Facebook
Twitter
- Server operating system version
- windows server 2022
- Plesk version and microupdate number
- Plesk Obsidian 18.0.45
Hello everybody,
Some of my website visitor are getting FORBIDDEN ACCESS DENIED on my website. below is the information on modsecurity log:
15708555501342031954 141.101.107.81 80 127.0.0.1 80
--43640000-B--
GET /favicon.ico HTTP/1.1
Connection: Keep-Alive
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.9
Cookie: _ga=GA1.2.1221049718.1650885333; twk_uuid_5ba4c8f8c9abba579677c378=%7B%22uuid%22%3A%221.F1GMXvghCqje8vCJpemkoTmLH6jVoQ0AlUenfAQS5kmj4wbQiEe8TT3LGLiLMnj5Qu1rpCQFGj9a9Dizjxw2103XJnhDsOoclhkDJk3PkA9RLpZ39P1WXJRd38vuuOzucApzEbLmhsoi%22%2C%22version%22%3A3%2C%22domain%22%3A%22gs1ng.org%22%2C%22ts%22%3A1657392526214%7D
User-Agent: Mozilla/5.0 (Linux; Android 9; MRD-LX1F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Mobile Safari/537.36
X-Forwarded-For:
CF-RAY: 73b0fb2f4851e628-LHR
X-Forwarded-Proto: http
CF-Visitor: {"scheme":"http"}
CF-Connecting-IP:
CF-IPCountry: NG
CDN-Loop: cloudflare
--43640000-F--
HTTP/1.1 500 Internal Server Error
--43640000-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[\"'`]\\s*?(?
?:n(?:and|ot)|(?:x?x)?or|between|\\|\\||and|div|&&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|like(?:\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|\\W*?[\"'`\\d])|[^?\\w\\s=.,(]++\\s*?[(@\"'`]*?\\s*?\\w+\\W+\\w|\\*\\s*?\\w+\\W+[\"'`])|(?:unio ..." at REQUEST_COOKIES:twk_uuid_5ba4c8f8c9abba579677c378. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "750"] [id "942260"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \x22:\x221.F found within REQUEST_COOKIES:twk_uuid_5ba4c8f8c9abba579677c378: {\x22uuid\x22:\x221.F1GMXvghCqje8vCJpemkoTmLH6jVoQ0AlUenfAQS5kmj4wbQiEe8TT3LGLiLMnj5Qu1rpCQFGj9a9Dizjxw2103XJnhDsOoclhkDJk3PkA9RLpZ39P1WXJRd38vuuOzucApzEbLmhsoi\x22,\x22version\x22:3,\x22domain\x22:\x22gs1ng.org\x22,\x22ts\x22:1657392526214}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "
Action: Intercepted (phase 2)
Apache-Handler: IIS
Stopwatch: 1660556556703477 0 (- - -)
Stopwatch2: 1660556556703477 0; combined=0, p1=0, p2=0, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for IIS (STABLE)/2.9.5 (GitHub - SpiderLabs/ModSecurity: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence. OWASP_CRS/3.3.2.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"
--43640000-Z--
Please I need help in resolving this issue.
Did I need to add this rule to exempt it or this is a malecious activity.
I found out that all visitors having this issue has this cookies "twk_uuid_5ba4c8f8c9abba579677c378" in there browser.
When I manually delete the cookies, the website will open.
I don't know how this cookies is getting into the browser
Some of my website visitor are getting FORBIDDEN ACCESS DENIED on my website. below is the information on modsecurity log:
15708555501342031954 141.101.107.81 80 127.0.0.1 80
--43640000-B--
GET /favicon.ico HTTP/1.1
Connection: Keep-Alive
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.9
Cookie: _ga=GA1.2.1221049718.1650885333; twk_uuid_5ba4c8f8c9abba579677c378=%7B%22uuid%22%3A%221.F1GMXvghCqje8vCJpemkoTmLH6jVoQ0AlUenfAQS5kmj4wbQiEe8TT3LGLiLMnj5Qu1rpCQFGj9a9Dizjxw2103XJnhDsOoclhkDJk3PkA9RLpZ39P1WXJRd38vuuOzucApzEbLmhsoi%22%2C%22version%22%3A3%2C%22domain%22%3A%22gs1ng.org%22%2C%22ts%22%3A1657392526214%7D
User-Agent: Mozilla/5.0 (Linux; Android 9; MRD-LX1F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Mobile Safari/537.36
X-Forwarded-For:
CF-RAY: 73b0fb2f4851e628-LHR
X-Forwarded-Proto: http
CF-Visitor: {"scheme":"http"}
CF-Connecting-IP:
CF-IPCountry: NG
CDN-Loop: cloudflare
--43640000-F--
HTTP/1.1 500 Internal Server Error
--43640000-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[\"'`]\\s*?(?
?:n(?:and|ot)|(?:x?x)?or|between|\\|\\||and|div|&&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|like(?:\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|\\W*?[\"'`\\d])|[^?\\w\\s=.,(]++\\s*?[(@\"'`]*?\\s*?\\w+\\W+\\w|\\*\\s*?\\w+\\W+[\"'`])|(?:unio ..." at REQUEST_COOKIES:twk_uuid_5ba4c8f8c9abba579677c378. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "750"] [id "942260"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \x22:\x221.F found within REQUEST_COOKIES:twk_uuid_5ba4c8f8c9abba579677c378: {\x22uuid\x22:\x221.F1GMXvghCqje8vCJpemkoTmLH6jVoQ0AlUenfAQS5kmj4wbQiEe8TT3LGLiLMnj5Qu1rpCQFGj9a9Dizjxw2103XJnhDsOoclhkDJk3PkA9RLpZ39P1WXJRd38vuuOzucApzEbLmhsoi\x22,\x22version\x22:3,\x22domain\x22:\x22gs1ng.org\x22,\x22ts\x22:1657392526214}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "Action: Intercepted (phase 2)
Apache-Handler: IIS
Stopwatch: 1660556556703477 0 (- - -)
Stopwatch2: 1660556556703477 0; combined=0, p1=0, p2=0, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for IIS (STABLE)/2.9.5 (GitHub - SpiderLabs/ModSecurity: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence. OWASP_CRS/3.3.2.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"
--43640000-Z--
Please I need help in resolving this issue.
Did I need to add this rule to exempt it or this is a malecious activity.
I found out that all visitors having this issue has this cookies "twk_uuid_5ba4c8f8c9abba579677c378" in there browser.
When I manually delete the cookies, the website will open.
I don't know how this cookies is getting into the browser
