Modsec Log #2 for Jetpack Debug Test

---AJ1GOJrx---A--
[12/Mar/2025:22:21:11 -0500] 174183607127.350869 192.0.99.205 38698 10.10.10.2 443
---AJ1GOJrx---B--
POST /?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836071&nonce=SSMkiDw6c4&body-hash=pdst%2B%2B8gjpsEsdzTGdS19%2BYN3g4%3D&signature=NmIh7Zx3wP3Fr%2Bh29C1eamXKANs%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836071" nonce="SSMkiDw6c4" body-hash="pdst++8gjpsEsdzTGdS19+YN3g4=" signature="NmIh7Zx3wP3Fr+h29C1eamXKANs="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836071&nonce=SSMkiDw6c4&body-hash=pdst%2B%2B8gjpsEsdzTGdS19%2BYN3g4%3D&signature=NmIh7Zx3wP3Fr%2Bh29C1eamXKANs%3D
Content-Type: text/xml
Connection: close
Content-Length: 114

---AJ1GOJrx---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.testConnection</methodName>
<params>
</params></methodCall>

---AJ1GOJrx---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---AJ1GOJrx---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:11 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---AJ1GOJrx---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.testConnection\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.testConnection found within XML:/*: \x0ajetpack.testConnection\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607127.350869"] [ref "o0,23"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607127.350869"] [ref "v39,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607127.350869"] [ref "o26,2v39,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607127.350869"] [ref ""]

---AJ1GOJrx---J--

---AJ1GOJrx---K--

---AJ1GOJrx---Z--

---WrySEHjs---A--
[12/Mar/2025:22:21:11 -0500] 174183607159.400384 192.0.99.205 38706 10.10.10.2 443
---WrySEHjs---B--
POST /?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836071&nonce=jpr8UAIOQq&body-hash=l5MGKDtBMCRLlbhRxcm3udBaUGk%3D&signature=R9NP12tSJIHfqs%2F6s03juUc%2BHXs%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836071" nonce="jpr8UAIOQq" body-hash="l5MGKDtBMCRLlbhRxcm3udBaUGk=" signature="R9NP12tSJIHfqs/6s03juUc+HXs="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836071&nonce=jpr8UAIOQq&body-hash=l5MGKDtBMCRLlbhRxcm3udBaUGk%3D&signature=R9NP12tSJIHfqs%2F6s03juUc%2BHXs%3D
Content-Type: text/xml
Connection: close
Content-Length: 110

---WrySEHjs---C--
<?xml version="1.0"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params>
</params></methodCall>

---WrySEHjs---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---WrySEHjs---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:11 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---WrySEHjs---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607159.400384"] [ref "v39,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607159.400384"] [ref "o26,2v39,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607159.400384"] [ref ""]

---WrySEHjs---J--

---WrySEHjs---K--

---WrySEHjs---Z--

---zyfbUIXJ---A--
[12/Mar/2025:22:21:12 -0500] 174183607296.212170 192.0.99.205 38720 10.10.10.2 443
---zyfbUIXJ---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741836072&url=https%3A%2F%2Fdanran.rocks&signature=mr0tX1lS6ZnpxdHuximC2IJod7aHtNLYL4NmnKgGEvyC6qaANKBCfMiTP4kQ4trDUPu3siCtUPxXx5DqiU21ur9HI38IrTcK%2FU7FGFEy8%2F8%2Fh7B56ecuuX0Y45Cb0MY3YsqIeumTqGfCkk0Pan5pAL%2BwyFt13A%2BSaslwP826Ubgxxz9IXsJ0nGcIbxG%2FIMNujdIMYcZFnHdBGAFHtl4L2skqs1Cbih7lbm9bEdYuDTZIKpWkXz5%2FDAaTrIKLNOQycfRKXv5n%2FrYqGp5ehsBwJI6Jsc0LK30fERwfeNxZUWmhv7fyBQomqvrn6LqnFSHGSV06maUFMSjjaClRK5uZHw%3D%3D HTTP/1.1
Host: danran.rocks
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741836072&url=https%3A%2F%2Fdanran.rocks&signature=mr0tX1lS6ZnpxdHuximC2IJod7aHtNLYL4NmnKgGEvyC6qaANKBCfMiTP4kQ4trDUPu3siCtUPxXx5DqiU21ur9HI38IrTcK%2FU7FGFEy8%2F8%2Fh7B56ecuuX0Y45Cb0MY3YsqIeumTqGfCkk0Pan5pAL%2BwyFt13A%2BSaslwP826Ubgxxz9IXsJ0nGcIbxG%2FIMNujdIMYcZFnHdBGAFHtl4L2skqs1Cbih7lbm9bEdYuDTZIKpWkXz5%2FDAaTrIKLNOQycfRKXv5n%2FrYqGp5ehsBwJI6Jsc0LK30fERwfeNxZUWmhv7fyBQomqvrn6LqnFSHGSV06maUFMSjjaClRK5uZHw%3D%3D
Connection: close

---zyfbUIXJ---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---zyfbUIXJ---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:12 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---zyfbUIXJ---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741836072&url=https%3A%2F%2 (397 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741836072&url=https%3A%2F%2Fdanran.rocks&signature=mr0tX1lS6ZnpxdHuximC2IJod7aHtNLYL4NmnKgGEvyC6qaANKBCfMiTP4kQ4trDUPu3siCtUPxX (297 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607296.212170"] [ref "v0,497"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607296.212170"] [ref ""]

---zyfbUIXJ---J--

---zyfbUIXJ---K--

---zyfbUIXJ---Z--

---UpW2XYvI---A--
[12/Mar/2025:22:21:12 -0500] 174183607255.090224 192.0.99.205 38728 10.10.10.2 443
---UpW2XYvI---B--
POST /?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836072&nonce=rnyjBecJGN&body-hash=METbiCw%2BtMQdctk0fdLMNlXOKKM%3D&signature=17%2BXM5wmLeBsyr%2Fef9wx64v1zKg%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836072" nonce="rnyjBecJGN" body-hash="METbiCw+tMQdctk0fdLMNlXOKKM=" signature="17+XM5wmLeBsyr/ef9wx64v1zKg="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836072&nonce=rnyjBecJGN&body-hash=METbiCw%2BtMQdctk0fdLMNlXOKKM%3D&signature=17%2BXM5wmLeBsyr%2Fef9wx64v1zKg%3D
Content-Type: text/xml
Connection: close
Content-Length: 116

---UpW2XYvI---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.getHeartbeatData</methodName>
<params>
</params></methodCall>

---UpW2XYvI---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---UpW2XYvI---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:12 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---UpW2XYvI---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.getHeartbeatData\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.getHeartbeatData found within XML:/*: \x0ajetpack.getHeartbeatData\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607255.090224"] [ref "o0,25"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `\s' against variable `TX:1' (Value: `for=jetpack&jetpack=comms&token=p7*@tm6cgproauhn6jkpog8w0b&&whve:1:0&timestamp=1741836072&nonce=rnyj (71 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1002"] [id "932205"] [rev ""] [msg "RCE Bypass Technique"] [data "Matched Data: *@tm6cgproauhn6jkpog8w0b&&whve:1:0&timestamp=1741836072&nonce=rnyjbecjgn&body-hash=metbicw+tmqdctk0fdlmnlxokkm=&signature=17+xm5wmlebsyr/ found within REQUEST_HEADERS:Referer: for=jetpac (161 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607255.090224"] [ref "o0,193o22,171o56,137v341,228t:lowercase,t:urlDecodeUnio170,1t:urlDecodeUnio124,1t:urlDecodeUni"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607255.090224"] [ref "v39,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607255.090224"] [ref "o26,2v39,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `20' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607255.090224"] [ref ""]

---UpW2XYvI---J--

---UpW2XYvI---K--

---UpW2XYvI---Z--

---iBzwJT1U---A--
[12/Mar/2025:22:21:12 -0500] 174183607281.437117 192.0.99.205 38736 10.10.10.2 443
---iBzwJT1U---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fheartbeat%2Fdata%2F&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836072&nonce=ocNmGZ5IxD&body-hash&signature=LzD1X4nnHfK2aPdRNyJ5AM3Yqw8%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836072" nonce="ocNmGZ5IxD" body-hash="" signature="LzD1X4nnHfK2aPdRNyJ5AM3Yqw8="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fheartbeat%2Fdata%2F&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836072&nonce=ocNmGZ5IxD&body-hash&signature=LzD1X4nnHfK2aPdRNyJ5AM3Yqw8%3D
Connection: close

---iBzwJT1U---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---iBzwJT1U---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:12 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---iBzwJT1U---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607281.437117"] [ref "v74,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607281.437117"] [ref "o26,2v74,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607281.437117"] [ref ""]

---iBzwJT1U---J--

---iBzwJT1U---K--

---iBzwJT1U---Z--

---1rBylrD4---A--
[12/Mar/2025:22:21:12 -0500] 174183607270.147522 192.0.99.205 38752 10.10.10.2 443
---1rBylrD4---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fsync%2Fstatus&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836072&nonce=iPcsvu0Gea&body-hash&signature=DT6QgTH1eE8ycLQgIou702Iuq0Y%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836072" nonce="iPcsvu0Gea" body-hash="" signature="DT6QgTH1eE8ycLQgIou702Iuq0Y="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fsync%2Fstatus&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836072&nonce=iPcsvu0Gea&body-hash&signature=DT6QgTH1eE8ycLQgIou702Iuq0Y%3D
Connection: close

---1rBylrD4---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---1rBylrD4---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:12 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---1rBylrD4---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8015 characters omitted)' against variable `REQUEST_HEADERS:Referer' (Value: `https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fsync%2Fstatus&_for=jetpack&token=P7%2A%40Tm6CgPRO (121 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1410"] [id "932239"] [rev ""] [msg "Remote Command Execution: Unix Command Injection found in user-agent or referer header"] [data "Matched Data: =iP found within REQUEST_HEADERS:Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fsync%2Fstatus&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1 (77 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607270.147522"] [ref "o159,3v333,221"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607270.147522"] [ref "v68,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607270.147522"] [ref "o26,2v68,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607270.147522"] [ref ""]

---1rBylrD4---J--

---1rBylrD4---K--

---1rBylrD4---Z--

---FtFbRtCD---A--
[12/Mar/2025:22:21:14 -0500] 174183607418.015913 192.0.99.205 12096 10.10.10.2 443
---FtFbRtCD---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fdanran.rocks&signature=gzk%2FhDBTaQS8bYw68fELzijUOQKsJo3WKew0%2FXs9MGYGL6jXEJ8ayMRG6TM%2BN1e%2Foi%2FHkLA7Byc7M7gyBbrVfaH6jX2hIKtcU%2F%2BHFljC%2F4Dml5psBsxtdTLW5Wra9Vqex%2F%2FALGnyp%2BA%2FrGMiUMAOAVrR9NnqL1T%2B7TVAcc2%2FsfstahkYBd0bmoDW74AurRekgyevUIS7geOZxQEdeT1WgyiCkn7YsUvvrhN1aHu7JVOz7kb1IGVf%2FU%2BVqVMZI703k%2FyfhyZJt1jvxBw8zGnfVwzUzxhgKg8FWe2vW1VqOOzyZ6m775k4MT16nUR5M5xtY6f9S7rMNrqlAhPA4bEfpQ%3D%3D HTTP/1.1
Host: danran.rocks
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fdanran.rocks&signature=gzk%2FhDBTaQS8bYw68fELzijUOQKsJo3WKew0%2FXs9MGYGL6jXEJ8ayMRG6TM%2BN1e%2Foi%2FHkLA7Byc7M7gyBbrVfaH6jX2hIKtcU%2F%2BHFljC%2F4Dml5psBsxtdTLW5Wra9Vqex%2F%2FALGnyp%2BA%2FrGMiUMAOAVrR9NnqL1T%2B7TVAcc2%2FsfstahkYBd0bmoDW74AurRekgyevUIS7geOZxQEdeT1WgyiCkn7YsUvvrhN1aHu7JVOz7kb1IGVf%2FU%2BVqVMZI703k%2FyfhyZJt1jvxBw8zGnfVwzUzxhgKg8FWe2vW1VqOOzyZ6m775k4MT16nUR5M5xtY6f9S7rMNrqlAhPA4bEfpQ%3D%3D
Connection: close

---FtFbRtCD---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---FtFbRtCD---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:14 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---FtFbRtCD---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fda (412 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fdanran.rocks&signature=gzk%2FhDBTaQS8bYw68fELzijUOQKsJo3WKew0%2FXs9MGYGL6jXEJ8ayMRG6TM%2BN1e%2Foi%2FHk (312 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607418.015913"] [ref "v0,512"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607418.015913"] [ref ""]

---FtFbRtCD---J--

---FtFbRtCD---K--

---FtFbRtCD---Z--

---2FRY4WMY---A--
[12/Mar/2025:22:21:14 -0500] 174183607425.537050 192.0.99.205 12110 10.10.10.2 443
---2FRY4WMY---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Favailable&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836074&nonce=dwm6LBjoSI&body-hash&signature=7BHhFXcBwDt%2FAHX6kMQzkNVCt%2B4%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836074" nonce="dwm6LBjoSI" body-hash="" signature="7BHhFXcBwDt/AHX6kMQzkNVCt+4="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Favailable&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836074&nonce=dwm6LBjoSI&body-hash&signature=7BHhFXcBwDt%2FAHX6kMQzkNVCt%2B4%3D
Connection: close

---2FRY4WMY---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---2FRY4WMY---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:14 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---2FRY4WMY---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607425.537050"] [ref "v75,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607425.537050"] [ref "o26,2v75,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607425.537050"] [ref ""]

---2FRY4WMY---J--

---2FRY4WMY---K--

---2FRY4WMY---Z--

---LqYtMTBL---A--
[12/Mar/2025:22:21:14 -0500] 174183607479.673565 192.0.99.205 12112 10.10.10.2 443
---LqYtMTBL---B--
POST /?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836074&nonce=Y9SHNdnXxJ&body-hash=YpK8wg675VHNMMeuAm1muupdBq8%3D&signature=jMeE3JcThV2foxecwUN0OSrk7TM%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836074" nonce="Y9SHNdnXxJ" body-hash="YpK8wg675VHNMMeuAm1muupdBq8=" signature="jMeE3JcThV2foxecwUN0OSrk7TM="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836074&nonce=Y9SHNdnXxJ&body-hash=YpK8wg675VHNMMeuAm1muupdBq8%3D&signature=jMeE3JcThV2foxecwUN0OSrk7TM%3D
Content-Type: text/xml
Connection: close
Content-Length: 117

---LqYtMTBL---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.featuresAvailable</methodName>
<params>
</params></methodCall>

---LqYtMTBL---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---LqYtMTBL---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:14 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---LqYtMTBL---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.featuresAvailable\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.featuresAvailable found within XML:/*: \x0ajetpack.featuresAvailable\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607479.673565"] [ref "o0,26"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607479.673565"] [ref "v39,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607479.673565"] [ref "o26,2v39,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607479.673565"] [ref ""]

---LqYtMTBL---J--

---LqYtMTBL---K--

---LqYtMTBL---Z--

---IMK3CX5R---A--
[12/Mar/2025:22:21:14 -0500] 174183607465.421473 192.0.99.205 12124 10.10.10.2 443
---IMK3CX5R---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fdanran.rocks&signature=gzk%2FhDBTaQS8bYw68fELzijUOQKsJo3WKew0%2FXs9MGYGL6jXEJ8ayMRG6TM%2BN1e%2Foi%2FHkLA7Byc7M7gyBbrVfaH6jX2hIKtcU%2F%2BHFljC%2F4Dml5psBsxtdTLW5Wra9Vqex%2F%2FALGnyp%2BA%2FrGMiUMAOAVrR9NnqL1T%2B7TVAcc2%2FsfstahkYBd0bmoDW74AurRekgyevUIS7geOZxQEdeT1WgyiCkn7YsUvvrhN1aHu7JVOz7kb1IGVf%2FU%2BVqVMZI703k%2FyfhyZJt1jvxBw8zGnfVwzUzxhgKg8FWe2vW1VqOOzyZ6m775k4MT16nUR5M5xtY6f9S7rMNrqlAhPA4bEfpQ%3D%3D HTTP/1.1
Host: danran.rocks
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fdanran.rocks&signature=gzk%2FhDBTaQS8bYw68fELzijUOQKsJo3WKew0%2FXs9MGYGL6jXEJ8ayMRG6TM%2BN1e%2Foi%2FHkLA7Byc7M7gyBbrVfaH6jX2hIKtcU%2F%2BHFljC%2F4Dml5psBsxtdTLW5Wra9Vqex%2F%2FALGnyp%2BA%2FrGMiUMAOAVrR9NnqL1T%2B7TVAcc2%2FsfstahkYBd0bmoDW74AurRekgyevUIS7geOZxQEdeT1WgyiCkn7YsUvvrhN1aHu7JVOz7kb1IGVf%2FU%2BVqVMZI703k%2FyfhyZJt1jvxBw8zGnfVwzUzxhgKg8FWe2vW1VqOOzyZ6m775k4MT16nUR5M5xtY6f9S7rMNrqlAhPA4bEfpQ%3D%3D
Connection: close

---IMK3CX5R---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---IMK3CX5R---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:14 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---IMK3CX5R---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fda (412 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836074&url=https%3A%2F%2Fdanran.rocks&signature=gzk%2FhDBTaQS8bYw68fELzijUOQKsJo3WKew0%2FXs9MGYGL6jXEJ8ayMRG6TM%2BN1e%2Foi%2FHk (312 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607465.421473"] [ref "v0,512"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607465.421473"] [ref ""]

---IMK3CX5R---J--

---IMK3CX5R---K--

---IMK3CX5R---Z--

---PL2qCC3F---A--
[12/Mar/2025:22:21:15 -0500] 17418360754.159924 192.0.99.205 12136 10.10.10.2 443
---PL2qCC3F---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Fenabled&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=oqop0lmJne&body-hash&signature=IH2t68xhi9FPTISxcbFMNOpAmh8%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836075" nonce="oqop0lmJne" body-hash="" signature="IH2t68xhi9FPTISxcbFMNOpAmh8="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Fenabled&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=oqop0lmJne&body-hash&signature=IH2t68xhi9FPTISxcbFMNOpAmh8%3D
Connection: close

---PL2qCC3F---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---PL2qCC3F---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:15 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---PL2qCC3F---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17418360754.159924"] [ref "v73,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17418360754.159924"] [ref "o26,2v73,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17418360754.159924"] [ref ""]

---PL2qCC3F---J--

---PL2qCC3F---K--

---PL2qCC3F---Z--

---QSlSy5yI---A--
[12/Mar/2025:22:21:15 -0500] 174183607539.109098 192.0.99.205 12140 10.10.10.2 443
---QSlSy5yI---B--
POST /?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=JZXzuiXNOl&body-hash=h2%2BsjEWmrXuLoPmTZBJXbegPpI8%3D&signature=IGduX7gM8uexzhkMQcNT2cNvY00%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836075" nonce="JZXzuiXNOl" body-hash="h2+sjEWmrXuLoPmTZBJXbegPpI8=" signature="IGduX7gM8uexzhkMQcNT2cNvY00="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=JZXzuiXNOl&body-hash=h2%2BsjEWmrXuLoPmTZBJXbegPpI8%3D&signature=IGduX7gM8uexzhkMQcNT2cNvY00%3D
Content-Type: text/xml
Connection: close
Content-Length: 115

---QSlSy5yI---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.featuresEnabled</methodName>
<params>
</params></methodCall>

---QSlSy5yI---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---QSlSy5yI---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:15 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---QSlSy5yI---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.featuresEnabled\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.featuresEnabled found within XML:/*: \x0ajetpack.featuresEnabled\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607539.109098"] [ref "o0,24"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607539.109098"] [ref "v39,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607539.109098"] [ref "o26,2v39,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607539.109098"] [ref ""]

---QSlSy5yI---J--

---QSlSy5yI---K--

---QSlSy5yI---Z--

---wWBIxKeG---A--
[12/Mar/2025:22:21:15 -0500] 174183607587.061254 192.0.99.205 12142 10.10.10.2 443
---wWBIxKeG---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836075&url=https%3A%2F%2Fdanran.rocks&signature=YTfFaqWAzYDSVmwNTtdouE3Qd0%2Fle0geTYV0YBXOqah2UcyJu9Nx1EiyGZ9Dzth7NIiZRpG3ZdXBCeI76q3J5gr417djVQarWIFWyLl5SqFV6Xt6DFavoEY4EowwYMBAXfkKhlcnXVVP7BZMJTRmbQvIixTvP%2FN1eNIURUpE5tla3Vvf4xge9m%2FbhujV06D3ZbTzqmlM1u8ZQg2tRJ20NnSPRCcxhOn3myKEEe7BwagMEL0vNPoZWU5Mq1bm63eAxdCIIykloVPJO69W936AunLhg%2BaWwv2rGQCw192Wzn9c9ToPHxbhgvnH5%2F6qfrLbRCvD49nV6YrVe0tMgAwUBg%3D%3D HTTP/1.1
Host: danran.rocks
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836075&url=https%3A%2F%2Fdanran.rocks&signature=YTfFaqWAzYDSVmwNTtdouE3Qd0%2Fle0geTYV0YBXOqah2UcyJu9Nx1EiyGZ9Dzth7NIiZRpG3ZdXBCeI76q3J5gr417djVQarWIFWyLl5SqFV6Xt6DFavoEY4EowwYMBAXfkKhlcnXVVP7BZMJTRmbQvIixTvP%2FN1eNIURUpE5tla3Vvf4xge9m%2FbhujV06D3ZbTzqmlM1u8ZQg2tRJ20NnSPRCcxhOn3myKEEe7BwagMEL0vNPoZWU5Mq1bm63eAxdCIIykloVPJO69W936AunLhg%2BaWwv2rGQCw192Wzn9c9ToPHxbhgvnH5%2F6qfrLbRCvD49nV6YrVe0tMgAwUBg%3D%3D
Connection: close

---wWBIxKeG---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---wWBIxKeG---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:15 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---wWBIxKeG---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836075&url=https%3A%2F%2Fda (388 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836075&url=https%3A%2F%2Fdanran.rocks&signature=YTfFaqWAzYDSVmwNTtdouE3Qd0%2Fle0geTYV0YBXOqah2UcyJu9Nx1EiyGZ9Dzth7NIiZRpG3ZdXBC (288 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607587.061254"] [ref "v0,488"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607587.061254"] [ref ""]

---wWBIxKeG---J--

---wWBIxKeG---K--

---wWBIxKeG---Z--

---fwJrRNGq---A--
[12/Mar/2025:22:21:15 -0500] 174183607557.715862 192.0.99.205 12146 10.10.10.2 443
---fwJrRNGq---B--
POST /?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=NzJ7qqw5tm&body-hash=DJUiPuzRYfl19%2BIU5IiNKIVlKw8%3D&signature=WtnOXAn7lGNH9k7tpfP3jmRfYmk%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836075" nonce="NzJ7qqw5tm" body-hash="DJUiPuzRYfl19+IU5IiNKIVlKw8=" signature="WtnOXAn7lGNH9k7tpfP3jmRfYmk="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?for=jetpack&jetpack=comms&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=NzJ7qqw5tm&body-hash=DJUiPuzRYfl19%2BIU5IiNKIVlKw8%3D&signature=WtnOXAn7lGNH9k7tpfP3jmRfYmk%3D
Content-Type: text/xml
Connection: close
Content-Length: 107

---fwJrRNGq---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.getBlog</methodName>
<params>
</params></methodCall>

---fwJrRNGq---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---fwJrRNGq---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:15 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---fwJrRNGq---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.getBlog\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.getBlog found within XML:/*: \x0ajetpack.getBlog\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607557.715862"] [ref "o0,16"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607557.715862"] [ref "v39,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607557.715862"] [ref "o26,2v39,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607557.715862"] [ref ""]

---fwJrRNGq---J--

---fwJrRNGq---K--

---fwJrRNGq---Z--

---iIfsSg7q---A--
[12/Mar/2025:22:21:15 -0500] 174183607574.261293 192.0.99.205 12148 10.10.10.2 443
---iIfsSg7q---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fstats%2Fblog%2F&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=Ei2ZG3IOQF&body-hash&signature=GhEnx8OaThx3FZgRmARpkJSgE1o%3D HTTP/1.1
Host: danran.rocks
Authorization: X_JETPACK token="P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0" timestamp="1741836075" nonce="Ei2ZG3IOQF" body-hash="" signature="GhEnx8OaThx3FZgRmARpkJSgE1o="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fstats%2Fblog%2F&_for=jetpack&token=P7%2A%40Tm6CgPROaUHN6JkpoG8W0b%26%26WhvE%3A1%3A0&timestamp=1741836075&nonce=Ei2ZG3IOQF&body-hash&signature=GhEnx8OaThx3FZgRmARpkJSgE1o%3D
Connection: close

---iIfsSg7q---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---iIfsSg7q---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:15 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---iIfsSg7q---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: nov&n found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607574.261293"] [ref "v70,36"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a- (321 characters omitted)' against variable `ARGS:token' (Value: `P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "645"] [id "942120"] [rev ""] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: && found within ARGS:token: P7*@Tm6CgPROaUHN6JkpoG8W0b&&WhvE:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607574.261293"] [ref "o26,2v70,36t:utf8toUnicode,t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174183607574.261293"] [ref ""]

---iIfsSg7q---J--

---iIfsSg7q---K--

---iIfsSg7q---Z--

---X5rWEigB---A--
[12/Mar/2025:22:21:16 -0500] 17418360766.402796 192.0.99.205 12162 10.10.10.2 443
---X5rWEigB---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836076&url=https%3A%2F%2Fdanran.rocks&signature=FB64UR6VYmWGxbEzK7zeEZp%2FLOMvfFHeCtgaVr6agYI9vj6j0Nb8HpSdG9hmy8JNRF8nrPd2lc2wU%2FgDyY%2Fh6NbeYcVeZqolHfqv2J7PBBUQgZFfEX6QzmiJJF9m10XDcAyO8%2FMaoRavnD3Etv3GN395dpqBsMUEiJP9dyukBhmBdWK4YV0rlu0DNeWY0QZFvbxEgqpWSc6ffCMtaqu7T%2FrPfTcy0nvce0Gqr7JuZt%2FgdcOd3rUYHbKa0AYEUYRLlzylcO71ZHJTImz31dm0%2BqdCjuseoFKSuHyeh5J5gkF3yQeik%2BgdCK3U2T3EMjNnGrJo5qL4YOzHIj3H%2FrHAYA%3D%3D HTTP/1.1
Host: danran.rocks
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://danran.rocks/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836076&url=https%3A%2F%2Fdanran.rocks&signature=FB64UR6VYmWGxbEzK7zeEZp%2FLOMvfFHeCtgaVr6agYI9vj6j0Nb8HpSdG9hmy8JNRF8nrPd2lc2wU%2FgDyY%2Fh6NbeYcVeZqolHfqv2J7PBBUQgZFfEX6QzmiJJF9m10XDcAyO8%2FMaoRavnD3Etv3GN395dpqBsMUEiJP9dyukBhmBdWK4YV0rlu0DNeWY0QZFvbxEgqpWSc6ffCMtaqu7T%2FrPfTcy0nvce0Gqr7JuZt%2FgdcOd3rUYHbKa0AYEUYRLlzylcO71ZHJTImz31dm0%2BqdCjuseoFKSuHyeh5J5gkF3yQeik%2BgdCK3U2T3EMjNnGrJo5qL4YOzHIj3H%2FrHAYA%3D%3D
Connection: close

---X5rWEigB---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---X5rWEigB---F--
HTTP/1.1 403
Server: nginx
Date: Thu, 13 Mar 2025 03:21:16 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---X5rWEigB---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836076&url=https%3A%2F%2Fda (396 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741836076&url=https%3A%2F%2Fdanran.rocks&signature=FB64UR6VYmWGxbEzK7zeEZp%2FLOMvfFHeCtgaVr6agYI9vj6j0Nb8HpSdG9hmy8JNRF8nrPd2lc2wU (296 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17418360766.402796"] [ref "v0,496"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17418360766.402796"] [ref ""]

---X5rWEigB---J--

---X5rWEigB---K--

---X5rWEigB---Z--

---m1i9KX4q---A--
[12/Mar/2025:22:22:08 -0500] 17418361289.408673 34.238.245.215 33682 10.10.10.2 80
---m1i9KX4q---B--
GET /.git/config HTTP/1.1
Host: 149.28.125.6
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

---m1i9KX4q---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---m1i9KX4q---F--
HTTP/1.1 404
Server: nginx
Date: Thu, 13 Mar 2025 03:22:08 GMT
Content-Length: 146
Content-Type: text/html
Connection: keep-alive

---m1i9KX4q---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `149.28.125.6' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "772"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "149.28.125.6"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.10.10.2"] [uri "/.git/config"] [unique_id "17418361289.408673"] [ref "o0,12o0,12v32,12"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/.git/config' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "124"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: /.git/ found within REQUEST_FILENAME: /.git/config"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "10.10.10.2"] [uri "/.git/config"] [unique_id "17418361289.408673"] [ref "o0,6v4,12t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]

---m1i9KX4q---J--

---m1i9KX4q---K--

---m1i9KX4q---Z--