[7.951][DUPLICATE][CLOSED] reverse proxy

Hello friends!

Please check the log, where you will find there was some attempt to get direct access.


Has the log format of the log reporting changed? (Is this a question or is this a bug?)

Previously it was -----
2010:06:13-15:43:54 acenn reverseproxy: [Sun Jun 13 15:43:54 2010] [error] [client 86.109.166.208] ModSecurity: Warning. Operator GE matched 20 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/REF_xKTvtEIXmU.rules"] [line "929"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 20, SQLi=, XSS=): Comment Evasion Attempt"] [hostname "support.mydomain"] [uri "/phpMyAdmin//scripts/setup.php"] [unique_id "TBSvYj0RwasAABpQNe4AAABT"]
2010:06:13-15:43:54 acenn reverseproxy: srcip="86.109.166.208" localip="mypublicip" size="169" user="-" host="86.109.166.208" method="GET" statuscode="404" time="177572" url="/phpMyAdmin//scripts/setup.php" server="support.mydomain" referer="-" cookie="-" set-cookie="-"
2010:06:13-15:46:15 acenn reverseproxy: [Sun Jun 13 15:46:15 2010] [error] [client 86.109.166.208] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/REF_xKTvtEIXmU.rules"] [line "927"] [msg "Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): Comment Evasion Attempt"] [hostname "support.mydomain"] [uri "/phpmyadmin//scripts/setup.php"] [unique_id "TBSv7z0RwasAABoyHnwAAAAQ"]


Now I am getting ------

2010:06:26-07:58:55 acenn reverseproxy: srcip="217.172.164.247" localip="mypublicip" size="182" user="-" host="217.172.164.247" method="GET" statuscode="403" time="803" url="/index.php" server="support.mydomain" referer="-" cookie="-" set-cookie="-"
2010:06:26-07:58:55 acenn reverseproxy: [Sat Jun 26 07:58:55 2010] [error] [client 217.172.164.247] Hostname in HTTP request does not match the server name
2010:06:26-07:58:55 acenn reverseproxy: srcip="217.172.164.247" localip="mypublicip" size="187" user="-" host="217.172.164.247" method="GET" statuscode="403" time="1029" url="/extras/update.php" server="support.mydomain" referer="-" cookie="-" set-cookie="-"


There is no count of reverse proxy requests served today; it is always 0 requests served today (I have been monitoring this for the last 8 days).





acenn:/home/login # cd /var/sec/chroot-reverseproxy/var/log/audit/
acenn:/var/sec/chroot-reverseproxy/var/log/audit # ls
20100511  20100626
acenn:/var/sec/chroot-reverseproxy/var/log/audit # cd 20100626/
acenn:/var/sec/chroot-reverseproxy/var/log/audit/20100626 # ls
20100626-0758
acenn:/var/sec/chroot-reverseproxy/var/log/audit/20100626 # cd 20100626-0758/
acenn:/var/sec/chroot-reverseproxy/var/log/audit/20100626/20100626-0758 # ls
20100626-075856-TCVl6D0RwasAABo-UfIAAABE
acenn:/var/sec/chroot-reverseproxy/var/log/audit/20100626/20100626-0758 # file 20100626-075856-TCVl6D0RwasAABo-UfIAAABE
20100626-075856-TCVl6D0RwasAABo-UfIAAABE: ASCII text

acenn:/var/sec/chroot-reverseproxy/var/log/audit/20100626/20100626-0758 # cat 20100626-075856-TCVl6D0RwasAABo-UfIAAABE
--3149d07e-A--
[26/Jun/2010:07:58:56 +051800] TCVl6D0RwasAABo-UfIAAABE 217.172.164.247 43209 61.17.193.171 80
--3149d07e-B--
GET  HTTP/1.1

--3149d07e-H--
Apache-Error: [file "core.c"] [line 3502] [level 3] Invalid URI in request GET  HTTP/1.1
Stopwatch: 1277519336097067 390 (- - -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.15 (Unix) proxy_html/3.1.2 mod_ssl/2.2.15 OpenSSL/0.9.8h

--3149d07e-Z--
acenn:/var/sec/chroot-reverseproxy/var/log/audit/20100626/20100626-0758 #

Please check this link also:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/102/t/69654 


acenn:/var/sec/chroot-reverseproxy/var/log/audit/20100511/20100511-0936 # cat 20100511-093651-S\@jX23n3QXQAAHfxCUUAAABD
--7099de72-A--
[11/May/2010:09:36:51 +051800] S@jX23n3QXQAAHfxCUUAAABD 75.126.74.190 50302 121.247.65.116 80
--7099de72-B--
GET  HTTP/1.1

--7099de72-H--
Apache-Error: [file "core.c"] [line 3502] [level 3] Invalid URI in request GET  HTTP/1.1
Stopwatch: 1273550811784356 3474 (- - -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.15 (Unix) proxy_html/3.1.2 mod_ssl/2.2.15 OpenSSL/0.9.8h

--7099de72-Z--


 rpm -ql chroot-reverseproxy-2.2.15-74.g005e4a9 |grep -i log
/var/sec/chroot-reverseproxy/usr/apache/bin/logresolve
/var/sec/chroot-reverseproxy/usr/apache/bin/rotatelogs
/var/sec/chroot-reverseproxy/usr/apache/modules/mod_log_config.so
/var/sec/chroot-reverseproxy/var/log
/var/sec/chroot-reverseproxy/var/log/apache2
/var/sec/chroot-reverseproxy/var/log/audit
acenn:/var/log #






""""""""""""""""There is a completely different issue: when I try to download the log I notice the file is called .gz, but when you download the same file with .zip

but when you click the download button it downloads a .gz file

Please check the image.
"""""""""""""""
Thanks


Edit: are you still working on this?

***** MantisID: 13659 *****(new)

MantisID: 12760
MantisID: 12343 (these two were reported in some other thread)
If yes, that is OK, but please inform.
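
An added example, not part of the original post and not Astaro or ModSecurity code: a small parser for the ModSecurity audit-log entries shown above. It splits one entry on its `--id-X--` section boundaries (A = header, B = request, H = trailer, Z = end) and reports the client address and whether the request line has an empty target, as both entries in the post do. The function and field names are this example's own.

```python
import re

# Audit entry copied from the post above (2010-05-11), embedded so this runs offline.
SAMPLE = """--7099de72-A--
[11/May/2010:09:36:51 +051800] S@jX23n3QXQAAHfxCUUAAABD 75.126.74.190 50302 121.247.65.116 80
--7099de72-B--
GET  HTTP/1.1

--7099de72-H--
Apache-Error: [file "core.c"] [line 3502] [level 3] Invalid URI in request GET  HTTP/1.1
Stopwatch: 1273550811784356 3474 (- - -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.15 (Unix) proxy_html/3.1.2 mod_ssl/2.2.15 OpenSSL/0.9.8h

--7099de72-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
HEADER_A = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
FIELDS = ("time", "unique_id", "src_ip", "src_port", "dst_ip", "dst_port")

def split_sections(text):
    """Return {section letter: [lines]} for one audit entry."""
    sections, current, entry_id = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            if entry_id not in (None, m.group(1)):
                raise ValueError("boundary id changed mid-entry")
            entry_id, current = m.group(1), m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    if "Z" not in sections:
        raise ValueError("truncated entry: no Z (end) section")
    return sections

def summarize(text):
    """Extract connection details and request-line anomalies from one entry."""
    s = split_sections(text)
    a = HEADER_A.match(s["A"][0]) if s.get("A") else None
    if a is None:
        raise ValueError("missing or malformed A (header) section")
    info = dict(zip(FIELDS, a.groups()))
    # Split on single spaces so an empty request target is kept as "".
    parts = (s.get("B") or [""])[0].split(" ")
    info["method"] = parts[0]
    info["empty_target"] = len(parts) == 3 and parts[1] == ""
    info["apache_errors"] = [l[14:] for l in s.get("H", []) if l.startswith("Apache-Error: ")]
    return info
```
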