PHP Injection Attack: Variable Function Call Found

Hello, for a week now I can’t edit the wiki on my site; I’m getting an “internal server error”.

I changed nothing in the hosting config files and of course I am not trying to sabotage myself by submitting “code” or similar stuff, lol.
Did DreamHost upgrade the security and now I’m getting false positives?

[Sat Jan 30 02:05:04.897305 2021] [:error] [pid 17654:tid 3905165440768] ModSecurity: Warning. Pattern match "(?:(?:\\\\(|\\\\[)[a-zA-Z0-9_.$\\"'\\\\[\\\\](){}/*\\\\s]+(?:\\\\)|\\\\])[0-9_.$\\"'\\\\[\\\\](){}/*\\\\s]*\\\\([a-zA-Z0-9_.$\\"'\\\\[\\\\](){}/*\\\\s].*\\\\)|\\\\([\\\\s]*string[\\\\s]*\\\\)[\\\\s]*(?:\\"|'))" at ARGS:title. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "502"] [id "933210"] [msg "PHP Injection Attack: Variable Function Call Found"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [uri "/index.php"] [unique_id "YBUvUEfbTwpy4vey5-eKUgAAANA"]
[Sat Jan 30 02:05:04.940106 2021] [:error] [pid 17654:tid 3905165440768] [client] ModSecurity: Warning. Operator GT matched 1 at TX:executing_anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980120"] [msg "Inbound Anomaly Score (Total Inbound Score: 0 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [uri "/index.php"] [unique_id "YBUvUEfbTwpy4vey5-eKUgAAANA"]

I have a couple wiki sites (MediaWiki), and I haven’t noticed any change, but DH is constantly upgrading systems (usually for the better…). A common problem might be a PHP update that is incompatible with older wiki software.

Besides the ModSecurity warnings, are there any errors in the logs?

The ModSecurity warnings can generally be ignored. ModSecurity blocks a wide variety of known attacks, and there are bots constantly probing websites. Those same warnings appear dozens of times in my error logs across several sites.

About the ModSecurity warnings – these are typically generated by bots. For example, the second warning line is from a WebMeUp IP address (probably their BlexBot). The first warning doesn’t have an IP address. Did you remove the IP address? That would tell us who triggered the security warning.

Thanks for your suggestions.
I upgraded PHP (which was a bad move, as you said, because the wiki software is old).
Fixed by turning off ModSecurity. Maybe I should keep it on and lower its settings, but I’m a noob lolloloolloolol.
I will update the wiki and PHP, then turn ModSecurity on again.
Will do the same with phpBB.
My nerves are not ready for updates :stuck_out_tongue:
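An added example, not part of the thread: a small triage script that groups ModSecurity warnings by `unique_id`, so that the rule that fired, the request argument it matched, and the client address logged on any line of the same request end up in one record. The sample lines are constructed in the format quoted above (pattern text shortened, file fields dropped, client IPs and unique_id values made up), and the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the log format quoted in the thread
# (pattern shortened; client IPs and unique_id values are made up).
SAMPLE_LOG = """\
[Sat Jan 30 02:05:04.897305 2021] [:error] [pid 1:tid 2] ModSecurity: Warning. Pattern match "(?:...)" at ARGS:title. [id "933210"] [msg "PHP Injection Attack: Variable Function Call Found"] [severity "CRITICAL"] [uri "/index.php"] [unique_id "REQ-A"]
[Sat Jan 30 02:05:04.940106 2021] [:error] [pid 1:tid 2] [client 203.0.113.7] ModSecurity: Warning. Operator GT matched 1 at TX:executing_anomaly_score. [id "980120"] [msg "Inbound Anomaly Score (Total Inbound Score: 0 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [uri "/index.php"] [unique_id "REQ-A"]
[Sat Jan 30 02:07:11.000001 2021] [:error] [pid 1:tid 3] [client 198.51.100.9] ModSecurity: Warning. Pattern match "(?:...)" at ARGS:q. [id "933210"] [msg "PHP Injection Attack: Variable Function Call Found"] [uri "/search.php"] [unique_id "REQ-B"]
"""

FIELD = re.compile(r'\[(id|msg|uri|unique_id) "((?:[^"\\]|\\.)*)"\]')
CLIENT = re.compile(r'\[client ([^\]]+)\]')          # "[client]" with no address does not match
TARGET = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')  # variable the rule matched, e.g. ARGS:title
SCORE = re.compile(r'\b([A-Z]+)=(\d+)')               # per-category scores in the 980120 message

def correlate(log_text):
    """Group ModSecurity warnings by unique_id (one id per HTTP request)."""
    requests = defaultdict(lambda: {"client": None, "uri": None, "rules": [], "scores": {}})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "unique_id" not in fields:
            continue
        req = requests[fields["unique_id"]]
        req["uri"] = fields.get("uri", req["uri"])
        client = CLIENT.search(line)
        if client:                        # any line of the request may carry the address
            req["client"] = client.group(1)
        if fields.get("id") == "980120":  # correlation rule: keep the score breakdown
            req["scores"] = {k: int(v) for k, v in SCORE.findall(fields.get("msg", ""))}
        elif "id" in fields:              # detection rule: record (rule id, matched variable)
            target = TARGET.search(line)
            req["rules"].append((fields["id"], target.group(1) if target else None))
    return dict(requests)

if __name__ == "__main__":
    for uid, req in correlate(SAMPLE_LOG).items():
        print(uid, req["client"], req["uri"], req["rules"], req["scores"])
```

A rule id and variable pair that keeps appearing for legitimate edits, such as 933210 on ARGS:title here, is the candidate for a targeted exclusion.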