Hello.
I'm receiving a large amount of the following types of log entries in my apache error_log. Wondering what the best course of action is and what the ssl:info entry means - is this an attacker trying to find the port on which ssl is operating? I have csf and mod_security.
Code:
[Sat Sep 05 03:42:58.640018 2020] [ssl:info] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] AH01964: Connection to child 213 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 03:42:58.872228 2020] [:error] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] [client 20XX:aXX:c3XX::a747:XXc0] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\\\\[To Parent Directory\\\\]<\\\\/[Aa]><br>)" at RESPONSE_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "30"] [id "950130"] [rev "2"] [msg "Directory Listing"] [data "Matched Data: <title>Index of /</title>\\x0a </head>\\x0a <body>\\x0a<h1>Index of found within RESPONSE_BODY: <!DOCTYPE HTML PUBLIC \\x22-//W3C//DTD HTML 3.2 Final//EN\\x22>\\x0a<html>\\x0a <head>\\x0a <title>Index of /</title>\\x0a </head>\\x0a <body>\\x0a<h1>Index of /</h1>\\x0a <table>\\x0a <tr><th valign=\\x22top\\x22> </th><th><a href=\\x22?C=N;O=D\\x22>Name</a></th><th><a href=\\x22?C=M;O=A\\x22>Last modified</a></th><th><a href=\\x22?C=S;O=A\\x22>Size</a></th><th><a href=\\x22?C=D;O=A\\x22>Description</a></th><..."] [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-disclosure"] [hostname "xxxxxxxxxx.com"] [uri "/"] [unique_id "X1NBgnKk4DVpdfujct-QRAAAANU"]
[Sat Sep 05 03:42:58.872322 2020] [core:info] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] AH00128: File does not exist: /home/xxxxxxxxxx.com/public_html/xxxxxxxxxx.com/403.shtml
[Sat Sep 05 03:42:58.872572 2020] [:error] [pid 3990:tid 47740868409088] [client 20xx:a747:xxxxx::a747:c3c0:xxxxx] [client 20XX:aXX:c3XX::a747:XXc0] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "39"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4): Directory Listing"] [tag "event-correlation"] [hostname "xxxxxxxxxx.com"] [uri "/"] [unique_id "X1NBgnKk4DVpdfujct-QRAAAANU"]
[Sat Sep 05 03:43:43.667189 2020] [ssl:info] [pid 3990:tid 47740772775680] [client 20XX:aXX:c3XX::a747:XXc0:61263] AH01964: Connection to child 200 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 03:44:15.340332 2020] [ssl:info] [pid 3990:tid 47740755965696] [client 20XX:aXX:c3XX::a747:XXc0:55074] AH01964: Connection to child 192 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 03:44:15.670722 2020] [core:info] [pid 3990:tid 47740755965696] [client 20XX:aXX:c3XX::a747:XXc0:55074] AH00128: File does not exist: /home/xxxxxxxxxx.com/public_html/XXXXXXX/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
[Sat Sep 05 21:16:43.836770 2020] [ssl:info] [pid 11056:tid 47740847396608] [client 20XX:aXX:c3XX::a747:XXc0:57137] AH01964: Connection to child 395 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:17:16.630967 2020] [ssl:info] [pid 11056:tid 47740857902848] [client 20XX:aXX:c3XX::a747:XXc0:51899] AH01964: Connection to child 400 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:17:50.328790 2020] [ssl:info] [pid 11056:tid 47740866307840] [client 20XX:aXX:c3XX::a747:XXc0:61847] AH01964: Connection to child 404 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:18:24.025547 2020] [ssl:info] [pid 11056:tid 47740762269440] [client 20XX:aXX:c3XX::a747:XXc0:53424] AH01964: Connection to child 387 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:18:56.531811 2020] [ssl:info] [pid 10943:tid 47740774876928] [client 20XX:aXX:c3XX::a747:XXc0:63596] AH01964: Connection to child 73 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:19:28.263850 2020] [ssl:info] [pid 11056:tid 47740851599104] [client 20XX:aXX:c3XX::a747:XXc0:53002] AH01964: Connection to child 397 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:20:00.411424 2020] [ssl:info] [pid 11056:tid 47740866307840] [client 20XX:aXX:c3XX::a747:XXc0:60225] AH01964: Connection to child 404 established (server xxxxxxxxxx.com:443)
[Sat Sep 05 21:20:33.626445 2020] [ssl:info] [pid 11056:tid 47740874712832] [client 20XX:aXX:c3XX::a747:XXc0:65404] AH01964: Connection to child 408 established (server xxxxxxxxxx.com:443)
goes on for hundreds of entries...
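As an added example (not from the poster or the forum), a small Python parser for this error_log shape that groups entries by client and separates the routine mod_ssl AH01964 connection notices from ModSecurity denials and missing-file probes; the host, addresses and sample lines are constructed, and it assumes Apache 2.4's "[client ADDR:PORT]" form.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the poster's excerpt (host and addresses replaced).
SAMPLE_LOG = """\
[Sat Sep 05 03:42:58.640018 2020] [ssl:info] [pid 3990:tid 1] [client 2001:db8::1:61263] AH01964: Connection to child 213 established (server example.com:443)
[Sat Sep 05 03:42:58.872228 2020] [:error] [pid 3990:tid 1] [client 2001:db8::1:61263] [client 2001:db8::1] ModSecurity: Access denied with code 403 (phase 4). Pattern match "x" at RESPONSE_BODY. [file "RESPONSE-950-DATA-LEAKAGES.conf"] [line "30"] [id "950130"] [msg "Directory Listing"] [hostname "example.com"] [uri "/"]
[Sat Sep 05 03:44:15.670722 2020] [core:info] [pid 3990:tid 2] [client 2001:db8::1:55074] AH00128: File does not exist: /home/example.com/public_html/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
[Sat Sep 05 21:16:43.836770 2020] [ssl:info] [pid 11056:tid 3] [client 2001:db8::1:57137] AH01964: Connection to child 395 established (server example.com:443)
[Sat Sep 05 21:17:00.000000 2020] [ssl:info] [pid 11056:tid 4] [client 2001:db8::2:40000] AH01964: Connection to child 396 established (server example.com:443)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]*):(?P<lvl>[^\]]+)\] \[pid [^\]]+\] "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
MODSEC_ID_RE = re.compile(r'\[id "(\d+)"\]')
MODSEC_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')

def strip_port(client):
    # Apache 2.4 writes "[client ADDR:PORT]"; drop the trailing port so repeated
    # connections from one IPv4/IPv6 address group together (assumes PORT is present).
    return client.rsplit(":", 1)[0]

def summarize(text):
    """Per-client tally: TLS connections (AH01964, which mod_ssl logs at info level for
    every new connection), ModSecurity denials by rule, and missing-file probes (AH00128)."""
    stats = defaultdict(lambda: {"tls": 0, "denied": Counter(), "missing": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, msg = strip_port(m["client"]), m["msg"]
        if msg.startswith("AH01964"):
            stats[c]["tls"] += 1
        elif msg.startswith("AH00128"):
            stats[c]["missing"].append(msg.partition("File does not exist: ")[2])
        elif "ModSecurity: Access denied" in msg:
            rid, desc = MODSEC_ID_RE.search(msg), MODSEC_MSG_RE.search(msg)
            stats[c]["denied"][(rid.group(1) if rid else "?", desc.group(1) if desc else "")] += 1
    return dict(stats)

def exposed_listings(text):
    """URIs where the server itself produced a directory index: CRS rule 950130 matches
    the RESPONSE body, so a hit means directory listing is enabled for that path."""
    return sorted({m.group(1) for m in re.finditer(r'\[id "950130"\].*?\[uri "([^"]*)"\]', text)})

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), exposed_listings(SAMPLE_LOG))
```

Run against the real error_log (for example `summarize(open("/var/log/apache2/error_log").read())`) to see which clients only open TLS connections and which also trip rules or probe for files.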