Security Basics mailing list archives
Re: Apache Logs
From: tony barry <tony () no-bull co nz>
Date: Fri, 20 Apr 2007 07:34:50 +1200
FYI, I've done a bit of research and it seems that the messages originate from Apache's internal dummy connection due to changes in version 2.2. It seems to be a new process for killing off excess child processes. More research to be done, but at least now I know no one is in my system.

On Wed, 2007-04-18 at 10:59 +1000, jm wrote:

> Hi Tony,
>
> I doubt it's coming from outside your network, I'd be looking at local processes. Do you have combined logging enabled? If so, check the access_log for matching hits and check out what the user agent is, it might give you some tips as to where it's coming from. Are the entries still occurring? If so, a packet capture might help :)
>
> Cheers,
> Jason
>
> tony barry wrote:
>> Thanks for your reply Jason,
>>
>> I am aware that ::1 is localhost IPv6, which is why I am concerned. How does someone outside our network send a packet to Apache which appears to originate from the localhost?
>>
>> On Tue, 2007-04-17 at 13:38 +1000, jm wrote:
>>> Doubtful Tony, ::1 is localhost IPv6.
>>>
>>> $ /sbin/ifconfig lo
>>> lo        Link encap:Local Loopback
>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>           inet6 addr: ::1/128 Scope:Host
>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>           RX packets:2725 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:0
>>>           RX bytes:7365015 (7.0 MiB)  TX bytes:7365015 (7.0 MiB)
>>>
>>> Cheers,
>>> Jason
>>>
>>> tony barry wrote:
>>>> Hi List,
>>>>
>>>> I recently found the following in my Apache error logs.
>>>>
>>>> [Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
>>>> [Mon Apr 16 05:07:24 2007] [error] [client 222.137.34.211] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
>>>> [Mon Apr 16 18:45:22 2007] [error] [client 222.137.123.38] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
>>>> [Mon Apr 16 18:50:41 2007] [error] [client 222.243.165.41] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
>>>> [Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
>>>> [Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
>>>> [Mon Apr 16 21:41:02 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
>>>> [Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here7"] [uri "/"]
>>>>
>>>> Looking back in the logs I found many instances of this error message, but of real concern are the two entries with [client ::1], which is what caught my attention. Have I been hacked?
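The triage the thread arrives at (loopback client plus empty Host header is Apache's own dummy connection; external clients with an empty User-Agent are blocked remote requests) can be applied mechanically to an error_log. The script below is an added example, not code from the thread or from Apache; the sample lines are constructed from the log format quoted above, and the classification labels are this example's own heuristic names.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Matches the mod_security 1.x denial format quoted in the thread.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'mod_security: Access denied with code (?P<code>\d+)\. '
    r'Pattern match "(?P<pattern>[^"]*)" at HEADER\("(?P<header>[^"]+)"\)'
)

# Constructed sample, modelled on the lines posted in the thread (hostname redacted as in the post).
SAMPLE_LOG = [
    '[Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security: Access denied with code 406. '
    'Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]',
    '[Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access denied with code 406. '
    'Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]',
    '[Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access denied with code 406. '
    'Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]',
    '[Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security: Access denied with code 406. '
    'Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]',
    '[Mon Apr 16 22:12:00 2007] [notice] Apache/2.2 configured -- resuming normal operations',
]

def parse_line(line):
    """Return the denial's fields as a dict, or None for lines that are not mod_security denials."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(entry):
    """Heuristic label for one parsed denial (a triage hint, not a verdict)."""
    try:
        local = ip_address(entry["client"]).is_loopback   # ::1 or 127.x.x.x
    except ValueError:
        local = False                                    # hostname or garbage in the client field
    if local and entry["header"] == "HOST" and entry["pattern"] == "^$":
        # Empty Host header from loopback: the pattern the thread attributes
        # to Apache 2.2's internal dummy connection.
        return "local-dummy-connection"
    if local:
        return "local-other"      # loopback hit on some other rule: worth a look
    return "remote-blocked"       # external client denied by mod_security

def triage(lines):
    """Count denials per label so the loopback noise can be separated from remote hits."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[classify(entry)] += 1
    return dict(counts)

if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{label:24} {n}")
```

Run it against a real error_log with `triage(open("/var/log/httpd/error_log"))`; a non-zero "local-other" count or a "local-dummy-connection" hit whose header is anything but an empty Host is what still deserves the access_log and packet-capture follow-up Jason suggests.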