On Tue, Mar 13, 2007, Tek Bahadur Limbu wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Dear All, > > A domain hosting site running mod-security is blocking one of my proxy > server. They have provided me the following security logs for the > reason. > > Note: I have modified the site and IP of my proxy server. > > Does the logs below mean that some of my clients are abusing my proxy > server?
Yup. Well, either that, or one of your clients has a hacked machine which is then issueing thse silly scripting vulnerabilities in the URI. Either way, figure out what your client is doing. Adrian > > > [Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security: > Access denied with code 406. Pattern match "<script" at THE_REQUEST > [hostname "somesite.com"] [uri > "/pressrelease_details.php?id=>'><ScRiPt%20%0a%0d>alert(121446072)%3B</S > cRiPt>"] > > [Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18] mod_security: > Access denied with code 406. Pattern match "<script" at THE_REQUEST > [hostname "somesite.com"] [uri > "/pressrelease_details.php?id=</title><ScRiPt%20%0a%0d>alert(1853475877) > %3B</ScRiPt>"] > > [Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18] mod_security: > Access denied with code 406. Pattern match "<script" at THE_REQUEST > [hostname "somesite.com"] [uri > "/pressrelease_details.php?id=>\\"><ScRiPt%20%0a%0d>alert(1640807322)%3B > </ScRiPt>"] > > [Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security: > Access denied with code 406. Pattern match > "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|appl > et|activex|chrome)[[:space:]]*>" at REQUEST_URI [hostname > "somesite.com"] [uri > "/pressrelease_details.php?id=<%00script>alert(2038864227)%3B</script>"] > > [Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18] mod_security: > Access denied with code 406. Pattern match "<script" at THE_REQUEST > [hostname "somesite.com"] [uri > "/pressrelease_details.php?id=--><ScRiPt%20%0a%0d>alert(114595006)%3B</S > cRiPt>"] > > [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: > Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI > [hostname "somesite.com"] [uri > "/pressrelease_details.php?id=+%26cat+/etc/passwd%26"] > > [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: > Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI > [hostname "somesite.com"] [uri > "/pressrelease_details.php?id=+%0acat+/etc/passwd%0a"] > > > Any kind of help and feedback are highly appreciated. > > Thanking you.. > > > - -- > > > With best regards and good wishes, > > Yours sincerely, > > Tek Bahadur Limbu > > (TAG/TDG Group) > Jwl Systems Department > > Worldlink Communications Pvt. Ltd. > > Jawalakhel, Nepal > > http://www.wlink.com.np > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2.2 (FreeBSD) > > iD8DBQFF9lTsVrOl+eVhOvYRAqGcAJ9OT+UbDWAA3UMsSRbHC8zmfBWxOACcC3U6 > Pr6zzwkH8HD8qdoq8kIvrVY= > =u2e+ > -----END PGP SIGNATURE----- -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level bandwidth-capped VPSes available in WA -
