How can I have APF block script kiddies that mod_security detects?

Posted by Gaia on Server Fault See other posts from Server Fault or by Gaia
Published on 2010-04-22T15:50:56Z Indexed on 2010/04/22 15:53 UTC
Read the original article Hit count: 377

Filed under:
|
|

In one of the vhosts' error_log I found thousands of lines like these, all from the same IP:

[Mon Apr 19 08:15:59 2010] [error] [client 61.147.67.206] mod_security: Access denied with code 403. Pattern match "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\\\(.*\\\\)\\\\;" at THE_REQUEST [id "330001"] [rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "//webmail/config.inc.php?p=phpinfo();"]

Given how obvious the situation is, how come mod_security isnt automatically adding at least that IP to deny rules? There is no way someone hasnt thought of this before...

© Server Fault or respective owner

Related posts about security

Related posts about mod-security