I am receiving the following error for 1 of my wordpress site running on a Plesk server.
[client 000.00.00.000] ModSecurity: Access denied with code 403 (phase
2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union
\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby
\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'
\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+
\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at
REQUEST_COOKIES:sbjs_first. [file "/etc/httpd/conf/modsecurity.d/rules
/comodo_free/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"]
[msg "COMODO WAF: SQLmap attack detected||website name|F|2"] [data
"Matched Data: |||id=(none) found within REQUEST_COOKIES:sbjs_first:
typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=
(none)|||id=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"]
[hostname "website name"] [uri "/wp-login.php"] [unique_id "ZamB-
8j9IfDbYiJgRoahGwAAAAM"], referer:
When I visited some pages on the frontend it gives this error: Server Error 403 Forbidden You do not have permission to access this document. That's what you can do Reload Page Back to Previous Page Home Page
I wonder if this a real attack? or false positive
I was able to export the site to local. It seems working ok there.
CRS dev-on-duty here. Even if you don't use CRS rules and this is a problem of COMODO WAF rules, I'll try to help. While searching for the cookie name sbjs_first, I found this GitHub issue here, which is an indication that this sourcebuster cookie looks legitimate. Maybe you'll even the solution to your problem in one of the comments in this issue.
If this isn't the solution, you may need to tune the rules. Maybe you can also use our (CRS) documentation on false positives and rule tuning.