Skip to content

Apache CGI permission denied rule #1052

Closed
Closed
Apache CGI permission denied rule#1052
Labels
duplicate
@alex-front

Description

@alex-front
alex-front
opened on Feb 7, 2017

When running a scanner against an apache server I see lines like this in error_log:

"[Tue Feb 07 02:37:29.329569 2017] [cgi:error] [pid 9720] [client 10.101.1.50:35612] AH01215: (13)Permission denied: exec of '/usr/local/cpanel/cgi-sys/index.html' failed: /usr/local/cpanel/cgi-sys/index.html"

Many messages like this is a good indication of a malicious activity and should be detected by OSSEC but currently they are not:

[Tue Feb 07 02:37:29.329569 2017] [cgi:error] [pid 9720] [client 10.101.1.50:35612] AH01215: (13)Permission denied: exec of '/usr/local/cpanel/cgi-sys/index.html' failed: /usr/local/cpanel/cgi-sys/index.html

**Phase 1: Completed pre-decoding.
full event: '[Tue Feb 07 02:37:29.329569 2017] [cgi:error] [pid 9720] [client 10.101.1.50:35612] AH01215: (13)Permission denied: exec of '/usr/local/cpanel/cgi-sys/index.html' failed: /usr/local/cpanel/cgi-sys/index.html'
hostname: 'i360-dev-agent-el7-1'
program_name: '(null)'
log: '[Tue Feb 07 02:37:29.329569 2017] [cgi:error] [pid 9720] [client 10.101.1.50:35612] AH01215: (13)Permission denied: exec of '/usr/local/cpanel/cgi-sys/index.html' failed: /usr/local/cpanel/cgi-sys/index.html'

**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '10.101.1.50'
srcport: '35612'
id: 'AH01215'

**Phase 3: Completed filtering (rules).
Rule id: '30301'
Level: '0'
Description: 'Apache error messages grouped.'

Metadata

Metadata

Assignees

No one assigned

    Labels

    duplicate

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions