Re: Apache Logs

[tony barry <tony () no-bull co nz>]

FYI

I've done a bit of research and it seems that the messages originate
from Apaches internal dummy connection due to changes in version 2.2.
It seems to be a new process for killing off excess child processes.
More research to be done but at least now I know no one is in my system.



On Wed, 2007-04-18 at 10:59 +1000, jm wrote:
> Hi Tony,
>
> I doubt it's coming from outside your network, I'd be looking at local 
> processes.
>
> Do you have combined logging enabled? If so check the access_log for 
> matching hits and check out what the user agent is, it might give you 
> some tips as to where it's coming from.
>
> Are the entries still occuring? If so a packet capture might help :)
>
> Cheers,
>
> Jason
>
> tony barry wrote:
> > Thanks for your reply Jason,
> >
> > I am aware that ::1 is localhost IPv6 which is why I am concerned. 
> >
> > How does someone outside our network send a packet to Apache which
> > appears to originate from the localhost?
> >
> > On Tue, 2007-04-17 at 13:38 +1000, jm wrote:
> > > Doubtful Tony, ::1 is localhost IPv6.
> > >
> > > $ /sbin/ifconfig lo
> > > lo        Link encap:Local Loopback
> > >            inet addr:127.0.0.1  Mask:255.0.0.0
> > >            inet6 addr: ::1/128 Scope:Host
> > >            UP LOOPBACK RUNNING  MTU:16436  Metric:1
> > >            RX packets:2725 errors:0 dropped:0 overruns:0 frame:0
> > >            TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
> > >            collisions:0 txqueuelen:0
> > >            RX bytes:7365015 (7.0 MiB)  TX bytes:7365015 (7.0 MiB)
> > >
> > > Cheers,
> > >
> > > Jason
> > >
> > >
> > >
> > > tony barry wrote:
> > > > Hi List,
> > > >
> > > > I recently found the following in my Apache error logs.
> > > >
> > > >
> > > > [Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security:
> > > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > > >
> > > > [Mon Apr 16 05:07:24 2007] [error] [client 222.137.34.211] mod_security:
> > > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > > >
> > > > [Mon Apr 16 18:45:22 2007] [error] [client 222.137.123.38] mod_security:
> > > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > > >
> > > > [Mon Apr 16 18:50:41 2007] [error] [client 222.243.165.41] mod_security:
> > > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > > >
> > > > [Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access
> > > > denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
> > > > "EMERGENCY"] [uri "/"]
> > > >
> > > > [Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access
> > > > denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
> > > > "EMERGENCY"] [uri "/"]
> > > >
> > > > [Mon Apr 16 21:41:02 2007] [error] [client ::1] mod_security: Access
> > > > denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
> > > > "EMERGENCY"] [uri "/"]
> > > >
> > > > [Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security:
> > > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > > [severity "EMERGENCY"] [hostname "my ip here7"] [uri "/"]
> > > >
> > > >
> > > > Looking back in the logs I found many instances of this error message
> > > > but of real concern are the two entries with [client ::1] which is what
> > > > caught my attention. Have I been hacked?