Re: Apache Logs

[jm <jm () hcn com au>]

Hi Tony,

I doubt it's coming from outside your network, I'd be looking at local 
processes.

Do you have combined logging enabled? If so check the access_log for 
matching hits and check out what the user agent is, it might give you 
some tips as to where it's coming from.

Are the entries still occuring? If so a packet capture might help :)

Cheers,

Jason

tony barry wrote:
> Thanks for your reply Jason,
>
> I am aware that ::1 is localhost IPv6 which is why I am concerned. 
>
> How does someone outside our network send a packet to Apache which
> appears to originate from the localhost?
>
> On Tue, 2007-04-17 at 13:38 +1000, jm wrote:
> > Doubtful Tony, ::1 is localhost IPv6.
> >
> > $ /sbin/ifconfig lo
> > lo        Link encap:Local Loopback
> >            inet addr:127.0.0.1  Mask:255.0.0.0
> >            inet6 addr: ::1/128 Scope:Host
> >            UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >            RX packets:2725 errors:0 dropped:0 overruns:0 frame:0
> >            TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
> >            collisions:0 txqueuelen:0
> >            RX bytes:7365015 (7.0 MiB)  TX bytes:7365015 (7.0 MiB)
> >
> > Cheers,
> >
> > Jason
> >
> >
> >
> > tony barry wrote:
> > > Hi List,
> > >
> > > I recently found the following in my Apache error logs.
> > >
> > >
> > > [Sun Apr 15 21:15:50 2007] [error] [client 222.84.146.84] mod_security:
> > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > >
> > > [Mon Apr 16 05:07:24 2007] [error] [client 222.137.34.211] mod_security:
> > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > >
> > > [Mon Apr 16 18:45:22 2007] [error] [client 222.137.123.38] mod_security:
> > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > >
> > > [Mon Apr 16 18:50:41 2007] [error] [client 222.243.165.41] mod_security:
> > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > [severity "EMERGENCY"] [hostname "my ip here"] [uri "/"]
> > >
> > > [Mon Apr 16 21:40:59 2007] [error] [client ::1] mod_security: Access
> > > denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
> > > "EMERGENCY"] [uri "/"]
> > >
> > > [Mon Apr 16 21:41:00 2007] [error] [client ::1] mod_security: Access
> > > denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
> > > "EMERGENCY"] [uri "/"]
> > >
> > > [Mon Apr 16 21:41:02 2007] [error] [client ::1] mod_security: Access
> > > denied with code 406. Pattern match "^$" at HEADER("HOST") [severity
> > > "EMERGENCY"] [uri "/"]
> > >
> > > [Mon Apr 16 22:11:40 2007] [error] [client 222.137.123.38] mod_security:
> > > Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT")
> > > [severity "EMERGENCY"] [hostname "my ip here7"] [uri "/"]
> > >
> > >
> > > Looking back in the logs I found many instances of this error message
> > > but of real concern are the two entries with [client ::1] which is what
> > > caught my attention. Have I been hacked?