Mod_security: Access Denied With Code 406. Pattern Match

Feb 22, 2008

Taken from apache error logs, are these below legit or false alarms per se? This same customer is having issues with php sendmail (server uses php 5 w/ phpsuexec enabled)

[Thu Feb 21 17:02:02 2008] [error] [client 216.9.250.112] mod_security: Access denied with code 406. Pattern match "!^[0-9a-z]*$" at COOKIE("PHPSESSID") [hostname "www.clientdomain.com"] [uri "/%23URL.ImagURL%23"]

[Fri Feb 22 10:13:18 2008] [error] [client 189.24.155.203] mod_security: Access denied with code 406. Pattern match "',''));" at POST_PAYLOAD [hostname "clientdomain.com"] [uri "/xmlrpc.php"] ....


Pattern Match

Jun 20, 2007

mod_security: Access denied with code 406. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" at POST_PAYLOAD [hostname "domain.us"] [uri "/_vti_bin/_vti_aut/author.exe"]

This is my mod security rules.conf file

Code:
#Enforce proper HTTP requests
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

#Generic rule for allowed characters, very broken at the moment, dont use it unless you can fix it
#Then post your fix eh!
#SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9.+_/-?=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" "chain,id:340003,rev:1,severity:2,msg:'Content Length not provided with POST'"
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

#HTTP response splitting generic sigs
SecFilter "Content-Length:.*Content-Type:.*Content-Type:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"

#HTTP response splitting generic sigs
SecFilter "Content-Length:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type:" chain
SecFilter "Content-Type:"

#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"

#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"


#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

#Code injection via content length
SecFilterSelective HTTP_Content-Length ";(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST "<(.|\n)+>"

#generic recursion signatures
SecFilterSelective REQUEST_URI "!(alt_mod_frameset.php)" "chain,id:300004,rev:1,severity:2,msg:'Generic Path Recursion denied'"
SecFilterSelective THE_REQUEST "\.\./\.\./"
#generic path recursion sig

#generic recursion signatures
SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"

#generic bogus path sigs
SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
SecFilterSelective POST_PAYLOAD "[[:space:]]+\.\.\.+;" "id:300007,rev:1,severity:2,msg:'Bogus Path denied'"

#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\);" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\);" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"


ModSecurity: Access Denied With Code 400 (phase 2)

Oct 17, 2007

We have a small hosting reseller account at eNom. We have a new customer that moved his website from another hosting company to ours. The website is on a shared IP. Enom also uses an internal IP for internal use associated to the domain.

The problem we have is that AOL users can not see the website. As far as we can tell no other ISPs are having this problem. Everyone can see it except AOL users.

When AOL users go to the site they get "Page can not be found". After several calls to eNom support and them triple checking the DNS we still have the problem.

I looked at the error log for the website this morning. I found several errors. I looked up the IPs with the errors and they all pointed back to AOL. See below for two examples of the errors....

Is this a server problem or DNS?

What do these errors mean and what do I do about it?

The domain is http://2hotlicks.com . They sell hot sauce. Would AOL block it because of the keywords in the domain name?

[Wed Oct 17 08:11:56 2007] [error] [client 207.200.116.7] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/"] [unique_id "uPWvAgoHAlYAAA25N5AAAAAI"]

[Tue Oct 16 13:11:20 2007] [error] [client 207.200.116.137] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/combos.htm"] [unique_id "yddhwAoHAlYAAEEfgyEAAAAi"]


IIS: Access Denied

May 7, 2009

I am installing a .NET application on a client's server but they don't know much about IIS and neither do I.

I am having an access denied issue when browsing a recently installed website on a fresh .NET framework. The "%systemroot%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" folder appears to have the correct rights; I read that incorrect rights could be a reason for this issue. What else could it be?

Code:
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.IO.FileLoadException: Could not load file or assembly 'Puerto' or one of its dependencies. Access Denied.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Assembly Load Trace: The following information can be helpful to determine why the assembly 'Puerto' could not be loaded.

=== Pre-bind state information ===
LOG: User = NT AUTHORITY\Servicio de red
LOG: DisplayName = Puerto
(Partial)
LOG: Appbase = file:///C:/Inetpub/wwwroot/CFDOCS/home/
LOG: Initial PrivatePath = C:\Inetpub\wwwroot\CFDOCS\home\bin
Calling assembly : (Unknown).
===
LOG: This bind starts in default load context.
LOG: Using application configuration file: C:\Inetpub\wwwroot\CFDOCS\home\web.config
LOG: Using host configuration file: \\?\c:\windows\microsoft.net\framework\v2.0.50727\aspnet.config
LOG: Using machine configuration file from C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config.
LOG: Policy not being applied to reference at this time (private, custom, partial, or location-based assembly bind).
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/Temporary ASP.NET Files/web/13c8581c/98ca4568/Puerto.DLL.
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/Temporary ASP.NET Files/web/13c8581c/98ca4568/Puerto/Puerto.DLL.
LOG: Attempting download of new URL file:///C:/Inetpub/wwwroot/CFDOCS/home/bin/Puerto.DLL.
ERR: Failed to complete setup of assembly (hr = 0x80070005). Probing terminated.

Stack Trace:

[FileLoadException: Could not load file or assembly 'Puerto' or one of its dependencies. Acceso denegado.] ....


Access Denied

Jan 22, 2007

All the users on my server say that at the same time they have an error message: Access Denied


Server Access Denied

Sep 18, 2009

I have a strange problem that I encounter sometimes. I have 3 websites on my hosting account. About once a week, I will try to access one of those sites and I will get a timeout or connection error in my browser. I will not have any problem viewing any other websites and as soon as I restart my computer, I can view my sites again.

It seems like either my computer, wifi router, ISP or webhost decides to block me from accessing any of my 3 sites for no apparent reason. Restarting my computer fixes this. My IP does not change when I restart my computer, so I do not know why it would suddenly allow me access again, but it does.

What is this problem likely to be? A bug on my computer, a bug on my server? My ISP being retarded? No one else seems to have any problems accessing my site, so I would guess it is a local issue. What I can not figure out, though, is why it only happens to my own websites on my hosting account. This never happens when trying to view any other websites except my own (on my hosting account). This cannot be a coincidence. It is a big mystery to me.


Mysql Access Denied

Jun 5, 2009

I've set up a mysql user and assigned a password for it. When I try logging in to it with

Quote:

mysql -u USERNAME -p

and then providing the password I get an error:
Quote:

ERROR 1045 (28000): Access denied for user 'USERNAME'@'localhost' (using password: YES)

I don't have trouble logging in as root and when I check the user table there, the password assigned to the user is same as the value the mysql function PASSWORD gives me. Really driving me nuts here, why is it telling me the password is wrong when it's not?

I've tried: Restarting mysql
setting new password
changing username

Using mysql server 5.1.34


FTP: Access Denied On Whole Server

Apr 12, 2008

I have many accounts on my server. Everyone can connect via FTP, but when they try to upload something they get "access denied". I get it too; sometimes it works for a few minutes and then goes back to giving me access denied. I have not changed any settings since it was working just fine before. I checked the folder permissions and user permissions, used the chown command to make sure the folders belonged to the correct users/groups, and disabled the firewall: same thing. Any ideas what might be going on? Do you think I have a virus on the server? It's a Linux server.


Can't Check Anything Always Access Denied

Dec 5, 2008

I got this message in my DirectAdmin:

"This message has been automatically generated notifying you that the service httpd is currently down". I searched, and someone recommended checking using this command in SSH, and I got this message: "Could not open configuration file /etc/httpd/conf/extra/directadmin-vhosts.conf: Permission denied". I also get permission denied for anything related to Apache.


554 Relay Access Denied

Aug 9, 2007

I've got a dedicated server with Linux and I am using the vhcs2 control panel on the server.

I get a bounced message saying 554 <domain> Relay access denied.

I get this message for any email address I send to externally.

If I send emails to any email on the server, it works fine.

I am not familiar with the config of vhcs2 or how the mail works.


SSL Access Denied Error

Mar 8, 2007

Recently migrated a customer's website to a new server and transferred their SSL certificate. They are now reporting that some users are getting a "permission denied" error when trying to visit the site. The customer's developer and I are unable to reproduce the error anywhere.

Please click on this site and tell me if you get a "permission denied" error: www.accreditationnow.com/


Plesk 12.x / Windows :: Access Is Denied

Feb 15, 2015

In the last two days we have had a problem with Plesk on Windows Server 2008 R2; the Plesk version is 12. We get an "Access is denied" error in some parts of Plesk, for example: cannot add an email address, cannot edit an email address, cannot activate or suspend a domain. I contacted the support team and they solved the problem, but after one day the problem came back. I have attached the error log file and a screenshot of the errors.


TheNYNOC - Billing Error And Denied Access

Feb 18, 2009

I've had a tiny VPS with Nynoc for a while, and have been satisfied with its performance.

Today, I just purchased their supervps 3 ($15/mo) and paid 6 months in advance. Although the full amount of the purchase was $90, I was billed only $85 in the invoice. My paypal account showed they had deducted $5 immediately before the order. Anyways, I completed the payment and got confirmation email.

However, few hours later I come to learn via paypal emails that the subscription had been cancelled and the $85 payment refunded!

I tried to login to the client portal, and surprise! Access denied! I tried to reset the password using the "forgotten password" link, now it says my e-mail address doesn't even exist in the database!

I contacted support via e-mail and awaiting a reply.

In the past few months I've received some weird invoices from nynoc. Sometimes they sent me invoice for $0, and then notify me that the invoice was paid in full!

Clearly, their invoice & billing system is having trouble. And now I'm being locked out of my client area. (My old VPS is still running though.) Worse still, there was no word from the nynoc staff.

Has anybody experienced billing errors with nynoc?


401 Unauthorized: Access Is Denied Due To Invalid Credentials.

Dec 4, 2007

I have just installed WHMCS on a dedicated Windows 2003 Server box with Plesk 8.2. I am getting the above error when I try to go to the billing subdirectory (www.mydomain.com/billing), if I don't input a correct username/password. Inputting a username/pass does work, and I did so to install it, but obviously this is not a long term solution.

IUSR has read/execute/list rights to the parent httpdocs directory and inheritable permissions is checked. I have checked the child directories and files, and everything seems to have inherited the correct permissions.

I am able to otherwise access my website, as well as TCadmin.


MySQL: Access Denied For Root User

Oct 25, 2007

When I deleted a database, the user apparently was orphaned because when I tried to recreate it, it returned "user already exists". I've never encountered that problem although from Googling, I see others have and they delete the user to get around it.

When I log into mysql using the da_admin@ account and attempt to remove the user with drop user <user_name>; I receive the following error message:

ERROR 1227 (42000): Access denied; you need the CREATE USER privilege for this operation

It seems I don't have rights even as the root user. How can I remove the orphaned user?


Apache, Linux, Access Denied Error

Jan 2, 2007

I have apache, php, and mysql set up on CentOS 4.4. I have phpMyAdmin running perfectly in a folder in /var/www/html/phpMyAdmin. I can access phpMyAdmin and use it perfectly. I downloaded Cacti, which is a server monitoring application written in php, nothing special. I untar the file and it creates a folder; I simply do a mv command from /home/sys/cacti to /etc/www/html/cacti. Then when I open my browser and attempt to access: [url] I am getting an Access Denied error. It makes no sense though; I have verified the permissions of the files and folders, all good.

The group owner and owner are root, the files are all -rw-r--r-- and the folders are drwxr-xr-x.


Access Denied For User 'root'@'localhost

Jun 8, 2007

I'm getting the error after running
[root@server ~]# mysqladmin processlist

Quote:

mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'

I'm running plesk on FC4.

Not too sure why it says failed or denied, as I'm root?


Plesk 12.x / Windows :: Receive Error Access Denied

Mar 16, 2015

A few days ago, when I accessed Windows Plesk, I received the error Access Denied. [URL]..... Even though I followed these steps, I am still receiving Access Denied when I access it. I tried using Plesk Reconfigurator, putting psaadm permissions on all of C:, and updating Plesk and Windows, and I am still having this issue.


Plesk 12.x / Windows :: Operation Failed - Access Is Denied

Apr 6, 2015

Login Plesk 12 In Error :

Operation failed
The operation you were performing failed. You can retry the operation with or without changing its parameters. You may also want to report this problem to our support.

Error show :
Access is denied.
---------------------- Debug Info -------------------------------
Windows 2012 and Mssql 2012 .


DirectAdmin - Access Denied For User 'apache'@'localhost' (using Password: NO)

Jun 20, 2009

I get the following error when I let my site connect to my database: Access denied for user 'apache'@'localhost' (using password: NO)

But when I'm running a little test script which connects to my localhost with the same passwords, it gives the status 'Connection OK' (I'm running on the admin account, and made a MySQL account with DA)


Code:

<?php
$link = mysql_connect('localhost', 'admin_removed', 'removed');
if (!$link) {
    die('Could not connect to MySQL: ' . mysql_error());
}
echo 'Connection OK';
mysql_close($link);
?>


SMTP Server :: 550 Access Denied - Invalid HELO Name (See RFC2821 4.1.1.1)

Apr 21, 2009

Every time I send an email from my Outlook or on the webmail I get the following error; it's on my small VPS running cPanel.

I have already reinstalled the mail server, installed a different mail server, and also gone into the config and took this out in WHM, with no joy.

Code:
550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


WHM/Cpanel Not Working Via Web Interface.. Sites Still Online..getting Access Denied

Aug 7, 2008

I have someone who manages my box.. but lately he has been MIA.. and very hard to contact.

All of a sudden I realized that I cannot reach my cpanel or whm..

When I go to www.domain.com/cpanel it just says checking for connection.. and doesn't go anywhere.

If I go to domain.com:2082 it says 401 Access Denied

I tried rebooting the box..


ERROR 1044 (42000) At Line 15: Access Denied For User

Jul 2, 2008

My server is new from SoftLayer. When I try to restore a database, it gives me this message:

ERROR 1044 (42000) at line 15: Access denied for user 'mov_uu'@'localhost' to database 'mav2'

I tried to restore another database and it also gives a message:

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near

And I have an upload center. It was working 100%; suddenly it gives me
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request
------------------
also
Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0

Fatal error: Unknown: Failed opening required '/home/nameofuser/public_html/vb/index.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0


Apache :: Access Denied When Accessing New Virtual Host Site

Apr 28, 2015

I created a new virtual site and cloned an existing one to the new docroot to have content. But when I access it I receive the Access Denied you do not have permission to access . . . I've checked all my entries and, unless I'm blind, I cannot figure out how to remedy this on my Windows 2003R2 server running Apache 2.2.x.


Plesk 12.x / Linux :: Client Host Rejected - Access Denied

Jul 9, 2014

I migrated from Plesk 9.5 to another server with Plesk 12.0.18, and since then Outlook and the default mail app on the iPhone don't work, but Thunderbird and webmail work well.

In Outlook, when I use the same configuration as in Thunderbird and try to send mail out from my domain, it gives this error:

Error del servidor: '554 5.7.1 <244.Red-88-18-221.staticIP.rima-tde.net[88.18.221.244]>: Client host rejected: Access denied

I don't know if Outlook is badly configured, but with Plesk 9.5 it worked well, and now nothing.

I can receive mail but not send.








Copyrights 2005-15 www.BigResource.com, All rights reserved