ModSecurity Tools – OWASP ModSecurity Core Rule Set, with OpenCart v3.x

When we implemented ModSecurity™ Tools with the OWASP ModSecurity Core Rule Set vendor, our OpenCart site displayed strange behavior.

We had to disable three of the 21+ core rules to make our OpenCart site act and perform normally again. Below are the three rules we had to disable.

Hope this helps others who may have a VPS/server that has implemented ModSecurity™ Tools for cPanel/WHM.

Rules we had to disable

Stephen Hawking Dies at 76

Stephen W. Hawking, the Cambridge University physicist and best-selling author who roamed the cosmos from a wheelchair, pondering the nature of gravity and the origin of the universe and becoming an emblem of human determination and curiosity, died early Wednesday at his home in Cambridge, England. He was 76.

His death was confirmed by a spokesman for Cambridge University.

“Not since Albert Einstein has a scientist so captured the public imagination and endeared himself to tens of millions of people around the world,” Michio Kaku, a professor of theoretical physics at the City University of New York, said in an interview.

Dr. Hawking did that largely through his book “A Brief History of Time: From the Big Bang to Black Holes,” published in 1988. It has sold more than 10 million copies and inspired a documentary film by Errol Morris. The 2014 film about his life, “The Theory of Everything,” was nominated for several Academy Awards and Eddie Redmayne, who played Dr. Hawking, won the Oscar for best actor.

Scientifically, Dr. Hawking will be best remembered for a discovery so strange that it might be expressed in the form of a Zen koan: When is a black hole not black? When it explodes.

What is equally amazing is that he had a career at all. As a graduate student in 1963, he learned he had amyotrophic lateral sclerosis, a neuromuscular wasting disease also known as Lou Gehrig’s disease. He was given only a few years to live.
The disease reduced his bodily control to the flexing of a finger and voluntary eye movements but left his mental faculties untouched.

He went on to become his generation’s leader in exploring gravity and the properties of black holes, the bottomless gravitational pits so deep and dense that not even light can escape them.

That work led to a turning point in modern physics, playing itself out in the closing months of 1973 on the walls of his brain when Dr. Hawking set out to apply quantum theory, the weird laws that govern subatomic reality, to black holes. In a long and daunting calculation, Dr. Hawking discovered to his befuddlement that black holes — those mythological avatars of cosmic doom — were not really black at all. In fact, he found, they would eventually fizzle, leaking radiation and particles, and finally explode and disappear over the eons.

Nobody, including Dr. Hawking, believed it at first — that particles could be coming out of a black hole. “I wasn’t looking for them at all,” he recalled in an interview in 1978. “I merely tripped over them. I was rather annoyed.”

That calculation, in a thesis published in 1974 in the journal Nature under the title “Black Hole Explosions?,” is hailed by scientists as the first great landmark in the struggle to find a single theory of nature — to connect gravity and quantum mechanics, those warring descriptions of the large and the small, to explain a universe that seems stranger than anybody had thought.

The discovery of Hawking radiation, as it is known, turned black holes upside down. It transformed them from destroyers to creators — or at least to recyclers — and wrenched the dream of a final theory in a strange, new direction.

“You can ask what will happen to someone who jumps into a black hole,” Dr. Hawking said in an interview in 1978. “I certainly don’t think he will survive it.

“On the other hand,” he added, “if we send someone off to jump into a black hole, neither he nor his constituent atoms will come back, but his mass energy will come back. Maybe that applies to the whole universe.”

Dennis W. Sciama, a cosmologist and Dr. Hawking’s thesis adviser at Cambridge, called Hawking’s thesis in Nature “the most beautiful paper in the history of physics.”

Official website :


Hawking (2013) documentary by Stephen Finnigan.

Configuring a CA (Certificate Authority) with pfSense

NOTES: If you are using Firefox, you must import the ROOT-CA certificate that you have generated on your pfSense firewall. I noticed that with Chrome you don’t need to import the ROOT CA certificate to make it work on the local side!

In the menu of your Firefox browser, navigate to:

Tools > Options > Privacy & Security > scroll down and click View Certificates.

Check both options and import!

Et voilà!!!

Now in Firefox your pfSense will be secured using your CA Certificate on the local side 😉

You may check for the certificate in Firefox.



Type Description Link
DNSBL AD_Cameleon
DNSBL AD_MalwareBytes_HpHosts_Ads
DNSBL Ads/ncoin
DNSBL BBCan178_malware
DNSBL malicious_dshield_SD
DNSBL malicious_hpHosts_zip
DNSBL malicious_malc1de
DNSBL malicious_MDL
DNSBL malicious_MVPS
DNSBL malicious_SWC
DNSBL malicious_Zeus
DNSBL Malware domains list
DNSBL Malware Exploit DNS Group
DNSBL Malware Exploit DNS Group
DNSBL Malware Exploit DNS Group
DNSBL Malware
DNSBL MW_MalwareBytes_HpHosts_Exploits
DNSBL MW_MalwareBytes_HpHosts_Fraud
DNSBL MW_MalwareBytes_HpHosts_Hijacks
DNSBL MW_MalwareBytes_HpHosts_Malware
DNSBL MW_MalwareBytes_HpHosts_Misleading
DNSBL MW_MalwareBytes_HpHosts_Phishing
DNSBL MW_MalwareBytes_HpHosts_PUP
DNSBL MW_MalwareBytes_HpHosts_Spam_2
DNSBL MW_MalwareBytes_HpHosts_Spam_3
DNSBL MW_MalwareDomains
DNSBL MW_SuspiciousDomains_High
DNSBL MW_SuspiciousDomains_Medium
DNSBL phising
DNSBL Privacy Fraud DNS Group
DNSBL Ransomware Tracker Blacklists
DNSBL Ransomware Tracker Blacklists
DNSBL Ransomwaretracker
DNSBL StevenBlacksList
DNSBL Windows Telemetry
DNSBL Windows Telemetry
IPv4 Abuse_DYRE
IPv4 Abuse_DYRE
IPv4 Abuse_SSLBL
IPv4 Abuse_SSLBL
IPv4 Abuse_Zeus
IPv4 Abuse_Zeus
IPv4 BinaryDefense_BanList
IPv4 Emerging threats block IP’s
IPv4 Emerging Threats
IPv4 Feodotracker
IPv4 Feodotracker
IPv4 Firehol_Level3
IPv4 malc0de
IPv4 TorNodes – helps with wannacry and alike (get the list on his website)
IPv4 WindowsSpyBlocker_spy

Request denied by pfSense proxy SquidGuard: 403 Forbidden

On pfSense v2.4.x, SquidGuard answers every request with “Request denied by pfSense proxy: 403 Forbidden”.

To fix this, navigate to:

Services > SquidGuard Proxy Filter > Common ACL

Under Target Rules, just type: all

Click the + sign icon.

Under Target Categories, set access to “Allow”.

Click Save!

Whenever you change anything in SquidGuard, go back to the General settings page and click the Apply button, or nothing you did will take effect.

Also don’t forget to empty your browser cache.

STUN Awareness

Setting the Scene

Zepko Analysts decided to try to track down ransomware threat actors using a different approach.

Zepko were recently approached by a company that had been hit with ransomware, which Zepko Analysts identified as a variant of CrySiS ransomware using the file extensions .dharma, .wallet or .zzzzz.

Analysts have had previous experience dealing with CrySiS ransomware and discovered that the Threat Actors often use RDP brute force attacks to login, kill the antivirus and monitoring processes, then execute the ransomware payload. To find out more regarding ransomware over RDP attacks visit

Leading on from this, as we know, most ransomware types leave a contact email address in the ransom note or in the file extension, which is used as a direct point of contact with the Threat Actor. This is the email address to directly talk about the payment methods, usually in return for a decryption tool for the encrypted files. In this correspondence Threat Actors also sometimes offer to decrypt one or two files to prove they are able to decrypt files as promised.

Using the email address in the ransom note, Analysts attempted to see if it was possible to somehow use this direct contact with the Threat Actor as a way of tracking them down.

To do this they decided to use a method utilising the STUN protocol, otherwise known as Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators (NATs). Quite a mouthful.

The protocol has a number of different uses but, simply put, STUN is a tool which can be used to detect and traverse NATs that are located between two endpoints. When a Binding request is sent over UDP from a client operating from a private network, the STUN server responds with the public IP address and port number from which it saw the client’s request arrive. A full (and much better) explanation of the STUN protocol can be found on Wikipedia at
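The Binding exchange described above, as an added example that is not Zepko’s code and not part of the original post: a minimal RFC 5389 codec that builds a client Binding request, builds the server’s success response carrying an XOR-MAPPED-ADDRESS, and parses that response back into the address the server saw. The reflexive address 203.0.113.7:54321 is a constructed sample value; the takeaway is that one UDP round trip discloses the requester’s public IP and port, which is exactly the information the tracking method relies on.

```python
"""Minimal STUN (RFC 5389) Binding request/response codec (added example)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # plain address (RFC 3489 style)
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # address XORed with the cookie (RFC 5389)


def build_binding_request(txn_id=None):
    """Client side: 20-byte header, zero attributes, random 96-bit transaction ID."""
    txn_id = txn_id or os.urandom(12)
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def _xor_addr(port, addr):
    """XOR-MAPPED-ADDRESS obfuscation; applying it twice gives the plain value back."""
    cookie = struct.pack("!I", MAGIC_COOKIE)
    return port ^ (MAGIC_COOKIE >> 16), bytes(a ^ c for a, c in zip(addr, cookie))


def build_binding_response(txn_id, ip, port):
    """Server side: echo the transaction ID and report the source address it saw."""
    xport, xaddr = _xor_addr(port, socket.inet_aton(ip))
    value = struct.pack("!BBH", 0, 0x01, xport) + xaddr      # reserved, family=IPv4
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_binding_response(msg, expected_txn):
    """Client side: check header and transaction ID, return (ip, port) the server saw."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS or msg[8:20] != expected_txn:
        raise ValueError("not a matching Binding success response")
    body, off = msg[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + (alen + 3) // 4 * 4                       # values are 32-bit padded
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and len(value) == 8 and value[1] == 0x01:
            port, addr = struct.unpack("!H", value[2:4])[0], value[4:8]
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port, addr = _xor_addr(port, addr)
            return socket.inet_ntoa(addr), port
    raise ValueError("no (XOR-)MAPPED-ADDRESS attribute in response")


if __name__ == "__main__":
    txn = os.urandom(12)
    request = build_binding_request(txn)
    # Constructed reply: what a public STUN server would send back to a client behind NAT.
    reply = build_binding_response(txn, "203.0.113.7", 54321)
    print(parse_binding_response(reply, txn))   # ('203.0.113.7', 54321)
```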

To perform a STUN request on a ransomware Threat Actor, Analysts used a PHP script hidden behind an image, which performs the STUN request once the link is clicked by the Threat Actor.

To do this, Analysts created a website with a webpage that displayed an image. When the image was loaded in a web browser, the hidden PHP script ran and initiated the STUN request; the response was logged and contained the IP address of the person who clicked the link. This IP address would be that of the threat actor.

Because this was being sent in the form of a suspicious-looking link, it was highly unlikely that the threat actor would click it. To entice the Threat Actor to click the link, Analysts posed as a finance company that had been hit with the ransomware and was ready to pay the ransom.

Emailing the Threat Actor

Below is the email chain between Analysts and the Threat Actors. The email address contacted was Spelling mistakes and typos were purposely made throughout the email correspondence to make it appear as if the message had been sent by someone who is not especially familiar with using computers.

Source :

STUN server ports : UDP 3478, TCP/TLS 5349


libcurl error codes


libcurl-errors – error codes in libcurl


This man page includes most, if not all, available error codes in libcurl. Why they occur and possibly what you can do to fix the problem are also included.


Almost all “easy” interface functions return a CURLcode error code. No matter what, using the curl_easy_setopt option CURLOPT_ERRORBUFFER is a good idea as it will give you a human readable error string that may offer more details about the cause of the error than just the error code. curl_easy_strerror can be called to get an error string from a given CURLcode number.

CURLcode is one of the following:


All fine. Proceed as usual.


The URL you passed to libcurl used a protocol that this libcurl does not support. The support might be a compile-time option that you didn’t use, it can be a misspelled protocol string or just a protocol libcurl has no code for.


Very early initialization code failed. This is likely to be an internal error or problem, or a resource problem where something fundamental couldn’t get done at init time.


The URL was not properly formatted.


A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision. This means that a feature or option was not enabled or explicitly disabled when libcurl was built and in order to get it to function you have to get a rebuilt libcurl.


Couldn’t resolve proxy. The given proxy host could not be resolved.


Couldn’t resolve host. The given remote host was not resolved.


Failed to connect() to host or proxy.


The server sent data libcurl couldn’t parse. This error code is used for more than just FTP and is aliased as CURLE_WEIRD_SERVER_REPLY since 7.51.0.


We were denied access to the resource given in the URL. For FTP, this occurs while trying to change to the remote directory.


While waiting for the server to connect back when an active FTP session is used, an error code was sent over the control connection or similar.


After having sent the FTP password to the server, libcurl expects a proper reply. This error code indicates that an unexpected code was returned.


During an active FTP session while waiting for the server to connect, the CURLOPT_ACCEPTTIMEOUT_MS (or the internal default) timeout expired.


libcurl failed to get a sensible result back from the server as a response to either a PASV or an EPSV command. The server is flawed.


FTP servers return a 227-line as a response to a PASV command. If libcurl fails to parse that line, this return code is passed back.


An internal failure to lookup the host used for the new connection.


A problem was detected in the HTTP2 framing layer. This is somewhat generic and can be one out of several problems, see the error buffer for details.


Received an error when trying to set the transfer mode to binary or ASCII.


A file transfer was shorter or larger than expected. This happens when the server first reports an expected transfer size, and then delivers data that doesn’t match the previously given size.


This was either a weird reply to a ‘RETR’ command or a zero byte transfer complete.


When sending custom “QUOTE” commands to the remote server, one of the commands returned an error code that was 400 or higher (for FTP) or otherwise indicated unsuccessful completion of the command.


This is returned if CURLOPT_FAILONERROR is set TRUE and the HTTP server returns an error code that is >= 400.


An error occurred when writing received data to a local file, or an error was returned to libcurl from a write callback.


Failed starting the upload. For FTP, the server typically denied the STOR command. The error buffer usually contains the server’s explanation for this.


There was a problem reading a local file or an error returned by the read callback.


A memory allocation request failed. This is serious badness and things are severely screwed up if this ever occurs.


Operation timeout. The specified time-out period was reached according to the conditions.


The FTP PORT command returned error. This mostly happens when you haven’t specified a good enough address for libcurl to use. See CURLOPT_FTPPORT.


The FTP REST command returned error. This should never happen if the server is sane.


The server does not support or accept range requests.


This is an odd error that mainly occurs due to internal confusion.


A problem occurred somewhere in the SSL/TLS handshake. You really want to read the message in the error buffer, as it pinpoints the problem slightly more precisely. Possible causes include certificates (file formats, paths, permissions), passwords, and others.


The download could not be resumed because the specified offset was out of the file boundary.


A file given with FILE:// couldn’t be opened. Most likely because the file path doesn’t identify an existing file. Did you check file permissions?


LDAP cannot bind. LDAP bind operation failed.


LDAP search failed.


Function not found. A required zlib function was not found.


Aborted by callback. A callback returned “abort” to libcurl.


Internal error. A function was called with a bad parameter.


Interface error. A specified outgoing interface could not be used. Set which interface to use for outgoing connections’ source IP address with CURLOPT_INTERFACE.


Too many redirects. When following redirects, libcurl hit the maximum amount. Set your limit with CURLOPT_MAXREDIRS.


An option passed to libcurl is not recognized/known. Refer to the appropriate documentation. This is most likely a problem in the program that uses libcurl. The error buffer might contain more specific information about which exact option it concerns.


A telnet option string was illegally formatted.


The remote server’s SSL certificate or SSH md5 fingerprint was deemed not OK.


Nothing was returned from the server, and under the circumstances, getting nothing is considered an error.


The specified crypto engine wasn’t found.


Failed setting the selected SSL crypto engine as default!


Failed sending network data.


Failure with receiving network data.


Problem with the local client certificate.


Couldn’t use specified cipher.


Peer certificate cannot be authenticated with known CA certificates.


Unrecognized transfer encoding.


Invalid LDAP URL.


Maximum file size exceeded.


Requested FTP SSL level failed.


When doing a send operation curl had to rewind the data to retransmit, but the rewinding operation failed.


Initiating the SSL Engine failed.


The remote server denied curl login. (Added in 7.13.1)


File not found on TFTP server.


Permission problem on TFTP server.


Out of disk space on the server.


Illegal TFTP operation.


Unknown TFTP transfer ID.


File already exists and will not be overwritten.


This error should never be returned by a properly functioning TFTP server.


Character conversion failed.


Caller must register conversion callbacks.


Problem with reading the SSL CA cert (path? access rights?)


The resource referenced in the URL does not exist.


An unspecified error occurred during the SSH session.


Failed to shut down the SSL connection.


Socket is not ready for send/recv; wait till it’s ready and try again. This return code is only returned from curl_easy_recv and curl_easy_send. (Added in 7.18.2)


Failed to load CRL file (Added in 7.19.0)


Issuer check failed (Added in 7.19.0)


The FTP server does not understand the PRET command at all or does not support the given argument. Be careful when using CURLOPT_CUSTOMREQUEST, a custom LIST command will be sent with PRET CMD before PASV as well. (Added in 7.20.0)


Mismatch of RTSP CSeq numbers.


Mismatch of RTSP Session Identifiers.


Unable to parse FTP file list (during FTP wildcard downloading).


Chunk callback reported error.


(For internal use only, will never be returned by libcurl) No connection available, the session will be queued. (added in 7.30.0)


Failed to match the pinned key specified with CURLOPT_PINNEDPUBLICKEY.


Status returned failure when asked with CURLOPT_SSL_VERIFYSTATUS.


Stream error in the HTTP/2 framing layer.


An API function was called from inside a callback.


These error codes will never be returned. They were used in an old libcurl version and are currently unused.


This is the generic return code used by functions in the libcurl multi interface. Also consider curl_multi_strerror.


This is not really an error. It means you should call curl_multi_perform again without doing select() or similar in between. Before version 7.20.0 this could be returned by curl_multi_perform, but in later versions this return code is never used.


Things are fine.


The passed-in handle is not a valid CURLM handle.


An easy handle was not good/valid. It could mean that it isn’t an easy handle at all, or possibly that the handle is already in use by this or another multi handle.


You are doomed.


This can only be returned if libcurl bugs. Please report it to us!


The passed-in socket is not a valid one that libcurl already knows about. (Added in 7.15.4)


curl_multi_setopt() with unsupported option (Added in 7.15.4)


An easy handle already added to a multi handle was attempted to get added a second time. (Added in 7.32.1)


An API function was called from inside a callback.


The “share” interface will return a CURLSHcode to indicate when an error has occurred. Also consider curl_share_strerror.


All fine. Proceed as usual.


An invalid option was passed to the function.


The share object is currently in use.


An invalid share object was passed to the function.


Not enough memory was available. (Added in 7.12.0)


The requested sharing could not be done because the library you use doesn’t have that particular feature enabled. (Added in 7.23.0)