Security Basics mailing list archives

Re: Apache Logs


From: tony barry <tony () no-bull co nz>
Date: Wed, 18 Apr 2007 07:09:55 +1200

Thanks for your reply Jason,

I am aware that ::1 is localhost IPv6, which is why I am concerned.

How does someone outside our network send a packet to Apache which
appears to originate from the localhost?

On Tue, 2007-04-17 at 13:38 +1000, jm wrote:
Doubtful Tony, ::1 is localhost IPv6.

$ /sbin/ifconfig lo
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7365015 (7.0 MiB)  TX bytes:7365015 (7.0 MiB)

Cheers,

Jason



tony barry wrote:
Hi List,

I recently found the following in my Apache error logs.


[Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 05:07:24 2007] [error] [client 222.137.34.211] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 18:45:22 2007] [error] [client 222.137.123.38] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 18:50:41 2007] [error] [client 222.243.165.41] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]

[Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access
denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
"EMERGENCY"] [uri "/"]

[Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access
denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
"EMERGENCY"] [uri "/"]

[Mon Apr 16 21:41:02 2007] [error] [client ::1] mod_security: Access
denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
"EMERGENCY"] [uri "/"]

[Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security:
Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
[severity "EMERGENCY"] [hostname "my ip here7"] [uri "/"]


Looking back in the logs I found many instances of this error message
but of real concern are the two entries with [client ::1] which is what
caught my attention. Have I been hacked?
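
As an added example (not part of the original thread), here is a small Python triage script for mod_security entries in the format quoted above. It re-joins wrapped lines, classifies each logged client address as loopback or remote, and counts denials by the header that matched the empty-string pattern. The function names and the `SAMPLE` constant are assumptions of this example; the four log lines are copied from the post.

```python
import ipaddress
import re
from collections import Counter

# Four entries copied from the post, re-joined onto one line each.
SAMPLE = """\
[Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
[Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("HOST") [severity "EMERGENCY"] [uri "/"]
[Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "my ip here7"] [uri "/"]
"""

ENTRY = re.compile(
    r'\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] mod_security: '
    r'Access denied with code (?P<code>\d+)\. '
    r'Pattern match "(?P<pattern>[^"]*)" at HEADER\("(?P<header>[^"]+)"\)'
)

def origin(client):
    """Classify the logged peer address as 'loopback', 'remote' or 'unparsed'."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unparsed"  # the field was not an IP literal
    # Treat an IPv4-mapped address such as ::ffff:127.0.0.1 like 127.0.0.1.
    mapped = getattr(addr, "ipv4_mapped", None)
    return "loopback" if (mapped or addr).is_loopback else "remote"

def parse(text):
    """Yield one dict per mod_security header denial; wrapped lines are tolerated."""
    flat = re.sub(r"\s*\n\s*", " ", text)  # undo e-mail/terminal line wrapping
    for m in ENTRY.finditer(flat):
        row = m.groupdict()
        row["origin"] = origin(row["client"])
        yield row

def summarise(rows):
    """Count denials per (origin, header that matched the empty pattern)."""
    return Counter((r["origin"], r["header"]) for r in rows)

if __name__ == "__main__":
    rows = list(parse(SAMPLE))
    for key, n in sorted(summarise(rows).items()):
        print(key, n)
    for r in rows:
        if r["origin"] == "loopback":
            print("local peer:", r["time"], r["header"])
```

On the sample, the remote clients are all denied for an empty User-Agent, while the `::1` entries are denied for an empty Host header, so the two groups are different kinds of request and are worth investigating separately.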



