Help interpret my modsecurity log

Atavoo (Verified User, joined Jan 28, 2011, 18 messages)
Hi there

Over the last few days my logs for modsecurity2 have started to grow rapidly. After deleting the existing log and rebooting today, I discovered the following lines inside the log a few minutes after the successful reboot:

[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2355b20][/mysql/admin/][1] Access denied with code 400 (phase 2). Pattern match "^\w+:/"$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2355b20][/mysql/admin/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_L$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2332a70][/mysql/sqlmanager/][1] Access denied with code 400 (phase 2). Pattern match "^\$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2332a70][/mysql/sqlmanager/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ER$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#234b120][/mysql/mysqlmanager/][1] Access denied with code 400 (phase 2). Pattern match "$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#234b120][/mysql/mysqlmanager/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#245fe20][/phpmyadmin/][1] Access denied with code 400 (phase 2). Pattern match "^\w+:/" $
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#245fe20][/phpmyadmin/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LO$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#233aab0][/phpMyadmin/][1] Access denied with code 400 (phase 2). Pattern match "^\w+:/" $
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#233aab0][/phpMyadmin/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LO$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2347b10][/phpMyAdmin/][1] Access denied with code 400 (phase 2). Pattern match "^\w+:/" $
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2347b10][/phpMyAdmin/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LO$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#25fc7f0][/phpmyAdmin/][1] Access denied with code 400 (phase 2). Pattern match "^\w+:/" $
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#25fc7f0][/phpmyAdmin/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LO$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#233aab0][/phpmyadmin2/][1] Access denied with code 400 (phase 2). Pattern match "^\w+:/"$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#233aab0][/phpmyadmin2/][2] Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_L$
[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2334a80][/2phpmyadmin/][1] Access denied with code 400 (phase 2). Pattern match "^\w+:/"$


The IP address in all these lines (there are plenty more) points to one of my nameservers, and is not the "server IP".

What's going on? There are several hundred lines that refer to the following paths (which don't even exist, I might add):

/program/
/dbadmin/
/db/
/database/
/mysqlmanager/
/phpmy-admin/

...and a lot more. Is someone trying to hack my server?
 
I'm not an expert on mod_security, but yes, it seems that someone is trying to access random paths to check for vulnerabilities.

In this part of the log it all seems to be from the same IP, so you should ban that IP and check if any customer complains about the ban.


Regards

PS. All requests are denied, so it seems they are trying without success (at least for now).
 
In this part of the log it all seems to be from the same IP, so you should ban that IP and check if any customer complains about the ban.

How do I figure out what IP address to ban? The only IP address in the log belongs to one of my nameservers.
 
Ah, OK, so this (188.138.43.161) is your IP?

So, try checking the HTTP logs for access to, for example, /mysql/admin/.

Regards
 
Just checked the logs again... now these attacks are being generated from two other IP addresses as well. These belong to my other nameserver, and the third one is a dedicated IP address of my website.
 
Checked the logs and found an IP address from Budapest (according to RIPE) that is creating a lot of entries in Apache's error log.

[Mon Mar 28 10:45:58 2011] [error] [client 79.172.195.193] ModSecurity: Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LOG" required. [file "/etc/modsecurity2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "65"] [id "960913"] [msg "Invalid request"] [severity "CRITICAL"] [hostname "188.138.43.181"] [uri "/phpMyAdmin-2.11.5.1-all-languages/"] [unique_id "TZBm5ryKKPoAAB-jT2sAAAAM"]

What's the best way of banning this IP from accessing my server?
 
Are you using any firewall like apf, kiss or csf?

If not, you should install one of those. I usually use csf because I feel very comfortable with it; you can find an install script in this forum.

It is integrated into DirectAdmin, so in DirectAdmin you will find (in the admin section) the CSF link, and in there a line to quick-block an IP.

Regards
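An added example, not code from any poster in this thread, of the log sorting the thread arrives at. The ModSecurity 2 debug-log lines at the top carry the server name of the virtual host in their first bracket, which is why only the server's own addresses show up there; the real client is in the Apache error log as [client a.b.c.d]. The script below parses both shapes, aggregates hits and distinct probed paths per client, and prints csf -d (ConfigServer Firewall permanent deny) commands for addresses that behave like a scanner. Every log line in it is constructed to match the shapes quoted in the thread; the ban thresholds, the customer address 192.0.2.10 and the rule id/msg on the denied sample lines are assumptions. The pattern ^\w+:/ quoted in the debug log matches a request target that starts with a scheme, e.g. GET http://host/phpmyadmin/, which is the kind of request an open-proxy scanner sends.

```python
"""Find the scanning client in ModSecurity 2 logs and build a csf ban list.

Added example for the thread above, not the original posters' code.
All sample log lines are constructed.
"""
import re
from collections import defaultdict

# Apache error-log line written by ModSecurity 2: the client is in "[client x]",
# the rule attributes follow as [key "value"] pairs.
CLIENT_RE = re.compile(
    r'\[client (?P<client>[0-9A-Fa-f.:]+)\] ModSecurity: '
    r'(?P<action>Access denied with code (?P<code>\d+)|Warning)'
)
ATTR_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')

# ModSecurity 2 debug-log line: [time] [servername/sid#..][rid#..][uri][level] msg
# The first bracket is the vhost's server name; there is no client address here.
DEBUG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<server>[^/\]]+)/sid#[0-9a-f]+\]\[rid#[0-9a-f]+\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<level>\d+)\] (?P<msg>.*)$'
)


def parse_error_line(line):
    """Client, verdict and rule attributes from an error-log line, or None."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    attrs = dict(ATTR_RE.findall(line))
    return {
        "client": m.group("client"),
        "denied": m.group("action").startswith("Access denied"),
        "rule_id": attrs.get("id"),
        "msg": attrs.get("msg"),
        "vhost": attrs.get("hostname"),
        "uri": attrs.get("uri"),
    }


def parse_debug_line(line):
    """Server name, uri and message from a debug-log line, or None."""
    m = DEBUG_RE.match(line)
    return m.groupdict() if m else None


def summarize_clients(error_lines):
    """Per client: hit count, denied count, distinct probed URIs, rule ids."""
    stats = defaultdict(lambda: {"hits": 0, "denied": 0, "uris": set(), "rules": set()})
    for line in error_lines:
        rec = parse_error_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["hits"] += 1
        s["denied"] += int(rec["denied"])
        if rec["uri"]:
            s["uris"].add(rec["uri"])
        if rec["rule_id"]:
            s["rules"].add(rec["rule_id"])
    return dict(stats)


def ban_candidates(stats, min_hits=5, min_distinct_uris=3):
    """Clients that trip rules often across many paths: scanner behaviour.

    Thresholds are assumptions for this example; tune them to your traffic so a
    customer who mistypes one URL does not end up in the deny list.
    """
    return sorted(ip for ip, s in stats.items()
                  if s["hits"] >= min_hits and len(s["uris"]) >= min_distinct_uris)


def csf_deny_commands(ips, comment="modsecurity scanner"):
    """'csf -d IP comment' lines (csf permanent deny), for review before running."""
    return ['csf -d %s "%s"' % (ip, comment) for ip in ips]


# ---- constructed sample data in the shapes quoted in the thread ----------------
_TEMPLATE = ('[Mon Mar 28 10:45:58 2011] [error] [client %s] ModSecurity: %s '
             '[file "/etc/modsecurity2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
             '[line "65"] [id "%s"] [msg "%s"] [severity "CRITICAL"] '
             '[hostname "188.138.43.181"] [uri "%s"]')
_DENY = 'Access denied with code 400 (phase 2). Pattern match "^\\w+:/" at REQUEST_URI_RAW.'
_WARN = 'Warning. Match of "rx ModSecurity" against "WEBSERVER_ERROR_LOG" required.'
SCANNER = "79.172.195.193"   # the Budapest address from the thread's error log
CUSTOMER = "192.0.2.10"      # assumed: one customer who mistyped a URL once
SAMPLE_ERROR_LOG = [
    # rule id/msg on the denied lines are assumed for the example
    _TEMPLATE % (SCANNER, _DENY, "960014", "Proxy access attempt", u)
    for u in ["/mysql/admin/", "/mysql/sqlmanager/", "/phpmyadmin/", "/phpMyAdmin/",
              "/dbadmin/", "/phpMyAdmin-2.11.5.1-all-languages/"]
] + [
    _TEMPLATE % (SCANNER, _WARN, "960913", "Invalid request", "/phpmyadmin/"),
    _TEMPLATE % (CUSTOMER, _DENY, "960014", "Proxy access attempt", "/webmail/"),
]
SAMPLE_DEBUG_LINE = ('[28/Mar/2011:10:45:49 +0000] [188.138.43.161/sid#1cf7a00][rid#2355b20]'
                     '[/mysql/admin/][1] ' + _DENY)

if __name__ == "__main__":
    stats = summarize_clients(SAMPLE_ERROR_LOG)
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        print("%-16s hits=%d denied=%d distinct_uris=%d rules=%s" % (
            ip, s["hits"], s["denied"], len(s["uris"]), ",".join(sorted(s["rules"]))))
    for cmd in csf_deny_commands(ban_candidates(stats)):
        print(cmd)
```

Run it against the real file with something like summarize_clients(open("/var/log/apache2/error.log")) and review the printed csf -d lines before executing them; the debug-log parser is there to show that those lines cannot answer "who do I ban", only the error (or audit) log can.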
 
Are you using any firewall like apf, kiss or csf?

If not, you should install one of those. I usually use csf because I feel very comfortable with it; you can find an install script in this forum.

It is integrated into DirectAdmin, so in DirectAdmin you will find (in the admin section) the CSF link, and in there a line to quick-block an IP.

Regards

Could you perhaps provide a link to that install script? What OS are you running? I'm running Debian.
 