I've just recently posted this in Chirpy's modsecurity forum, but I thought I would try here as well.
For the past 4 days, about every hour (or less), from a different offending domain, I am receiving this email from my server:
Code:
Time: Wed May 19 12:15:58 2010 -0400
IP: 208.43.255.250 (208.43.255.250-static.reverse.softlayer.com)
Failures: 8 (mod_security)
Interval: 300 seconds
Blocked: Yes
Log entries:
[Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAFQtS0kAAAAJ"]
[Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAF8ZOfQAAAAN"]
[Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAF2vB8UAAAAF"]
[Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5usjAAAAAH"]
[Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5vs20AAAAK"]
[Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5wtKoAAAAO"]
[Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5ssCEAAAAD"]
[Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5tsNcAAAAG"]
I've searched on just about everything in the above log entry, and really haven't found anything.
Again, this has happened about 100 times in the past 3 days, each time it's a different domain/IP. My server seems OK, none of my customers have mentioned any issues; I just want to find out what this is, and if there's a way to stop it.
Thanks,
Jeff
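The email in the post is a block notification built from Apache error-log lines written by ModSecurity. The example below, added here and not code from the poster, from ModSecurity or from the ConfigServer (Chirpy's) firewall, parses those lines into fields, evaluates the rule's own regex from the log (`^((?:(?:POS|GE)T|OPTIONS|HEAD))$`, rule id 960032) to show which request methods it permits, and replays an "8 failures in 300 seconds" counting rule over sample lines to reproduce the block decision. The threshold values come from the email; the sliding-window counting is an assumption about how the block decision is made, and the sample log lines and the second client address (192.0.2.10, from the documentation range) are constructed.

```python
"""Parse ModSecurity 2.x 'Access denied' lines from the Apache error log and
replay an lfd-style 'N failures in M seconds' block decision over them.

Added example; not the poster's code, ConfigServer's code or ModSecurity's.
Threshold (8 failures within 300 seconds) mirrors the email in the post;
the sliding-window counting is an assumption about how blocks are decided.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Header of an error-log line emitted by ModSecurity 2.x under Apache.
HEADER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] '
    r'ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)\. '
    r'(?P<detail>.*)$'
)
# Trailing metadata fields such as [file "..."] [id "..."] [msg "..."].
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')

# The rule's own regex exactly as it appears in the log (rule id 960032):
# only these four methods are allowed; anything else is denied with 406.
ALLOWED_METHOD_RE = re.compile(r'^((?:(?:POS|GE)T|OPTIONS|HEAD))$')


def parse_modsec_line(line):
    """Return a dict of fields for one denial line, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'time': datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y'),
        'client': m.group('ip'),
        'code': int(m.group('code')),
        'phase': int(m.group('phase')),
    }
    rec.update(dict(FIELD_RE.findall(m.group('detail'))))
    return rec


def method_allowed(method):
    """True if rule 960032's regex would accept this REQUEST_METHOD (case-sensitive)."""
    return ALLOWED_METHOD_RE.match(method) is not None


def blocked_clients(records, failures=8, interval=300):
    """Clients with >= `failures` denials inside any `interval`-second window.

    Returns {client: time of the denial that crossed the threshold}.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r['client']].append(r['time'])
    blocked = {}
    for ip, times in by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits the interval.
            while (times[end] - times[start]).total_seconds() > interval:
                start += 1
            if end - start + 1 >= failures:
                blocked[ip] = times[end]
                break
    return blocked


def summarize(lines, failures=8, interval=300):
    """Parse all lines and report counts per (client, rule id) plus block decisions."""
    records = [r for r in (parse_modsec_line(l) for l in lines) if r]
    per_client_rule = Counter((r['client'], r.get('id')) for r in records)
    return {
        'parsed': len(records),
        'per_client_rule': dict(per_client_rule),
        'blocked': blocked_clients(records, failures, interval),
    }


def _sample_line(ts, ip, uid):
    """Constructed log line in the exact shape shown in the post."""
    return (
        f'[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 406 '
        '(phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against '
        '"REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] '
        '[line "34"] [id "960032"] [msg "Method is not allowed by policy"] '
        '[severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] '
        f'[unique_id "{uid}"]'
    )


# Constructed sample: 8 denials from the post's client inside two seconds
# (enough to trip the threshold) and 2 from a second client (not enough).
SAMPLE_LOG = (
    [_sample_line('Wed May 19 12:15:54 2010', '208.43.255.250', f'CONSTRUCTED-{i:04d}')
     for i in range(2)]
    + [_sample_line('Wed May 19 12:15:55 2010', '208.43.255.250', f'CONSTRUCTED-{i:04d}')
       for i in range(2, 8)]
    + [_sample_line('Wed May 19 12:20:00 2010', '192.0.2.10', f'CONSTRUCTED-{i:04d}')
       for i in range(8, 10)]
)

if __name__ == '__main__':
    for method in ('GET', 'POST', 'HEAD', 'OPTIONS', 'PUT', 'TRACE', 'PROPFIND'):
        print(f'{method:9s} allowed by 960032: {method_allowed(method)}')
    print(summarize(SAMPLE_LOG))
```

Pointing `summarize()` at real error-log lines gives a per-client count by rule id, which is the quickest way to confirm that a recurring notification is always the same rule (here 960032, a non-GET/POST/HEAD/OPTIONS method against `/`) rather than a range of attacks; the `method_allowed()` check makes it explicit that the 406 is produced by the request method alone, before any URI or body inspection, since the rule fires in phase 1.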