-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear All, A domain hosting site running mod-security is blocking one of my proxy server. They have provided me the following security logs for the reason. Note: I have modified the site and IP of my proxy server. Does the logs below mean that some of my clients are abusing my proxy server? [Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=>'><ScRiPt%20%0a%0d>alert(121446072)%3B</S cRiPt>"] [Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=</title><ScRiPt%20%0a%0d>alert(1853475877) %3B</ScRiPt>"] [Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=>\\"><ScRiPt%20%0a%0d>alert(1640807322)%3B </ScRiPt>"] [Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|appl et|activex|chrome)[[:space:]]*>" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=<%00script>alert(2038864227)%3B</script>"] [Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=--><ScRiPt%20%0a%0d>alert(114595006)%3B</S cRiPt>"] [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=+%26cat+/etc/passwd%26"] [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=+%0acat+/etc/passwd%0a"] Any kind of help and feedback are highly appreciated. Thanking you.. - -- With best regards and good wishes, Yours sincerely, Tek Bahadur Limbu (TAG/TDG Group) Jwl Systems Department Worldlink Communications Pvt. Ltd. Jawalakhel, Nepal http://www.wlink.com.np -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQFF9lTsVrOl+eVhOvYRAqGcAJ9OT+UbDWAA3UMsSRbHC8zmfBWxOACcC3U6 Pr6zzwkH8HD8qdoq8kIvrVY= =u2e+ -----END PGP SIGNATURE-----