Recently, I was passed some error logs to take a look into, since we'd had some network spikes recently. However, I've never worked with modsecurity (I'm a programmer just doing this since we don't have a real sysadmin), and something alarming came up.
ModSecurity:
Access denied with code 503 (phase 2). Pattern match
--cut--
[line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"]
The words critical, command shell, and attack are probably not something good. I think "remote include command shell" meant a hacker was trying to pull up a shell without authorization, but that's more of a guess than anything.
Can someone tell me what's going on here, or link to some documentation I should read? Would the frequency of entries mean anything?
You should be able to find out which rule is triggering this by looking into the file that should be listed before [line "23"], and having a look at what's on Line 23. Whatever was on there was what triggered the alert and should help you narrow it down.
The frequency probably indicates that this is a bot triggering the mod_security rule. It will be trawling websites across the internet trying to find badly configured webservers to exploit.
The fact that this is showing up in your log files is a good thing; it means that mod_security has done its job and detected/prevented the attack.
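As an added example (not code from the original post or from the ModSecurity project), a small Python script that parses ModSecurity 2.x error-log entries like the one above into their bracketed fields, so you can see which rule file and line to open and how often each rule id and client address appears. The sample log lines, the file path, the hostname and the client addresses are constructed; only the rule id, line, rev and msg are taken from the entry quoted in the question.

```python
"""Summarise ModSecurity 2.x error-log entries: which rule fired, where the
rule lives (file + line), and how often per rule id and per client."""
import re
from collections import Counter

# Bracketed key/value fields such as [id "390144"] or [line "23"]; the value may
# contain escaped quotes (e.g. inside [msg "..."]), so allow backslash escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_modsec_line(line):
    """Return a dict of the bracketed fields (plus 'client'), or None for non-ModSecurity lines."""
    if "ModSecurity:" not in line:
        return None
    fields = {key: value for key, value in FIELD_RE.findall(line)}
    client = CLIENT_RE.search(line)
    fields["client"] = client.group(1) if client else "unknown"
    return fields


def summarize(log_text):
    """Count hits per rule id and per client; record each rule's (file, line, msg)."""
    by_rule, by_client, location = Counter(), Counter(), {}
    for line in log_text.splitlines():
        entry = parse_modsec_line(line)
        if entry is None or "id" not in entry:
            continue
        by_rule[entry["id"]] += 1
        by_client[entry["client"]] += 1
        # [file ...] and [line ...] point at the rule definition worth reading.
        location.setdefault(entry["id"], (entry.get("file", "?"), entry.get("line", "?"), entry.get("msg", "")))
    return by_rule, by_client, location


def _sample(client, rule_id, rule_line, msg):
    """Build one constructed log line in ModSecurity 2.x error-log format."""
    return (f'[Wed Feb 01 12:00:00 2012] [error] [client {client}] ModSecurity: Access denied '
            'with code 503 (phase 2). Pattern match "placeholder-pattern" at ARGS:page. '
            f'[file "/etc/modsecurity/rules/example_rules.conf"] [line "{rule_line}"] [id "{rule_id}"] '
            f'[rev "2"] [msg "{msg}"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"]')


MSG = "Command shell attack: Generic Attempt to remote include command shell"
SAMPLE_LOG = "\n".join([  # constructed: two clients, three hits on 390144, one on a made-up id
    _sample("203.0.113.5", "390144", "23", MSG),
    _sample("203.0.113.5", "390144", "23", MSG),
    _sample("198.51.100.7", "390144", "23", MSG),
    _sample("198.51.100.7", "999999", "41", "Constructed example rule"),
])

if __name__ == "__main__":
    rules, clients, where = summarize(SAMPLE_LOG)
    for rule_id, count in rules.most_common():
        print(f"rule {rule_id}: {count} hits, defined at {where[rule_id][0]}:{where[rule_id][1]} ({where[rule_id][2]})")
    print("hits per client:", dict(clients))
```

Point it at your real error log with `summarize(open("/path/to/error.log").read())`; many hits on one rule from a handful of addresses is the bot pattern the answer describes.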