Security Basics mailing list archives

Re: Apache Logs

From: jm <jm () hcn com au>
Date: Tue, 17 Apr 2007 13:38:00 +1000

Doubtful Tony, ::1 is localhost IPv6.

$ /sbin/ifconfig lo
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7365015 (7.0 MiB)  TX bytes:7365015 (7.0 MiB)

Cheers,

Jason



tony barry wrote:

Hi List,

I recently found the following in my Apache error logs.


[Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 05:07:24 2007] [error] [client 222.137.34.211] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 18:45:22 2007] [error] [client 222.137.123.38] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 18:50:41 2007] [error] [client 222.243.165.41] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access
denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
"EMERGENCY"] [uri "/"]

[Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access
denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
"EMERGENCY"] [uri "/"]

[Mon Apr 16 21:41:02 2007] [error] [client ::1] mod_security: Access
denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
"EMERGENCY"] [uri "/"]

[Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here7"] [uri "/"]


Looking back in the logs I found many instances of this error message
but of real concern are the two entries with [client ::1] which is what
caught my attention. Have I been hacked?

Current thread:

Apache Logs tony barry (Apr 16)
- Re: Apache Logs jm (Apr 16)
  - Re: Apache Logs tony barry (Apr 17)
    - Re: Apache Logs jm (Apr 17)
    - Re: Apache Logs tony barry (Apr 19)
- Re: Apache Logs security.xentek (Apr 17)