
Recently, I was passed some error logs to take a look into, since we'd had some network spikes. However, I've never worked with modsecurity (I'm a programmer just doing this since we don't have a real sysadmin), and something alarming came up.

ModSecurity: Access denied with code 503 (phase 2). Pattern match
--cut--
[line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"]

The words critical, command shell, and attack are probably not something good. I think "remote include command shell" meant a hacker was trying to pull up a shell without authorization, but that's more of a guess than anything.

Can someone tell me what's going on here, or link to some documentation I should read? Would the frequency of entries mean anything?

masegaloeh
waiwai933

2 Answers


You should be able to find out which rule is triggering this by looking into the file that should be listed before [line "23"], and having a look at what's on Line 23. Whatever was on there was what triggered the alert and should help you narrow it down.

Mark Henderson

The frequency probably indicates that this is a bot triggering the mod_security rule. It will be trawling websites across the internet trying to find badly configured webservers to exploit.

The fact that this is showing up in your log files is a good thing, it means that mod_security has done its job and detected/prevented the attack.
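As an added example that is not part of either answer above: the two suggestions (open the rule file and line named in the [file "..."] and [line "..."] tags, and look at how often and from where the entries arrive) can both be answered by parsing the error log rather than reading it by hand. The script below pulls the bracketed fields out of ModSecurity 2.x lines in an Apache 2.2-style error log and counts hits per rule id, per client address and per hour. The log lines are constructed for the example: the rule id, message and severity are the ones quoted in the question, but the file path, client addresses, timestamps, the second rule (id 123456) and the matched pattern text are placeholders, not anything from the asker's server.

```python
import re
from collections import Counter

# Constructed sample lines (not from the question's server). Layout follows what
# ModSecurity 2.x writes into an Apache 2.2 error log. Path, clients, timestamps,
# rule id 123456 and the pattern text are placeholders for the example.
SAMPLE_LOG = [
    '[Mon Mar 21 10:14:02 2011] [error] [client 198.51.100.23] ModSecurity: Access denied with code 503 (phase 2). '
    'Pattern match "<pattern omitted>" at ARGS:page. [file "/etc/httpd/modsecurity.d/example_rules.conf"] '
    '[line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] '
    '[severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"]',
    '[Mon Mar 21 10:14:05 2011] [error] [client 198.51.100.23] ModSecurity: Access denied with code 503 (phase 2). '
    'Pattern match "<pattern omitted>" at ARGS:page. [file "/etc/httpd/modsecurity.d/example_rules.conf"] '
    '[line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] '
    '[severity "CRITICAL"] [hostname "www.example.com"] [uri "/about.php"]',
    '[Mon Mar 21 11:02:40 2011] [error] [client 203.0.113.7] ModSecurity: Access denied with code 503 (phase 2). '
    'Pattern match "<pattern omitted>" at ARGS:page. [file "/etc/httpd/modsecurity.d/example_rules.conf"] '
    '[line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] '
    '[severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"]',
    # A non-blocking rule hit (ModSecurity writes "Warning." instead of "Access denied").
    '[Mon Mar 21 11:03:10 2011] [error] [client 198.51.100.23] ModSecurity: Warning. '
    'Pattern match "<pattern omitted>" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/example_rules.conf"] '
    '[line "41"] [id "123456"] [msg "Placeholder rule used only for this example"] [severity "WARNING"] '
    '[hostname "www.example.com"] [uri "/index.php"]',
    # An ordinary Apache error line that has nothing to do with ModSecurity and must be skipped.
    '[Mon Mar 21 11:05:00 2011] [error] [client 198.51.100.23] File does not exist: /var/www/html/favicon.ico',
]

# [key "value"] tags; the value may contain escaped quotes, so accept backslash escapes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# "Access denied with code NNN" means the request was blocked; "Warning" means log-only.
ACTION_RE = re.compile(r'ModSecurity: (Access denied with code (\d+)|Warning)')
# Capture everything up to the hour so hits can be bucketed per hour.
TIME_RE = re.compile(r'^\[(\w{3} \w{3} +\d{1,2} \d{2}):\d{2}:\d{2} (\d{4})\]')


def parse_entry(line):
    """Return a dict of the ModSecurity fields on one error-log line, or None if it is not one."""
    if 'ModSecurity:' not in line:
        return None
    entry = dict(TAG_RE.findall(line))  # file, line, id, rev, msg, severity, hostname, uri, ...
    m = CLIENT_RE.search(line)
    entry['client'] = m.group(1) if m else None
    m = ACTION_RE.search(line)
    entry['blocked'] = bool(m and m.group(2))
    entry['status'] = int(m.group(2)) if m and m.group(2) else None
    m = TIME_RE.match(line)
    entry['hour'] = f"{m.group(1)} {m.group(2)}" if m else None
    return entry


def rule_location(entry):
    """The rule file and line to open, i.e. what the first answer says to look at."""
    if entry.get('file') and entry.get('line'):
        return f"{entry['file']}:{entry['line']}"
    return None


def summarize(lines):
    """Aggregate ModSecurity entries by rule id, client and hour; skip non-ModSecurity lines."""
    entries = [e for e in map(parse_entry, lines) if e]
    return {
        'entries': entries,
        'by_rule': Counter(e.get('id', '?') for e in entries),
        'by_client': Counter(e['client'] for e in entries),
        'by_hour': Counter(e['hour'] for e in entries),
        'blocked': sum(e['blocked'] for e in entries),
    }


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    print(f"{len(summary['entries'])} ModSecurity entries, {summary['blocked']} blocked")
    for rule_id, n in summary['by_rule'].most_common():
        first = next(e for e in summary['entries'] if e.get('id') == rule_id)
        print(f"  rule {rule_id} x{n}: {first.get('msg')} (see {rule_location(first)})")
    for client, n in summary['by_client'].most_common():
        print(f"  client {client}: {n} hits")
    for hour, n in sorted(summary['by_hour'].items()):
        print(f"  {hour}:00 -> {n} hits")
```

Run it against the real log with something like `summarize(open('/var/log/httpd/error_log'))`; the real file path will of course differ. The `by_client` and `by_hour` counters are what answer the frequency question: a handful of clients each sending a burst of identical hits is the signature of a scanner sweeping the internet, whereas many distinct clients spread over time would point at something else. The `[file "..."]:[line "..."]` location is where to read the rule; the numeric id can also be searched for directly in the rules directory (in SecRule syntax it appears as `id:390144` or `id:'390144'` in the action list, so grep for both forms).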