Yes, getting a blank page instead of a 403 error is a sign that there may be an issue somewhere. The first/best thing to check would be the site’s error/debug logs. Look for any entries that happen when you perform test requests. If there is any information it would help to figure out what’s happening, etc.
Thread Starter
gregl7
(@gregl7)
Apparently the blank page showing instead of 403 is a Firefox thing, as other browsers I’ve tested actually show the 403 page when I run the eval command.
I mentioned ModSecurity; whenever eval is run ModSecurity pops up with a warning in the error logs. It looks like more of a warning however than actually blocking what BBQ is doing since I get the 403 page:
——————————————————-
ModSecurity: Warning. Pattern match “(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| …” at REQUEST_FILENAME. [file “/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/001_i360_1_generic.conf”] [line “24”] [id “77134463”] [msg “IM360 WAF: PHP Injection Attack: High-Risk PHP Function Call Found||T:APACHE||MVN:REQUEST_FILENAME||MV:/eval()||SC:/home/gleeshot/public_html/eval()”] [severity “NOTICE”] [tag “service_o”] [tag “service_i360”] [tag “noshow”] [hostname “gleeshots.com”] [uri “/eval()”] [unique_id “YOtGYD01d2O1rsQVHTgX4gAAAxg”]`
——————————————–
If I disable BBQ and run eval, I get the 404 page instead, which I would assume then means BBQ is working.
Having said all that, if BBQ is working, what is it supposed to be doing when all these random bot attacks take place and my entire site is being scanned? Thanks.
Yeah it sounds like it is working. If you try testing some of the firewall patterns and get 403 response (in non-Firefox browsers apparently), then that means it’s working.
“if BBQ is working, what is it supposed to be doing when all these random bot attacks take place and my entire site is being scanned?”
BBQ is a firewall. It has a defined set of rules that, when detected in any request, tells BBQ to respond with 403 – Forbidden status. You can find more information on the WP homepage and launch post at Perishable Press.
I hope this helps. Let me know if I can provide any further infos, glad to help anytime.