Google bot triggering OWASP modsecurity rule 949110

[aeroweb]

Last few days we have been noticing that Google crawler IP's (i.e. 66.249.xxx.xxx) have stared being blocked by the OWASP modsecurity rules. This is not an isolated case, we have many servers and the same issues has been seen across all of them. Previously we had no issues like this related to the OWASP rules and Google crawler. I pasted the information on the blocking below.

Has anyone else noticed this happeneing on their servers?

[Tue Jan 17 07:27:50.151353 2023] [:error] [pid 26431:tid 47538366150400] [client 66.249.65.152:44811] [client 66.249.65.152] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.redacted.com"] [uri "/"] [unique_id "Y8aURs22p6M8oG4bTN6gewAAAJg"]

 

[cPRex]

Hey there! This isn't a new thing, as this happens with people once in a while when ModSecurity gets overly protective. Here is a similar thread from 10 years ago:

Mod Security Rules Incorrectly Blocking Googlebot

Hello everyone I'm using CSF Firewall in my blog and the problem is the Mod_Security rules incorrectly blocks Googlebot regularly. It is happening almost every week. In past I have removed a Mod Security rule which was blocking Googlebot and now a new Mod Security rule 950005 is blocking...

forums.cpanel.net

It's best to just adjust ModSecurity to not block that traffic.

 

[ciao70]

Hi,

Check the Modsecurity log carefully, because there is probably some other rule that triggers the 949110

 

[aeroweb]

Thanks for the info, much appreciated.

The strange thing is, we've used modsecurity with the OWASP rules setup on our servers for years now. And yes, we would occasionally get false positives and see the Google Bot being blocked over the years, however in the last 3 days or so we've gotten hundreds of blocks which is very unusual. Do you know if anything has changed recently, have any of the OWASP rules been updated?

Thanks

 

[cPRex]

You can check and see if there has been an update to the package through the /var/log/dnf.rpm.log log file. On my personal machine, the last OWASP update was Jan 5:

2023-01-05T05:34:47-0500 SUBDEBUG Upgrade: ea-modsec2-rules-owasp-crs-3.3.4-1.1.2.cpanel.x86_64

 

[aeroweb]

I do not have a dnf.rpm.log file. I checked the yum.log files and its not in there.

I also checked /etc/apache2/conf.d/modsec_vendor_configs/OWASP3 but it appears that the rule files here get updated daily when cPanel runs its update cron.

 

[aeroweb]

After further review of both the mod-security logs and Apache logs it appears that the Googlebot is actually triggering rule: 942100 "sql injection attack detected via libinjection"

The Google bot seems to be hitting the servers with hundreds of GET requests against WordPress websites using the build in WordPress search feature (/?s=). See below.

GET  /?s=%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9E-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%96%A6DD96%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1-%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9Efdxpr-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%96%A6DD96%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1td3t-%E9%9B%B2%E9%A0%82%E9%AB%98%E5%8E%9F%E6%99%AF%E9%BB%9Ebebzt-%E5%9C%A8%E7%B7%9A%E7%A0%B8%E9%87%91%E8%8A%B1epvh