Dear Christian,

So many thanks!
For the sake of completeness here is the complete log entry:

--b1820656-A--
[29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703 195.24.78.232 80
--b1820656-B--
GET /phpmyadmin/main.php HTTP/1.0
Host: 195.24.78.232

--b1820656-F--
HTTP/1.1 400 Bad Request
Content-Length: 289
Connection: close
Content-Type: text/html; charset=iso-8859-1

--b1820656-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Action: Intercepted (phase 2)
Stopwatch: 1230588749931920 535 (172 405 -)
Producer: ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/); core ruleset/1.6.1; core ruleset/1.6.1.
Server: Apache

--b1820656-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "phase:2,chain,skip:1,t:none,log,auditlog,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,auditlog,pass,t:none"
SecRule "&REQUEST_HEADERS:User-Agent" "@eq 0" "phase:2,skip:1,t:none,log,auditlog,msg:'Request Missing a User Agent Header',id:960009,tag:PROTOCOL_VIOLATION/MISSING_HEADER,severity:4"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"
SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d\\.]+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST"
SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"
SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"

--b1820656-Z--

--1b0adb5e-A--
[29/Dec/2008:23:12:29 +0100] xU3lasMYTucAAGMsTgQAAAAX 85.114.141.195 2702 195.24.78.231 80
--1b0adb5e-B--
GET /phpmyadmin/main.php HTTP/1.0
Host: 195.24.78.231

I have hundreds like this one coming from the same IP, as you can see from the beginning of the second log entry...

SO many thanks again...

On Wed, Dec 31, 2008 at 12:11 AM, Christian Bockermann <chris@jwall.org> wrote:
Hi Ioannis!


On 30.12.2008 at 22:18, Ioannis Angelopoulos wrote:

My audit log is FULL (almost 2Megs full) of text like the following:

--b1820656-A--
[29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703 195.24.78.232 80
--b1820656-B--
GET /phpmyadmin/main.php HTTP/1.0
Host: 195.24.78.232

The rule "Host header is a numeric IP address" obviously matches and the audit action is generated.

The above IP 85.114.141.195 appears in my log 304 times and the log is 24 hours old!
Also the other IP 195.24.78.232 is the IP of one of the local ifaces.

My question is what the above might mean?!? Is it necessarily a malicious act (e.g. 85.114.141.195 is an open proxy) and many people connect through it trying to fetch phpmyadmin (which btw does not exist), or could it be something else normal??? Does this IP sound familiar to you?

In your case (as phpmyadmin does not exist), this is probably just someone scanning for vulnerable applications. As you did not present the complete AuditLog entry, we can only assume that it was created due to a rule checking for a non-numerical host header. This says the "attacker" (i.e. scanner) just looks for any server (he will probably try a lot of other IP addresses as well) providing a phpmyadmin application.

One key issue, why an attacker uses IP addresses in this case, might simply be: they're enumerable. Hostnames are not (at least not in an easy way). So this is just a wild probe.

The interesting part here is what Apache/ModSecurity sent back. Most likely it is rule #960017 which will make Apache respond with a 400 error page. So nothing bad happened. In order to make this rule a little bit quieter, you could simply modify its actions by substituting "log" with "nolog" and "auditlog" with "noauditlog".


Best regards and a happy new year to you as well (as to all others, of course),

   Chris
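The audit-log entries quoted in this thread are in the ModSecurity 2.x serial audit-log format (sections --<id>-A-- through --<id>-Z--). The following is an added example, not code from the thread or from the ModSecurity project: a small parser for that format which extracts the client and server endpoints from section A, the request line and Host header from section B, the response status from section F, and the rule messages and final verdict from section H, then aggregates intercepted requests per client IP. It goes slightly beyond the single case above by handling many entries at once and separating warning-only hits (960015, 960009) from the rule that actually blocked (960017), which is what Ioannis's "hundreds from the same IP" look like in summary. The sample log embedded in the block is constructed from the two transactions quoted above, trimmed to the sections the parser uses.

```python
"""Parse ModSecurity 2.x serial audit-log entries (the --<id>-A-- .. --<id>-Z--
sections shown in the thread) and count which rules fired per client IP.
Added example; not code from the thread or from the ModSecurity project."""
import re
from collections import Counter, defaultdict

# Constructed sample: the two transactions quoted in the thread, trimmed to the
# sections this parser uses (A = transaction, B = request, F = response, H = audit trailer).
SAMPLE_LOG = r"""
--b1820656-A--
[29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703 195.24.78.232 80
--b1820656-B--
GET /phpmyadmin/main.php HTTP/1.0
Host: 195.24.78.232

--b1820656-F--
HTTP/1.1 400 Bad Request

--b1820656-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Action: Intercepted (phase 2)

--b1820656-Z--

--1b0adb5e-A--
[29/Dec/2008:23:12:29 +0100] xU3lasMYTucAAGMsTgQAAAAX 85.114.141.195 2702 195.24.78.231 80
--1b0adb5e-B--
GET /phpmyadmin/main.php HTTP/1.0
Host: 195.24.78.231

--1b0adb5e-H--
Message: Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Action: Intercepted (phase 2)

--1b0adb5e-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
A_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)$")
MSG_FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # the [key "value"] pairs in a Message: line


def split_entries(text):
    """Group lines by boundary id: {id: {section_letter: [lines]}}, in file order."""
    entries, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            bid, sec = m.groups()
            # -Z- closes the transaction; any other letter opens a new section of it.
            current = None if sec == "Z" else entries.setdefault(bid, {}).setdefault(sec, [])
        elif current is not None:
            current.append(line)
    return entries


def parse_entry(bid, sections):
    """Flatten one transaction: endpoints, request line, Host, response status, rule hits, verdict."""
    info = {"id": bid, "request": None, "host": None, "status": None, "rules": [], "intercepted": False}
    a = sections.get("A", [])
    if a and (m := A_LINE_RE.match(a[0])):
        info.update(m.groupdict())
    b = sections.get("B", [])
    if b:
        info["request"] = b[0]
        info["host"] = next((l.split(":", 1)[1].strip() for l in b[1:] if l.lower().startswith("host:")), None)
    f = sections.get("F", [])
    if f and f[0].startswith("HTTP/"):
        info["status"] = int(f[0].split()[1])
    for line in sections.get("H", []):
        if line.startswith("Message:"):
            fields = dict(MSG_FIELD_RE.findall(line))
            fields["denied"] = "Access denied" in line  # the rule that blocked, as opposed to a warning
            info["rules"].append(fields)
        elif line.startswith("Action:"):
            info["intercepted"] = "Intercepted" in line
    return info


def parse_audit_log(text):
    return [parse_entry(bid, secs) for bid, secs in split_entries(text).items()]


def summarise(entries):
    """Blocked requests per client IP, hits per (rule id, msg), and which local IPs each client touched."""
    by_client, by_rule, targets = Counter(), Counter(), defaultdict(set)
    for e in entries:
        if e["intercepted"]:
            by_client[e["cip"]] += 1
            targets[e["cip"]].add(e["sip"])
        for r in e["rules"]:
            by_rule[(r.get("id"), r.get("msg"))] += 1
    return by_client, by_rule, {ip: sorted(v) for ip, v in targets.items()}


if __name__ == "__main__":
    clients, rules, targets = summarise(parse_audit_log(SAMPLE_LOG))
    for ip, n in clients.most_common():
        print(f"{ip}: {n} intercepted request(s) against {', '.join(targets[ip])}")
    for (rid, msg), n in rules.most_common():
        print(f"  rule {rid} ({msg}): {n}")
```

Run against a real audit log by replacing SAMPLE_LOG with the file contents; the per-client table shows at a glance whether one source is sweeping several local addresses (as 85.114.141.195 does against .231 and .232 here), and the per-rule table tells you which rule is responsible for the log volume before you decide to set it to nolog,noauditlog.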