
Xpath error : Invalid Expression in /var/log/httpd/error_log

Posted: Thu Apr 14, 2016 3:06 am
by chrismcb
Hi,

Hoping someone can point me in the right direction.

In the default error log at /var/log/httpd/error_log, I'm getting repeated errors with no date/timestamp in between general "File does not exist" errors and ASL blocks.

Code:

[Wed Apr 13 17:16:16 2016] [error] [client x.x.x.x File does not exist: /var/www/vhosts/default/htdocs/2011
[Wed Apr 13 17:23:21 2016] [error] [client x.x.x.x] ModSecurity:  [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "191"] [id "332039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests).  Disable this rule if you use python-requests/. "] [severity "CRITICAL"] Access denied with redirection to http://redirected.com?b=x.x.x.x^Vw5yeW2pO54AACA0o4wAAAAI^332039^20160413172321 using status 302 (phase 2). Pattern match "python-requests/" at REQUEST_HEADERS:User-Agent. [hostname "x.x.x.x"] [uri "/recordings/theme/iefixes.css"] [unique_id "Vw5yeW2pO54AACA0o4wAAAAI"]
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
[Wed Apr 13 18:24:42 2016] [error] [client x.x.x.x] ModSecurity:  [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "353"] [id "333515"] [rev "4"] [msg "Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)"] [severity "ERROR"] [tag "no_ar"] Access denied with redirection to http://redirected.com?b=x.x.x.x^Vw6A2m2pO54AAEgBc7wAAAAJ^333515^20160413182442 using status 302 (phase 2). Pattern match "MJ12bot" at REQUEST_HEADERS:User-Agent. [hostname "mail.x.org"] [uri "/robots.txt"] [unique_id "Vw6A2m2pO54AAEgBc7wAAAAJ"]

This is all I have and I have no idea where to look to start to figure out what's causing it, never mind fix it!

With this, I'm getting close to 100 OSSEC HIDS notifications for rule 1002, which is doing its job picking up general unknown problems.

Anything to help point me in the right direction would be very much appreciated!

Re: Xpath error : Invalid Expression in /var/log/httpd/error

Posted: Thu Apr 14, 2016 4:24 am
by prupert
"XPath error : Invalid expression" comes from a web application. Since the line is in your Apache error_log, probably from a PHP application under mod_php running an XPath query on XML data.

Re: Xpath error : Invalid Expression in /var/log/httpd/error

Posted: Thu Apr 14, 2016 4:25 am
by chrismcb
prupert wrote: "XPath error : Invalid expression" comes from a web application. Since the line is in your Apache error_log, probably from a PHP application under mod_php running an XPath query on XML data.
Thanks. Any way to know which one? It's strange that it is going into the default error log and not the specific vhost one.
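
One way to narrow down when the untimestamped lines were written, as an added example that is not part of the original thread: group them into runs and bracket each run by the nearest timestamped entries in the same error_log. The function name and the sample lines are constructed for illustration (client addresses are documentation-range placeholders).

```python
import re
from datetime import datetime

# Timestamp prefix as it appears in the excerpt: [Wed Apr 13 17:16:16 2016]
TS_RE = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})\]")

def bracket_untimestamped(lines):
    """Group consecutive identical lines that lack a timestamp prefix into runs.
    'after' is the last timestamp seen before the run, 'before' the first one
    seen after it (None if the log ends or the message changes first)."""
    runs, current, last_ts = [], None, None
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = TS_RE.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            if current:
                current["before"] = last_ts
                runs.append(current)
                current = None
        elif current and current["message"] == line:
            current["count"] += 1
        else:
            if current:
                runs.append(current)
            current = {"message": line, "count": 1, "first_line": lineno,
                       "after": last_ts, "before": None}
    if current:
        runs.append(current)
    return runs

# Constructed sample modelled on the excerpt in the first post.
SAMPLE = """\
[Wed Apr 13 17:16:16 2016] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/2011
[Wed Apr 13 17:23:21 2016] [error] [client 192.0.2.10] ModSecurity: Access denied (constructed, shortened)
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
[Wed Apr 13 18:24:42 2016] [error] [client 192.0.2.11] ModSecurity: Access denied (constructed, shortened)
""".splitlines()

if __name__ == "__main__":
    for r in bracket_untimestamped(SAMPLE):
        print(f'{r["count"]}x "{r["message"]}" from line {r["first_line"]}, '
              f'between {r["after"]} and {r["before"]}')
```

Each reported window can then be compared against the per-vhost access logs for requests made in the same interval.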