503 on request with query params


#1

Hello,

I’m getting a 503 response from one of my domains when I request a page that has query arguments:

http://archinspection.com/lib/get.php?pageid=1&attr=body

The error log shows:
[Wed May 12 13:39:41 2010] [error] [client 207.162.221.40] ModSecurity: Access denied with code 503 (phase 2). Pattern match “/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?” at REQUEST_URI. [file “/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf”] [line “39”] [hostname “archinspection.com”] [uri “/lib/get.php”] [unique_id “S@sSDUWjyI8AAHysCZIAAAAC”]

I have no .htaccess files set up. Fairly new to DreamHost so I’m not familiar with everything yet. Looks like maybe this is some server-level security thing. Are we not allowed to use query args? The phpinfo dump shows that PHP is configured to accept them…

If anyone’s got any info on what might be going on I’d appreciate it!


#2

What is the file permission?

If you are not sure how to check file permissions, go to the directory where get.php is located and type the command "ls -la"
http://wiki.dreamhost.com/Unix_File_Permissions



#3

Either rename the script to something other than “get.php” — that filename is associated with certain types of attacks — or disable ModSecurity (“Enhanced Security”) on the domain.
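
The match described in post #3 can be reproduced offline. This is an added example, not part of the original thread: it runs the pattern quoted in the error log from post #1 against constructed request URIs, assuming the rule sees REQUEST_URI with no transformations applied. `fetch.php` and the other sample paths are made up.

```python
import re

# Pattern copied from the ModSecurity log line in post #1
# (rule file 50_asl_rootkits.conf, line 39).
# Assumption: matched against REQUEST_URI as-is, case-sensitively.
PATTERN = re.compile(
    r"/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root"
    r"|spy|nmap|asc|lila)"
    r"\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
)

def explain(request_uri):
    """Return (blocked, matched_text, basename, extension) for one URI."""
    m = PATTERN.search(request_uri)
    if m is None:
        return (False, None, None, None)
    # group 1 = listed basename, group 4 = listed extension
    return (True, m.group(0), m.group(1), m.group(4))

# Constructed sample URIs (path plus query string, as REQUEST_URI carries it).
SAMPLES = [
    "/lib/get.php?pageid=1&attr=body",    # the request from post #1
    "/lib/get.php",                       # same script, no query string
    "/lib/fetch.php?pageid=1&attr=body",  # hypothetical renamed script
    "/lib/widget.php?id=1",               # "get" not directly after "/"
    "/shell.js?v=3",                      # other basenames on the list
    "/img/root.png?w=200",
]

def triage(uris):
    """Map each URI to True if the rule would deny it."""
    return {u: explain(u)[0] for u in uris}

if __name__ == "__main__":
    for uri in SAMPLES:
        blocked, text, name, ext = explain(uri)
        if blocked:
            print(f"DENY  {uri}  matched {text!r} (name={name}, ext={ext})")
        else:
            print(f"ALLOW {uri}")
```

The rule needs three things together: a listed basename directly after a `/`, a listed extension, and a literal `?`. That is why the same script is served without a query string and why renaming it clears the 503.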


#4

That is good to know :)



#5

Where’s the file get.php?
Thanks

I have the same problem.
They seem to be failing, but they just won’t stop.

[error] [client 187.40.206.191] ModSecurity: Access denied with code 503 (phase 2)

In my .htaccess file I inserted the following for all the intruding IPs (about 20 IPs):
allow from all
deny from 187.40.206.191
deny from 77.xx.xx (complete IP)

In recent days they have increased.
What can I do?


#6

I’m not sure exactly what issue you’re seeing, but it probably isn’t related to the one being reported in this thread. Start a new thread and carefully explain what issues you’re having.