Results 1 to 3 of 3
  1. #1
    Join Date
    Dec 2002
    Location
    USA
    Posts
    337

    ModSecurity Log - Googlebot?

    Upon reviewing my modsecurity log today, I found an interesting hit from google.

    -------------------

    Requesting IP: 66.249.65.67 is http://ws.arin.net/cgi-bin/whois.pl?...t=66.249.65.67

    Date: 2006-10-03

    Time: 07:10:16

    Handler: mod_gzip_handler

    Get: /page/index/1&show=25,07,2005?php%20echo%20$bmc_vars%5B'site_url'%5D;%20?%3E/profile.php?id=1

    Mod_Security-Message: Access denied with code 406. Pattern match "echo " at THE_REQUEST

    Mod_Security-Action: 406

    ------------

    The rule that set off this 406 response was:

    Code:
    SecFilterSelective THE_REQUEST "echo "

    What I find interesting is that I do not have any such URL structure on this website that google requested.

  2. #2
    Join Date
    Dec 2005
    Posts
    82
    Probably somebody put this link on a page in the internet and google just followed by the link while crawling.

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    I would remove that rule, its not the best rule.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •