
Since 4.2.0 many Fediverse ActivityPub pushes to /inbox fail with rule 941100, 932130, 932260 and others #3698

Closed
ne20002 opened this issue May 9, 2024 · 16 comments

Comments

@ne20002

ne20002 commented May 9, 2024

Description

Since the update to CRS 4.2.0 I have a lot of false positives on rules 941100, 932130 or 932260.

I run owasp/modsecurity-crs in front of a Friendica server.

Logs

This is an example:

---D44GyDVQ---A--
[12/May/2024:02:28:16 +0200] 171547369645.268645 92.60.41.50 0 10.0.2.100 8080
---D44GyDVQ---B--
POST /inbox HTTP/1.1
Date: Sun, 12 May 2024 00:28:16 GMT
X-Forwarded-For: 92.60.41.50
User-Agent: http.rb/5.1.1 (Mastodon/4.2.8; +https://c.im/)
X-Forwarded-Proto: https
X-Forwarded-By: 10.88.0.7:8443
Content-Length: 751
X-Real-IP: 92.60.41.50
Digest: SHA-256=GKHv6FBSX2yWqioPpHeSCDAr+vn5xZKkDYKaoVT5m4E=
Host: fedi.0x42.ch
X-Forwarded-Port: 8443
Accept-Encoding: gzip
Forwarded: for=92.60.41.50; proto=https; by=10.88.0.7
Content-Type: application/activity+json
Signature: keyId="https://c.im/users/sitecollection#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="g6XAI/Pa4hcJQvnIgAlogJ5cyJWr3Dv2Cpp67qOvp9KQJ116E78ioJ5NIlapzw8rht1+t7H8tKF24Fazg9RJh6vQ+JnbvkZF+M+RnzbEiNcF8d3FLzQONfFB+lsBz9dtWN8B4v5bS/rmi9tZo4irHKrzC6PpH/vujdgazU7qf/IFzyy9tPTnXEAoNSuniEkUPm07n/EB8tLrIZPmClubtl1G3TfJ8/yiRQ3pp6avLaHHNcHejqNoTwR+Jp1nOeXJdabKPswquYPJV+Wzxh8sgv3Ln4oor+nsRCEw13SvuWzUVqm7BXe3rKa1ZKSCWPdvs805PWILCN6b2XSe3J7Rqw=="

---D44GyDVQ---C--
{"@context":"https://www.w3.org/ns/activitystreams","id":"https://c.im/users/sitecollection#delete","type":"Delete","actor":"https://c.im/users/sitecollection","to":["https://www.w3.org/ns/activitystreams#Public"],"object":"https://c.im/users/sitecollection","signature":{"type":"RsaSignature2017","creator":"https://c.im/users/sitecollection#main-key","created":"2024-05-12T00:25:23Z","signatureValue":"SMPaxxkHm6ejaJqS/lAouPJjRtMXmLfX/VBWuu6zTILQu7/gh18Vjlx2dqe/ktBqByQwkbRcdocOCiac6FOEtqvFTJaabUcl+z1NCwx9K9e+541DPYtouwI/6OUTe4BBtOL3eUC31iUosfmlKxgXI+loe7NFXcxc5RMt+Ma3iF9Rtf+QRkg9polMf0w65u/8LxWHI9xRHQsgdw95cJtxy/KnFxDc4zFqkHlBKCBaGHy4DeReGyzNEIheZB8tLyu7HM4zmYTlNfgd0qctARkBbydyVenVTCsHpj/lf2+nq9nNk3AToa5nM9FPet6kATd35ZF9auZQI40qoxb0o1+11g=="}}

---D44GyDVQ---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---D44GyDVQ---F--
HTTP/1.1 403
Server: nginx
X-Robots-Tag: noindex, nofollow
Date: Sun, 12 May 2024 00:28:16 GMT
Content-Length: 146
X-Download-Options: noopen
Content-Type: text/html
Connection: keep-alive
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000;  includeSubDomains

---D44GyDVQ---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$ (7508 characters omitted)' against variable `ARGS:json.signature.signatureValue' (Value: `SMPaxxkHm6ejaJqS/lAouPJjRtMXmLfX/VBWuu6zTILQu7/gh18Vjlx2dqe/ktBqByQwkbRcdocOCiac6FOEtqvFTJaabUcl+z1N (244 characters omitted)' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "181"] [id "932235"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: enVTCsH found within ARGS:json.signature.signatureValue: SMPaxxkHm6ejaJqS/lAouPJjRtMXmLfX/VBWuu6zTILQu7/gh18Vjlx2dqe/ktBqByQwkbRcdocOCiac6FOEtqvFTJaabUcl+z1NCwx9K9e+541DPYtouwI/6OUTe4BBt (215 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171547369645.268645"] [ref "o281,7v30,344"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171547369645.268645"] [ref ""]

---D44GyDVQ---I--

---D44GyDVQ---J--

---D44GyDVQ---K--

---D44GyDVQ---Z--


---P4CzUReS---A--
[12/May/2024:00:33:32 +0200] 171546681243.652535 202.61.242.89 0 10.0.2.100 8080
---P4CzUReS---B--
POST /inbox HTTP/1.1
Date: Sat, 11 May 2024 22:33:32 GMT
X-Forwarded-For: 202.61.242.89
User-Agent: http.rb/5.1.1 (Mastodon/4.2.8; +https://gametoots.de/)
X-Forwarded-Proto: https
X-Forwarded-By: 10.88.0.7:8443
Content-Length: 763
X-Real-IP: 202.61.242.89
Digest: SHA-256=eMS3mHbAjVbo1Y/ixAKZKpNrwGGPXl2RzSYT5Rg+82M=
Host: fedi.0x42.ch
X-Forwarded-Port: 8443
Accept-Encoding: gzip
Forwarded: for=202.61.242.89; proto=https; by=10.88.0.7
Content-Type: application/activity+json
Signature: keyId="https://gametoots.de/users/totorruns#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="V1xkz0vtpv7Nkjf6XrbaLWCwRVzIlHfVJlHGQ63AEFVzl4PDZSunmJbb23vlnwo6HuB0UZylv/NRQ6GGwA3yEqMhzdi3cNVGo2yqb7t1WbzWOwDetbWV39V3YLLq+d0cmzXYgHfjyVjpBkUPmeZmXFxC/l9mS2ZcRUpyBLCIdeEWQqi79Z8LM7b2jNrV5o4QbmlzvGjvFtZBOPc6ZXKhFhPIvDlvC1oo5qJZMB5BuNxEBAt629dQTdXXtQodiS8qMwV2CukPqqYFD0eLVMbv4QsV+bJK3GLutmEPr6uSe1rS5UPNe8KxaS1v25KrVW7gBQz72JeIdmbNgZRcidMhKg=="

---P4CzUReS---C--
{"@context":"https://www.w3.org/ns/activitystreams","id":"https://gametoots.de/users/totorruns#delete","type":"Delete","actor":"https://gametoots.de/users/totorruns","to":["https://www.w3.org/ns/activitystreams#Public"],"object":"https://gametoots.de/users/totorruns","signature":{"type":"RsaSignature2017","creator":"https://gametoots.de/users/totorruns#main-key","created":"2024-05-11T22:32:18Z","signatureValue":"p4COvrjMkdiRgUTAi/Pyi6CZO7+Zhm2SSt2hZrgq6tHgaqCk3IG9nPD6Uem9VxyaZ0xWvz/jQoGhrxhcRHxFBMCJOFHc6wpcB9dwdPG6T359R7QYvSEMBqT4sgHSv9yqw19h4K9Y/327TEC/HefUxdwR4XApugY4f5vigQ6ADyxNmyiQNQSi3VdTVBeXqK2ZpT3xwtqYHNopHkYbrcZoE32Q1O2CsFDptyvJc4PyZtJZ3BbVu1Y3pnnBa/CpBJA0RZjR1AHIC/ZEHGhmJsB6lEGDgPnwCy0jS946qIqCSjBKEyTCedy/IdTapZdelvboRo+ueosXZvPQAZoHgcc5vg=="}}

---P4CzUReS---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---P4CzUReS---F--
HTTP/1.1 403
Server: nginx
X-Robots-Tag: noindex, nofollow
Date: Sat, 11 May 2024 22:33:32 GMT
Content-Length: 146
X-Download-Options: noopen
Content-Type: text/html
Connection: keep-alive
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000;  includeSubDomains

---P4CzUReS---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `php-function-names-933150.data' against variable `ARGS:json.signature.signatureValue' (Value: `p4COvrjMkdiRgUTAi/Pyi6CZO7+Zhm2SSt2hZrgq6tHgaqCk3IG9nPD6Uem9VxyaZ0xWvz/jQoGhrxhcRHxFBMCJOFHc6wpcB9dw (244 characters omitted)' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "279"] [id "933150"] [rev ""] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: mkdir found within ARGS:json.signature.signatureValue: p4COvrjMkdiRgUTAi/Pyi6CZO7+Zhm2SSt2hZrgq6tHgaqCk3IG9nPD6Uem9VxyaZ0xWvz/jQoGhrxhcRHxFBMCJOFHc6wpcB9dwdPG6T359R7QYvSEMBqT4sgHSv9yqw19 (213 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171546681243.652535"] [ref "o7,5v30,344"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171546681243.652535"] [ref ""]

---P4CzUReS---I--

---P4CzUReS---J--

---P4CzUReS---K--

---P4CzUReS---Z--

Your Environment

  • CRS version (e.g., v3.3.4): 4.2.0
  • Paranoia level setting (e.g. PL1) : 1
  • ModSecurity version (e.g., 2.9.6): 3.0.12
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): owasp/modsecurity-crs:nginx docker image
  • Operating System and version: Debian Bookworm with Podman

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@airween
Contributor

airween commented May 9, 2024

Hi @ne20002,

thank you for your feedback. Sorry to hear about these FPs.

Rule 941100 uses the operator @detectXSS, so unfortunately we have no influence on its behavior.

In the case of the other two rules, namely 932130 and 932260, as you can see the rules do what they are supposed to do (see comments - for 932260 please take a look at the comment of 932250 too).

Unfortunately the only thing you can do is exclusions.

Do you think these rules are too strict? Maybe we should move them to a higher PL?

@ne20002
Author

ne20002 commented May 10, 2024

I'm not sure. I have a few more FPs like this one on rule 932120:

---3hjQ85yJ---A--
[10/May/2024:06:31:59 +0200] 171531551991.538011 188.34.164.250 0 10.0.2.100 8080
---3hjQ85yJ---B--
POST /inbox HTTP/1.1
Date: Fri, 10 May 2024 04:31:59 GMT
X-Forwarded-For: 188.34.164.250
User-Agent: http.rb/5.2.0 (Mastodon/4.3.0-nightly.2024-04-30; +https://mastodon.social/)
X-Forwarded-Proto: https
X-Forwarded-By: 10.88.0.5:8443
Content-Length: 835
X-Real-IP: 188.34.164.250
Digest: SHA-256=Ms+vNYBH+NSQU+bW+P6Oor3Ozj+SK4wS9ryoywmtBpY=
Host: fedi.0x42.ch
X-Forwarded-Port: 8443
Accept-Encoding: gzip
Forwarded: for=188.34.164.250; proto=https; by=10.88.0.5
Content-Type: application/activity+json
Signature: keyId="https://mastodon.social/users/SecurityInANutPowerShell#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="Pubzqbfh74oNTjs6/sFjOtJEKWmN6qcuf+HzQCcqDifyK4SbjtnksDOW6gInXyP3p82YWpavlifGLmRQ9DzRzaai87hmKvk+BsZz+YBb7x32C5vwvgEEzzrrYg+P44boye+LpPc5GENj/I4+01u8k/QihpgQXaZfkpMzerF8DxDTzLr5WHlj+yW/iYpG+KUQO78lBCsm5MFoQc/xrtwYDq364W0cRacl3n/blmiNnvodVBROUF8uJUVEzSbUoVhXRxQdC2bnRYkhzizpKHivqexvCmYYpvuTE99VPQcRW4NDtmangvvFZTzR2cmvany1FfWo7vFIeEoL3lx4Xrxizw=="

---3hjQ85yJ---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---3hjQ85yJ---F--
HTTP/1.1 403
Server: nginx
X-Robots-Tag: noindex, nofollow
Date: Fri, 10 May 2024 04:31:59 GMT
Content-Length: 146
X-Download-Options: noopen
Content-Type: text/html
Connection: keep-alive
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000;  includeSubDomains

---3hjQ85yJ---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `windows-powershell-commands.data' against variable `ARGS:json.signature.creator' (Value: `https://mastodon.social/users/SecurityInANutPowerShell#main-key' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "213"] [id "932120"] [rev ""] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: powershell found within ARGS:json.signature.creator: https://mastodon.social/users/securityinanutpowershell#main-key"] [severity "2"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171531551991.538011"] [ref "o44,10v8,61t:cmdLineo44,10v11,54t:cmdLineo44,10v12,54t:cmdLineo44,10v23,63t:cmdLine"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `20' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171531551991.538011"] [ref ""]

---3hjQ85yJ---I--

---3hjQ85yJ---J--

---3hjQ85yJ---K--

---3hjQ85yJ---Z--

Most are somehow related to elements of a JSON signature, some to a JSON object. All requests are of content-type 'application/activity+json'. I'm not in the details, but it seems as if this is not a JSON-only object and this is causing problems as they are treated as JSON by ModSecurity?
This one though might not be an FP, as I believe the content includes some PowerShell command (in a text for reference). But it is still problematic to block it though.

I thought that an ActivityPub activity only includes links to the object on the original system, and the receiving system then resolves/loads it. Seems as if there is also some data in there (and if so, filtering will be really difficult).
I need to figure out how to log the whole request in case the rule is triggered, to have a deeper look at this. It's just for understanding; I'm not a developer of any of those systems.

Edit: fascinatingly enough, this might even have been good to be blocked, as the given fediverse user is already no longer available, i.e. is deleted. Which makes me suspect that someone tried to do some hack with this.

@dune73
Member

dune73 commented May 10, 2024

Thank you for reporting @ne20002. We get relatively few reports given the amount of installations and supposed number of false positives.

Lacking the exact payload, it is very difficult to help you though. If we have the individual payloads, we can check them against the patterns and see whether we can do something about it or not. Like this, it's too blurry.

@ne20002 ne20002 changed the title Since 4.2.0 many fediverse ActivityPub pushes to /inbox fail with rule 941100, 932130 or 932260 Since 4.2.0 many Fediverse ActivityPub pushes to /inbox fail with rule 941100, 932130, 932260 and others May 12, 2024
@ne20002
Author

ne20002 commented May 12, 2024

Hi @dune73
Sure, I have updated the OP with two new examples including the request data. I will continue to update as soon as I get other examples logged.

At least I find this in the Warning a bit suspicious:
[msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: enVTCsH found within ARGS:json.signature.signatureValue:

Finding enVTCsh as part of a string is triggering the rule?

Same for
[msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: mkdir found within ARGS:json.signature.signature

Maybe I need to disable inspection of the request body for POSTs to /inbox?

@airween
Contributor

airween commented May 12, 2024

hi @ne20002,

thanks for the details.

At least I find this in the Warning a bit suspicious: [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: enVTCsH found within ARGS:json.signature.signatureValue:

this is the rule 932235, right? (You didn't mention the rule at the last example - I assume you use CRS on PL1 and only this rule has the quoted msg.)

Finding enVTCsh as part of a string is triggering the rule?

Unfortunately yes. See the regex and its included source, which has the sub-string tcsh.

Maybe this is too strict on PL1 (I mean a sub-string matches with a pattern, it's not necessarily an attack - not on PL1 at least). I think we have to investigate this.

Same for [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: mkdir found within ARGS:json.signature.signature

Well, mkdir could be a valid attack.

Maybe I need to disable inspection of the request body for POSTs to /inbox?

If you are thinking about using SecRequestBodyAccess with libmodsecurity3, please DON'T DO THAT. Libmodsecurity3 has a known bug: if you disable the request body inspection, the engine skips the whole phase:2.

Instead of this, please make an exclusion with ctl:ruleRemoveByTag=OWASP_CRS.

@ne20002
Author

ne20002 commented May 12, 2024

Hi @airween

Well, mkdir could be a valid attack.

As could other strings... this again is just a substring in the signature, which possibly can include nearly any of the substrings checked by this kind of rules.

I thought of checking for the path /inbox and then ctl:requestBodyAccess=Off.
Maybe I need to exclude the signature arg only? Is this possible?

@airween
Contributor

airween commented May 12, 2024

I thought of checking for the path /inbox and then ctl:requestBodyAccess=Off. Maybe I need to exclude the signature arg only? Is this possible?

yes, e.g.:

# Phase-1 exclusion: for requests to /inbox, remove the named JSON argument from the
# targets of every CRS rule. ARGS:name is an exact match, so the target must be the
# full name the audit log reports (ARGS:json.signature.signatureValue), not a prefix.
SecRule REQUEST_FILENAME "@beginsWith /inbox" \
    "id:100001,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.signature.signatureValue"
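As an added example (not code from this thread or from the CRS project), a small Python triage helper that parses the "H" section lines of the audit logs posted above, reproduces the substring behaviour of @pm / @pmFromFile next to the whole-word variant discussed in this thread, and derives one ctl:ruleRemoveTargetById exclusion per (rule, variable) pair. The sample log lines are shortened copies of the ones in this thread, the keyword lists are stand-ins for the real .data files, and the rule ids starting at 100002 are placeholders.

```python
import re

# Constructed, shortened copies of the "H"-section lines from the audit logs in this
# thread (Value/data strings truncated, unrelated tags dropped); the field layout is
# the one libmodsecurity3 writes, so the parser also works on real audit logs.
SAMPLE_H_LINES = """
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `php-function-names-933150.data' against variable `ARGS:json.signature.signatureValue' (Value: `p4COvrjMkdiRgUTAi' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "279"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: mkdir found within ARGS:json.signature.signatureValue: p4COvrjMkdiRgUTAi"] [severity "2"] [tag "paranoia-level/1"] [uri "/inbox"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(regex omitted)' against variable `ARGS:json.signature.signatureValue' (Value: `SMPaxxkHm6ejaJqS' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "181"] [id "932235"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: enVTCsH found within ARGS:json.signature.signatureValue: SMPaxxkHm6ejaJqS"] [severity "2"] [tag "paranoia-level/1"] [uri "/inbox"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `windows-powershell-commands.data' against variable `ARGS:json.signature.creator' (Value: `https://mastodon.social/users/SecurityInANutPowerShell#main-key' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "213"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: powershell found within ARGS:json.signature.creator: https://mastodon.social/users/securityinanutpowershell#main-key"] [severity "2"] [tag "paranoia-level/1"] [uri "/inbox"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [uri "/inbox"]
""".strip().splitlines()

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
VAR_RE = re.compile(r"against variable `([^']*)'")
MATCHED_RE = re.compile(r"Matched Data: (.+?) found within ")


def parse_h_line(line):
    """Turn one audit-log H line into a dict: the bracketed fields (id, msg, data,
    severity, ...) plus the inspected variable and the substring that matched."""
    fields = dict(FIELD_RE.findall(line))  # repeated keys such as tag keep the last value
    m = VAR_RE.search(line)
    fields["variable"] = m.group(1) if m else ""
    m = MATCHED_RE.search(fields.get("data", ""))
    fields["matched"] = m.group(1) if m else ""
    return fields


def substring_hits(value, keywords):
    """What @pm / @pmFromFile does: case-insensitive substring search with no word
    boundaries, so base64 signature material can hit any short keyword by chance."""
    low = value.lower()
    return [k for k in keywords if k in low]


def word_hits(value, keywords):
    """The stricter variant discussed in the thread: same keywords, but only as whole
    words. Base64 blobs stop matching; a real 'mkdir x' still does."""
    low = value.lower()
    return [k for k in keywords if re.search(r"\b" + re.escape(k) + r"\b", low)]


def suggest_exclusions(h_lines, path="/inbox", start_id=100002):
    """Group the detection hits (the 949110 blocking line is skipped) by (rule id,
    variable) and emit one targeted exclusion per pair. start_id is a placeholder;
    use ids that are free in your own configuration."""
    pairs = set()
    for f in map(parse_h_line, h_lines):
        if f.get("id") and f["id"] != "949110" and f["variable"]:
            pairs.add((f["id"], f["variable"]))
    rules = []
    for n, (rule_id, var) in enumerate(sorted(pairs)):
        rules.append(
            f'SecRule REQUEST_FILENAME "@beginsWith {path}" '
            f'"id:{start_id + n},phase:1,pass,nolog,t:none,'
            f'ctl:ruleRemoveTargetById={rule_id};{var}"'
        )
    return rules


if __name__ == "__main__":
    for f in map(parse_h_line, SAMPLE_H_LINES):
        print(f["id"], f["variable"], repr(f["matched"]), f["msg"])
    # prefix of the signatureValue from the second audit log above
    sig = "p4COvrjMkdiRgUTAi/Pyi6CZO7+Zhm2SSt2hZrgq6tHgaqCk3IG9nPD6Uem9VxyaZ0xWvz"
    print("substring:", substring_hits(sig, ["mkdir", "tcsh"]),
          "word:", word_hits(sig, ["mkdir", "tcsh"]))
    print("\n".join(suggest_exclusions(SAMPLE_H_LINES)))
```

Load the generated rules in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (where the CRS documentation places ctl-based exclusions); note that the 932120 hit was on ARGS:json.signature.creator, a different variable from the signatureValue one.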

@ne20002
Author

ne20002 commented May 13, 2024

@airween, thank you
I have applied the rule accordingly.

Maybe this is too strict on PL1 (I mean a sub-string matches with a pattern, it's not necessarily an attack - not on PL1 at least). I think we have to investigate this.

I agree. A simple substring match in PL1 seems too strict to me, at least as this check is not checking word boundaries. Maybe a PL1 rule should do a substring match on e.g. ' mkdir ' where a PL2 rule may check for 'mkdir'?
But I'm not an expert in this field.

@airween
Contributor

airween commented May 13, 2024

I agree. A simple substring match in PL1 seems too strict to me, at least as this check is not checking word boundaries. Maybe a PL1 rule should do a substring match on e.g. ' mkdir ' where a PL2 rule may check for 'mkdir'? But I'm not an expert in this field.

I've added this issue to our next monthly meeting (20th of May, next Monday): #3694 (see the "Separate 2nd Meeting" block). Would you like to attend this meeting?

@ne20002
Author

ne20002 commented May 13, 2024

I got another interesting one:


---zSV10vK8---A--
[13/May/2024:12:51:19 +0200] 17155974797.339923 49.13.112.22 0 10.0.2.100 8080
---zSV10vK8---B--
POST /inbox HTTP/1.1
Date: Mon, 13 May 2024 10:51:19 GMT
X-Forwarded-For: 49.13.112.22
User-Agent: http.rb/5.2.0 (Mastodon/4.3.0-nightly.2024-05-13; +https://mastodon.social/)
X-Forwarded-Proto: https
X-Forwarded-By: 10.88.0.8:8443
Content-Length: 4031
X-Real-IP: 49.13.112.22
Digest: SHA-256=Tn7U+YL5GF1o6PVARttne8hkD4iXD1zK5Rlt6ZvA358=
Host: fedi.0x42.ch
X-Forwarded-Port: 8443
Accept-Encoding: gzip
Forwarded: for=49.13.112.22; proto=https; by=10.88.0.8
Content-Type: application/activity+json
Signature: keyId="https://mastodon.social/users/Tusky#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="p5MLdGyqv3IcUfHlmqr25pRrezFij2ukKq6NB+5mYweZlOsZ8p3m/IG5EuK6rPBcC0ccrvSokrw7LAZhnKQiC6VlpePyPoX6yFNWiiurom8ANfgRiVvN3tK1bZNnnY69/IFDTLbtvBMaCHOZO2dKkzGGeKJtOuxWTxcfF1BDdlq+Xf8inl9jHKSaYJ4S8tmy6ojAcnrsILCMOImFovgQ4GqBjBLtnQ32hXFsxRwf1OgW9hvXz/b3rAOhqdUSUqks/eF0ch2pwcZzbqDit5+BS1mgPEfUTEPY/Q9Gct/JzyMxV9cPDSEacBA3rICWb6FqwhqYWM1xGkJqnumeUctUxA=="

---zSV10vK8---C--
{"@context":["https://www.w3.org/ns/activitystreams","https://w3id.org/security/v1",{"manuallyApprovesFollowers":"as:manuallyApprovesFollowers","sensitive":"as:sensitive","Hashtag":"as:Hashtag","movedTo":{"@id":"as:movedTo","@type":"@id"},"alsoKnownAs":{"@id":"as:alsoKnownAs","@type":"@id"},"toot":"http://joinmastodon.org/ns#","Emoji":"toot:Emoji","featured":{"@id":"toot:featured","@type":"@id"},"featuredTags":{"@id":"toot:featuredTags","@type":"@id"},"schema":"http://schema.org#","PropertyValue":"schema:PropertyValue","value":"schema:value","ostatus":"http://ostatus.org#","atomUri":"ostatus:atomUri","inReplyToAtomUri":"ostatus:inReplyToAtomUri","conversation":"ostatus:conversation","focalPoint":{"@container":"@list","@id":"toot:focalPoint"},"blurhash":"toot:blurhash","discoverable":"toot:discoverable","indexable":"toot:indexable","memorial":"toot:memorial","votersCount":"toot:votersCount","Device":"toot:Device","Ed25519Signature":"toot:Ed25519Signature","Ed25519Key":"toot:Ed25519Key","Curve25519Key":"toot:Curve25519Key","EncryptedMessage":"toot:EncryptedMessage","publicKeyBase64":"toot:publicKeyBase64","deviceId":"toot:deviceId","claim":{"@type":"@id","@id":"toot:claim"},"fingerprintKey":{"@type":"@id","@id":"toot:fingerprintKey"},"identityKey":{"@type":"@id","@id":"toot:identityKey"},"devices":{"@type":"@id","@id":"toot:devices"},"messageFranking":"toot:messageFranking","messageType":"toot:messageType","cipherText":"toot:cipherText","suspended":"toot:suspended"}],"id":"https://chaos.social/users/wmd/statuses/112433396306350018/activity","type":"Create","actor":"https://chaos.social/users/wmd","published":"2024-05-13T10:51:17Z","to":["https://www.w3.org/ns/activitystreams#Public"],"cc":["https://chaos.social/users/wmd/followers","https://mastodon.social/users/Tusky"],"object":{"id":"https://chaos.social/users/wmd/statuses/112433396306350018","type":"Note","inReplyTo":"https://mastodon.social/users/Tusky/statuses/112433308732459217","published":"2024-05-13T10:51:17Z
","url":"https://chaos.social/@wmd/112433396306350018","attributedTo":"https://chaos.social/users/wmd","to":["https://www.w3.org/ns/activitystreams#Public"],"cc":["https://chaos.social/users/wmd/followers","https://mastodon.social/users/Tusky"],"sensitive":false,"atomUri":"https://chaos.social/users/wmd/statuses/112433396306350018","inReplyToAtomUri":"https://mastodon.social/users/Tusky/statuses/112433308732459217","conversation":"tag:chaos.social,2024-05-12:objectId=182049045:objectType=Conversation","content":"<p><span class=\"h-card\" translate=\"no\"><a href=\"https://mastodon.social/@Tusky\" class=\"u-url mention\">@<span>Tusky</span></a></span> boosts disabled before updating, boosts enabled after update, so had to deactivate them again.</p><p>(for the home timeline)</p>","contentMap":{"en":"<p><span class=\"h-card\" translate=\"no\"><a href=\"https://mastodon.social/@Tusky\" class=\"u-url mention\">@<span>Tusky</span></a></span> boosts disabled before updating, boosts enabled after update, so had to deactivate them again.</p><p>(for the home 
timeline)</p>"},"attachment":[],"tag":[{"type":"Mention","href":"https://mastodon.social/users/Tusky","name":"@Tusky@mastodon.social"}],"replies":{"id":"https://chaos.social/users/wmd/statuses/112433396306350018/replies","type":"Collection","first":{"type":"CollectionPage","next":"https://chaos.social/users/wmd/statuses/112433396306350018/replies?only_other_accounts=true&page=true","partOf":"https://chaos.social/users/wmd/statuses/112433396306350018/replies","items":[]}}},"signature":{"type":"RsaSignature2017","creator":"https://chaos.social/users/wmd#main-key","created":"2024-05-13T10:51:18Z","signatureValue":"sBqesrkZ/lPZ19FD9JDishLSyjNSpEmgAiPQw4FbM6n4tP1x/GSebepKpySkxp0iRFI9uEb8J7GUrswbcb1VXxTgTalLB33OM/rt78KT2CxBAb5xMnYu9AwEg/nEwkVKkOnWuV/5AmCyWYFEmBZyGEao7KfpNA9Bo4ANO4Kfu+vmPN6yladnMCl9agy9Maya8igHLFIRZzSi2QNoGjj0ROvdnP20FNxfEeGtmiYGe7RhQhHN/2Xz0w0XQp76YnLSnlULjqziEQ++hESGtfd7m9SCiOEdeqYzGWS1yTYjnsYdWORPUud68zyaBk6QG8glNblSIxHzJq+KGGIfdb4KBA=="}}

---zSV10vK8---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---zSV10vK8---F--
HTTP/1.1 403
Server: nginx
X-Robots-Tag: noindex, nofollow
Date: Mon, 13 May 2024 10:51:19 GMT
Content-Length: 146
X-Download-Options: noopen
Content-Type: text/html
Connection: keep-alive
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000;  includeSubDomains

---zSV10vK8---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `\$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]' against variable `ARGS:json.object.contentMap.en' (Value: `<p><span class="h-card" translate="no"><a href="https://mastodon.social/@Tusky" class="u-url mention (161 characters omitted)' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "291"] [id "932130"] [rev ""] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(for the home timeline) found within ARGS:json.object.contentMap.en: <p><span class=h-card translate=no><a href=https://mastodon.social/@tusky class=u-url mention>@<span>tusky</span></a (135 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "17155974797.339923"] [ref "o223,24v20,261t:cmdLineo223,24v26,261t:cmdLine"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "17155974797.339923"] [ref ""]

---zSV10vK8---I--

---zSV10vK8---J--

---zSV10vK8---K--

---zSV10vK8---Z--

@ne20002
Author

ne20002 commented May 16, 2024

Here is another one:


---r21NI3wg---A--
[16/May/2024:00:05:28 +0200] 171581072852.916713 2a03:2880:ff:2::face:b00c 0 10.0.2.100 8080
---r21NI3wg---B--
POST /inbox HTTP/1.1
User-Agent: facebookexternalua
X-Forwarded-Proto: https
X-Forwarded-By: fd00::1:8:c:8443
Accept: */*
Content-Length: 2322
X-Real-IP: 2a03:2880:ff:2::face:b00c
Digest: SHA-256=70w50fg3CzRPcN9Mwbvx1QuZzWcR/RbvF6os37SnDAo=
Host: fedi.0x42.ch
X-Forwarded-Port: 8443
X-Forwarded-For: 2a03:2880:ff:2::face:b00c
Date: Wed, 15 May 2024 22:05:27 GMT
Accept-Encoding: deflate, gzip
Forwarded: for=2a03:2880:ff:2::face:b00c; proto=https; by=fd00::1:8:c
Content-Type: application/ld+json; profile="https://www.w3.org/ns/activitystreams"
Signature: keyId="https://threads.net/ap/users/17841401411590012/#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest",signature="a28N7E9qIhV8VZgXkZw+YmcwNT9QI7STPhgy00iX+bIkJkeFLCXvdgSAf79d44ES0QdbXcMD14jm4oCu1HZj2LZyqSXlQn7ZpvNuzT41Mu/UuSUCmCU7inTI7UvS9YPux4Lga2UR8Gsuxmfs+LloatItx2Wd7HHdduDcQmuX/MvnUIXPVmAsHRDZOhu3Pav4lpNTUqLt9dZgKl6cRsJuNMy7lxIfX9JUtQAwBQV5DmTnHY6HYPrvZhP+8ft6qUmt5lLHYigNssNLsC+Iu5vbDQhLXkHjELxOdwLjJvXryjqlucbtVwndtrfDgvDm/XC9a38jeC86KFQsTVwo4s7RvQ=="

---r21NI3wg---C--
{"\u0040context":["https:\/\/www.w3.org\/ns\/activitystreams"],"id":"https:\/\/threads.net\/ap\/users\/17841401411590012\/post\/17896983660004930\/activity\/","type":"Create","object":{"id":"https:\/\/threads.net\/ap\/users\/17841401411590012\/post\/17896983660004930\/","type":"Note","content":"\u003Cp>One of the most shocking parts about how the YouTube experience has degraded is search. YouTube is one of the biggest search engines on the internet and search on the website is now nearly worthless. It&#039;s really hard to believe they&#039;d destroy one of the best and most valuable things the site had going for it but here we are.\u003Cbr \/>\u003Cbr \/>Great video on the subject by \u003Ca href=\"https:\/\/threads.net\/\u0040eposvox\/\" class=\"u-url mention\">\u0040\u003Cspan>eposvox\u003C\/span>\u003C\/a> \u003Cbr \/>\u003Ca href=\"https:\/\/www.youtube.com\/watch?v=ib3E8rBsT60\">https:\/\/www.youtube.com\/watch?v=ib3E8rBsT60\u003C\/a>\u003C\/p>","contentMap":{"en":"\u003Cp>One of the most shocking parts about how the YouTube experience has degraded is search. YouTube is one of the biggest search engines on the internet and search on the website is now nearly worthless. 
It&#039;s really hard to believe they&#039;d destroy one of the best and most valuable things the site had going for it but here we are.\u003Cbr \/>\u003Cbr \/>Great video on the subject by \u003Ca href=\"https:\/\/threads.net\/\u0040eposvox\/\" class=\"u-url mention\">\u0040\u003Cspan>eposvox\u003C\/span>\u003C\/a> \u003Cbr \/>\u003Ca href=\"https:\/\/www.youtube.com\/watch?v=ib3E8rBsT60\">https:\/\/www.youtube.com\/watch?v=ib3E8rBsT60\u003C\/a>\u003C\/p>"},"published":"2024-05-15T15:00:17-07:00","attributedTo":"https:\/\/threads.net\/ap\/users\/17841401411590012\/","url":"https:\/\/www.threads.net\/\u0040davechensky\/post\/C7AU5FByDQQ","to":["https:\/\/www.w3.org\/ns\/activitystreams#Public"],"cc":["https:\/\/threads.net\/ap\/users\/17841401411590012\/followers\/"],"tag":[{"href":"https:\/\/threads.net\/ap\/users\/17841400625863685\/","name":"\u0040eposvox","type":"Mention"}]},"actor":"https:\/\/threads.net\/ap\/users\/17841401411590012\/","published":"2024-05-15T15:00:17-07:00","to":["https:\/\/www.w3.org\/ns\/activitystreams#Public"],"cc":["https:\/\/threads.net\/ap\/users\/17841401411590012\/followers\/"]}

---r21NI3wg---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---r21NI3wg---F--
HTTP/1.1 403
Server: nginx
X-Robots-Tag: noindex, nofollow
Date: Wed, 15 May 2024 22:05:28 GMT
Content-Length: 146
X-Download-Options: noopen
Content-Type: text/html
Connection: keep-alive
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000;  includeSubDomains

---r21NI3wg---H--
ModSecurity: Warning. Matched "Operator `Pm' with parameter `=' against variable `MATCHED_VARS:ARGS:json.object.content' (Value: `<p>One of the most shocking parts about how the YouTube experience has degraded is search. YouTube i (477 characters omitted)' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "112"] [id "933120"] [rev ""] [msg "PHP Injection Attack: Configuration Directive Found"] [data "Matched Data: engine found within MATCHED_VARS:ARGS:json.object.content: <p>One of the most shocking parts about how the YouTube experience has degraded is search. YouTube is one of the biggest search (450 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "modsecurity"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171581072852.916713"] [ref "o128,6v26,580t:normalisePatho128,6v20,580t:normalisePatho388,1v1046,577o388,1v1046,577"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171581072852.916713"] [ref ""]

---r21NI3wg---I--

---r21NI3wg---J--

---r21NI3wg---K--

---r21NI3wg---Z--

@ne20002
Author

ne20002 commented May 17, 2024

Another one:


---46DTz1Hg---A--
[17/May/2024:17:11:46 +0200] 171595870630.624273 141.95.205.41 0 10.0.2.100 8080
---46DTz1Hg---B--
POST /inbox HTTP/1.1
Date: Fri, 17 May 2024 15:11:46 GMT
X-Forwarded-For: 141.95.205.41
User-Agent: http.rb/5.1.1 (Mastodon/4.2.8; +https://social.growyourown.services/)
X-Forwarded-Proto: https
X-Forwarded-By: 10.88.0.13:8443
Content-Length: 3634
X-Real-IP: 141.95.205.41
Digest: SHA-256=Ar06NAtR7HqsaXXbEE9OYlPH3oVJ3cvTn9jIX5bUlko=
Host: fedi.0x42.ch
X-Forwarded-Port: 8443
Accept-Encoding: gzip
Forwarded: for=141.95.205.41; proto=https; by=10.88.0.13
Content-Type: application/activity+json
Signature: keyId="https://social.growyourown.services/users/homegrown#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="O9NipbIhvONEbwvLZruFjLKw8Co5nB8q2BJz6U/MiYrRikTYMgLGzwj7qRcUPcrp6AQPpxmgRHfBFG9E8c/hby7pHC6VGkR5vpKLCGP7/51bDKWGgZXib8qJQpzTWj8n1rZo6+nibhCmSlKBRpVM0qMTnnl1lfe1ObDIudAvzN6Lexdt+dpzjjE96zBf3NhGoYP3+sEqTzWRqJjjdVNC1pY4wq5lnLEX81EkHU8PAXl3jps7QWsiVRrW4RToLwtK4eB1QG3VvUayuHSEWbpyQZlon2r8APVMHs2ldHZM2FlA0bHGifaRTDuH/K/iVYgCo5ooYxzf56l4eUCI6sABjg=="

---46DTz1Hg---C--
{"@context":["https://www.w3.org/ns/activitystreams",{"ostatus":"http://ostatus.org#","atomUri":"ostatus:atomUri","inReplyToAtomUri":"ostatus:inReplyToAtomUri","conversation":"ostatus:conversation","sensitive":"as:sensitive","toot":"http://joinmastodon.org/ns#","votersCount":"toot:votersCount","Hashtag":"as:Hashtag"}],"id":"https://social.growyourown.services/users/homegrown/statuses/112457068911512452/activity","type":"Create","actor":"https://social.growyourown.services/users/homegrown","published":"2024-05-17T15:11:33Z","to":["https://www.w3.org/ns/activitystreams#Public"],"cc":["https://social.growyourown.services/users/homegrown/followers"],"object":{"id":"https://social.growyourown.services/users/homegrown/statuses/112457068911512452","type":"Note","summary":null,"inReplyTo":null,"published":"2024-05-17T15:11:33Z","url":"https://social.growyourown.services/@homegrown/112457068911512452","attributedTo":"https://social.growyourown.services/users/homegrown","to":["https://www.w3.org/ns/activitystreams#Public"],"cc":["https://social.growyourown.services/users/homegrown/followers"],"sensitive":false,"atomUri":"https://social.growyourown.services/users/homegrown/statuses/112457068911512452","inReplyToAtomUri":null,"conversation":"tag:social.growyourown.services,2024-05-17:objectId=228540:objectType=Conversation","content":"<p>PeerTube admins, you don&#39;t need to federate with entire instances. You can be a lot more selective if you want to:</p><p>1. Log in on PeerTube with your admin account<br />2. Click &quot;Administration&quot; on the left<br />3. Click &quot;Federation&quot; at the top, select &quot;Following&quot; from the dropdown menu<br />4. Click &quot;Follow&quot;, then add all the accounts you want to federate to your PeerTube instance with one account per line<br />5. Click the &quot;Follow&quot; button at the bottom to confirm the accounts</p><p><a href=\"https://social.growyourown.services/tags/PeerTubeAdmin\" class=\"mention hashtag\" rel=\"tag\">#<span>PeerTubeAdmin</span></a> <a href=\"https://social.growyourown.services/tags/PeerTube\" class=\"mention hashtag\" rel=\"tag\">#<span>PeerTube</span></a></p>","contentMap":{"en":"<p>PeerTube admins, you don&#39;t need to federate with entire instances. You can be a lot more selective if you want to:</p><p>1. Log in on PeerTube with your admin account<br />2. Click &quot;Administration&quot; on the left<br />3. Click &quot;Federation&quot; at the top, select &quot;Following&quot; from the dropdown menu<br />4. Click &quot;Follow&quot;, then add all the accounts you want to federate to your PeerTube instance with one account per line<br />5. Click the &quot;Follow&quot; button at the bottom to confirm the accounts</p><p><a href=\"https://social.growyourown.services/tags/PeerTubeAdmin\" class=\"mention hashtag\" rel=\"tag\">#<span>PeerTubeAdmin</span></a> <a href=\"https://social.growyourown.services/tags/PeerTube\" class=\"mention hashtag\" rel=\"tag\">#<span>PeerTube</span></a></p>"},"attachment":[],"tag":[{"type":"Hashtag","href":"https://social.growyourown.services/tags/peertubeadmin","name":"#peertubeadmin"},{"type":"Hashtag","href":"https://social.growyourown.services/tags/peertube","name":"#peertube"}],"replies":{"id":"https://social.growyourown.services/users/homegrown/statuses/112457068911512452/replies","type":"Collection","first":{"type":"CollectionPage","next":"https://social.growyourown.services/users/homegrown/statuses/112457068911512452/replies?only_other_accounts=true&page=true","partOf":"https://social.growyourown.services/users/homegrown/statuses/112457068911512452/replies","items":[]}}}}

---46DTz1Hg---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---46DTz1Hg---F--
HTTP/1.1 403
Server: nginx
X-Robots-Tag: noindex, nofollow
Date: Fri, 17 May 2024 15:11:46 GMT
Content-Length: 146
X-Download-Options: noopen
Content-Type: text/html
Connection: keep-alive
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000;  includeSubDomains

---46DTz1Hg---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^ (8443 characters omitted)' against variable `ARGS:json.object.contentMap.en' (Value: `<p>PeerTube admins, you don&#39;t need to federate with entire instances. You can be a lot more sele (704 characters omitted)' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "778"] [id "932370"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ; at the top, select &quot;Following&quot; from the dropdown menu<br />4. Click &quot;Follow&quot;, then add all the accounts you want to federate to your PeerTube instance with one acco (1205 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171595870630.624273"] [ref "o262,541v26,804"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171595870630.624273"] [ref ""]

---46DTz1Hg---I--

---46DTz1Hg---J--

---46DTz1Hg---K--

---46DTz1Hg---Z--

I'm not sure what exactly matched here, but the regex match for a Windows Command Injection must be in here:

PeerTube admins, you don't need to federate with entire instances. You can be a lot more selective if you want to:

1. Log in on PeerTube with your admin account
2. Click "Administration" on the left
3. Click "Federation" at the top, select "Following" from the dropdown menu
4. Click "Follow", then add all the accounts you want to federate to your PeerTube instance with one account per line
5. Click the "Follow" button at the bottom to confirm the accounts

#PeerTubeAdmin #PeerTube

@ne20002
Author

ne20002 commented May 17, 2024

And another one:


---C1PUrM8M---A--
[17/May/2024:20:15:40 +0200] 171596974046.281855 2a03:2880:3ff:6::face:b00c 0 10.0.2.100 8080
---C1PUrM8M---B--
POST /inbox HTTP/1.1
User-Agent: facebookexternalua
X-Forwarded-Proto: https
X-Forwarded-By: fd00::1:8:d:8443
Accept: */*
Content-Length: 2118
X-Real-IP: 2a03:2880:3ff:6::face:b00c
Digest: SHA-256=7UX3aCU5lvAXRO79NneY5NR9VCg4Uzy1Fxx/uMMQBH4=
Host: fedi.0x42.ch
X-Forwarded-Port: 8443
X-Forwarded-For: 2a03:2880:3ff:6::face:b00c
Date: Fri, 17 May 2024 18:15:39 GMT
Accept-Encoding: deflate, gzip
Forwarded: for=2a03:2880:3ff:6::face:b00c; proto=https; by=fd00::1:8:d
Content-Type: application/ld+json; profile="https://www.w3.org/ns/activitystreams"
Signature: keyId="https://threads.net/ap/users/17841400220650482/#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest",signature="VJk7JL8npqudSyAZkfiX6lx2hGMRKhDYAcWATS7maz9qycKhSgFtTRuZJ9KBmVd6uQ/wtGx5sZK4XPzZIj5+M1Z1/JpTUrdh0txXaoI3fkTsZYa3pzl/MjSzNCF5Zn2l4zbDfvu2SR33IyQmu1RLtSlsR545hjNCVesY767yulrdqROHNn53MBNXrLI1c++lX7JuH10/mFZTSjCWlQxZGhQXNNJHpws+SgsAdpR63ciyOaiwuu4WVvRpUYjyHAT/pFV2KGwGLKdupnem3xhNTD1iXwZO3MeyVu7duf8cq3dqcuL7k2HNpRM6Z9aU5Z5LOKoOg+w9py2YdDTzl4Wl7A=="

---C1PUrM8M---C--
{"\u0040context":["https:\/\/www.w3.org\/ns\/activitystreams"],"id":"https:\/\/threads.net\/ap\/users\/17841400220650482\/post\/17921290316804335\/activity\/","type":"Create","object":{"id":"https:\/\/threads.net\/ap\/users\/17841400220650482\/post\/17921290316804335\/","type":"Note","content":"\u003Cp>It\u2019s drizzly but otherwise nice today, which makes it a fine time to peruse a stack of new books and ARCs that have come to the Scalzi Compound. Which of these books are particularly catching your eye today?\u003C\/p>","contentMap":{"en":"\u003Cp>It\u2019s drizzly but otherwise nice today, which makes it a fine time to peruse a stack of new books and ARCs that have come to the Scalzi Compound. Which of these books are particularly catching your eye today?\u003C\/p>"},"published":"2024-05-17T11:10:28-07:00","attributedTo":"https:\/\/threads.net\/ap\/users\/17841400220650482\/","url":"https:\/\/www.threads.net\/\u0040jscalzi\/post\/C7FELp2JGaQ","to":["https:\/\/www.w3.org\/ns\/activitystreams#Public"],"cc":["https:\/\/threads.net\/ap\/users\/17841400220650482\/followers\/"],"tag":[],"attachment":[{"type":"Image","url":"https:\/\/scontent.cdninstagram.com\/v\/t51.29350-15\/444828096_767615788841609_7014261427382823099_n.jpg?_nc_cat=105&ccb=1-7&_nc_sid=18de74&_nc_ohc=aU1ZlLHPEQAQ7kNvgHFv_Ho&_nc_ad=z-m&_nc_cid=0&_nc_ht=scontent.cdninstagram.com&oh=00_AYA0tEqVSi5U--BRrnsV86YqKkYLVxYypage5mPYWnSfTQ&oe=664D5829","width":1080,"height":1349,"name":"Logical Fantasy: The Many Worlds of John Wyndham, David Byte, ed; Lincoln's Dreams, Connie Willis; Time Out, Michael Marshall Smith; Little Fuzzy, H. Beam Piper; Voices Carry, Raven Oak; Cursed Under London, Gabby Hutchison Crouch; One Hundred Shadows, Hwang Jungeun; Where I End, Sophie White; Welcome to Boy.Net, Lyda Morehouse; The Proper Thing and Other Stories, Seanan McGuire; Fall of Light, Steve Erikson"}]},"actor":"https:\/\/threads.net\/ap\/users\/17841400220650482\/","published":"2024-05-17T11:10:28-07:00","to":["https:\/\/www.w3.org\/ns\/activitystreams#Public"],"cc":["https:\/\/threads.net\/ap\/users\/17841400220650482\/followers\/"]}

---C1PUrM8M---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---C1PUrM8M---F--
HTTP/1.1 403
Server: nginx
X-Robots-Tag: noindex, nofollow
Date: Fri, 17 May 2024 18:15:40 GMT
Content-Length: 146
X-Download-Options: noopen
Content-Type: text/html
Connection: keep-alive
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000;  includeSubDomains

---C1PUrM8M---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\" (7602 characters omitted)' against variable `ARGS:json.object.attachment.array_0.name' (Value: `Logical Fantasy: The Many Worlds of John Wyndham, David Byte, ed; Lincoln's Dreams, Connie Willis; T (311 characters omitted)' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "815"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ; Where found within ARGS:json.object.attachment.array_0.name: Logical Fantasy: The Many Worlds of John Wyndham, David Byte, ed; Lincoln's Dreams, Connie Willis; Time Out, Michael Marsha (288 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171596974046.281855"] [ref "o266,7v36,411"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.2.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.0.2.100"] [uri "/inbox"] [unique_id "171596974046.281855"] [ref ""]

---C1PUrM8M---I--

---C1PUrM8M---J--

---C1PUrM8M---K--

---C1PUrM8M---Z--

@franbuehler
Contributor

Decisions taken in issue chat meeting on May 20 2024:

  • We agree that this should be solved with a plugin.
  • As for the RCE rules, they have a couple of open issues. We need to tackle those as a group and conceptually decide what we want to do with them.

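Turning the alerts quoted above into the per-endpoint exclusions such a plugin would carry, as an added example that is not code from this issue or from the CRS project: it reads the matched-variable, `[id ...]` and `[uri ...]` fields out of the H-section lines (the 933120 and 932370/932380 hits the author quoted), leaves the 949110 anomaly-evaluation line alone, and emits one `ctl:ruleRemoveTargetById` rule scoped to `/inbox`. The trimmed sample lines and the plugin rule id 9599100 are constructed placeholders.

```python
import re

# Constructed sample: the four alert lines posted in this thread, trimmed to the fields parsed here.
SAMPLE_ALERTS = [
    'ModSecurity: Warning. Matched "Operator `Pm\' with parameter `=\' against variable '
    '`MATCHED_VARS:ARGS:json.object.content\' (Value: `...\' ) [id "933120"] [uri "/inbox"]',
    'ModSecurity: Warning. Matched "Operator `Rx\' with parameter `...\' against variable '
    '`ARGS:json.object.contentMap.en\' (Value: `...\' ) [id "932370"] [uri "/inbox"]',
    'ModSecurity: Warning. Matched "Operator `Rx\' with parameter `...\' against variable '
    '`ARGS:json.object.attachment.array_0.name\' (Value: `...\' ) [id "932380"] [uri "/inbox"]',
    'ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge\' with parameter `5\' '
    'against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE\' (Value: `5\' ) [id "949110"] [uri "/inbox"]',
]

# The matched variable follows "against variable `"; rule id and URI are the bracketed fields.
ALERT_RE = re.compile(r"against variable `(?P<var>[^']*)'.*\[id \"(?P<id>\d+)\"\].*\[uri \"(?P<uri>[^\"]*)\"\]")

def parse_alert(line):
    """Return (rule_id, target, uri) for a per-variable detection alert, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    var = m.group("var")
    # 933120 fires from a chained rule and names MATCHED_VARS:ARGS:...; exclude the underlying ARGS target.
    if var.startswith("MATCHED_VARS:"):
        var = var[len("MATCHED_VARS:"):]
    # TX: variables are scores, not detections; excluding 949110 would switch blocking off entirely.
    if var.startswith("TX:"):
        return None
    return m.group("id"), var, m.group("uri")

def exclusions_for(alerts):
    """Group de-duplicated (rule_id, target) pairs by request URI, in first-seen order."""
    by_uri = {}
    for line in alerts:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        rule_id, var, uri = parsed
        pairs = by_uri.setdefault(uri, [])
        if (rule_id, var) not in pairs:
            pairs.append((rule_id, var))
    return by_uri

def render_plugin_rule(uri, pairs, plugin_rule_id):
    """Emit one phase-1 SecRule for a plugin's *-before.conf that drops the listed
    targets from the listed rules only when the request path equals uri."""
    actions = ["id:%d" % plugin_rule_id, "phase:1", "pass", "nolog"]
    actions += ["ctl:ruleRemoveTargetById=%s;%s" % (rid, var) for rid, var in pairs]
    return 'SecRule REQUEST_FILENAME "@streq %s" \\\n    "%s"' % (uri, ",\\\n    ".join(actions))

if __name__ == "__main__":  # stand-alone run: print the rule for the constructed sample
    for uri, pairs in exclusions_for(SAMPLE_ALERTS).items():
        print(render_plugin_rule(uri, pairs, 9599100))  # 9599100: placeholder plugin id
```

The `array_0` target name is index-specific, so a real plugin would have to cover other attachment indexes as well; scoping the rule to `/inbox` keeps every rule active for the rest of the site.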
@airween
Contributor

airween commented May 20, 2024

Can we close this issue?

@ne20002
Author

ne20002 commented May 21, 2024

We can.

@ne20002 ne20002 closed this as completed May 21, 2024