Hi
I am using CWP7Pro.Admin. I am getting hacked by 192.99.15.139 (www.keonhacaichaua.com), but the domain (www.keonhacaichaua.com) is not hosted on my server. When I ping the domain, I get a response from my server IP, and it shows my server's default webpage. Please see the log below:
[Wed Nov 13 16:52:43.590430 2019] [:error] [pid 29240:tid 140381920347904] [client 192.99.15.139:59554] [client 192.99.15.139] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(\\\\n|\\\\r)" at ARGS_NAMES:--05ad3953fcc1f5c56e9b3997c29f425c\\r\\nContent-Disposition: form-data; name. [file "/usr/local/apache/modsecurity-cwaf/rules/12_HTTP_Protocol.conf"] [line "145"] [id "217291"] [rev "2"] [msg "HTTP Header Injection Attack via payload (CR/LF detected)||www.keonhacaichaua.com|F|2"] [data "Matched Data: \\x0d found within ARGS_NAMES:--05ad3953fcc1f5c56e9b3997c29f425c\\x5cr\\x5cnContent-Disposition: form-data; name: --05ad3953fcc1f5c56e9b3997c29f425c\\x0d\\x0aContent-Disposition: form-data; name"] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "www.keonhacaichaua.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "Xcw027yhIcpfEEydlyAKtAAAABM"]
[Wed Nov 13 16:52:51.521429 2019] [:error] [pid 29240:tid 140381895169792] [client 192.99.15.139:59560] [client 192.99.15.139] ModSecurity: Access denied with code 403 (phase 1). Matched phrase "wp-config.php" at REQUEST_URI. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "122"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "www.keonhacaichaua.com"] [uri "/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php"] [unique_id "Xcw047yhIcpfEEydlyAKtwAAABY"]
Any idea?
W/R
DNA