I have a copy of phpMyAdmin in one of my server in a subdomain 'pma' and inside a directory in it named 'app' (manual installed from zip archive, not via yum), which I use for DB related management and it was working ok for couple of months. A couple of days ago my local IP got blocked while trying to login there and after much digging following log found in /var/log/apache2/error_log (replaced my local IP and server domain with <PLACEHOLDER_TEXT> for obvious reasons)
[Fri Jan 07 11:37:54.198143 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/themes/pmahomme/img/ajax_clock_small.gif"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.198701 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.215776 2022] [core:error] [pid 60361] [client <IP_ADDRESS>:60532] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.235059 2022] [core:error] [pid 60364] [client <IP_ADDRESS>:60535] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Fri Jan 07 11:37:54.238782 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.238830 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.244507 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.244559 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
While I'm ok with SSH and CLI, I'm not a core server admin, and it took me some time and help from both ISP and Hosting Provider to figure out the IP ban issue in CSF/LFD, but I'm trying to understand the actual issue so it can be avoided in future. Can anyone decipher the reason? thanks!
