-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 13 Mar 2007 15:54:03 +0800
Adrian Chadd <adrian@xxxxxxxxxxxxxxx> wrote:

> On Tue, Mar 13, 2007, Tek Bahadur Limbu wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Dear All,
> >
> > A domain hosting site running mod-security is blocking one of my
> > proxy servers. They have provided me the following security logs as
> > the reason.
> >
> > Note: I have modified the site and IP of my proxy server.
> >
> > Do the logs below mean that some of my clients are abusing my
> > proxy server?
>
> Yup. Well, either that, or one of your clients has a hacked machine
> which is then issuing these silly scripting vulnerabilities in the
> URI.
>
> Either way, figure out what your client is doing.

Thanks, Adrian, for your quick reply. I will further investigate the
offending client.

>
> Adrian
>
> > [Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18]
> > mod_security: Access denied with code 406. Pattern match "<script"
> > at THE_REQUEST [hostname "somesite.com"] [uri
> > "/pressrelease_details.php?id=>'><ScRiPt%20%0a%0d>alert(121446072)%3B</ScRiPt>"]
> >
> > [Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18]
> > mod_security: Access denied with code 406. Pattern match "<script"
> > at THE_REQUEST [hostname "somesite.com"] [uri
> > "/pressrelease_details.php?id=</title><ScRiPt%20%0a%0d>alert(1853475877)%3B</ScRiPt>"]
> >
> > [Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18]
> > mod_security: Access denied with code 406. Pattern match "<script"
> > at THE_REQUEST [hostname "somesite.com"] [uri
> > "/pressrelease_details.php?id=>\\"><ScRiPt%20%0a%0d>alert(1640807322)%3B</ScRiPt>"]
> >
> > [Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18]
> > mod_security: Access denied with code 406. Pattern match
> > "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
> > at REQUEST_URI [hostname "somesite.com"] [uri
> > "/pressrelease_details.php?id=<%00script>alert(2038864227)%3B</script>"]
> >
> > [Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18]
> > mod_security: Access denied with code 406. Pattern match "<script"
> > at THE_REQUEST [hostname "somesite.com"] [uri
> > "/pressrelease_details.php?id=--><ScRiPt%20%0a%0d>alert(114595006)%3B</ScRiPt>"]
> >
> > [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18]
> > mod_security: Access denied with code 406. Pattern match
> > "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri
> > "/pressrelease_details.php?id=+%26cat+/etc/passwd%26"]
> >
> > [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18]
> > mod_security: Access denied with code 406. Pattern match
> > "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri
> > "/pressrelease_details.php?id=+%0acat+/etc/passwd%0a"]
> >
> >
> > Any kind of help and feedback is highly appreciated.
> >
> > Thanking you..
> >
> >
> > - --
> >
> > With best regards and good wishes,
> >
> > Yours sincerely,
> >
> > Tek Bahadur Limbu
> >
> > (TAG/TDG Group)
> > Jwl Systems Department
> >
> > Worldlink Communications Pvt. Ltd.
> >
> > Jawalakhel, Nepal
> >
> > http://www.wlink.com.np
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.2.2 (FreeBSD)
> >
> > iD8DBQFF9lTsVrOl+eVhOvYRAqGcAJ9OT+UbDWAA3UMsSRbHC8zmfBWxOACcC3U6
> > Pr6zzwkH8HD8qdoq8kIvrVY=
> > =u2e+
> > -----END PGP SIGNATURE-----
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level bandwidth-capped VPSes available in WA -

- --

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFF9lv+VrOl+eVhOvYRAtRVAJ9OAiX1/O3pY+Dw2UfPXnSU99LVtQCfY3qn
t93hJQ/BUqRBPQZJ0VfRCy8=
=Vnmj
-----END PGP SIGNATURE-----
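The "figure out what your client is doing" step above has a concrete shape: the hosting site's mod_security lines only ever name the proxy's own address in the [client ...] field, so the originating host has to be recovered from the proxy's own access log. The following script is an added example, not code from the thread or from the Squid or mod_security projects. It parses mod_security 1.x error_log denials of the form quoted above, URL-decodes and roughly classifies each blocked URI, and then looks for the same URLs in Squid's native access.log format (assumed layout: unix timestamp, elapsed ms, client IP, action/status, bytes, method, URL, ident, hierarchy, MIME type) to count denials per real client. The mod_security sample reuses three lines from the thread; the Squid lines and the client addresses 10.1.2.34 and 10.1.2.99 are constructed for the example. Matching is done on the full URL rather than on time, because Apache's error_log carries local wall-clock time while Squid logs epoch seconds.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample: three of the mod_security 1.x error_log lines quoted in
# the thread (site name and proxy IP are the poster's anonymised values).
MODSEC_LOG = r'''
[Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=>'><ScRiPt%20%0a%0d>alert(121446072)%3B</ScRiPt>"]
[Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=<%00script>alert(2038864227)%3B</script>"]
[Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=+%26cat+/etc/passwd%26"]
'''

# Constructed sample of Squid native access.log lines (assumed layout:
# unix_ts elapsed client action/status bytes method URL ident hier/peer type).
# The client addresses 10.1.2.34 and 10.1.2.99 are invented for the example.
SQUID_LOG = '''
1173374666.412    184 10.1.2.34 TCP_MISS/406 612 GET http://somesite.com/pressrelease_details.php?id=>'><ScRiPt%20%0a%0d>alert(121446072)%3B</ScRiPt> - DIRECT/203.0.113.10 text/html
1173374670.101    177 10.1.2.34 TCP_MISS/406 612 GET http://somesite.com/pressrelease_details.php?id=<%00script>alert(2038864227)%3B</script> - DIRECT/203.0.113.10 text/html
1173374677.905    190 10.1.2.34 TCP_MISS/406 612 GET http://somesite.com/pressrelease_details.php?id=+%26cat+/etc/passwd%26 - DIRECT/203.0.113.10 text/html
1173374680.300     40 10.1.2.99 TCP_HIT/200 4096 GET http://somesite.com/index.php - NONE/- text/html
'''

# One mod_security 1.x "Access denied" line, as in the quoted log.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'mod_security: Access denied with code (?P<code>\d+)\. '
    r'Pattern match "(?P<pattern>.*)" at (?P<var>\w+) '
    r'\[hostname "(?P<host>[^"]+)"\] \[uri "(?P<uri>.*)"\]$'
)


def classify(decoded_uri):
    """Rough defender-side label for a decoded request URI."""
    u = decoded_uri.lower()
    if '/etc/passwd' in u:
        return 'command-injection probe'
    # Catches <script, </script> and the NUL-padded <\x00script> variant.
    if re.search(r'<[^>]*script', u):
        return 'xss probe'
    return 'other'


def parse_modsec(text):
    """Turn mod_security denial lines into dicts with decoded URI and label."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a denial line in the expected shape; skip it
        rec = m.groupdict()
        rec['when'] = datetime.strptime(rec['ts'], '%a %b %d %H:%M:%S %Y')
        rec['decoded_uri'] = unquote_plus(rec['uri'])
        rec['kind'] = classify(rec['decoded_uri'])
        records.append(rec)
    return records


def summarize(records):
    """Count denials per (hostname, kind) so the admin sees what was tried."""
    return Counter((r['host'], r['kind']) for r in records)


def find_proxy_clients(records, squid_text):
    """Count, per Squid client IP, how many of the blocked URLs it requested."""
    wanted = {'http://%s%s' % (r['host'], r['uri']) for r in records}
    hits = Counter()
    for line in squid_text.strip().splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip it
        client_ip, url = fields[2], fields[6]
        if url in wanted:
            hits[client_ip] += 1
    return hits


if __name__ == '__main__':
    recs = parse_modsec(MODSEC_LOG)
    for r in recs:
        print(r['when'], r['kind'], r['decoded_uri'])
    print(summarize(recs))
    print(find_proxy_clients(recs, SQUID_LOG))
```

On a real Squid box the same matching runs over the proxy's access.log for the minutes around the denials; the client IP that comes back is the machine to look at, and if the proxy forwards X-Forwarded-For the hosting site can already see that address in its own logs.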