
I'm running a simple website off of Bluehost, and I needed to use custom Python scripts, so I created a cgi-bin folder in my site's directory and added my CGI Python files there. Every time I tried to use an AJAX request to use the CGI scripts, however, the server kept returning a 500 error.

This is what the main error log shows:

[Sun Nov 30 15:49:15 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "anewroundtable.com"] [uri "/wp-login.php/"] [unique_id "VHue6zJX@FcAADAOSWgAAACA"]
[Sun Nov 30 15:49:16 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "anewroundtable.com"] [uri "/wp-login.php/"] [unique_id "VHue7DJX@FcAADAOSWsAAACD"]
[Sun Nov 30 15:49:16 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "sunnymedias.com"] [uri "/wp-login.php/"] [unique_id "VHue6zJX@FcAADAOSWoAAACC"]
[Sun Nov 30 15:49:16 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "anewroundtable.com"] [uri "/wp-login.php/"] [unique_id "VHue7DJX@FcAAC34XhwAAAHN"]
[Sun Nov 30 15:49:16 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "sunnymedias.com"] [uri "/wp-login.php/"] [unique_id "VHue7DJX@FcAADAOSW0AAACF"]
[Sun Nov 30 15:49:17 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "anewroundtable.com"] [uri "/wp-login.php/"] [unique_id "VHue7TJX@FcAAC34Xh8AAAHK"]
[Sun Nov 30 15:49:17 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "sunnymedias.com"] [uri "/wp-login.php/"] [unique_id "VHue7TJX@FcAADAOSW8AAACH"]
[Sun Nov 30 15:49:17 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "anewroundtable.com"] [uri "/wp-login.php/"] [unique_id "VHue7TJX@FcAADAOSXEAAACJ"]
[Sun Nov 30 15:49:17 2014] [error] [client 91.121.209.34] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla\\\\/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; ru; rv:1\\\\.9\\\\.0\\\\.2\\\\) Gecko\\\\/2008091620 Firefox\\\\/3\\\\.0\\\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "sunnymedias.com"] [uri "/wp-login.php/"] [unique_id "VHue7TJX@FcAAC34XiEAAAHI"]

Based on this error log, can I assume my site is getting brute-force hacked? This is showing up when my site isn't up and running. I removed the site from the file directory due to fear of hackers, but this is still showing up. What exactly is happening here? Is my site getting hacked? These same logs keep popping up every second, by the way. The host names change, however.

Any help is greatly appreciated.

HopelessN00b
Vishwa Iyer
  • fwiw; if anything is connected to the internet you can be sure someone/something is trying to break into it in a matter of seconds. – Sirex Nov 30 '14 at 23:07
  • I would second what Sirex said. That traffic is from a France IP. Assuming you are from France, it's legit. Assuming you are from another country, it's a web crawler, search, or some other traffic. Welcome to the internet. – Travis Stoll Nov 30 '14 at 23:50
  • I'm from the U.S., so it may not be hacking? – Vishwa Iyer Nov 30 '14 at 23:51
  • I'm getting the same error; it seems to be caused by one of the files on my site. I'm currently debugging to find out the cause. Would appreciate anything you have found? – doz87 Jul 17 '15 at 01:19

0 Answers
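One way to triage log lines like those in the question, as an added example that is not part of the original post: it groups ModSecurity denials by client and rule id, so you can see how many requests were blocked, in which phase, and which hostnames and URIs they were aimed at. The sample lines are constructed (documentation IPs, example hostnames, shortened pattern), and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the log above (documentation IPs, example
# hostnames, shortened pattern); the last line is not a ModSecurity entry.
SAMPLE_LOG = r'''
[Sun Nov 30 15:49:15 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Firefox\\/3\\.0\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "site-a.example"] [uri "/wp-login.php/"]
[Sun Nov 30 15:49:16 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Firefox\\/3\\.0\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "site-b.example"] [uri "/wp-login.php/"]
[Sun Nov 30 15:49:16 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Firefox\\/3\\.0\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "site-a.example"] [uri "/wp-login.php/"]
[Sun Nov 30 15:49:17 2014] [error] [client 198.51.100.9] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Firefox\\/3\\.0\\.2" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/eig_rules.conf"] [line "58"] [id "900228"] [msg "Wordpress Brute Force :: Firefox 8"] [hostname "site-c.example"] [uri "/wp-login.php/"]
[Sun Nov 30 15:49:18 2014] [error] [client 203.0.113.7] File does not exist: /home/user/public_html/favicon.ico
'''

HEAD = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
                  r'ModSecurity: (?P<action>[^(]+)\(phase (?P<phase>\d)\)')
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] metadata fields


def parse_line(line):
    """Return one ModSecurity event as a dict, or None for any other line."""
    m = HEAD.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["action"] = event["action"].strip()
    event.update(TAG.findall(line))  # adds file, line, id, msg, hostname, uri
    return event


def summarize(text):
    """Group denials by (client, rule id): hit count, hostnames, URIs, actions."""
    groups = defaultdict(lambda: {"hits": 0, "hosts": set(),
                                  "uris": Counter(), "actions": set()})
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev is None:
            continue  # blank line or a non-ModSecurity error entry
        g = groups[(ev["client"], ev.get("id", "-"))]
        g["hits"] += 1
        g["hosts"].add(ev.get("hostname", "-"))
        g["uris"][ev.get("uri", "-")] += 1
        g["actions"].add(f'{ev["action"]} (phase {ev["phase"]})')
    return dict(groups)


if __name__ == "__main__":
    for (client, rule), g in summarize(SAMPLE_LOG).items():
        print(client, rule, g["hits"], sorted(g["hosts"]),
              dict(g["uris"]), sorted(g["actions"]))
```

A group whose hostnames are not all yours, with every action reading "Access denied", indicates requests the web application firewall refused before they reached any site content.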