Best practices? - HackAttack - ModSecurity: Access denied with code 501



Hello All,

I’ve been seeing some recent hacking activity on one of the sites I maintain. They aren’t getting through; probably script kiddies from .ru.

[Tue Sep 28 03:58:55 2010] [error] [client 69.73.180.30] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/dh/apache2/template/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.domainnamehere.com"] [uri "/"] [unique_id "TKHKb63sk0UAAFT-zxIAAAAJ"]

[Thu Sep 23 20:57:14 2010] [error] [client 212.72.183.208] - This IP has been consistent across several days.
[client 85.214.112.2]
[client 174.142.97.203]
[client 91.144.147.99]

Reverse lookup:

212.72.183.208 PTR record: vif1.cyberwebserver-02.de. [TTL 10800s] [A=212.72.183.208]
85.214.112.2 PTR record: loseschürfer.de. [TTL 1800s] [A=85.214.112.2]
174.142.97.203 PTR record: a2.viralhosts.com. [TTL 3600s] [A=174.142.97.203]
91.144.147.99 PTR record: net147.144.91-99.espenza.ru. [TTL 3600s] [A=None] ERROR There is no A record for net147.144.91-99.espenza.ru. (may be negatively cached).

Besides the usual (ensure latest updates, etc.), what do you normally do in this situation?

I’ve banned IPs, but that only gets so far. I can ban a range, but that might limit some legit users.

Thanks for your help…

Jw
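The post shows the kind of triage that is usually done by hand: reading ModSecurity error-log lines, pulling out the client IP and rule message, and noticing which IPs come back day after day. The script below is an added example (not code from the post or from ModSecurity) that does that triage over a log file. It parses the ModSecurity 2.x Apache error-log layout shown above (the `[client ...]` header, the `Access denied with code N (phase N)` text, the optional `Pattern match "..." at LOCATION.` fragment, and the bracketed `[key "value"]` fields), then counts hits per IP and per rule message and lists the IPs seen on two or more distinct days. The sample lines, IPs (documentation ranges), hostnames, file paths and unique_ids are all constructed for the example; the second rule message and tag are likewise constructed and not taken from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout the post
# shows. IPs are from documentation ranges; hostnames, paths, messages and ids are
# made up for the example and are not the poster's data.
SAMPLE_LOG = r'''
[Tue Sep 28 03:58:55 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED-0001"]
[Wed Sep 29 11:02:03 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:page. [file "/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED-0002"]
[Thu Sep 23 20:57:14 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 400 (phase 2). Operator EQ matched 0 at &REQUEST_HEADERS:Accept. [file "/etc/mod_sec2/mod_sec.conf"] [line "12"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED-0003"]
[Thu Sep 23 21:15:40 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED-0004"]
[Thu Sep 23 21:15:41 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 501 (phase 2). Pattern match "\./proc/self/environ" at ARGS:controller. [file "/etc/mod_sec2/mod_sec.conf"] [line "5"] [msg "/proc/self/environ access"] [data "./proc/self/environ"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.example.com"] [uri "/admin/"] [unique_id "CONSTRUCTED-0005"]
[Thu Sep 23 21:15:42 2010] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
'''

# Apache 2.2-style error-log header followed by the ModSecurity message body.
# (Apache 2.4 appends ":port" to the client address; strip it first if needed.)
CLIENT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]\s]+)\] ModSecurity: (?P<body>.*)$')
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [file "..."], [msg "..."], [tag "..."], ...
CODE_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')
MATCH_RE = re.compile(r'Pattern match "([^"]*)" at (\S+)')  # absent for non-regex operators


def parse_line(line):
    """Return a dict of fields for one ModSecurity error-log line, or None for any other line."""
    m = CLIENT_RE.match(line.strip())
    if not m:
        return None
    ts = m.group('ts').split()        # e.g. ['Tue', 'Sep', '28', '03:58:55', '2010']
    rec = {
        'date': f"{ts[4]}-{ts[1]}-{ts[2]}",   # '2010-Sep-28': enough to group hits by day
        'ip': m.group('ip'),
    }
    body = m.group('body')
    c = CODE_RE.search(body)
    if c:
        rec['code'], rec['phase'] = int(c.group(1)), int(c.group(2))
    p = MATCH_RE.search(body)
    if p:
        rec['pattern'] = p.group(1)
        rec['location'] = p.group(2).rstrip('.')   # 'ARGS:controller.' -> 'ARGS:controller'
    rec.update(KV_RE.findall(body))   # file, line, msg, data, severity, tag, hostname, uri, unique_id
    return rec


def summarize(log_text):
    """Aggregate parsed lines: hits per IP, hits per rule message, IPs seen on 2+ distinct days."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_ip = Counter(r['ip'] for r in records)
    by_msg = Counter(r.get('msg', '<no msg>') for r in records)
    days = defaultdict(set)
    for r in records:
        days[r['ip']].add(r['date'])
    repeat_offenders = sorted(ip for ip, d in days.items() if len(d) >= 2)
    return {'records': records, 'by_ip': by_ip, 'by_msg': by_msg,
            'repeat_offenders': repeat_offenders}


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print('blocked requests per client IP:')
    for ip, n in s['by_ip'].most_common():
        print(f'  {ip:16} {n}')
    print('hits per rule message:')
    for msg, n in s['by_msg'].most_common():
        print(f'  {n:3}  {msg}')
    print('IPs seen on two or more days:', ', '.join(s['repeat_offenders']) or 'none')
```

To run it against a real server, replace `SAMPLE_LOG` with the contents of the Apache error log (or pipe `grep ModSecurity error_log` into it). Lines that are not ModSecurity denials, such as the constructed favicon 404 above, are skipped rather than miscounted. The "seen on two or more days" list is the figure the post arrived at by eye; with the counts per rule message alongside it, a blocked-but-noisy scanner and a rule that keeps firing on legitimate traffic (the concern raised about banning ranges) can be told apart before any IP or range is blocked.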