Chris@
Guest
I am running mod_security on a Plesk box with the gotroot.com rule set (except for the badip and blacklist rules). I have just now noticed some hacker-related files showing up in my /tmp folder. I am guessing these must be related to mod_security. They all look something like this:
20070309-012705-12.34.56.78-request_body-sazTGj
The 12.34.56.78 is an IP address; it's different for each file. I have several of these, and the contents are different: some contain "Hacked by..." type messages, some are empty, some contain e-mail messages. When I scan the audit_log for the IP address, it always comes back as being triggered by a "PUT " request method, and the user agent is always "Microsoft Data Access Internet Publishing Provider DAV 1.1".
Can someone verify these are created by mod_security? I did a lot of Web searching and I'm having trouble verifying that this is the case. If they are, why are they only created by a specific type of trigger (the "PUT" request with the specific user agent)?