Re: [squid-users] Mod-security blocking my proxy server

From: Adrian Chadd <adrian@dont-contact.us>
Date: Tue, 13 Mar 2007 15:54:03 +0800

On Tue, Mar 13, 2007, Tek Bahadur Limbu wrote:
>
> Dear All,
>
> A domain hosting site running mod-security is blocking one of my proxy
> server. They have provided me the following security logs for the
> reason.
>
> Note: I have modified the site and IP of my proxy server.
>
> Does the logs below mean that some of my clients are abusing my proxy
> server?

Yup. Well, either that, or one of your clients has a hacked machine which
is then issuing these silly scripting vulnerabilities in the URI.

Either way, figure out what your client is doing.

Adrian

>
>
> [Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=>'><ScRiPt%20%0a%0d>alert(121446072)%3B</ScRiPt>"]
>
> [Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=</title><ScRiPt%20%0a%0d>alert(1853475877)%3B</ScRiPt>"]
>
> [Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=>\\"><ScRiPt%20%0a%0d>alert(1640807322)%3B</ScRiPt>"]
>
> [Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=<%00script>alert(2038864227)%3B</script>"]
>
> [Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "<script" at THE_REQUEST [hostname "somesite.com"] [uri "/pressrelease_details.php?id=--><ScRiPt%20%0a%0d>alert(114595006)%3B</ScRiPt>"]
>
> [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=+%26cat+/etc/passwd%26"]
>
> [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match "/etc/passwd" at REQUEST_URI [hostname "somesite.com"] [uri "/pressrelease_details.php?id=+%0acat+/etc/passwd%0a"]
>
>
> Any kind of help and feedback are highly appreciated.
>
> Thanking you.
>
>
> --
>
>
> With best regards and good wishes,
>
> Yours sincerely,
>
> Tek Bahadur Limbu
>
> (TAG/TDG Group)
> Jwl Systems Department
>
> Worldlink Communications Pvt. Ltd.
>
> Jawalakhel, Nepal
>
> http://www.wlink.com.np

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
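One way to act on the advice above, as an added example that is not from the thread: parse Squid's native access.log, decode each request URL, and list the proxy clients whose requests carry the same two patterns mod_security matched (a script tag or /etc/passwd), so the operator can see which client sent them. The log lines are constructed, and the client addresses 10.0.0.5 and 10.0.0.7 are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Mirrors the two signatures in the quoted mod_security log: a script tag
# (matched after NUL bytes and encoding are stripped) and /etc/passwd.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)
ETC_PASSWD = re.compile(r"/etc/passwd")

# Squid native format: time elapsed client action/code size method url ...
LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<status>\d{3})\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def normalise(url):
    """Decode percent-encoding twice and drop NUL bytes so that both
    "<%00script" and "%3CScRiPt" collapse to a plain "<script"."""
    return unquote(unquote(url)).replace("\x00", "")

def suspicious_clients(lines):
    """Return {client_ip: [(timestamp, status, decoded_url), ...]} for every
    access.log line whose decoded URL matches one of the signatures."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = normalise(m["url"])
        if SCRIPT_TAG.search(url) or ETC_PASSWD.search(url):
            hits[m["client"]].append((m["ts"], int(m["status"]), url))
    return dict(hits)

# Constructed sample access.log lines (not from the thread): hypothetical
# client 10.0.0.5 sends the probes seen upstream; 10.0.0.7 is an ordinary visitor.
SAMPLE_LOG = """\
1173374666.101    120 10.0.0.5 TCP_MISS/406 512 GET http://somesite.com/pressrelease_details.php?id=%3E%27%3E%3CScRiPt%20%0a%0d%3Ealert(121446072)%3B%3C/ScRiPt%3E - DIRECT/192.0.2.10 text/html
1173374670.220     98 10.0.0.5 TCP_MISS/406 512 GET http://somesite.com/pressrelease_details.php?id=%3C%00script%3Ealert(2038864227)%3B%3C/script%3E - DIRECT/192.0.2.10 text/html
1173374677.015     77 10.0.0.5 TCP_MISS/406 512 GET http://somesite.com/pressrelease_details.php?id=+%26cat+/etc/passwd%26 - DIRECT/192.0.2.10 text/html
1173374680.400    150 10.0.0.7 TCP_MISS/200 8192 GET http://somesite.com/pressrelease_details.php?id=42 - DIRECT/192.0.2.10 text/html
"""

if __name__ == "__main__":
    for client, reqs in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(reqs)} flagged request(s)")
        for ts, status, url in reqs:
            print(f"  {ts} {status} {url}")
```

Filtering on the 406 status alone would also find these, since the upstream WAF returns it; matching on the decoded URL catches the same probes even when the destination does not block them.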
Received on Tue Mar 13 2007 - 01:44:55 MDT
