ModSecurity SQL Injection

[adeyjones]

Hi,
the last few days i've been battling with one specific website (out of many on the same server) which wont render correctly. When inspecting, the site loads as plain HTML and the console shows a load of 403 or 404 errors for every image, CSS file or JS script.
I have finally got it narrowed down to ModSecurity, I disabled this and the site loaded fine, re-enabled and it went back to being screwed up.
In the log, I have the following:
rule 980130: Inbound Anomaly Score Exceeded
rule 949110: Inbound Anomaly Score Exceeded
rule 942100: SQL injection attack detected via libinjection

This only started around 24th January, nothing had changed on the site at all, a few plugins were updated but have since been rolled back with no effect. What could be causing this and how do I find the root of the problem?

Thanks

 

[mtindor]

Those particular rules in that ruleset are often triggered falsely. I'm not one to suggest that you disable the rules globally. Just be aware that when I ran that ruleset (one week, short test) that particular ruleset available in cPanel was full of rules that generated false positives and was pretty much useless in my mind unless one disables all of the rules generating false positives. And then if one disables the rules generating false positives, one likely increases the risk of something getting through that should have been blocked.

I don't know how anyone runs that particular ruleset.

 

[adeyjones]

Thanks for your reply. I know very little about ModSecurity, my server support guys advised me to disable it for the affected account - what would you recommend in this case?

 

[mtindor]

Thanks for your reply. I know very little about ModSecurity, my server support guys advised me to disable it for the affected account - what would you recommend in this case?

I'm not recommending anything. If you are going to run that ruleset, understand that those particular rules in the ruleset are very prone to false positives (especially on Wordpress sites, but not only with Wordpress sites). So you shouldn't be surprised if you have to disable those rules for some other site(s) down the road just to keep your sanity.

 

[cPRex]

Thanks for the details, @mtindor !

@adeyjones - as mentioned, sometimes even a default ruleset will cause issues for a site. It may be necessary to disable those rules through WHM in order to get things working, but that's really up to you/your server admin to evaluate.