Author Topic: Is this a Hack Attempt ??  (Read 10679 times)


Fastian
Is this a Hack Attempt ??
« on: March 17, 2006, 04:03:27 PM »
I am not very fond of seeing error logs of my site. Normally there are just 404 error messages.
But by chance I just looked at them and I am surprised to see a security error message.
The entire log is full of something like this

Code:
[Thu Mar 16 21:36:23 2006] [error] [client 202.125.129.28] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/contact.php"]
[Fri Mar 17 02:10:28 2006] [error] [client 213.42.2.25] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/register.php"]
[Tue Mar 14 22:52:27 2006] [error] [client 202.59.80.60] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/postcard.img17.htm"]
[Tue Mar 14 11:19:37 2006] [error] [client 203.175.64.10] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/admin/settings.php"]

Most of the time it is with Register.php

Then someone is looking for a file "displayimage.php" which doesn't exist and it never was.

So I am just curious to know what is this mod_security and what is happening with my site?  :? :?
I m not a  Programmer.
          But
I m a Good Learner.

V@no
Re: Is this a Hack Attempt ??
« Reply #1 on: March 18, 2006, 12:17:55 AM »
And what is the accessed url? (you should be able to get that info from access log files)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Fastian
Re: Is this a Hack Attempt ??
« Reply #2 on: March 18, 2006, 08:30:29 AM »
Corresponding to the entries of "displayimage.php":
It looks to be a search bot but I don't know why it's looking for something that was never there.

Code:
129.186.128.28 - - [16/Mar/2006:09:13:18 -0800] "GET /robots.txt HTTP/1.1" 200 803 "-" "MJ12bot/v1.0.7 (http://majestic12.co.uk/bot.php?+)"
129.186.128.28 - - [16/Mar/2006:09:13:18 -0800] "GET /displayimage.php?album=random&cat=0&pos=-1089 HTTP/1.1" 404 510 "-" "MJ12bot/v1.0.7 (http://majestic12.co.uk/bot.php?+)"

For the entries of "mod_security"
I found these 3 IP detail access log. (Not complete)

Could it be the cause of some Web Downloader or something ??

V@no
Re: Is this a Hack Attempt ??
« Reply #3 on: March 18, 2006, 02:05:49 PM »
I don't know, what is in your robots.txt file?
As of displayimage.php url it is for Coppermine Photo Gallery, you probably used it in the past and bots still remember it...

As of pattern match, it matches the email address. So when someone is trying to submit an email address, via register.php, contact.php or even admin/settings.php, mod_security will trigger an error.

It seems whoever set up mod_security on your server turned on "paranoid" security level. Basically contact your hoster and ask them to remove this pattern, and wait until some other pattern matches....

Bottom line, it was not a hacking attempt, you may relax  ;)
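Added example (not part of the original posts): a small triage script that parses the four mod_security lines quoted in the first post and replays the logged pattern against harmless form submissions, showing that any body containing an e-mail address triggers the rule. The sample submissions and their field names are constructed, and matching against the decoded body text is an assumption.

```python
import re
from collections import Counter

# The four error-log lines quoted in the first post, verbatim.
LOG = r'''
[Thu Mar 16 21:36:23 2006] [error] [client 202.125.129.28] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/contact.php"]
[Fri Mar 17 02:10:28 2006] [error] [client 213.42.2.25] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/register.php"]
[Tue Mar 14 22:52:27 2006] [error] [client 202.59.80.60] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/postcard.img17.htm"]
[Tue Mar 14 11:19:37 2006] [error] [client 203.175.64.10] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mydomain.com"] [uri "/admin/settings.php"]
'''

# Field layout inferred from those four lines only (an assumption, not a full log grammar).
ALERT_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] mod_security: (?P<action>\w+)\. '
    r'Pattern match "(?P<pattern>.*)" at (?P<location>\S+) '
    r'\[hostname "(?P<host>[^"]*)"\] \[uri "(?P<uri>[^"]*)"\]')

# Constructed, harmless form submissions; the field names are hypothetical.
SAMPLES = {
    "registration": {"name": "alice", "email": "alice@example.org"},
    "contact": {"from": "bob.smith@mail.example.com", "text": "Nice gallery"},
    "search": {"keywords": "sunset beach", "page": "2"},
}

def parse_alerts(text):
    """Return one dict per mod_security alert line found in text."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def body_matches(pattern, fields):
    """True if the rule's regex matches a form body built from fields.
    Assumption: the regex is applied to the decoded body text."""
    body = "&".join(f"{k}={v}" for k, v in fields.items())
    return re.search(pattern, body) is not None

def triage(text, samples=SAMPLES):
    """Summarise the alerts and replay each distinct pattern on benign input."""
    alerts = parse_alerts(text)
    patterns = sorted({a["pattern"] for a in alerts})
    return {
        "alerts": len(alerts),
        "clients": len({a["client"] for a in alerts}),
        "uris": Counter(a["uri"] for a in alerts),
        "patterns": patterns,
        "benign_hits": {name: any(body_matches(p, f) for p in patterns)
                        for name, f in samples.items()},
    }

if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

One pattern logged from four unrelated clients across four form URIs, which also matches the constructed benign submissions, points to an over-broad rule rather than to a single hostile source.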

Fastian
Re: Is this a Hack Attempt ??
« Reply #4 on: March 18, 2006, 03:53:09 PM »
Thanks V@no
Me Relax now  :D

My site is hosted by Startlogic.com. It’s on a shared server along with 181 other websites. So I wonder if they would do anything on my request.

Besides this warning message I don’t have any trouble (I think so).
I hope this is not a big security issue? Am I right?? Should I inform them?

I don't know, what is in your robots.txt file?
As of displayimage.php url it is for Coppermine Photo Gallery, you probably used it in the past and bots still remember it...

What kind of silly bots we have here??
I stopped using coppermine about 14 months before & I have removed everything related to it about one year before.
But still it's looking for it. What a pity?

About robots.txt -- I am attaching it. It's in my subfolder.
I have 4images in my subfolder of Primary domain. But to the user it looks like a whole new different domain. This is because of the “Host Multiple domain” feature from my host.

V@no
Re: Is this a Hack Attempt ??
« Reply #5 on: March 18, 2006, 04:16:37 PM »
My site is hosted by Startlogic.com. It’s on a shared server along with 181 other websites. So I wonder if they would do anything on my request.

Besides this warning message I don’t have any trouble (I think so).
I hope this is not a big security issue? Am I right?? Should I inform them?
You should, because with their mod_security settings nobody will be able to use email addresses in a form with POST method...that's just stupid!


What kind of silly bots we have here??
I stopped using coppermine about 14 months before & I have removed everything related to it about one year before.
But still it's looking for it. What a pity?
...tell you the truth, I had this problem too, yahoo for example, still showing my old domain, that was not in use for almost 3 years now...I just can't get them to change it...stupid system...

Fastian
Re: Is this a Hack Attempt ??
« Reply #6 on: April 03, 2006, 10:56:56 PM »
After about 14 days of my support ticket, I finally got a reply from the so-called 24 hours online support team with these words
(You can imagine my frustration over this )
Quote
Dear Fastian,

Thank you for contacting StartLogic technical support.

You need to put the following line into your .htaccess file.

SecFilterInheritance Off
That should take care of it.

What I am trying to know here is, since I am using the Mod "Search engine friendly urls" and I have about 10 lines of code in my .htaccess file.
So where should I add it?? Start or end.

BTW, would someone like to tell if this is going to cause any other issue?

V@no
Re: Is this a Hack Attempt ??
« Reply #7 on: April 04, 2006, 01:14:28 AM »
So where should I add it?? Start or end.
Add it at the start.

BTW, would someone like to tell if this is going to cause any other issue?
This will only disable filters that mod_security uses when scanning contents.
If you don't know what other rules your hoster added to these filters, this is the way to go, but if you know other rules, then you could use SecFilterRemove XXX XXX XXX where XXX is the rule IDs you want to disable.
Reference:
http://www.modsecurity.org/documentation/modsecurity-apache/stable/03-configuration.html

Fastian
Re: Is this a Hack Attempt ??
« Reply #8 on: April 04, 2006, 12:45:18 PM »
This will only disable filters that mod_security uses when scanning contents.
If you don't know what other rules your hoster added to these filters, this is the way to go, but if you know other rules, then you could use SecFilterRemove XXX XXX XXX where XXX is the rule IDs you want to disable.
Reference:
http://www.modsecurity.org/documentation/modsecurity-apache/stable/03-configuration.html

After reading all the pages that come with the above link, I thought that disabling mod_security totally will not be such a good idea.

(Somewhere in the article it's mentioned that it prevents various kinds of DOS attacks and other hack attempts if it's configured properly)

So I started searching Google and after going through 4/5 sites I came up with this

SecFilterScanPOST Off

With my limited knowledge, I don’t exactly know what I have done here, but it seems it's working fine.
My error log is no longer getting mod_security warnings.

So V@no, would you please just tell me if I am doing the right thing here?

What would you prefer?

SecFilterScanPOST Off
Or
SecFilterInheritance Off

V@no
Re: Is this a Hack Attempt ??
« Reply #9 on: April 04, 2006, 02:56:57 PM »
Sorry, I don't know anything about mod_security, so I can't tell..
but since all your problems came from POST submissions, then I guess disabling POST filtering would be better...