[squid-users] Mod-security blocking my proxy server

From: Tek Bahadur Limbu <teklimbu@dont-contact.us>
Date: Tue, 13 Mar 2007 13:23:20 +0545

Dear All,

A domain hosting site running mod-security is blocking one of my proxy
servers. They have provided me with the following security logs as the
reason.

Note: I have modified the site and IP of my proxy server.

Do the logs below mean that some of my clients are abusing my proxy
server?

[Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security:
Access denied with code 406. Pattern match "<script" at THE_REQUEST
[hostname "somesite.com"] [uri
"/pressrelease_details.php?id=>'><ScRiPt%20%0a%0d>alert(121446072)%3B</S
cRiPt>"]

[Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18] mod_security:
Access denied with code 406. Pattern match "<script" at THE_REQUEST
[hostname "somesite.com"] [uri
"/pressrelease_details.php?id=</title><ScRiPt%20%0a%0d>alert(1853475877)
%3B</ScRiPt>"]

[Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18] mod_security:
Access denied with code 406. Pattern match "<script" at THE_REQUEST
[hostname "somesite.com"] [uri
"/pressrelease_details.php?id=>\\"><ScRiPt%20%0a%0d>alert(1640807322)%3B
</ScRiPt>"]

[Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security:
Access denied with code 406. Pattern match
"<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|appl
et|activex|chrome)[[:space:]]*>" at REQUEST_URI [hostname
"somesite.com"] [uri
"/pressrelease_details.php?id=<%00script>alert(2038864227)%3B</script>"]

[Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18] mod_security:
Access denied with code 406. Pattern match "<script" at THE_REQUEST
[hostname "somesite.com"] [uri
"/pressrelease_details.php?id=--><ScRiPt%20%0a%0d>alert(114595006)%3B</S
cRiPt>"]

[Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security:
Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI
[hostname "somesite.com"] [uri
"/pressrelease_details.php?id=+%26cat+/etc/passwd%26"]

[Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security:
Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI
[hostname "somesite.com"] [uri
"/pressrelease_details.php?id=+%0acat+/etc/passwd%0a"]

Any kind of help and feedback are highly appreciated.

Thanking you..

--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np
Received on Tue Mar 13 2007 - 01:38:40 MDT
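
One way to check the question in the message from the proxy side, as an added example that is not part of the original post: take the blocked URIs from the mod_security entries and look for the same requests in Squid's access.log to see which internal client sent them. It assumes Squid's native access.log format; the two mod_security lines are from the message (unwrapped to one line each), while the access.log lines and the 10.0.0.x client addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# mod_security error-log entry in the form quoted in the message.
MODSEC_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] mod_security: .*?'
    r'\[hostname "(?P<host>[^"]+)"\] \[uri "(?P<uri>.*)"\]\s*$')

# Two entries from the message, unwrapped.
MODSEC_SAMPLE = [
    '[Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=+%26cat+/etc/passwd%26"]',
    '[Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=+%0acat+/etc/passwd%0a"]',
]

# Constructed Squid native-format lines:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_SAMPLE = [
    '1173383077.412    310 10.0.0.57 TCP_MISS/406 512 GET http://somesite.com/pressrelease_details.php?id=+%26cat+/etc/passwd%26 - DIRECT/192.0.2.10 text/html',
    '1173383077.913    295 10.0.0.57 TCP_MISS/406 512 GET http://somesite.com/pressrelease_details.php?id=+%0acat+/etc/passwd%0a - DIRECT/192.0.2.10 text/html',
    '1173383080.100    120 10.0.0.23 TCP_MISS/200 8342 GET http://somesite.com/pressrelease_details.php?id=12 - DIRECT/192.0.2.10 text/html',
]

def modsec_targets(lines):
    """Return the set of (host, percent-decoded URI) pairs that were blocked."""
    targets = set()
    for line in lines:
        m = MODSEC_RE.search(line)
        if m:
            targets.add((m["host"].lower(), unquote(m["uri"])))
    return targets

def suspect_clients(modsec_lines, access_lines):
    """Count, per proxy client, the requests that match a blocked URI."""
    targets = modsec_targets(modsec_lines)
    hits = Counter()
    for line in access_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format entry
        client, url = fields[2], fields[6]
        u = urlsplit(url)
        uri = u.path + ("?" + u.query if u.query else "")
        # Compare decoded forms: the two logs may escape characters differently.
        if ((u.hostname or "").lower(), unquote(uri)) in targets:
            hits[client] += 1
    return hits

if __name__ == "__main__":
    for client, n in suspect_clients(MODSEC_SAMPLE, SQUID_SAMPLE).most_common():
        print(f"{client}: {n} blocked request(s)")
```

Matching is done on host and URI rather than on time, since the hosting site's log timestamps and the proxy's may be in different time zones.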