GoogleBot and modsecurity

sahostking

[Tue Nov 19 11:50:13.329949 2019] [:error] [pid 206583:tid 47276449986304] [client 35.243.115.20:57622] [client 35.243.115.20] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Attack Detected via libinjection"] [tag "event-correlation"] [hostname "www.sitedomain.com"] [uri "/index.php"] [unique_id "XdO61TVLl3ZTUBSeVvkGagAAAUw"]

[Tue Nov 19 11:51:07.093268 2019] [:error] [pid 206683:tid 47276456290048] [client 35.243.115.20:35058] [client 35.243.115.20] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: <?xml version found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "www.sitedomain.com"] [uri "/xmlrpc.php"] [unique_id "XdO7C@-@@N87oYyMoiLcoQAAAY8"]


Are these Googlebot blocks from ModSecurity?
 

cPanelLauren

The IP is owned by Google, but it is NOT an official Google IP. It's clearly stated in the whois that these are IPs in use by Google Cloud customers:

Code:
NetRange:       35.208.0.0 - 35.247.255.255
CIDR:           35.208.0.0/12, 35.224.0.0/12, 35.240.0.0/13
NetName:        GOOGLE-CLOUD
NetHandle:      NET-35-208-0-0-1
Parent:         NET35 (NET-35-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Google LLC (GOOGL-2)
RegDate:        2017-09-29
Updated:        2018-01-24
Comment:        *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment:        Direct all copyright and legal complaints to
Comment:        https://support.google.com/legal/go/report
Comment:
Comment:        Direct all spam and abuse complaints to
Comment:        https://support.google.com/code/go/gce_abuse_report
Comment:
Comment:        For fastest response, use the relevant forms above.
Comment:
Comment:        Complaints can also be sent to the GC Abuse desk
Comment:        ([email protected])
Comment:        but may have longer turnaround times.
Ref:            https://rdap.arin.net/registry/ip/35.208.0.0
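Added example, not part of the original thread and not cPanel or ModSecurity code: a small Python triage script that pulls the client IP, rule id and URI out of ModSecurity error-log lines and tags each client against the three GOOGLE-CLOUD CIDR blocks from the whois output above. The sample log is an abridged copy of the two lines from the question plus one constructed line using a documentation address; the function names are hypothetical.

```python
import ipaddress
import re

# CIDR blocks copied from the whois output in the thread (NetName GOOGLE-CLOUD).
# Per the whois comment these are rented to Google Cloud customers.
GOOGLE_CLOUD_CUSTOMER_NETS = [
    ipaddress.ip_network(c)
    for c in ("35.208.0.0/12", "35.224.0.0/12", "35.240.0.0/13")
]

# Abridged copies of the two log lines in the question; the third line is constructed.
SAMPLE_LOG = """
[Tue Nov 19 11:50:13 2019] [:error] [client 35.243.115.20:57622] [client 35.243.115.20] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [id "980130"] [msg "Inbound Anomaly Score Exceeded"] [uri "/index.php"]
[Tue Nov 19 11:51:07 2019] [:error] [client 35.243.115.20:35058] [client 35.243.115.20] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/xmlrpc.php"]
[Tue Nov 19 11:52:00 2019] [:error] [client 203.0.113.7:40000] [client 203.0.113.7] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/index.php"]
"""

CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
FIELD_RE = re.compile(r'\[(id|msg|uri|severity) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return the client IP and selected fields, or None for non-ModSecurity lines."""
    match = CLIENT_RE.search(line)
    if "ModSecurity:" not in line or match is None:
        return None
    event = {"client": match.group(1)}
    for key, value in FIELD_RE.findall(line):
        event.setdefault(key, value)  # keep the first occurrence of each field
    return event

def classify_client(ip):
    """Tag an address that falls inside the whois-listed customer ranges."""
    addr = ipaddress.ip_address(ip)
    for net in GOOGLE_CLOUD_CUSTOMER_NETS:
        if addr in net:
            return f"google-cloud-customer ({net})"
    return "outside-listed-ranges"

def summarize(log_text):
    """Parse every ModSecurity line and attach the origin tag."""
    events = [parse_modsec_line(line) for line in log_text.splitlines()]
    return [dict(e, origin=classify_client(e["client"])) for e in events if e]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row["client"], row["origin"], row.get("id"), row.get("uri"))
```

A match only says the address sits in the customer-rented allocation described by the whois record; the script makes no claim about who is operating the client.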