Logfiles

Master_FM

New Member
Hi everyone,

could someone help me out a bit and tell me what the particular lines in the log files mean? I already understand most of it, but I wanted to hear your opinion.

mod_security2:

Code:
[Tue Jan 29 12:11:57 2013] [error] [client 209.45.75.195] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/modsecurity2/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "88.198.115.115"] [uri "/phpMyAdmin-2.5.7/index.php"] [unique_id "UQeufVjGc3MAAGCBhasAAAAM"]
[Tue Jan 29 12:11:57 2013] [error] [client 209.45.75.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity2/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "88.198.115.115"] [uri "/phpMyAdmin-2.5.7-pl1/index.php"] [unique_id "UQeufVjGc3MAAGBdFz8AAAAC"]

Code:
[Mon Jan 28 23:36:29 2013] [error] [client 62.112.36.231] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Jan 29 01:12:24 2013] [error] [client 94.102.51.246] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^\\w+:/" at REQUEST_URI_RAW. [file "/etc/apache2/modsecurity2/modsecurity_crs_20_protocol_violations.conf"] [line "74"] [id "960014"] [msg "Proxy access attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"] [hostname "24x7-allrequestsallowed.com"] [uri "/"] [unique_id "UQcT6FjGc3MAAEO0uq4AAAAD"]
[Tue Jan 29 01:26:19 2013] [error] [client 77.1.156.146] request failed: error reading the headers

Code:
[29/Jan/2013:17:22:30 +0100] [my2life.de/sid#7f4a096ebc90][rid#7f4a09f5f9d0][/index.php][2] Warning. Match of "rx (?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|gif)|B(?:%pdf|\\.ra)\\b)" against "RESPONSE_BODY" required. [file "/etc/apache2/modsecurity2/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"]
[29/Jan/2013:17:22:30 +0100] [my2life.de/sid#7f4a096ebc90][rid#7f4a09f5f9d0][/index.php][2] Warning. Match of "rx (?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|gif)|B(?:%pdf|\\.ra)\\b)" against "RESPONSE_BODY" required. [file "/etc/apache2/modsecurity2/modsecurity_crs_50_outbound.conf"] [line "66"] [id "970902"] [msg "PHP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"]

Code:
[29/Jan/2013:17:21:43 +0100] [www.my2life.de/sid#7f4a096ebc90][rid#7f4a09f5f9d0][/][2] Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/modsecurity2/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]

I get some of these messages extremely often, several times within a minute, etc.
What exactly does all this mean?

Many thanks
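
Added example, not part of the original post: a small Python parser for the Apache error_log lines that ModSecurity writes (the layout of the first two excerpts above), counting hits per rule and per client per minute. The sample lines are constructed (documentation IP addresses, made-up URI), the function names are this example's own, and the `[29/Jan/2013:…]` debug-log layout of the last two excerpts is not handled.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.2 error_log prefix: [timestamp] [level] [client IP] message
PREFIX = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<rest>.*)$')
# ModSecurity metadata fields: [name "value"]; the value may contain escaped quotes
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity error_log line, or None for any other line."""
    m = PREFIX.match(line.strip())
    if not m or not m.group("rest").startswith("ModSecurity: "):
        return None
    rest = m.group("rest")[len("ModSecurity: "):]
    rec = {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "client": m.group("client"),
        # "Access denied" means the request was rejected; "Warning" only logs it
        "blocked": rest.startswith("Access denied"),
    }
    rec.update(FIELD.findall(rest))  # adds id, msg, severity, uri, ...
    return rec

def summarize(lines):
    """Count hits per (rule id, msg, action) and per (client, minute)."""
    by_rule, by_client_minute = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # plain Apache errors, e.g. "request failed: ..."
        action = "blocked" if rec["blocked"] else "warning"
        by_rule[(rec.get("id"), rec.get("msg"), action)] += 1
        by_client_minute[(rec["client"], rec["time"].strftime("%Y-%m-%d %H:%M"))] += 1
    return by_rule, by_client_minute

# Constructed sample input in the same layout as the excerpts above
SAMPLE = r'''
[Tue Jan 29 12:11:57 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "203.0.113.5"] [uri "/example/index.php"]
[Tue Jan 29 12:11:58 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [hostname "203.0.113.5"] [uri "/example/index.php"]
[Tue Jan 29 12:12:03 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "203.0.113.5"] [uri "/example/index.php"]
[Tue Jan 29 12:13:10 2013] [error] [client 198.51.100.7] request failed: error reading the headers
'''.strip().splitlines()

if __name__ == "__main__":
    rules, bursts = summarize(SAMPLE)
    for key, n in rules.most_common():
        print(n, *key)
    for key, n in bursts.most_common():
        print(n, *key)
```

Sorting the per-rule counter shows which rule ids account for most of the entries, and the per-client, per-minute counter shows whether a burst comes from a single address.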
 