – Access Denied. Hm… but yesterday everything was working good. WTF? Someone compromised my box? Change the permission? Hm… let’s look… Hm… permission is good so why I have 403 message? Let’s look for rootkits \ud83d\ude42 After few hours I was almost\u00a0 sure that box was clean!
\nLet’s check another test. I was creating directory ‘wp-content’ on random site and put some random file. When I send request for this file i received\u00a0 403 message once again. When I moved file to upper directory – everything worked fine \ud83d\ude42 Strange \ud83d\ude42 Let’s look for logs once again… What I saw? Look:<\/p>\n
–c28ca12d-B–
\nGET \/wp-content\/themes\/gods-and-monsters\/style.css HTTP\/1.1
\n…
\n…
\n–c28ca12d-F–
\nHTTP\/1.1 403 Forbidden
\nContent-Length: 311
\nConnection: close
\nContent-Type: text\/html; charset=iso-8859-1<\/p>\n
–c28ca12d-H–
\nMessage: Pattern match “([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z_@>\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|l …” at REQUEST_URI_RAW. [file “\/etc\/httpd\/modsecurity.d\/base_rules\/modsecurity_crs_41_phpids_filters.conf”] [line “67”] [id “phpids-20”] [msg “Detects JavaScript language constructs”] [data “content\/”] [severity “CRITICAL”] [tag “WEB_ATTACK”]
\n…
\n…<\/p>\n
WTF? “Detects JavaScript language constructs” ? “CRITICAL” ? LOL Let’s look for this strange filter:<\/p>\n
-rw-r–r– 1 root root\u00a0 xxK 11-29 xx:xx modsecurity_crs_41_phpids_filters.conf
\n-rw-r–r– 1 root root\u00a0 xxK 11-29 xx:xx modsecurity_crs_40_generic_attacks.conf<\/p>\n
Hm this files was modified when i was upgrading system \ud83d\ude42 Line 67 looks like:<\/p>\n
SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:\/* “([^*:\\s\\w,.\\\/?+-]\\s*)?(?<![a-z]\\s)(?<![a-z_@>\\|])(\\s*return\\s*)?(?:globalstorage|sessionstorage|postmessage|cal
\nlee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeo
\nut|setinterval|void|setexpression|namespace|while)(?(1)[^\\w%\\”]|(?:\\s*[^@\\s\\w%\\”,.+\\-]))” “phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replace
\nComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:’Detects JavaScript language constructs’,id:’phpids-20′,tag:’WEB_ATTA
\nCK’,logdata:’%{TX.0}’,severity:’2′,setvar:’tx.msg=%{rule.msg}’,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}
\n”<\/p>\n
heh \ud83d\ude42 So everything which was in wp-content was blocked by mod_security \ud83d\ude42 I removed this line and some other strange (bad access wasn’t causes\u00a0 only by this line) and everything back to normal \ud83d\ude42<\/p>\n
Conclusion:
\n*) I always have been compiling by hand and modifying\u00a0 by hand everything so I always know what I do. When you are using automatic tools you can be surprised\u00a0 \ud83d\ude42
\n*) I didn’t believe that mod_security could causes this problem so I ignored this logs on first reading – and it causes longer time to discover real\u00a0 problem \ud83d\ude42
\n*) Automatic tool = faster but you should always check everything before you “Accept” his job \ud83d\ude42<\/p>\n
Best regards,
\nAdam Zabrocki<\/p>\n","protected":false},"excerpt":{"rendered":"
OK. I haven’t written long time on blog. Today I want to show you what sometimes yum can do without your knowledge. Few days ago I was upgrading one of system using yum. Everything looked fine. I was happy that sometimes yum is useful. After work I went sleep and next day I received messages […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,1],"tags":[],"class_list":["post-50","post","type-post","status-publish","format-standard","hentry","category-ideas","category-o-wszystkim-i-o-niczym"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50"}],"version-history":[{"count":4,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions"}],"predecessor-version":[{"id":54,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions\/54"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}