Xpath error : Invalid Expression in /var/log/httpd/error_log

chrismcb
Forum Regular
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Xpath error : Invalid Expression in /var/log/httpd/error_log

Unread post by chrismcb »

Hi,

Hoping someone can point me in the right direction.

In the default error log at /var/log/httpd/error_log, I'm getting repeated errors with no date/timestamp in between general "File does not exist" errors and ASL blocks.

Code: Select all

[Wed Apr 13 17:16:16 2016] [error] [client x.x.x.x File does not exist: /var/www/vhosts/default/htdocs/2011
[Wed Apr 13 17:23:21 2016] [error] [client x.x.x.x] ModSecurity:  [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "191"] [id "332039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests).  Disable this rule if you use python-requests/. "] [severity "CRITICAL"] Access denied with redirection to http://redirected.com?b=x.x.x.x^Vw5yeW2pO54AACA0o4wAAAAI^332039^20160413172321 using status 302 (phase 2). Pattern match "python-requests/" at REQUEST_HEADERS:User-Agent. [hostname "x.x.x.x"] [uri "/recordings/theme/iefixes.css"] [unique_id "Vw5yeW2pO54AACA0o4wAAAAI"]
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
[Wed Apr 13 18:24:42 2016] [error] [client x.x.x.x] ModSecurity:  [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "353"] [id "333515"] [rev "4"] [msg "Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)"] [severity "ERROR"] [tag "no_ar"] Access denied with redirection to http://redirected.com?b=x.x.x.x^Vw6A2m2pO54AAEgBc7wAAAAJ^333515^20160413182442 using status 302 (phase 2). Pattern match "MJ12bot" at REQUEST_HEADERS:User-Agent. [hostname "mail.x.org"] [uri "/robots.txt"] [unique_id "Vw6A2m2pO54AAEgBc7wAAAAJ"]
This is all I have and I have no idea where to look to start to figure out what's causing it, never mind fix it!

With this, I'm getting close to 100 OSSEC HIDS notifications for rule 1002, which is doing it's job picking up general unknown problems.


Anything to help poin me in the right direction would be very much appreciated!
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Xpath error : Invalid Expression in /var/log/httpd/error

Unread post by prupert »

"XPath error : Invalid expression" comes from a web application. Since the line is in your Apache error_log, probably from a PHP application under mod_php running an XPath query on XML data.
Lemonbit Internet Dedicated Server Management
chrismcb
Forum Regular
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: Xpath error : Invalid Expression in /var/log/httpd/error

Unread post by chrismcb »

prupert wrote:"XPath error : Invalid expression" comes from a web application. Since the line is in your Apache error_log, probably from a PHP application under mod_php running an XPath query on XML data.
Thanks. Any way to know which one? It's strange that it is going into the default error log and not the specific vhost one.
Post Reply