Apache error_log preenchido com blocos modsec

1

Desde que eu habilitei o modSecurity do Apache, verifiquei os logs e vi o seguinte constantemente como 24/7:

[Wed Jun 25 12:40:07 2014] [error] [client 112.215.65.61] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qY90KT6CAAAAVA0y8AAABL"]
[Wed Jun 25 12:43:27 2014] [error] [client 141.0.11.65] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qZv0KT6CAAAAcZh1sAAAIM"]
[Wed Jun 25 12:43:29 2014] [error] [client 206.53.152.12] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qZwUKT6CAAAH1gYr4AAAKW"]
[Wed Jun 25 12:46:22 2014] [error] [client 141.0.11.65] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qabkKT6CAAAAbNZCIAAAFN"]
[Wed Jun 25 12:52:15 2014] [error] [client 107.167.99.155] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qbz0KT6CAAAAhKOkYAAAGX"]
[Wed Jun 25 12:58:08 2014] [error] [client 82.145.218.187] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qdMEKT6CAAAAcZjdgAAAIQ"]
[Wed Jun 25 13:03:26 2014] [error] [client 82.145.208.232] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qebkKT6CAAAAs0ITQAAAFN"]
[Wed Jun 25 13:10:30 2014] [error] [client 114.124.33.113] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qgFkKT6CAAAAcZk08AAAIK"]
[Wed Jun 25 13:11:45 2014] [error] [client 206.53.152.51] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qgYUKT6CAAAAolo-kAAAEU"]
[Wed Jun 25 13:16:52 2014] [error] [client 180.254.31.12] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qhlEKT6CAAAAs0J2cAAAFC"]
[Wed Jun 25 13:19:20 2014] [error] [client 141.0.8.147] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qiKEKT6CAAAAs0KLMAAAFJ"]
[Wed Jun 25 13:30:04 2014] [error] [client 70.39.185.252] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qkrEKT6CAAAA8cQbUAAABM"]
[Wed Jun 25 13:30:28 2014] [error] [client 114.121.162.4] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qkxEKT6CAAABBb7gwAAAHX"]
[Wed Jun 25 13:36:06 2014] [error] [client 206.53.152.22] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qmFkKT6CAAABB48x8AAAIH"]
[Wed Jun 25 13:39:56 2014] [error] [client 114.79.12.226] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qm-EKT6CAAAA77N2YAAAGF"]
[Wed Jun 25 13:40:09 2014] [error] [client 141.0.9.105] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qnCUKT6CAAAA77N38AAAGQ"]
[Wed Jun 25 13:47:00 2014] [error] [client 112.215.36.145] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qopEKT6CAAABP7LCcAAAJG"]
[Wed Jun 25 13:48:38 2014] [error] [client 112.215.36.145] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qpBkKT6CAAABRWU@cAAACL"]
[Wed Jun 25 13:49:06 2014] [error] [client 82.145.217.197] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qpIkKT6CAAABLoqvcAAADC"]
[Wed Jun 25 13:51:54 2014] [error] [client 36.84.242.94] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qpykKT6CAAABLorFUAAADI"]
[Wed Jun 25 14:00:11 2014] [error] [client 82.145.218.69] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qru0KT6CAAABN69X4AAABP"]
[Wed Jun 25 14:07:38 2014] [error] [client 112.215.66.75] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qtekKT6CAAABO-FjYAAALD"]
[Wed Jun 25 14:10:40 2014] [error] [client 39.225.51.231] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6quMEKT6CAAABN6@l0AAABU"]
[Wed Jun 25 14:17:10 2014] [error] [client 39.211.241.27] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qvtkKT6CAAABpXRO4AAACE"]
[Wed Jun 25 14:17:11 2014] [error] [client 39.211.241.27] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qvt0KT6CAAABSGZtgAAAGS"]
[Wed Jun 25 14:22:51 2014] [error] [client 114.125.46.159] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qxC0KT6CAAABi4h5oAAAAR"]
[Wed Jun 25 14:32:32 2014] [error] [client 66.154.116.188] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qzUEKT6CAAAB1hCZQAAACP"]
[Wed Jun 25 14:35:16 2014] [error] [client 114.125.47.120] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6qz9EKT6CAAABz53voAAAKV"]
[Wed Jun 25 14:41:41 2014] [error] [client 141.0.10.206] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q1dUKT6CAAAB49BTQAAADB"]
[Wed Jun 25 14:48:08 2014] [error] [client 39.230.89.68] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q2@EKT6CAAABz55ZAAAAKA"]
[Wed Jun 25 14:48:09 2014] [error] [client 39.230.89.68] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q2@UKT6CAAACEBZSMAAAHB"]
[Wed Jun 25 14:49:49 2014] [error] [client 39.232.12.161] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q3XUKT6CAAACEBZhMAAAHR"]    
[Wed Jun 25 15:13:25 2014] [error] [client 82.145.216.47] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q85UKT6CAAACFjHAIAAAFE"]
[Wed Jun 25 15:16:19 2014] [error] [client 114.125.49.28] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q9k0KT6CAAACZ5T5QAAACC"]
[Wed Jun 25 15:19:04 2014] [error] [client 112.215.65.143] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q@OEKT6CAAACbVCqoAAAAB"]
[Wed Jun 25 15:24:43 2014] [error] [client 82.145.217.135] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6q-i0KT6CAAACdWNnkAAAKM"]
[Wed Jun 25 15:41:31 2014] [error] [client 114.125.44.244] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6rDe0KT6CAAACXbDmcAAADG"]
[Wed Jun 25 15:46:26 2014] [error] [client 82.145.217.64] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-OperaMini-Phone-UA. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6rEokKT6CAAACXbEJEAAADE"]    
[Wed Jun 25 15:50:15 2014] [error] [client 202.62.16.40] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6rFh0KT6CAAACnpjH4AAABC"]    
[Wed Jun 25 15:57:13 2014] [error] [client 82.145.208.208] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "143"] [id "1234123446"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.mysite.com"] [uri "/"] [unique_id "U6rHKUKT6CAAACvWPXQAAAHM"]

As classes Ip tendem a ser semelhantes, mas não posso bloquear classes inteiras / 16. De qualquer forma, isso é algo para se preocupar? O "ModSecurity: Acesso negado com o código 501" bloqueia o ataque ou devo colocar o comando drop? Obrigado

    
por Ivan 25.06.2014 / 17:15

1 resposta

1

Parece que o mod_sec está fazendo o seu trabalho. Você pode querer adicionar um fail2ban ao seu sistema e configurá-lo para banir os endereços IP que surgirem os registros repetidamente.

    
por 25.06.2014 / 17:20