Elxis CMS Forum
Support => Security => Topic started by: jimmyz on January 27, 2010, 17:21:54
-
Hi fellows. I read in my (apache) error_log:
[Mon Jan 25 23:59:54 2010] [error] [client 89.210.44.23] ModSecurity: Warning. Pattern match "^\\w+:/" at REQUEST_URI_RAW. [file "/etc/httpd/conf.d/mod_securtiy.conf"] [line "197"] [id "960014"] [msg "Proxy access attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"] [hostname "xxxxxx.gr"] [uri "/banners/13.html"] [unique_id "SgyGl38AAAEAADUNr4XXXXXX"]
What does this mean?
What were they trying to do?
-
It reported a blocked attack by Mod Security Rules ...
-
Hi, Farhad.
I can see that Apache's ModSecurity was triggered by a pattern in the requested URL matching ^\\w+:/, as expected from the directive in line 197 of /etc/httpd/conf.d/mod_securtiy.conf. The message printed out was "Proxy access attempt" and the severity of such an attack was described as "CRITICAL".
This is part of the access_log:
89.210.44.23 - - [25/Jan/2010:23:59:54 +0200] "GET http:/xxxxxx.gr/banners/13.html HTTP/1.0" 404 4608 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
which indicates that the attacker took a 404 error.
Whois reports this IP as a user of Hellas On Line SA - a DSL provider.
Was someone trying to use my hosting server (apache) as a proxy (through elxis)?
-
No, no need to worry about that.
He/she tried to access your web site through a proxy ...
Your hosting provider tried to block his/her attempt.
-
Thanks, Farhad.
I assume that the proxy was a bad one. I successfully tried guardster.com, without generating any error messages.
Cheers :)
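-
Added example (not part of the forum thread): a Python script that applies the pattern quoted in the ModSecurity message, ^\w+:/, to the request target of each access_log line, listing the requests that would trigger the rule together with the status the server returned. The first sample line is the one quoted in the thread; the other lines, the 192.0.2.x addresses, example.test and all function names are constructed for this example.

```python
import re

# Pattern quoted in the ModSecurity message (rule id 960014, REQUEST_URI_RAW).
# Anchored at the start, so it only matches a target that begins with "scheme:/".
PROXY_PATTERN = re.compile(r"^\w+:/")

# Apache common/combined log format: client ident user [time] "request" status size ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def request_target(request_line):
    """Return the target (second token) of 'METHOD target PROTOCOL', or None."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else None

def find_proxy_style_requests(lines):
    """Return (client, target, status) for every line whose target matches the rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access_log line
        target = request_target(m.group("request"))
        if target and PROXY_PATTERN.match(target):
            hits.append((m.group("client"), target, int(m.group("status"))))
    return hits

SAMPLE_LOG = [
    # Line quoted in the thread: target starts with "http:/", so the rule matches.
    '89.210.44.23 - - [25/Jan/2010:23:59:54 +0200] "GET http:/xxxxxx.gr/banners/13.html HTTP/1.0" 404 4608 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"',
    # Constructed: absolute URI naming another host.
    '192.0.2.10 - - [26/Jan/2010:00:01:02 +0200] "GET http://example.test/ HTTP/1.1" 403 210 "-" "-"',
    # Constructed: ordinary path-only request, no match.
    '192.0.2.11 - - [26/Jan/2010:00:02:03 +0200] "GET /banners/13.html HTTP/1.1" 200 1024 "-" "-"',
    # Constructed: URL inside the query string; the anchored pattern does not match.
    '192.0.2.12 - - [26/Jan/2010:00:03:04 +0200] "GET /go?url=http://example.test/ HTTP/1.1" 200 512 "-" "-"',
    # Constructed: empty request (timeout entry), no target to test.
    '192.0.2.13 - - [26/Jan/2010:00:04:05 +0200] "-" 408 - "-" "-"',
]

if __name__ == "__main__":
    for client, target, status in find_proxy_style_requests(SAMPLE_LOG):
        print(f"{client} requested {target} -> {status}")
```

A 404 or 403 on a flagged line, as in the entry quoted in the thread, shows the server did not serve the requested target.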