Question for security experts: I noticed quite a few messages like the one below in the error log... should I be concerned? Any suggestions on how to deal with this?
[Sat May 02 16:12:03.642230 2015] [:error] [pid 8196] [client 175.136.18.56] ModSecurity: Warning. Pattern match "(?:< ?i?frame ?src ?= ?(?gg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\\\\.add|\\\\@)import |asfunction\\\\:|background-image\\\\:|e(?:cma|xec)script|\\\\.fromcharcode|get(?arentfolder|specialfolder)|\\\\.innerhtml|\\\\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s| ..." at ARGS_NAMES:e.innerHTML. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "302"] [id "340149"] [rev "152"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potential Cross Site Scripting Attack"] [data ".innerhtml"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/js/===n"] [unique_id "VUUvk8BjmNIAACAE6LIAAAAG"]
There were about 20 messages like this one from 10 different IPs over the weekend...
Yes, someone is trying to put some JS code in one of your websites, but I wouldn't care that much. Just take a look at your website(s) and find where the attackers posted this code. It might be a comments section or something similar.
Absolutely. Anytime Mod Security is tripped, you should look into it. If you aren't comfortable or confident doing it yourself, contact your host and post the error in a ticket. Usually they have more information than what you are given and have a better idea of how to find the issue.
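An added example, not written by anyone in this thread: one way to look into entries like the one quoted in the question is to parse the ModSecurity error-log lines and group them by rule id, client, URI and matched variable. The sample lines are constructed (documentation-range client addresses, a made-up rules file path and unique_id), and `parse_line` and `summarise` are names chosen for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the error-log format quoted in the question. Client
# addresses, rules file path and unique_id are made up; the last line is unrelated.
_ENTRY = (r'[{ts} 2015] [:error] [pid 8196] [client {client}] ModSecurity: Warning. '
          r'Pattern match "\\.innerhtml" at ARGS_NAMES:e.innerHTML. '
          r'[file "/etc/modsec/rules.conf"] [line "302"] [id "340149"] '
          r'[msg "Potential Cross Site Scripting Attack"] [severity "CRITICAL"] '
          r'[hostname "www.example.com"] [uri "/js/===n"] [unique_id "constructed"]')
SAMPLE_LOG = [
    _ENTRY.format(ts="Sat May 02 16:12:03.642230", client="192.0.2.10"),
    _ENTRY.format(ts="Sat May 02 18:40:11.100200", client="198.51.100.7:51234"),
    _ENTRY.format(ts="Sun May 03 09:05:47.000100", client="192.0.2.10"),
    "[Sun May 03 09:06:00.000000 2015] [core:error] [pid 8198] [client 203.0.113.5] File does not exist: /var/www/favicon.ico",
]

CLIENT = re.compile(r'\[client ([^\]]+)\] ModSecurity: ')
TARGET = re.compile(r' at (\S+?)\.? \[file ')          # matched variable, e.g. ARGS_NAMES:x
TAGS = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [id "..."], [uri "..."], ...

def parse_line(line):
    """Return one ModSecurity entry as a dict, or None for any other log line."""
    head = CLIENT.search(line)
    if head is None:
        return None
    event = dict(TAGS.findall(line))
    client = head.group(1)
    # Apache 2.4 may log "ip:port"; drop the port so one host is counted once.
    event["client"] = client.rsplit(":", 1)[0] if client.count(":") == 1 else client
    target = TARGET.search(line)
    event["target"] = target.group(1) if target else None
    return event

def summarise(lines):
    """Group entries by rule id: hits, distinct clients, URIs, matched variables."""
    rules = defaultdict(lambda: {"hits": 0, "clients": set(),
                                 "uris": Counter(), "targets": Counter()})
    for event in filter(None, map(parse_line, lines)):
        rule = rules[event.get("id", "unknown")]
        rule["hits"] += 1
        rule["clients"].add(event["client"])
        rule["uris"][event.get("uri")] += 1
        rule["targets"][event["target"]] += 1
    return dict(rules)

if __name__ == "__main__":
    for rule_id, r in summarise(SAMPLE_LOG).items():
        print(rule_id, r["hits"], len(r["clients"]), dict(r["uris"]), dict(r["targets"]))
```

Seeing which URI and which variable a rule keeps firing on, and from how many distinct clients, shows where on the site to look first.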