Security Basics mailing list archives
Re: Apache Logs
From: jm <jm () hcn com au>
Date: Tue, 17 Apr 2007 13:38:00 +1000
Doubtful Tony, ::1 is localhost IPv6.

$ /sbin/ifconfig lo
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7365015 (7.0 MiB)  TX bytes:7365015 (7.0 MiB)

Cheers,
Jason

tony barry wrote:
Hi List,

I recently found the following in my Apache error logs.

[Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
[Mon Apr 16 05:07:24 2007] [error] [client 222.137.34.211] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
[Mon Apr 16 18:45:22 2007] [error] [client 222.137.123.38] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
[Mon Apr 16 18:50:41 2007] [error] [client 222.243.165.41] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
[Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 21:41:02 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here7"] [uri "/"]

Looking back in the logs I found many instances of this error message but of real concern are the two entries with [client ::1] which is what caught my attention.

Have I been hacked?
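The following Python is an added example, not code from the thread: it parses mod_security denial lines in the format quoted above and separates loopback clients (::1, 127.0.0.1) from remote ones, so local requests are not mistaken for outside traffic. The sample lines are constructed; the hostname value and the 127.0.0.1 and not-an-ip entries are assumptions added to cover the other cases.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the Apache/mod_security format quoted in the thread.
SAMPLE_LOG = """\
[Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "example"] [uri "/"]
[Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 22:11:40 2007] [error] [client 127.0.0.1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 22:12:01 2007] [error] [client not-an-ip] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
"""

# Captures the client field, the status code, the matched pattern and the header name.
LINE_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] mod_security: Access denied with code (?P<code>\d+)\. '
    r'Pattern match "(?P<pattern>[^"]*)" at HEADER\("(?P<header>[^"]+)"\)'
)


def classify(client):
    """Return 'loopback', 'remote' or 'unparsed' for a logged client field."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unparsed"  # e.g. a hostname or a corrupted field
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) like the IPv4 address it wraps.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return "loopback" if addr.is_loopback else "remote"


def summarize(log_text):
    """Count denials per (origin class, client, header that matched the rule)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(classify(m["client"]), m["client"], m["header"])] += 1
    return counts


if __name__ == "__main__":
    for (origin, client, header), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{origin:9} {client:16} empty {header:10} x{n}")
```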