Hi,
Latelly I’ve been facing a problem with a website. Checking the logs, I found the following:
2023-09-13 17:09:24.449414 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com:443:MODSEC] mod_security rule [id “77350212”] at [/etc/httpd/conf/modsecurity.d/rules/custom/007_i360_4_wordpress.conf:2721] triggered!
[Wed Sep 13 17:09:24.447126 2023] [error] [client 185.220.101.10] ModSecurity: Access denied with code 403, [Rule: ‘REQUEST_FILENAME’ ‘\/[.#]?wp-config[.-][\w._-]*(?:[#~]|(?:inc|txt|tar|xml|zip|bak|old|orig(?:inal)?|save|\d|sw(?:p|o)))$’] [id “77350212”] [msg “IM360 WAF: Information Disclosure Attempt in WordPress||MV:/wp-config.inc||T:LITESPEED||REQUEST_URI:/wp-config.inc||”] [severity “CRITICAL”] [tag “wp_core”] [hostname “shop.com”] [uri “/wp-config.inc”]2023-09-13 17:09:24.449440 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com:443] Content len: 0, Request line: ‘GET /wp-config.inc HTTP/1.1’
2023-09-13 17:09:24.449445 [INFO] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com:443] Cookie len: 139, mailchimp_landing_site=https%3A%2F%2Fshop.com%2Fblog%2Fwp-config; pbid=8db2b8ce1cfe4710035e9cf74386e1024f6cbc408729d133a978dfc7616ec1d8
2023-09-13 17:09:24.449448 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com.gr:443] Redirect: #1, URL: /index.php
This set of errors gets repeated multiple times in just a few seconds, each time trying to access a different version/name of wp-config.
Is it a possible vulnerability in the Mailchimp plugin code or settings? Because everytime this request happens, ModSecurity rules arre triggered.
Any ideas could really help.
Thank you.