1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Error messages re Potential Cross Site Scripting Attack

Discussion in 'Security' started by Jeffr2014, May 3, 2015.

  1. #1
    Question for security experts: I noticed quite a few messages like the one below in the error log... should I be concerned? Any suggestions on how to deal with this?
    SEMrush
    [Sat May 02 16:12:03.642230 2015] [:error] [pid 8196] [client 175.136.18.56] ModSecurity: Warning. Pattern match "(?:< ?i?frame ?src ?= ?(?[​IMG]gg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\\\\.add|\\\\@)import |asfunction\\\\:|background-image\\\\:|e(?:cma|xec)script|\\\\.fromcharcode|get(?:parentfolder|specialfolder)|\\\\.innerhtml|\\\\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s| ..." at ARGS_NAMES:e.innerHTML. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "302"] [id "340149"] [rev "152"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potential Cross Site Scripting Attack"] [data ".innerhtml"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/js/===n"] [unique_id "VUUvk8BjmNIAACAE6LIAAAAG"]

    There were about 20 messages like this one from 10 different IPs over the weekend...
     
    Jeffr2014, May 3, 2015 IP
    SEMrush
  2. fisasti

    fisasti Active Member

    Messages:
    42
    Likes Received:
    5
    Best Answers:
    2
    Trophy Points:
    58
    #2
    Yes, someone is trying to put some JS code in one of your websites, but i wouldn't care that much. Just take a look at your website(s) and find where did the attackers posted this code. It might be a comments section or something similar.
     
    fisasti, Apr 19, 2016 IP
  3. orrden

    orrden Greenhorn

    Messages:
    18
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    16
    #3
    Absolutely. Anytime Mod Security is tripped, you should look into it. If you aren't comfortable or confident doing it yourself, contact your host and post the error in a ticket. Usually they have more information than what you are given and have a better idea of how to find the issue.
     
    orrden, Apr 19, 2016 IP