Jetpack - Oddcake - Rule Exclusions - tail modsec log

==> /var/log/modsec_audit.log <==
---mJW7r7m9---A--
[08/Mar/2025:08:09:52 -0600] 174144299226.029033 192.0.101.183 23584 10.10.10.2 443
---mJW7r7m9---B--
POST /xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442992&nonce=WnTAO9nFUZ&body-hash=pdst%2B%2B8gjpsEsdzTGdS19%2BYN3g4%3D&signature=zkPvTCqzH6WosQCbEkl%2B6b5%2FwEE%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442992" nonce="WnTAO9nFUZ" body-hash="pdst++8gjpsEsdzTGdS19+YN3g4=" signature="zkPvTCqzH6WosQCbEkl+6b5/wEE="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442992&nonce=WnTAO9nFUZ&body-hash=pdst%2B%2B8gjpsEsdzTGdS19%2BYN3g4%3D&signature=zkPvTCqzH6WosQCbEkl%2B6b5%2FwEE%3D
Content-Type: text/xml
Connection: close
Content-Length: 114

---mJW7r7m9---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.testConnection</methodName>
<params>
</params></methodCall>

---mJW7r7m9---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---mJW7r7m9---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:52 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---mJW7r7m9---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.testConnection\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.testConnection found within XML:/*: \x0ajetpack.testConnection\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299226.029033"] [ref "o0,23"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299226.029033"] [ref "o0,19v35,36v819,8v819,11v819,3v819,11v819,1v819,11v819,11v819,11v819,11v819,11v819,11v819,11v819,11v819,11v819,11v819,11v819,1v819,1v819,11v819,11v819,11v819,11v819,1v819,11v819,1v819,1v819,1v819,1v81 (515 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299226.029033"] [ref "o20,12o20,10o31,1v35,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299226.029033"] [ref ""]

---mJW7r7m9---J--

---mJW7r7m9---K--

---mJW7r7m9---Z--

---9yGKyWst---A--
[08/Mar/2025:08:09:53 -0600] 174144299351.793461 192.0.101.183 23594 10.10.10.2 443
---9yGKyWst---B--
POST /xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=VFtTBwbKeO&body-hash=l5MGKDtBMCRLlbhRxcm3udBaUGk%3D&signature=2GdXJgy%2BZNlVKojUemEw%2B6hQScc%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442993" nonce="VFtTBwbKeO" body-hash="l5MGKDtBMCRLlbhRxcm3udBaUGk=" signature="2GdXJgy+ZNlVKojUemEw+6hQScc="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=VFtTBwbKeO&body-hash=l5MGKDtBMCRLlbhRxcm3udBaUGk%3D&signature=2GdXJgy%2BZNlVKojUemEw%2B6hQScc%3D
Content-Type: text/xml
Connection: close
Content-Length: 110

---9yGKyWst---C--
<?xml version="1.0"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params>
</params></methodCall>

---9yGKyWst---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---9yGKyWst---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:53 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---9yGKyWst---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299351.793461"] [ref "o0,19v35,36v807,8v807,11v807,3v807,11v807,1v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,1v807,1v807,11v807,11v807,11v807,11v807,1v807,11v807,1v807,1v807,1v807,1v80 (508 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299351.793461"] [ref "o20,12o20,10o31,1v35,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299351.793461"] [ref ""]

---9yGKyWst---J--

---9yGKyWst---K--

---9yGKyWst---Z--

---8j4tgVuU---A--
[08/Mar/2025:08:09:53 -0600] 174144299318.783015 192.0.101.183 23598 10.10.10.2 443
---8j4tgVuU---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741442993&url=https%3A%2F%2Foddcake.net&signature=MVpZsW9VXU4FfFXdTChHFoYTpIBUN2khFhp4bEhKZtHV3%2BtOdg1HLIktRjYltOdjmVoWFEemNpJX7lWel7%2B52H0EV5VdIXnitYEjI9T%2Bo6jKt0UtOMU2u6nBbmzn9r6qRHLVMrVSMdnBxbDajaoMI6Df%2F%2Bl8i%2B4eQ2%2FzYTFVdzQfvcOho51GNjCt1EyuWWAuxcXifrFMEiXDW2bNQpVMi4PXKyGjyOezhIl18ulLasLzZsc0uQI9OYlzupng0NWeZIBSiUrGRvScrbhwZE1xnTnzrl%2B9qjuymijSFC77I4BtZIpnDtQIWUPFOLwA7D3tYEjWYUFpXYVGfYev0hpHVw%3D%3D HTTP/1.1
Host: oddcake.net
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741442993&url=https%3A%2F%2Foddcake.net&signature=MVpZsW9VXU4FfFXdTChHFoYTpIBUN2khFhp4bEhKZtHV3%2BtOdg1HLIktRjYltOdjmVoWFEemNpJX7lWel7%2B52H0EV5VdIXnitYEjI9T%2Bo6jKt0UtOMU2u6nBbmzn9r6qRHLVMrVSMdnBxbDajaoMI6Df%2F%2Bl8i%2B4eQ2%2FzYTFVdzQfvcOho51GNjCt1EyuWWAuxcXifrFMEiXDW2bNQpVMi4PXKyGjyOezhIl18ulLasLzZsc0uQI9OYlzupng0NWeZIBSiUrGRvScrbhwZE1xnTnzrl%2B9qjuymijSFC77I4BtZIpnDtQIWUPFOLwA7D3tYEjWYUFpXYVGfYev0hpHVw%3D%3D
Connection: close

---8j4tgVuU---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---8j4tgVuU---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:53 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---8j4tgVuU---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741442993&url=https%3A%2F%2 (396 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Ftest-wpcom%2F&timestamp=1741442993&url=https%3A%2F%2Foddcake.net&signature=MVpZsW9VXU4FfFXdTChHFoYTpIBUN2khFhp4bEhKZtHV3%2BtOdg1HLIktRjYltOdjmVoWFEemNpJ (296 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299318.783015"] [ref "v0,496"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299318.783015"] [ref ""]

---8j4tgVuU---J--

---8j4tgVuU---K--

---8j4tgVuU---Z--

---sCkBCEh8---A--
[08/Mar/2025:08:09:53 -0600] 174144299329.597005 192.0.101.183 23600 10.10.10.2 443
---sCkBCEh8---B--
POST /xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=tuiRcYRFZ1&body-hash=METbiCw%2BtMQdctk0fdLMNlXOKKM%3D&signature=dAHtkHBsyUYHsI6U4MKyP5TabGQ%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442993" nonce="tuiRcYRFZ1" body-hash="METbiCw+tMQdctk0fdLMNlXOKKM=" signature="dAHtkHBsyUYHsI6U4MKyP5TabGQ="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=tuiRcYRFZ1&body-hash=METbiCw%2BtMQdctk0fdLMNlXOKKM%3D&signature=dAHtkHBsyUYHsI6U4MKyP5TabGQ%3D
Content-Type: text/xml
Connection: close
Content-Length: 116

---sCkBCEh8---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.getHeartbeatData</methodName>
<params>
</params></methodCall>

---sCkBCEh8---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---sCkBCEh8---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:53 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---sCkBCEh8---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.getHeartbeatData\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.getHeartbeatData found within XML:/*: \x0ajetpack.getHeartbeatData\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299329.597005"] [ref "o0,25"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299329.597005"] [ref "o0,19v35,36v803,8v803,11v803,3v803,11v803,1v803,11v803,11v803,11v803,11v803,11v803,11v803,11v803,11v803,11v803,11v803,11v803,1v803,1v803,11v803,11v803,11v803,11v803,1v803,11v803,1v803,1v803,1v803,1v80 (515 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299329.597005"] [ref "o20,12o20,10o31,1v35,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299329.597005"] [ref ""]

---sCkBCEh8---J--

---sCkBCEh8---K--

---sCkBCEh8---Z--

---wz3edLcH---A--
[08/Mar/2025:08:09:53 -0600] 174144299390.700761 192.0.101.183 23602 10.10.10.2 443
---wz3edLcH---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fheartbeat%2Fdata%2F&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=Xnqgz65QTk&body-hash&signature=Pe8FRuRbZmdbdGjYjjuh%2F5vI%2BHs%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442993" nonce="Xnqgz65QTk" body-hash="" signature="Pe8FRuRbZmdbdGjYjjuh/5vI+Hs="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fheartbeat%2Fdata%2F&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=Xnqgz65QTk&body-hash&signature=Pe8FRuRbZmdbdGjYjjuh%2F5vI%2BHs%3D
Connection: close

---wz3edLcH---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---wz3edLcH---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:53 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---wz3edLcH---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299390.700761"] [ref "o0,19v74,36v753,1v753,3v753,1v753,1v753,1v753,1v753,1v753,1v753,1v753,1v753,1v753,1v753,1v753,1v753,1v753,11v753,11v753,1v753,1v753,11v753,11v753,11v753,11v753,1v753,11v753,1v753,1v753,1v753,1v753,1v7 (456 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299390.700761"] [ref "o20,12o20,10o31,1v74,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299390.700761"] [ref ""]

---wz3edLcH---J--

---wz3edLcH---K--

---wz3edLcH---Z--

---ur8VlI3j---A--
[08/Mar/2025:08:09:54 -0600] 174144299459.816749 192.0.101.183 23604 10.10.10.2 443
---ur8VlI3j---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fsync%2Fstatus&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=5fGS5TqCLq&body-hash&signature=28UILS2lNnvGh1e%2B%2FyvNjKdZvOI%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442993" nonce="5fGS5TqCLq" body-hash="" signature="28UILS2lNnvGh1e+/yvNjKdZvOI="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fsync%2Fstatus&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442993&nonce=5fGS5TqCLq&body-hash&signature=28UILS2lNnvGh1e%2B%2FyvNjKdZvOI%3D
Connection: close

---ur8VlI3j---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---ur8VlI3j---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:54 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---ur8VlI3j---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299459.816749"] [ref "o0,19v68,36v741,1v741,3v741,1v741,1v741,1v741,1v741,1v741,1v741,1v741,1v741,1v741,1v741,1v741,1v741,1v741,11v741,11v741,1v741,1v741,11v741,11v741,11v741,11v741,1v741,11v741,1v741,1v741,1v741,1v741,1v7 (456 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299459.816749"] [ref "o20,12o20,10o31,1v68,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299459.816749"] [ref ""]

---ur8VlI3j---J--

---ur8VlI3j---K--

---ur8VlI3j---Z--

---aWkjZgbR---A--
[08/Mar/2025:08:09:54 -0600] 174144299457.765841 192.0.101.183 23612 10.10.10.2 443
---aWkjZgbR---B--
GET /?rest_route=%2F&_for=jetpack&token=pPLtpiwrI%2A%5EF%24Jq5sN%2Aq88ayi0zN%237%26x%3A1%3A1&timestamp=1741442994&nonce=tVZfQ1BQIG&body-hash&signature=o%2FVIyE1CxJFI7FRCaQGjDJVarZY%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="pPLtpiwrI*^F$Jq5sN*q88ayi0zN#7&x:1:1" timestamp="1741442994" nonce="tVZfQ1BQIG" body-hash="" signature="o/VIyE1CxJFI7FRCaQGjDJVarZY="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2F&_for=jetpack&token=pPLtpiwrI%2A%5EF%24Jq5sN%2Aq88ayi0zN%237%26x%3A1%3A1&timestamp=1741442994&nonce=tVZfQ1BQIG&body-hash&signature=o%2FVIyE1CxJFI7FRCaQGjDJVarZY%3D
Connection: close

---aWkjZgbR---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---aWkjZgbR---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:54 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---aWkjZgbR---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `pPLtpiwrI*^F$Jq5sN*q88ayi0zN#7&x:1:1' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: F$Jq5sN*q88ayi0zN#7 found within ARGS:token: pPLtpiwrI*^F$Jq5sN*q88ayi0zN#7&x:1:1"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299457.765841"] [ref "o11,19v40,36v693,1v693,3v693,1v693,1v693,1v693,1v693,1v693,1v693,1v693,1v693,1v693,1v693,1v693,1v693,1v693,11v693,11v693,1v693,1v693,11v693,11v693,11v693,11v693,1v693,11v693,1v693,1v693,1v693,1v693,1v (458 characters omitted)"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299457.765841"] [ref ""]

---aWkjZgbR---J--

---aWkjZgbR---K--

---aWkjZgbR---Z--

---tLb3YICS---A--
[08/Mar/2025:08:09:54 -0600] 174144299494.825482 192.0.101.183 23624 10.10.10.2 443
---tLb3YICS---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Foddcake.net&signature=DhZ%2FYNk%2B1l5MpziOUCt81XmlWXumfp%2BBGRizT2PncGmy5LPYzfQ9Xy%2Bj0q9Zcpc1OTNCbekBjRRDkiiB6Fr7m9axSLic1rbJiqCxNp%2FRgJpePVucXgQOyRUP0bTl79%2FUgrqn1APchmGe%2BI9%2BvhpEDZ4HqpZOmai75QNONaKabyZB%2BQpsiI%2FUxSIVQd3UY8alZdHy0Y02YkaM9u57b5Ry7l1Vy9%2B%2F1UrNJwMW4T1W88Fyew16iyPl%2B5OKpodCZA0Oi4wngVqFCpZLUg4bWOmwAUd1gyHPqv6ogExIuZOSL9dEzM7v8HCBsy6Jj9L3Ub5%2BmMYJSAcYUiyb%2BkiPWjIikw%3D%3D HTTP/1.1
Host: oddcake.net
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Foddcake.net&signature=DhZ%2FYNk%2B1l5MpziOUCt81XmlWXumfp%2BBGRizT2PncGmy5LPYzfQ9Xy%2Bj0q9Zcpc1OTNCbekBjRRDkiiB6Fr7m9axSLic1rbJiqCxNp%2FRgJpePVucXgQOyRUP0bTl79%2FUgrqn1APchmGe%2BI9%2BvhpEDZ4HqpZOmai75QNONaKabyZB%2BQpsiI%2FUxSIVQd3UY8alZdHy0Y02YkaM9u57b5Ry7l1Vy9%2B%2F1UrNJwMW4T1W88Fyew16iyPl%2B5OKpodCZA0Oi4wngVqFCpZLUg4bWOmwAUd1gyHPqv6ogExIuZOSL9dEzM7v8HCBsy6Jj9L3Ub5%2BmMYJSAcYUiyb%2BkiPWjIikw%3D%3D
Connection: close

---tLb3YICS---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---tLb3YICS---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:54 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---tLb3YICS---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Fod (407 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Foddcake.net&signature=DhZ%2FYNk%2B1l5MpziOUCt81XmlWXumfp%2BBGRizT2PncGmy5LPYzfQ9Xy%2Bj0q9Zcpc1OTNCbekB (307 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299494.825482"] [ref "v0,507"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299494.825482"] [ref ""]

---tLb3YICS---J--

---tLb3YICS---K--

---tLb3YICS---Z--

---FD4sZg7R---A--
[08/Mar/2025:08:09:54 -0600] 174144299456.423020 192.0.101.183 23638 10.10.10.2 443
---FD4sZg7R---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Favailable&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442994&nonce=P8QWRRnEJQ&body-hash&signature=4dC3LILihpfyg8ClrsNFo%2BFrtQE%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442994" nonce="P8QWRRnEJQ" body-hash="" signature="4dC3LILihpfyg8ClrsNFo+FrtQE="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Favailable&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442994&nonce=P8QWRRnEJQ&body-hash&signature=4dC3LILihpfyg8ClrsNFo%2BFrtQE%3D
Connection: close

---FD4sZg7R---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---FD4sZg7R---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:54 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---FD4sZg7R---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299456.423020"] [ref "o0,19v75,36v751,1v751,3v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,11v751,11v751,1v751,1v751,11v751,11v751,11v751,11v751,1v751,11v751,1v751,1v751,1v751,1v751,1v7 (456 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299456.423020"] [ref "o20,12o20,10o31,1v75,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299456.423020"] [ref ""]

---FD4sZg7R---J--

---FD4sZg7R---K--

---FD4sZg7R---Z--

---XFuGVxx5---A--
[08/Mar/2025:08:09:54 -0600] 174144299479.386571 192.0.101.183 23646 10.10.10.2 443
---XFuGVxx5---B--
POST /xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442994&nonce=uVJdJ7sBiX&body-hash=YpK8wg675VHNMMeuAm1muupdBq8%3D&signature=Rw2cNQE0mnqgxroBVhA6cPmryjg%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442994" nonce="uVJdJ7sBiX" body-hash="YpK8wg675VHNMMeuAm1muupdBq8=" signature="Rw2cNQE0mnqgxroBVhA6cPmryjg="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442994&nonce=uVJdJ7sBiX&body-hash=YpK8wg675VHNMMeuAm1muupdBq8%3D&signature=Rw2cNQE0mnqgxroBVhA6cPmryjg%3D
Content-Type: text/xml
Connection: close
Content-Length: 117

---XFuGVxx5---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.featuresAvailable</methodName>
<params>
</params></methodCall>

---XFuGVxx5---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---XFuGVxx5---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:54 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---XFuGVxx5---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.featuresAvailable\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.featuresAvailable found within XML:/*: \x0ajetpack.featuresAvailable\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299479.386571"] [ref "o0,26"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299479.386571"] [ref "o0,19v35,36v799,8v799,11v799,3v799,11v799,1v799,11v799,11v799,11v799,11v799,11v799,11v799,11v799,11v799,11v799,11v799,11v799,1v799,1v799,11v799,11v799,11v799,11v799,1v799,11v799,1v799,1v799,1v799,1v79 (515 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299479.386571"] [ref "o20,12o20,10o31,1v35,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299479.386571"] [ref ""]

---XFuGVxx5---J--

---XFuGVxx5---K--

---XFuGVxx5---Z--

---Thm2OORF---A--
[08/Mar/2025:08:09:55 -0600] 174144299558.072683 192.0.101.183 23660 10.10.10.2 443
---Thm2OORF---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Foddcake.net&signature=DhZ%2FYNk%2B1l5MpziOUCt81XmlWXumfp%2BBGRizT2PncGmy5LPYzfQ9Xy%2Bj0q9Zcpc1OTNCbekBjRRDkiiB6Fr7m9axSLic1rbJiqCxNp%2FRgJpePVucXgQOyRUP0bTl79%2FUgrqn1APchmGe%2BI9%2BvhpEDZ4HqpZOmai75QNONaKabyZB%2BQpsiI%2FUxSIVQd3UY8alZdHy0Y02YkaM9u57b5Ry7l1Vy9%2B%2F1UrNJwMW4T1W88Fyew16iyPl%2B5OKpodCZA0Oi4wngVqFCpZLUg4bWOmwAUd1gyHPqv6ogExIuZOSL9dEzM7v8HCBsy6Jj9L3Ub5%2BmMYJSAcYUiyb%2BkiPWjIikw%3D%3D HTTP/1.1
Host: oddcake.net
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Foddcake.net&signature=DhZ%2FYNk%2B1l5MpziOUCt81XmlWXumfp%2BBGRizT2PncGmy5LPYzfQ9Xy%2Bj0q9Zcpc1OTNCbekBjRRDkiiB6Fr7m9axSLic1rbJiqCxNp%2FRgJpePVucXgQOyRUP0bTl79%2FUgrqn1APchmGe%2BI9%2BvhpEDZ4HqpZOmai75QNONaKabyZB%2BQpsiI%2FUxSIVQd3UY8alZdHy0Y02YkaM9u57b5Ry7l1Vy9%2B%2F1UrNJwMW4T1W88Fyew16iyPl%2B5OKpodCZA0Oi4wngVqFCpZLUg4bWOmwAUd1gyHPqv6ogExIuZOSL9dEzM7v8HCBsy6Jj9L3Ub5%2BmMYJSAcYUiyb%2BkiPWjIikw%3D%3D
Connection: close

---Thm2OORF---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---Thm2OORF---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:55 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---Thm2OORF---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Fod (407 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442994&url=https%3A%2F%2Foddcake.net&signature=DhZ%2FYNk%2B1l5MpziOUCt81XmlWXumfp%2BBGRizT2PncGmy5LPYzfQ9Xy%2Bj0q9Zcpc1OTNCbekB (307 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299558.072683"] [ref "v0,507"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299558.072683"] [ref ""]

---Thm2OORF---J--

---Thm2OORF---K--

---Thm2OORF---Z--

---h2IFIShX---A--
[08/Mar/2025:08:09:55 -0600] 174144299562.479955 192.0.101.183 23664 10.10.10.2 443
---h2IFIShX---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Fenabled&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=R7pT31bORD&body-hash&signature=vtJCdrXDRrJ0Xko3D%2F%2BmRbjUEYo%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442995" nonce="R7pT31bORD" body-hash="" signature="vtJCdrXDRrJ0Xko3D/+mRbjUEYo="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Ffeatures%2Fenabled&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=R7pT31bORD&body-hash&signature=vtJCdrXDRrJ0Xko3D%2F%2BmRbjUEYo%3D
Connection: close

---h2IFIShX---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---h2IFIShX---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:55 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---h2IFIShX---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299562.479955"] [ref "o0,19v73,36v751,1v751,3v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,1v751,11v751,11v751,1v751,1v751,11v751,11v751,11v751,11v751,1v751,11v751,1v751,1v751,1v751,1v751,1v7 (456 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299562.479955"] [ref "o20,12o20,10o31,1v73,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299562.479955"] [ref ""]

---h2IFIShX---J--

---h2IFIShX---K--

---h2IFIShX---Z--

---glNDPUew---A--
[08/Mar/2025:08:09:55 -0600] 174144299550.436145 192.0.101.183 23680 10.10.10.2 443
---glNDPUew---B--
POST /xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=DwLMjcuqXZ&body-hash=h2%2BsjEWmrXuLoPmTZBJXbegPpI8%3D&signature=DdhkjOaHjTIwiyz0MHMktwR%2BLeo%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442995" nonce="DwLMjcuqXZ" body-hash="h2+sjEWmrXuLoPmTZBJXbegPpI8=" signature="DdhkjOaHjTIwiyz0MHMktwR+Leo="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=DwLMjcuqXZ&body-hash=h2%2BsjEWmrXuLoPmTZBJXbegPpI8%3D&signature=DdhkjOaHjTIwiyz0MHMktwR%2BLeo%3D
Content-Type: text/xml
Connection: close
Content-Length: 115

---glNDPUew---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.featuresEnabled</methodName>
<params>
</params></methodCall>

---glNDPUew---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---glNDPUew---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:55 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---glNDPUew---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.featuresEnabled\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.featuresEnabled found within XML:/*: \x0ajetpack.featuresEnabled\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299550.436145"] [ref "o0,24"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299550.436145"] [ref "o0,19v35,36v807,8v807,11v807,3v807,11v807,1v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,1v807,1v807,11v807,11v807,11v807,11v807,1v807,11v807,1v807,1v807,1v807,1v80 (515 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299550.436145"] [ref "o20,12o20,10o31,1v35,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299550.436145"] [ref ""]

---glNDPUew---J--

---glNDPUew---K--

---glNDPUew---Z--

---hWACT8Gw---A--
[08/Mar/2025:08:09:55 -0600] 174144299575.258469 192.0.101.183 23694 10.10.10.2 443
---hWACT8Gw---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442995&url=https%3A%2F%2Foddcake.net&signature=an%2Fnxws1ry%2BSoEqxcloiedpsspa5kqbWEKHRG5LRM3YxFerTnXCes1D90yQe5RJw4iLLpnkgUPr1ow%2FzCpZcqiGHrYK3vrNyYcrKpQIYr3JWKRtRyckqjsqgSIRpqzlGdMKIgwjHegS80PE4Fehvx%2Bzw81NFWS8%2FinOyRZTUv355a6osaWFB2XWV%2FxddlYU%2FTxV88wcD%2BT2uAur51G92QWor%2FLEA1iVN03BGGzfNA6zbGhaLlzKoNzUd5UPFydFz4IApJVSLNWDwbKJLkTUkoXbtPMdJ37llE27KmCknpHb1VctQ9993Y0IS4PxynwBNxJnadMo4IMKXnei0lrM87A%3D%3D HTTP/1.1
Host: oddcake.net
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442995&url=https%3A%2F%2Foddcake.net&signature=an%2Fnxws1ry%2BSoEqxcloiedpsspa5kqbWEKHRG5LRM3YxFerTnXCes1D90yQe5RJw4iLLpnkgUPr1ow%2FzCpZcqiGHrYK3vrNyYcrKpQIYr3JWKRtRyckqjsqgSIRpqzlGdMKIgwjHegS80PE4Fehvx%2Bzw81NFWS8%2FinOyRZTUv355a6osaWFB2XWV%2FxddlYU%2FTxV88wcD%2BT2uAur51G92QWor%2FLEA1iVN03BGGzfNA6zbGhaLlzKoNzUd5UPFydFz4IApJVSLNWDwbKJLkTUkoXbtPMdJ37llE27KmCknpHb1VctQ9993Y0IS4PxynwBNxJnadMo4IMKXnei0lrM87A%3D%3D
Connection: close

---hWACT8Gw---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---hWACT8Gw---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:55 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---hWACT8Gw---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442995&url=https%3A%2F%2Fod (395 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442995&url=https%3A%2F%2Foddcake.net&signature=an%2Fnxws1ry%2BSoEqxcloiedpsspa5kqbWEKHRG5LRM3YxFerTnXCes1D90yQe5RJw4iLLpnkgUPr1 (295 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299575.258469"] [ref "v0,495"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299575.258469"] [ref ""]

---hWACT8Gw---J--

---hWACT8Gw---K--

---hWACT8Gw---Z--

---p0wBMNQ4---A--
[08/Mar/2025:08:09:55 -0600] 174144299570.979173 192.0.101.183 23704 10.10.10.2 443
---p0wBMNQ4---B--
POST /xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=sqxvfYOMcn&body-hash=DJUiPuzRYfl19%2BIU5IiNKIVlKw8%3D&signature=rIKSL6PtvWlITMHwNVAMoMMT%2BgY%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442995" nonce="sqxvfYOMcn" body-hash="DJUiPuzRYfl19+IU5IiNKIVlKw8=" signature="rIKSL6PtvWlITMHwNVAMoMMT+gY="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/xmlrpc.php?for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=sqxvfYOMcn&body-hash=DJUiPuzRYfl19%2BIU5IiNKIVlKw8%3D&signature=rIKSL6PtvWlITMHwNVAMoMMT%2BgY%3D
Content-Type: text/xml
Connection: close
Content-Length: 107

---p0wBMNQ4---C--
<?xml version="1.0"?>
<methodCall>
<methodName>jetpack.getBlog</methodName>
<params>
</params></methodCall>

---p0wBMNQ4---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---p0wBMNQ4---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:55 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---p0wBMNQ4---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^ (7601 characters omitted)' against variable `XML:/*' (Value: `\x0ajetpack.getBlog\x0a\x0a' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0ajetpack.getBlog found within XML:/*: \x0ajetpack.getBlog\x0a\x0a"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299570.979173"] [ref "o0,16"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299570.979173"] [ref "o0,19v35,36v807,8v807,11v807,3v807,11v807,1v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,11v807,1v807,1v807,11v807,11v807,11v807,11v807,1v807,11v807,1v807,1v807,1v807,1v80 (515 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299570.979173"] [ref "o20,12o20,10o31,1v35,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/xmlrpc.php"] [unique_id "174144299570.979173"] [ref ""]

---p0wBMNQ4---J--

---p0wBMNQ4---K--

---p0wBMNQ4---Z--

---OjJg9zCp---A--
[08/Mar/2025:08:09:56 -0600] 174144299676.051821 192.0.101.183 23708 10.10.10.2 443
---OjJg9zCp---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fstats%2Fblog%2F&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=gN74IDNWMI&body-hash&signature=wd%2Fg%2F4kL3Q4pBsnfM4CjfRqJBi4%3D HTTP/1.1
Host: oddcake.net
Authorization: X_JETPACK token="myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0" timestamp="1741442995" nonce="gN74IDNWMI" body-hash="" signature="wd/g/4kL3Q4pBsnfM4CjfRqJBi4="
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fstats%2Fblog%2F&_for=jetpack&token=myHT%240Zj8lKRmvGMlE1%24RflT5W81x1%5Ev%3A1%3A0&timestamp=1741442995&nonce=gN74IDNWMI&body-hash&signature=wd%2Fg%2F4kL3Q4pBsnfM4CjfRqJBi4%3D
Connection: close

---OjJg9zCp---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---OjJg9zCp---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:56 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---OjJg9zCp---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1137"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: myHT$0Zj8lKRmvGMlE1 found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299676.051821"] [ref "o0,19v70,36v745,1v745,3v745,1v745,1v745,1v745,1v745,1v745,1v745,1v745,1v745,1v745,1v745,1v745,1v745,1v745,11v745,11v745,1v745,1v745,11v745,11v745,11v745,11v745,1v745,11v745,1v745,1v745,1v745,1v745,1v7 (456 characters omitted)"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b' against variable `ARGS:token' (Value: `myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "722"] [id "942131"] [rev ""] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: RflT5W81x1^v found within ARGS:token: myHT$0Zj8lKRmvGMlE1$RflT5W81x1^v:1:0"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299676.051821"] [ref "o20,12o20,10o31,1v70,36"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "174144299676.051821"] [ref ""]

---OjJg9zCp---J--

---OjJg9zCp---K--

---OjJg9zCp---Z--

---iZ082c2j---A--
[08/Mar/2025:08:09:56 -0600] 17414429963.697895 192.0.101.183 23720 10.10.10.2 443
---iZ082c2j---B--
GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442996&url=https%3A%2F%2Foddcake.net&signature=Q2k7USyU%2FYkTqjAZjaG2RBApGKXhurt2%2Bb%2BxJXmZxK%2Bv7Yi%2FpSNyr6S%2BCDe3z3Tu9s7RbpvzLK0UHUjFja1U9nj5Y0ses35v3HdKDcC6mAbqRBzamW20C%2BJA07%2Bxy1lc%2Fl2lwTWUw%2FTuufqnAk63jrfXXYGbR2Gskx73iL12KVYlQZpr4bVyDVUQSpebcFDz5xtKZXt%2Be%2FF27OOV2i3yfq6DAgUb7kg5Z2mD5JdiRVmj0lbZB06OigAyR%2BKZMqndCxDE0N4L5omzcyRR9MwTYbZdXTCvCqDJnDgP56bSReKBKHkmjKAV13I2xT%2FdNi0fdR0oWWHWtr4d0hgcy3ekcw%3D%3D HTTP/1.1
Host: oddcake.net
User-Agent: WordPress.com; https://jptools.wordpress.com
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Referer: https://oddcake.net/?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442996&url=https%3A%2F%2Foddcake.net&signature=Q2k7USyU%2FYkTqjAZjaG2RBApGKXhurt2%2Bb%2BxJXmZxK%2Bv7Yi%2FpSNyr6S%2BCDe3z3Tu9s7RbpvzLK0UHUjFja1U9nj5Y0ses35v3HdKDcC6mAbqRBzamW20C%2BJA07%2Bxy1lc%2Fl2lwTWUw%2FTuufqnAk63jrfXXYGbR2Gskx73iL12KVYlQZpr4bVyDVUQSpebcFDz5xtKZXt%2Be%2FF27OOV2i3yfq6DAgUb7kg5Z2mD5JdiRVmj0lbZB06OigAyR%2BKZMqndCxDE0N4L5omzcyRR9MwTYbZdXTCvCqDJnDgP56bSReKBKHkmjKAV13I2xT%2FdNi0fdR0oWWHWtr4d0hgcy3ekcw%3D%3D
Connection: close

---iZ082c2j---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---iZ082c2j---F--
HTTP/1.1 403
Server: nginx
Date: Sat, 08 Mar 2025 14:09:56 GMT
Content-Length: 146
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline' blob:
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---iZ082c2j---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]* (76 characters omitted)' against variable `REQUEST_LINE' (Value: `GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442996&url=https%3A%2F%2Fod (405 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "53"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /?rest_route=%2Fjetpack%2Fv4%2Fconnection%2Fplugins%2F&timestamp=1741442996&url=https%3A%2F%2Foddcake.net&signature=Q2k7USyU%2FYkTqjAZjaG2RBApGKXhurt2%2Bb%2BxJXmZxK%2Bv7Yi%2FpSNyr6S%2BCDe3z3Tu9s7R (305 characters omitted)"] [severity "4"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17414429963.697895"] [ref "v0,505"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `StrEq' with parameter `0' against variable `TX:MSC_PCRE_LIMITS_EXCEEDED' (Value: `1' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "147"] [id "200005"] [rev ""] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17414429963.697895"] [ref ""]

---iZ082c2j---J--

---iZ082c2j---K--

---iZ082c2j---Z--