DeveloperSide.NET Forums
Topic: Security
natcolley
« on: February 13, 2008, 04:46:20 PM »

This is unrelated to the sigterm issue. When I was looking at the error logs, I saw this:
Code:
[Tue Feb 12 20:19:55 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_HEADERS:Cookie. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "ad.yieldmanager.com"] [uri "/st?ad_type=iframe&ad_size=728x90&site=140464&section_code=12054307&cb=1202869194967719&ycg=m&yyob=1956&pub_redirect_unencoded=1&pub_redirect=http://us.ard.yahoo.com/SIG=14tf0448g/M=619213.12054307.12499351.10748017/D=mail/S=150500152:N/Y=YAHOO/EXP=1202876394/L=N2qqpM6.Jpn0kVOvR2bXQwCXnGM3fUeyU8oABhu9/B=HpYhBdj8a5k-/J=1202869194967719/A=4919325/R=0/*"] [unique_id "zyDrncCoAdIAAAH0bj0AAAD1"]
[Tue Feb 12 20:19:55 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:\\\\((?:\\\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\\\b\\\\W*?=|[^\\\\w\\\\x80-\\\\xFF]*?[\\\\!\\\\&\\\\|][^\\\\w\\\\x80-\\\\xFF]*?\\\\()|\\\\)[^\\\\w\\\\x80-\\\\xFF]*?\\\\([^\\\\w\\\\x80-\\\\xFF]*?[\\\\!\\\\&\\\\|])" at REQUEST_HEADERS:Cookie. [id "950010"] [msg "LDAP Injection Attack. Matched signature <)(:!>"] [severity "CRITICAL"] [hostname "ad.yieldmanager.com"] [uri "/st?ad_type=iframe&ad_size=728x90&site=140464&section_code=12054307&cb=1202869194967719&ycg=m&yyob=1956&pub_redirect_unencoded=1&pub_redirect=http://us.ard.yahoo.com/SIG=14tf0448g/M=619213.12054307.12499351.10748017/D=mail/S=150500152:N/Y=YAHOO/EXP=1202876394/L=N2qqpM6.Jpn0kVOvR2bXQwCXnGM3fUeyU8oABhu9/B=HpYhBdj8a5k-/J=1202869194967719/A=4919325/R=0/*"] [unique_id "zyDrncCoAdIAAAH0bj0AAAD1"]

Repeated many, many times. Can you translate? It looks like someone tried to get into my laptop while I was getting my Yahoo mail - but what I don't understand is that I wasn't browsing Yahoo with Apache. I guess that's just the nature of this attack? Is this something I should worry about? Do something about? Or is this just an attempt to serve an ad that is being interpreted as an attack?

Thx.
admin
« Reply #1 on: February 13, 2008, 06:11:22 PM »

Probably nothing to worry about. It's just generic mod_security rulesets being activated with some URI pattern match.

Both clients are 127.0.0.1 so this did not come from outside.

You can check the ids of the rulesets, and comment them out under the mod_security ruleset files. mod_security really needs to be configured for your specific environment, and these days I keep it turned off mostly -- too much of a headache.
DeveloperSide.NET
Advanced PHP and MySQL Solutions for your Web Design and Development needs with Web.Developer Server Suite.
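
One way to do the "check the ids" step from the reply above, as an added example that is not part of the original thread: it groups ModSecurity hits by rule id, client, hostname and target, and shows what kind of value trips rule 950107. The log lines are constructed in the shape quoted in the first post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed lines in the error-log shape quoted in the thread; the regex text,
# URI and unique_id values are shortened placeholders, not real traffic.
SAMPLE_LOG = '''\
[Tue Feb 12 20:19:55 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "PCRE-A" at REQUEST_HEADERS:Cookie. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "ad.yieldmanager.com"] [uri "/st?ad_type=iframe"] [unique_id "constructed-1"]
[Tue Feb 12 20:19:55 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "PCRE-B" at REQUEST_HEADERS:Cookie. [id "950010"] [msg "LDAP Injection Attack. Matched signature <)(:!>"] [severity "CRITICAL"] [hostname "ad.yieldmanager.com"] [uri "/st?ad_type=iframe"] [unique_id "constructed-1"]
[Tue Feb 12 20:19:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "PCRE-A" at REQUEST_HEADERS:Cookie. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "ad.yieldmanager.com"] [uri "/st?ad_type=iframe"] [unique_id "constructed-2"]
[Tue Feb 12 20:20:01 2008] [error] [client 127.0.0.1] File does not exist: /constructed/favicon.ico
'''

HIT = re.compile(r'\[client (?P<client>[^\]]+)\] ModSecurity: .*? at '
                 r'(?P<target>[A-Z_]+(?::[^\s.]+)?)\. (?P<tags>\[.*)$')
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_hits(log_text):
    """Yield one dict per ModSecurity line: client, target and every [name "value"] tag."""
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m:
            yield {"client": m["client"], "target": m["target"],
                   **dict(TAG.findall(m["tags"]))}

def summarize(log_text):
    """Count hits per (rule id, severity, client, hostname, target)."""
    return Counter((h.get("id"), h.get("severity"), h["client"], h.get("hostname"), h["target"])
                   for h in parse_hits(log_text))

# Rule 950107's pattern as it reads with the log's extra backslash escaping removed:
# a '%' that is not followed by two hex digits or by uXXXX.
RULE_950107 = re.compile(r'%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})')

def trips_950107(value):
    """True if the value contains a '%' that is not valid URL encoding."""
    return RULE_950107.search(value) is not None

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, *key)
    # Constructed cookie values: a bare '%' matches, a valid %2F escape does not.
    print(trips_950107("pref=100%|lang=en"), trips_950107("path=%2Fmail"))
```

A summary where every hit shares one client, one hostname and the Cookie header as target points at a single source of requests tripping generic rules, which is the case the reply describes.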
admin
« Reply #2 on: February 13, 2008, 06:16:19 PM »

It could maybe have been a bad Flash ad or something. Don't know. Is 'ad.yieldmanager.com' anything familiar? A Google search says it's some type of spy/adware that just pops up ads for no reason.
« Last Edit: February 13, 2008, 06:20:15 PM by admin »
natcolley
« Reply #3 on: February 14, 2008, 06:01:12 AM »

Could be. I've had Firefox crash on me in Yahoo mail before, and they use a lot of Flash ads.