[Modsecurity] do you know why I get this hit?

ET etharp at earthlink.net
Mon Jul 17 18:23:21 EDT 2006 

do you know why I get this hit? from IP 200.208.159.132 and 
http://europa-eu-un.org:80/articles/el/article_2128_el.htm?

A computer at IP 200.208.159.132 (of course I 'whois' it) is hitting my 
home (personal)
webserver, and leaves a log entry;

200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST 
/javascript:void();? HTTP/1.1" 500 2668

the " POST /Javascript:void();? "

caught my attention, and the fact it gets caught by modsecurity for "^$"
then I got to noticing I have had an unsual number of hits where 
newlan=greek shows up just lately. as I read further up on the logs I 
notice this page as a referer

http://europa-eu-un.org:80/articles/el/article_2128_el.htm?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is from my access log;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
host156-94-static.34-85-b.business.telecomitalia.it - - 
[17/Jul/2006:10:12:34 -0400] "GET /index.php?newlang=greek HTTP/1.0" 200 
30998

host156-94-static.34-85-b.business.telecomitalia.it - - 
[17/Jul/2006:10:12:34 -0400] "GET /index.php?newlang=greek HTTP/1.0" 200 
30998 "http://europa-eu-un.org:80/articles/el/article_2128_el.htm?" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

host156-94-static.34-85-b.business.telecomitalia.it - - 
[17/Jul/2006:10:12:34 -0400] "GET /index.php?newlang=greek HTTP/1.0" 200 
30998 "http://europa-eu-un.org:80/articles/el/article_2128_el.htm?" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is also from my access log;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST 
/javascript:void();? HTTP/1.1" 500 2668

200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST 
/javascript:void();? HTTP/1.1" 500 2668 
"http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST 
/javascript:void();? HTTP/1.1" 500 2668 
"http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

200.208.159.132 - - [17/Jul/2006:10:14:10 -0400] "GET 
/index.php?newlang=greek HTTP/1.1" 200 30998

200.208.159.132 - - [17/Jul/2006:10:14:10 -0400] "GET 
/index.php?newlang=greek HTTP/1.1" 200 30998 
"http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

200.208.159.132 - - [17/Jul/2006:10:14:10 -0400] "GET 
/index.php?newlang=greek HTTP/1.1" 200 30998 
"http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

200.208.159.132 - - [17/Jul/2006:10:14:28 -0400] "POST 
/javascript:void();? HTTP/1.1" 506 2668

200.208.159.132 - - [17/Jul/2006:10:14:28 -0400] "POST 
/javascript:void();? HTTP/1.1" 506 2668 
"http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

200.208.159.132 - - [17/Jul/2006:10:14:28 -0400] "POST 
/javascript:void();? HTTP/1.1" 506 2668 
"http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"








~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
this is from the mod security log (audit_log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
========================================
Request: 200.208.159.132 - - [17/Jul/2006:10:14:01 --0400] "POST 
/javascript:void();? HTTP/1.1" 500 2668
Handler: type-map
----------------------------------------
POST /javascript:void();? HTTP/1.1
Via: 1.0 BRMAO2SRVISA02
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322)
Host: ed-tharp.is-a-geek.org:80
Referer: http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek
Connection: Keep-Alive
mod_security-message: Access denied with code 500. Pattern match "^$" at 
HEADER
mod_security-action: 506

28
[POST payload not available]

HTTP/1.1 500 Internal Server Error
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Vary: accept-language, accept-charset
========================================
Request: 200.208.159.132 - - [17/Jul/2006:10:14:28 --0400] "POST 
/javascript:void();? HTTP/1.1" 500 2668
Handler: type-map
----------------------------------------
POST /javascript:void();? HTTP/1.1
Via: 1.0 BRMAO2SRVISA02
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322)
Host: ed-tharp.is-a-geek.org:80
Referer: http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek
Connection: Keep-Alive
mod_security-message: Access denied with code 500. Pattern match "^$" at 
HEADER
mod_security-action: 506

28
[POST payload not available]

HTTP/1.1 500 Internal Server Error
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Vary: accept-language, accept-charset

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- 
reg. Linux User 167806
webhome http://ed-tharp.is-a-geek.org

More information about the Modsecurity mailing list