Email Reporting Format

Posted: 18 Apr 2012, 15:41
by InetBiz
I use the contents of the email report from upload scripts to file abuse reports. It currently does not report the destination IP or the time the violation occurred. This information is useful in abuse reports.

Code:

Scanning web upload script file...
Web upload script user: nobody (99)
Web upload script owner:  ()
Web upload script: /home/xxxxxx/public_html/catalog/admin/banner_manager.php
Remote IP:
Deleted: No
Quarantined: Yes [/home/quarantine/nobody/20120418-100647-T47Kd0Wnv1EAAD4uFIoAAAAT-file-7u7xKx.1334758008_1]

NOTE: This alert may be a ModSecurity false-positive as /home/gr8gear/public_html/catalog/admin/banner_manager.php does not exist
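Added example, not part of the original post and not cxs code: a parser that turns the report above into fields for an abuse report, flags the empty ones, and recovers a time from the quarantine file name. The file-name layout (local timestamp, per-request id, trailing Unix epoch) is an assumption inferred from this single sample, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Report text as posted above (constructed input for this example).
SAMPLE = """\
Scanning web upload script file...
Web upload script user: nobody (99)
Web upload script owner:  ()
Web upload script: /home/xxxxxx/public_html/catalog/admin/banner_manager.php
Remote IP:
Deleted: No
Quarantined: Yes [/home/quarantine/nobody/20120418-100647-T47Kd0Wnv1EAAD4uFIoAAAAT-file-7u7xKx.1334758008_1]
"""

# Assumed layout: <YYYYMMDD-HHMMSS>-<request id>-file-<random>.<epoch>_<n>
QNAME = re.compile(r"(\d{8}-\d{6})-([A-Za-z0-9@_-]+?)-file-\w+\.(\d{9,10})_\d+$")

def parse_report(text):
    """Split 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def abuse_evidence(text):
    """Collect what an abuse report needs and list the fields the report left empty."""
    f = parse_report(text)
    out = {
        "script": f.get("Web upload script"),
        "remote_ip": f.get("Remote IP") or None,
        "missing": [k for k, v in f.items() if v in ("", "()")],
        "local_stamp": None, "request_id": None, "utc_time": None,
    }
    path = re.search(r"\[(.+)\]", f.get("Quarantined", ""))
    q = QNAME.match(path.group(1).rsplit("/", 1)[-1]) if path else None
    if q:
        stamp, out["request_id"], epoch = q.groups()
        # Leading stamp is server-local time (assumption); trailing number is read as epoch seconds.
        out["local_stamp"] = datetime.strptime(stamp, "%Y%m%d-%H%M%S").isoformat()
        out["utc_time"] = datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()
    return out

if __name__ == "__main__":
    for key, value in abuse_evidence(SAMPLE).items():
        print(f"{key}: {value}")
```

The recovered request id can be searched for in the web server's own logs to find the source address that the report leaves blank, assuming those logs record it.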

Re: Email Reporting Format

Posted: 18 Apr 2012, 15:42
by InetBiz
I was told to create a suggestion in the forums from Ticket #ZGZ-900-79132. Owning three licenses, I expect this request to carry weight. Thanks!

Re: Email Reporting Format

Posted: 18 Apr 2012, 23:54
by InetBiz
It ALSO needs to BLOCK the IP on repeated attempts to upload the same exploit script! We were just hit with over 2000 attempts to the same file from various IPs around the world.

Re: Email Reporting Format

Posted: 24 Apr 2012, 10:31
by chirpy
We will consider it in the future but cannot provide any guarantees or timescales. If you want to block based on the ModSecurity triggers, then you have to use the csf option LF_CXS to block attacking IP addresses, as it isn't possible for the cxs process to do so directly with this type of block as the script is running under the nobody account when ModSecurity invokes it.