#Web_Attacks
webdesignersolutions · 8 years ago
I get a lot of ModSecurity results in Apache error logs on a daily basis (Apache 2.4 on CentOS 6.9 with many WP sites on). My understanding is that these are just showing that ModSecurity is doing its job here.
[Sun Dec 10 20:17:53.759787 2017] [:error] [pid 4300:tid 139925334730496] [client 173.44.164.74:44065] [client 173.44.164.74] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)| (?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?: (?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:comment. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "123"] [id "950006"] [msg "System Command Injection"] [data "/id-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/wp-comments-post.php"] [unique_id "Wi3cwdGY1lz@BVkGs1dm9gAAApI"], referer: http://www.mysite.com/software/post-title/
So this pattern match is what the attacker is trying to insert into my site, correct? Can anyone tell what it's trying to do here? I can see that it's a fairly complex regex string and it seems to be trying to add .exe to something....
thanks
Submitted December 10, 2017 at 06:29PM by easy_c0mpany80 https://www.reddit.com/r/webhosting/comments/7iym0m/question_about_modsecurity_results_in_apache/?utm_source=ifttt
from Blogger http://webdesignersolutions1.blogspot.com/2017/12/question-about-modsecurity-results-in.html via IFTTT
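Added here as a worked example for triaging entries like the one in the post (it is not code from the post, from ModSecurity or from any other project): a small Python parser that pulls the bracketed fields out of a ModSecurity error_log line, separates the rule's own regex (the long "Pattern match" string, which comes from the cited rule file and line) from the fragment of the request that actually matched (the `[data ...]` value), and counts blocks per client and rule. The first sample line is the one quoted in the post; the second is a constructed variant using a documentation IP address.

```python
import re
from collections import Counter

# First line: the error_log entry quoted in the post (rule regex shortened with "...").
SAMPLE_LOG = r'''[Sun Dec 10 20:17:53.759787 2017] [:error] [pid 4300:tid 139925334730496] [client 173.44.164.74:44065] [client 173.44.164.74] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)| (?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp) ..." at ARGS:comment. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "123"] [id "950006"] [msg "System Command Injection"] [data "/id-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/wp-comments-post.php"] [unique_id "Wi3cwdGY1lz@BVkGs1dm9gAAApI"], referer: http://www.mysite.com/software/post-title/'''
# Second line: constructed for this example (203.0.113.0/24 is a documentation range).
CONSTRUCTED_LOG = '[Sun Dec 10 20:18:11.000000 2017] [:error] [pid 4300:tid 1] [client 203.0.113.5:51000] ModSecurity: Access denied with code 501 (phase 2). Pattern match "placeholder" at ARGS:comment. [id "950006"] [msg "System Command Injection"] [data "/id-"] [hostname "www.mysite.com"] [uri "/wp-comments-post.php"]'

QUOTED_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')          # [key "value"]
CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')  # IPv4 client, optional port
PATTERN = re.compile(r'Pattern match "(.*?)" at ([\w:-]+)\.')          # rule regex + matched variable


def parse_modsec_line(line: str) -> dict:
    """Turn one ModSecurity error_log entry into a dict of its fields."""
    event = dict(QUOTED_FIELD.findall(line))          # file, line, id, msg, data, uri, ...
    m = CLIENT.search(line)
    if m:
        event["client"] = m.group(1)
    m = re.search(r'ModSecurity: (Access denied with code (\d+)|Warning)', line)
    event["blocked"] = bool(m and m.group(2))         # "Access denied" means the request was stopped
    m = PATTERN.search(line)
    if m:
        event["rule_pattern"], event["matched_variable"] = m.groups()
    m = re.search(r'referer: (\S+)', line)
    if m:
        event["referer"] = m.group(1)
    return event


def describe(event: dict) -> str:
    """One-line triage note: the attacker-supplied fragment is [data], not the rule regex."""
    verdict = "blocked" if event["blocked"] else "logged"
    return (f"rule {event.get('id')} ({event.get('msg')}) {verdict} {event.get('client')} "
            f"posting to {event.get('uri')}: {event.get('matched_variable')} contained "
            f"{event.get('data')!r}")


def summarize(lines) -> Counter:
    """Count blocked requests per (client, rule id, message) so repeat sources stand out."""
    counts = Counter()
    for line in lines:
        ev = parse_modsec_line(line)
        if ev.get("blocked") and "id" in ev:
            counts[(ev.get("client"), ev["id"], ev.get("msg"))] += 1
    return counts


if __name__ == "__main__":
    print(describe(parse_modsec_line(SAMPLE_LOG)))
    for key, n in summarize([SAMPLE_LOG, SAMPLE_LOG, CONSTRUCTED_LOG]).most_common():
        print(n, key)
```

Feeding the real error_log through `summarize` turns a wall of rule regexes into a short table of who is tripping which rule, which is the view that matters for deciding whether anything beyond the default block is needed.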