Best practices? - HackAttack - ModSecurity: Access denied with code 501


Hello All,

I've been seeing some recent hacking activity on one of the sites I maintain. They aren't getting through; probably script kiddies from .ru.

[Tue Sep 28 03:58:55 2010] [error] [client] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/dh/apache2/template/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname ""] [uri "/"] [unique_id "TKHKb63sk0UAAFT-zxIAAAAJ"]

[Thu Sep 23 20:57:14 2010] [error] [client] - This IP has been consistent across several days.

Reverse lookup: PTR record: [TTL 10800s] [A=] PTR record: loseschü [TTL 1800s] [A=] PTR record: [TTL 3600s] [A=] PTR record: [TTL 3600s] [A=None] ERROR There is no A record for (may be negatively cached).

Besides the usual (ensure the latest updates, etc.), what do you normally do in this situation?

I've banned IPs, but that only gets so far. I can ban a range, but that might limit some legitimate users.

Thanks for your help…
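An added example, not part of the original post: a small Python script that parses ModSecurity "Access denied" lines in the format quoted above and flags only client IPs that trip a rule repeatedly inside a time window, so a block decision rests on repeated behaviour across days rather than a single hit. The log lines, IPs, hostname and unique_ids are constructed placeholders, and the threshold and window are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache 2.2 / ModSecurity 2.x error-log format quoted
# in the post. IPs are documentation-range placeholders; hostnames and ids are made up.
SAMPLE_LOG = [
    r'[Thu Sep 23 20:57:14 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/dh/apache2/template/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.org"] [uri "/"] [unique_id "CONSTRUCTED-1"]',
    r'[Mon Sep 27 10:00:00 2010] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico',
    r'[Mon Sep 27 10:00:05 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:page. [file "/dh/apache2/template/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.org"] [uri "/"] [unique_id "CONSTRUCTED-2"]',
    r'[Tue Sep 28 03:58:55 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/dh/apache2/template/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.org"] [uri "/"] [unique_id "CONSTRUCTED-3"]',
    r'[Tue Sep 28 03:59:10 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/dh/apache2/template/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.org"] [uri "/index.php"] [unique_id "CONSTRUCTED-4"]',
    r'[Tue Sep 28 04:12:40 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/dh/apache2/template/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.org"] [uri "/"] [unique_id "CONSTRUCTED-5"]',
]

# Leading part of a denial line; Apache 2.4 appends ":port" to the client address.
HEAD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]:]+)(?::\d+)?\] '
                     r'ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)\. ')
# Trailing [key "value"] fields (file, line, msg, data, severity, tag, hostname, uri, unique_id).
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_event(line):
    """Return a dict for a ModSecurity 'Access denied' line, or None for any other line."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
          "ip": m.group("ip"), "code": int(m.group("code")), "phase": int(m.group("phase"))}
    ev.update(dict(FIELD_RE.findall(line)))
    return ev

def repeat_offenders(lines, threshold=3, window_hours=24):
    """Map IP -> summary for clients with >= threshold denials inside any rolling window.
    A single blocked probe is ignored, so one-off scanners are not banned on sight."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    found = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= timedelta(hours=window_hours):
                found[ip] = {"count": len(evs), "first": evs[0]["ts"], "last": evs[-1]["ts"],
                             "tags": sorted({e.get("tag", "") for e in evs}),
                             "uris": sorted({e.get("uri", "") for e in evs})}
                break
    return found
```

Feed it the real error_log instead of SAMPLE_LOG and the summary (count, first/last seen, tags, URIs) gives a documented basis for a targeted block, and shows whether the same /proc/self/environ rule is the only one firing.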