Atomic Secure Linux
Post subject: How to block and to test for unauthorized access
Posted: Mon Apr 23, 2012 9:00 pm
New Forum User

Joined: Mon Apr 23, 2012 8:18 pm
Posts: 2
Location: Canada
Hello everyone,

I've been using ModSecurity with your delayed ruleset to help protect my Apache2 web server for some time now. It's been working great until just recently. I was thumbing through my server's web access logs and found some entries that are worrying me. My question is: how can I write a new rule for modsec that will block this unauthorized access, and how can I test to ensure the new rule is working? I suppose I could write a mod_rewrite rule for this if I had to, but I would much rather write a modsec rule for this. Thanks for your time.

The unauthorized access:
120.38.196.182 - - [22/Apr/2012:17:17:06 -0600] "GET http://5566.net/ HTTP/1.1" 200 9101

ModSecurity version:
ModSecurity for Apache/2.6.1

ModSecurity ruleset:
modsec-201202181610

Loaded Modules:
core_module (static)
authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
deflate_module (static)
log_config_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
dir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
unique_id_module (shared)
headers_module (shared)
php5_module (shared)
evasive20_module (shared)
security2_module (shared)


Post subject: Re: How to block and to test for unauthorized access
Posted: Tue Apr 24, 2012 3:26 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Can you expand a little on what you want to do? For example, is that your domain? What do you want to block, just that specific request or something broader? And what happens when that request is made to your system?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: How to block and to test for unauthorized access
Posted: Tue Apr 24, 2012 8:31 pm
New Forum User

Joined: Mon Apr 23, 2012 8:18 pm
Posts: 2
Location: Canada
Hello again,

I will try to provide whatever details are required to the best of my ability.
5566.net is not my domain. It appears a clever hacker has found a way to use that request to open external domains through my server. When that request is made, my server seems to act like a type of proxy server. As you can see in my previous post, I do not have any sort of proxy modules loaded on my server, which leads me to believe I'm dealing with some sort of new exploit. I would like to block any requests that try to load external domains through my server. I'll provide a few examples of legit requests and abusive requests below.

example of legit request:
"GET /index.php HTTP/1.1"

examples of requests that I want to block:
"GET http://5566.net/ HTTP/1.1"
"GET http://www.5566.net/ HTTP/1.1"
"GET http://*.*.*/ HTTP/1.1"

Thanks in advance,
-Volts


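An added example (not code from the thread or from Atomicorp) of how a defender would block request lines of the shape listed above with ModSecurity 2.x and audit the access log for them; the rule id, the config file name and the host name in the curl check are assumptions. Apache accepts absolute-form request targets even without mod_proxy loaded and answers them from the local virtual host, so a 200 on such a line usually means the server's own page was returned rather than proxied content.

```shell
#!/bin/sh
# Added example: block absolute-URI request lines ("GET http://5566.net/ HTTP/1.1")
# with ModSecurity 2.x and audit an Apache access log for them.
# Rule id 9900001 and the target file name are assumptions; pick an unused id.

# 1. The rule. REQUEST_URI_RAW keeps the scheme and host from the request line
#    (REQUEST_URI strips them), so anchor on "scheme://". Phase 1 runs on the
#    request headers, before any body is read; deny,status:403 ends the request.
write_modsec_rule() {
    cat > "$1" <<'EOF'
SecRule REQUEST_URI_RAW "@rx ^[a-zA-Z][a-zA-Z0-9+.-]*://" \
    "id:9900001,phase:1,t:none,deny,status:403,log,auditlog,\
    msg:'Absolute URI in request line (open-proxy probe)'"
EOF
}

# 2. Audit helper: print access-log lines whose request target (the first
#    double-quoted field) is an absolute URI. A path that merely contains
#    "http://" in its query string (e.g. /redirect?to=http://...) is not flagged.
find_absolute_uri_requests() {
    awk -F'"' '$2 ~ /^[A-Z]+ [a-zA-Z][a-zA-Z0-9+.-]*:\/\//' "$1"
}

count_absolute_uri_requests() {
    find_absolute_uri_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log in the same format as the line quoted in the thread.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
120.38.196.182 - - [22/Apr/2012:17:17:06 -0600] "GET http://5566.net/ HTTP/1.1" 200 9101
10.0.0.5 - - [22/Apr/2012:17:18:00 -0600] "GET /index.php HTTP/1.1" 200 512
10.0.0.6 - - [22/Apr/2012:17:19:00 -0600] "GET http://www.5566.net/ HTTP/1.1" 200 9101
10.0.0.7 - - [22/Apr/2012:17:20:00 -0600] "GET /redirect?to=http://example.com/ HTTP/1.1" 302 0
EOF

# 3. Checking the rule once it is loaded (needs a running server; not run here).
#    With curl >= 7.55 (YOUR_HOST is a placeholder):
#      curl -sS -o /dev/null -w '%{http_code}\n' --request-target 'http://5566.net/' http://YOUR_HOST/
#    should print 403, and the audit log should show rule id 9900001 firing.

# Stand-alone run: write the rule to a temp file and list the suspicious lines.
write_modsec_rule "$(mktemp)"
find_absolute_uri_requests "$SAMPLE_LOG"
```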
Post subject: Re: How to block and to test for unauthorized access
Posted: Thu Apr 26, 2012 11:27 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
That's interesting, so you don't have any proxy modules loaded and yet Apache is proxying? Have you tested those URLs yourself to see if they are actually proxying? Or is the 200 error being returned from your domain because you have something else intercepting these requests?

And if it is proxying, what's your hostname, as I'd love to see how Apache is doing that.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

