The following users disabled "ModSecurity" via changes in .htaccess file

Issue

A notification message from Imunify360 Advisor is received:

"The following users disabled "ModSecurity" via changes in .htaccess file: {username}. Please comment/remove either "SecFilterEngine Off" or "SecFilterScanPOST Off" in their .htaccess files

Environment

• Imunify360
• Apache

Solution

Remove the directives, such as SecFilterEngineand SecFilterScanPost from the user's .htaccess files. Configuration files in user's paths should not look like this:

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

As in this case, the filtering engine is disabled and this state is considered unsafe, such files should be deleted or modified accordingly. If some plugins modify these files, consider adjusting those as well.

These directives can be used to avoid antivirus detections, so if such changes were done without the user's knowledge, it is worth creating a ticket to conduct a malware investigation. The initial warning will show you the name of the affected user but will not be updated with the new usernames. To make sure ModSdcurity protection is enabled, it may be required to check .htaccess files on the server. Providing that /home is the server's web root, it is possible to find such files with:

webpath='/home/'; find $webpath -type f -name ".htaccess" -exec \
grep -H -iPo '^\s*(?!#\s*)SecFilter(?:Engine|ScanPOST)\s*Off\b' {} \; 

The above command allow briefly recon the state of ModSecurity Engine for the sites and its folders. The files found with this command should be revised or cleaned manually, most of the times those files can be deleted though. It is recomended to backup files if automation like sed is going to be used:

webpath='/home/'; find $webpath -type f -name ".htaccess" -exec \
grep -iPl '^\s*(?!#\s*)SecFilter(?:Engine|ScanPOST)\s*Off\b' {} \; \
2>/dev/null | xargs tar -Pczf ~/htaccesses_$RANDOM.tar.gz

While the following command can be used to change the relevant directives in htaccess files from Off to On:

webpath='/home/'; find $webpath -type f -name ".htaccess" \
-exec sed -i '/^[^#]*\(SecFilterEngine\|SecFilterScanPOST\)\s*Off/ I s// \1 On/g' {} \;

Sed will add two whitespaces at the begining of the changed directive.

As soon as a full background scan will report no suspicious .htaccess were detected, the status will be changed with API request.  Please note, that the new status and the Advisor update will not be delivered immediately. Since the Malware scanner can no longer detect SMW-SUS-20410-php.exploit.htaccess signature types in configuration files, it may require up to two days before the status changes.

Cause

This message advises removing SecFilterEngine|SecFilterScanPost Off directives from .htaccess, to enable ModSecurity. It disappears after a new background scan can not find maliciously modified .htaccess files.