Topic: conflict with mod_security
The fancy url feature seems to have a conflict with the apache mod_security module. When viewing some URLs, on the folder-based fancy system, it will cause mod_security to throw up an error and ban the user.
Here is a URL that caused the ban with folder-based (fancy) system on, don't know if that helps analyze the problem:
forums.fsmod.com/topic/8460/echo-base-assets/page/2/
It is to a private forum, so you wont actually be able to reach the page.
Here is a log from mod_security of the ban, from viewing said topic through folder-based (fancy). This does not occur using default URL style.
Time: Sat Mar 28 11:01:22 2009 -0500
IP: xx.xx.xx.xx
Failures: 15 (mod_security)
Interval: 300 seconds
Blocked: Yes
Log entries:
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/style/FirstStrike/FirstStrike_cs.css"] [unique_id "Sc5JzkKHIHsAAHPj2HEAAAAR"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/style/FirstStrike/FirstStrike.css"] [unique_id "Sc5JzkKHIHsAAHex5UUAAAAH"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/include/js/common.js"] [unique_id "Sc5JzkKHIHsAAHey5b0AAAAJ"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_bbcode/styles.css"] [unique_id "Sc5JzkKHIHsAAHXz35kAAAAO"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_bbcode/scripts.js"] [unique_id "Sc5JzkKHIHsAAHMp1V8AAAAL"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_quote/scripts.js"] [unique_id "Sc5Jz0KHIHsAAHYM5AkAAAAX"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/left.png"] [unique_id "Sc5Jz0KHIHsAAG15r80AAAAC"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/r2.jpg"] [unique_id "Sc5Jz0KHIHsAAHe55k0AAAAK"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/rot/img1.png"] [unique_id "Sc5Jz0KHIHsAAHey5b4AAAAJ"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/bg.gif"] [unique_id "Sc5Jz0KHIHsAAHPj2HIAAAAR"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/latestnewsbg.png"] [unique_id "Sc5Jz0KHIHsAAHex5UYAAAAH"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/holo.png"] [unique_id "Sc5Jz0KHIHsAAHMp1WAAAAAL"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/img/avatars/536.jpg"] [unique_id "Sc5Jz0KHIHsAAHXz35oAAAAO"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_bbcode/buttons/Oxygen/b.png"] [unique_id "Sc5Jz0KHIHsAAHYM5AoAAAAX"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/img/avatars/587.jpg"] [unique_id "Sc5Jz0KHIHsAAHXs3rIAAAAM"]