Internal Server Error When Saving
Do you get a server error after editing the configuration?
Internal Server Error
in your browser?
If your hosting provider has Mod_Security in place on the apache server. It may be caused because it recognizes it as a rootkit attack. This attack is for known rootkits, remote toolkits, etc.
This is from Savannah W-ITS,
Review web logs on a regular basis and think about adding filters from IP addresses that are abusive (don't forget to look at the sub-networks). For example, if don't do business overseas, you can disable access from those areas. Currently (as of Fall 2008) most of the web SPAM posting attempts or RootKit/SQL attacks are coming from central Europe for China. Once you eliminate access the bad guys will (most likely) go after easier prey.
Here is the guidelines from a hosting provider on how to fix this on a per instance basis.
The first thing to do is log in to the terminal. Once in type " cat
/usr/local/apache/logs/error_log | grep 500 | grep <type the domain name
here>" it should spit out a bunch of stuff you will be looking for ones that
look similar to this:
[Tue Feb 10 08:45:30 2009] [error] [client 18.104.22.168] ModSecurity: Access denied with code 4 06 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp| dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2/rootki ts.conf"] [line "3"] [id "390144"] [rev "1"] [msg "Rootkit attack: Generic Attempt to install ro otkit"] [severity "CRITICAL"] [hostname "joomlacomponentmanager.com"] [uri "/component//administ rator/components/com_pollxt/conf.pollxt.php"] [unique_id "s1DzyUPjj4QAAGYrEicAAAAM"]
From that long list the only real thing you need is the id which on this one
You then use a text editor of your choice and go to
/usr/local/apache/conf/httpd.conf go to the vhost entry for the domain.
Then type on its own lines:
<Location "/administrator">SecRuleRemoveById 390144</Location>
Then restart apache.