Re: [mod-security-users] What this error means exactly
From: Ofer S. <OferS@Breach.com> - 2007-08-13 20:20:06
This is certainly an HTTP snippet, so I would not put it on telnet to the wrong port.

+ Might be a new worm or attack vector.

+ I would try to look up the source addresses (http://centralops.net/co/ is a good tool to use). Are they expected IP addresses or foreign ones (China?). If they are expected IPs, it would look again like a communication problem. If they belong to the same ADSL provider, it might after all be the same guy.

+ Is the snippet we have (okie: 969e171d3bf458c0b7d32d9dda1fe360=-; mbfcookie[lang]=fr) part of normal traffic to your site? If so it looks like a communication issue.

~ Ofer

From: Alexandre SALEM [mailto:ale...@gm...]
Sent: Monday, August 13, 2007 5:28 PM
To: Ofer Shezaf
Cc: mod...@li...
Subject: Re: [mod-security-users] What this error means exactly

Hi,

It happened yesterday with 3 different IPs. The request is the same. Maybe it's concerning an unsuccessful telnet on port 80. Because today I do not have this error. What do you think?

Alex

2007/8/13, Ofer Shezaf <Of...@br...>:

Section B includes the request as received by ModSecurity. As you can see it is invalid. What we see as a request is a part of There might be several reasons for that:

+ Original request is actually bad due to a communication or setup problem at the client

+ Some unknown attack method.

+ Some setup problem in your network/server problem at your end.

Is it something that happens a lot? For different users or always from a specific IP? Always the same request or different fragments?

~ Ofer

From: Alexandre SALEM [mailto:ale...@gm...]
Sent: Monday, August 13, 2007 1:45 PM
To: Ofer Shezaf
Subject: Re: [mod-security-users] What this error means exactly

Hi!

Here is the whole part:

--ca4f0000-A--
...
--ca4f0000-B--
okie: 969e171d3bf458c0b7d32d9dda1fe360=-; mbfcookie[lang]=fr
--ca4f0000-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
--ca4f0000-H--
Apache-Error: [file ".\\server\\core.c"] [line 3485] [level 3] Invalid URI in request okie: 969e171d3bf458c0b7d32d9dda1fe360=-; mbfcookie[lang]=fr\r
Stopwatch: 1186909825109375 0 (- - -)
Producer: ModSecurity v2.1.0 (Apache 2.x)
Server: Apache/2.2.4 (Win32) PHP/5.2.3
--ca4f0000-Z--

2007/8/13, Ofer Shezaf <Of...@br...>:

Can you also send the request part of the audit log record?

Seems like the request is not sent or not parsed correctly along the way.

Thanks
~ Ofer

From: mod...@li... [mailto: mod...@li... <mailto:mod...@li...> ] On Behalf Of Alexandre SALEM
Sent: Monday, August 13, 2007 1:13 PM
To: mod...@li...
Subject: [mod-security-users] What this error means exactly

Hi guys,

I'm triggering this error and I don't know why:

--955b0000-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
--955b0000-H--
Apache-Error: [file ".\\server\\core.c"] [line 3485] [level 3] Invalid URI in request okie: mbfcookie[lang]=fr; 969e171d3bf458c0b7d32d9dda1fe360=-\r
Stopwatch: 1186942580671875 0 (- - -)
Producer: ModSecurity v2.1.0 (Apache 2.x)
Server: Apache/2.2.4 (Win32) PHP/5.2.3

Thx for your help
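
The triage questions raised in the thread (how often, from which addresses, the same fragment or different ones) can be answered from the audit log itself. The Python below is an added example, not code from the thread or from ModSecurity: it splits a serial audit log into records and groups by source IP every record whose section B does not begin with a request line. It assumes section A has the layout "[timestamp] unique_id source_ip source_port dest_ip dest_port" and that a valid request line is "METHOD target HTTP/x.y"; the sample addresses, ids and timestamps are constructed, and only the two fragments come from the thread.

```python
import re
from collections import defaultdict

BOUNDARY = re.compile(r"^--[0-9a-f]{8}-([A-Z])--[ \t]*\r?$", re.M)
# Assumed section A layout: [timestamp] unique_id src_ip src_port dst_ip dst_port
SECTION_A = re.compile(r"^\[[^\]]+\]\s+\S+\s+(\S+)\s+\d+\s+\S+\s+\d+")
# Assumption: a well-formed request line is "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")

# Constructed sample: addresses, ids and timestamps are made up; the two
# malformed fragments are the ones quoted in the thread.
SAMPLE = """\
--ca4f0000-A--
[12/Aug/2007:11:10:25 +0200] sampleid0001 192.0.2.10 4001 198.51.100.5 80
--ca4f0000-B--
okie: 969e171d3bf458c0b7d32d9dda1fe360=-; mbfcookie[lang]=fr
--ca4f0000-Z--
--955b0000-A--
[12/Aug/2007:20:16:20 +0200] sampleid0002 192.0.2.77 4002 198.51.100.5 80
--955b0000-B--
okie: mbfcookie[lang]=fr; 969e171d3bf458c0b7d32d9dda1fe360=-
--955b0000-Z--
--1a2b0000-A--
[12/Aug/2007:20:17:01 +0200] sampleid0003 192.0.2.10 4003 198.51.100.5 80
--1a2b0000-B--
GET /index.php HTTP/1.1
--1a2b0000-Z--
"""

def parse_records(text):
    """Split a serial audit log into one {section letter: body} dict per record."""
    parts = BOUNDARY.split(text)[1:]  # letter, body, letter, body, ...
    records = []
    for letter, body in zip(parts[0::2], parts[1::2]):
        if letter == "A":             # section A opens a new record
            records.append({})
        if records:                   # ignore sections seen before any A
            records[-1][letter] = body.strip()
    return records

def malformed_requests(text):
    """Return {source IP: [fragments]} for records whose section B is not a request."""
    hits = defaultdict(list)
    for rec in parse_records(text):
        first = rec.get("B", "").split("\n", 1)[0].strip()
        if "B" in rec and not REQUEST_LINE.match(first):
            a = SECTION_A.match(rec.get("A", ""))
            hits[a.group(1) if a else "unknown"].append(first)
    return dict(hits)
```

Calling `malformed_requests()` on the real log text shows at a glance whether the fragments come from one address or several, and whether they are identical.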