LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-14-2006, 12:56 PM   #1
JediKnight2
LQ Newbie
 
Registered: Jul 2004
Posts: 22

Rep: Reputation: 15
Understanding an access log and what modsecurity did


Ok first my server locked up this morning with
Feb 14 07:14:49 server1 kernel: Out of Memory: Killed process 18253 (httpd).
So I am trying to figure that one out, but I find this in my access_log

85.192.4.78 - - [14/Feb/2006:06:08:56 -0500] "GET / HTTP/1.0" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
218.39.172.79 - - [14/Feb/2006:06:08:59 -0500] "GET / HTTP/1.1" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
221.139.207.34 - - [14/Feb/2006:06:08:59 -0500] "GET / HTTP/1.1" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
221.10.124.34 - - [14/Feb/2006:06:09:03 -0500] "GET / HTTP/1.0" 500 1013 "http://casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
211.178.140.50 - - [14/Feb/2006:06:09:06 -0500] "GET / HTTP/1.1" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
219.249.103.98 - - [14/Feb/2006:06:09:08 -0500] "GET / HTTP/1.1" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
218.39.172.79 - - [14/Feb/2006:06:09:09 -0500] "GET / HTTP/1.1" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
85.192.4.78 - - [14/Feb/2006:06:09:09 -0500] "GET / HTTP/1.0" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
221.10.124.34 - - [14/Feb/2006:06:09:10 -0500] "GET / HTTP/1.0" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
221.139.207.34 - - [14/Feb/2006:06:09:10 -0500] "GET / HTTP/1.1" 500 1013 "http://online-casino.mcr8.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"

I dont have that website on my system, but then mod_security spits this out

[Tue Feb 14 06:08:50 2006] [error] [client 219.249.103.98] mod_security: Access denied with code 500. Pattern match "[\\\\w\\\\-_.]*(casino|roulette)\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OFVU6EAixYYAAA3UCp0AAAAA"]
[Tue Feb 14 06:08:50 2006] [error] [client 211.178.140.50] mod_security: Access denied with code 500. Pattern match "[\\\\w\\\\-_.]*(casino|roulette)\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OFfBTUAixYYAAEdNf@YAAAAD"]
[Tue Feb 14 06:08:50 2006] [error] [client 218.39.172.79] mod_security: Access denied with code 500. Pattern match "[\\\\w\\\\-_.]*(casino|roulette)\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OFp-n0AixYYAAG5RKN4AAAAN"]
[Tue Feb 14 06:08:50 2006] [error] [client 85.192.4.78] mod_security: Access denied with code 500. Pattern match "[\\\\w\\\\-_.]*(casino|roulette)\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OF0kfEAixYYAAHKskhAAAAAK"]
[Tue Feb 14 06:08:50 2006] [error] [client 221.139.207.34] mod_security: Access denied with code 500. Pattern match "[\\\\w\\\\-_.]*(casino|roulette)\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OF1urUAixYYAAHMpBeUAAAAO"]
[Tue Feb 14 06:08:51 2006] [error] [client 24.91.80.71] mod_security: Access denied with code 500. Pattern match "[\\\\w\\\\-_.]*(casino|roulette)\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OGc-UEAixYYAACXGop0AAAAJ"]
[Tue Feb 14 06:08:56 2006] [error] [client 211.178.140.50] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OK8ZckAixYYAAHMmghEAAAAG"]
[Tue Feb 14 06:08:56 2006] [error] [client 219.249.103.98] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OLDtoEAixYYAAEdOgFwAAAAE"]
[Tue Feb 14 06:08:56 2006] [error] [client 85.192.4.78] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OLwVs0AixYYAAEdMHusAAAAC"]
[Tue Feb 14 06:08:59 2006] [error] [client 218.39.172.79] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OOABc0AixYYAAHMnITMAAAAI"]
[Tue Feb 14 06:08:59 2006] [error] [client 221.139.207.34] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OOT7uUAixYYAAEdNf@cAAAAD"]
[Tue Feb 14 06:09:03 2006] [error] [client 221.10.124.34] mod_security: Access denied with code 500. Pattern match "[\\\\w\\\\-_.]*(casino|roulette)\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "ORuFNEAixYYAAA3UCp4AAAAA"]
[Tue Feb 14 06:09:06 2006] [error] [client 211.178.140.50] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OUw9g0AixYYAAHMpBeYAAAAO"]
[Tue Feb 14 06:09:08 2006] [error] [client 219.249.103.98] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OXH5Z0AixYYAACXGop4AAAAJ"]
[Tue Feb 14 06:09:09 2006] [error] [client 218.39.172.79] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OXi46kAixYYAAG5RKN8AAAAN"]
[Tue Feb 14 06:09:09 2006] [error] [client 85.192.4.78] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OYC@10AixYYAAHKskhEAAAAK"]
[Tue Feb 14 06:09:10 2006] [error] [client 221.10.124.34] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OYLH5UAixYYAAHMmghIAAAAG"]
[Tue Feb 14 06:09:10 2006] [error] [client 221.139.207.34] mod_security: Access denied with code 500. Pattern match "(online)+[\\\\w\\\\-_.]*(prescription|casino|roulette|slot)+[\\\\w\\\\-_.]*\\\\.[a-z]{2,}" at HEADER("Referer") [hostname "www.HIDDENBYME.com"] [uri "/"] [unique_id "OYRL@UAixYYAAEdMHuwAAAAC"]

SO I am just tryin to figure out what is going on and just exactly what was attempted
 
Old 02-15-2006, 06:33 AM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,764
Blog Entries: 4

Rep: Reputation: 78
http://casino.mcr8.com is the referrer, almost certainly spoofed.
Looks like some sort of bot-net DOS attack, since the hits are 2-3/second.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
New SQUID user: How to clear the "access.log" and "store.log" automatically? yuzuohong Linux - Networking 2 12-02-2006 06:37 AM
Squid access.log to MS Access mephitic Linux - Software 0 10-30-2004 05:45 PM
Understanding var/log entries Boss Hoss Linux - Hardware 14 10-14-2004 03:20 PM
Strange results in /var/log/apache/access.log subt13 Linux - Security 2 08-03-2004 02:21 PM
My squid won't fill /var/log/squid/access.log linuxlah Linux - General 5 10-06-2003 11:51 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:29 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration