False Positive & disabling rule(s) per domain
Posted: Mon Nov 16, 2009 11:25 am
Hi, I have:
Plesk 9.2.3 ASL 2.2 CentOS 5.2 (??)
One domain with CMS is preventing them from uploading a news item. It used to work, but not now. There are lots of incidents of Rule 340147 and one of Rule 340148 - shown below.
Whitelisting the IP appears to work. I have clicked a few of the False Positives - hopefully I might get something back?? I tried disabling the rule, but each time I go back, it does not appear to be disabled. "RESTART_APACHE" is set to YES on the configuration, so should it disable the rule without anything more complex?
I'm prepared to block that rule for the individual domain using https://www.atomicorp.com/wiki/index.ph ... gle_domain if I need to, but boring if I should be able to do it from the web GUI and so just wanted to check with the experts first.
Many thanks in advance.
Filename: /20091113/20091113-1154/20091113-115428-UnfuyVLFTwQAACJ0hCsAAAAS
Vhost: plesk2.mydomain.co.uk
Logname: /var/log/httpd/audit_log
Rule ID:340148
--94bc5835-A--
[13/Nov/2009:11:54:28 +0000] UnfuyVLFTwQAACJ0hCsAAAAS 212.183.134.209 9798 82.197.79.4 80
--94bc5835-B--
POST /admin-create-edit-page.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-gb,en;q=0.5
Content-Length: 3329
Cookie: __utma=18801184.1347178227.1254491515.1258029153.1258045996.8; __utmz=18801184.1254491515.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=bhi9rpp8h2to3cc3d8nkd99v31
Host: http://www.domain1.co.uk
Referer: http://www.domain1.co.uk/admin-create-e ... ?catid=993
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Content-Type: multipart/form-data;boundary=---------------------------29614486029253
Connection: keep-alive
Keep-Alive: 300
--94bc5835-I--
i%5fnme=Eye+Test+saves+girls+sight&n%5fnws%5ftitle=HAINE+%26+SMITH+HIT+THE+HEADLINES+AFTER+%27TEST+SAVES+GIRL%27S+SIGHT%27&n%5fnws%5fdateday=30&n%5fnws%5fdatemonth=10&n%5fnws%5fdateyear=2008&n%5fnws%5fsnippet=The+Gazette+%26+Herald+reports+how+a+cancerous+tumour+was+diagnosed+in+a+young+patient+following+a+routine+eye+examination+at+Haine+%26+Smith%2e%2e%2e&n%5fnws%5fitem=%3cp+class%3d%22content%22%3e%0d%0aWiltshire+paper%2c+the+Gazette+%26amp%3b+Herald+recently+reported+how+a+cancerous+tumour+was+diagnosed+in+a+young+girl+following+a+routine+eye+examination+at+Haine+%26amp%3b+Smith%2e+%0d%0a%3c%2fp%3e%0d%0a%3cp+class%3d%22content%22%3e%0d%0aCeri+Kilty+from+Wroughton+was+unaware+that+there+was+anything+wrong+when+she+decided+to+take+her+daughter+Ella+for+her+first+eye+test+at+Haine+%26amp%3b+Smith+in+Regent+Street%2c+Swindon%2e+However+consequently%2c+five%2dyear+old+Ella+was+diagnosed+with+Retinoblastoma%2c+a+fast+growing+form+of+childhood+eye+cancer%2e+%0d%0a%3c%2fp%3e%0d%0a%3cp+class%3d%22content%22%3e%0d%0aThe+optometrist+noticed+that+Ella+had+a+shadow+over+her+left+eye+and+suspecting+that+something+wasn%26rsquo%3bt+right%2c+referred+her+straight+to+hospital+that+evening%2e+%0d%0a%3c%2fp%3e%0d%0a%3cp+class%3d%22content%22%3e%0d%0a%3cimg+src%3d%22resources%2fo%5fella4%2ejpg%22+alt%3d%22%22+hspace%3d%2210%22+vspace%3d%2210%22+align%3d%22left%22+%2f%3eOver+the+next+two+weeks%2c+consultants+confirmed+that+Ella+did+in+fact+have+Retinoblastoma+and+it+was+decided+that+her+eye+should+be+removed+at+the+Royal+London+Eye+Hospital%2e+%0d%0a%3c%2fp%3e%0d%0a%3cp+class%3d%22content%22%3e%0d%0aThankfully%2c+the+operation+was+successful+and+due+to+the+quick+diagnosis+and+treatment+there+was+no+need+for+chemotherapy%2e+Ella%2c+described+by+Ceri+as+%26lsquo%3bthe+happiest+girl+you+could+wish+to+meet%26rsquo%3b%2c+has+since+had+a+prosthetic+eye+fitted%2e+%0d%0a%3c%2fp%3e%0d%0a%3cp%3e%0d%0a%3cspan+class%3d%22content%22%3e%3c%2fspan%3e%3cspan+class%3d%22content%22%3eCeri+told+the+new
spaper%3a+%26lsquo%3bWhen+I+stop+and+think+what+might+have+happened+if+I+had+not+taken+her+to+the+opticians+then+it+hits+me+hard%2e%26rsquo%3b%3c%2fspan%3e+%0d%0a%3c%2fp%3e%0d%0a%3cp+class%3d%22content%22%3e%0d%0aWhile+fortunate+Ella+continues+to+enjoy+swimming+and+dancing%2c+her+mum+wholeheartedly+encourages+other+parents+to+take+their+children+for+a+free+NHS+eye+test%2e+Her+daughter%26rsquo%3bs+experience+emphasises+that+a+visit+to+the+opticians+can+identify+far+more+important+health+issues+than+a+simple+need+for+spectacles%2e+%0d%0a%3c%2fp%3e%0d%0a&thsstatus=1&perms%5f1=3&catid=993&submitx=save&undocatid=
--94bc5835-F--
HTTP/1.1 403 Forbidden
Last-Modified: Mon, 03 Mar 2008 13:37:16 GMT
ETag: "e3815d-3c4-447887c74db00"
Accept-Ranges: bytes
Content-Length: 964
Connection: close
Content-Type: text/html
--94bc5835-H--
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "623"] [id "340148"] [rev "61"] [msg "Atomicorp.com WAF Rules: Cross Site Scripting Attack"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?)\:/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?>|< ?/?i?frame|\%env)" at ARGS:n_nws_item.
Action: Intercepted (phase 2)
Stopwatch: 1258113268707017 172195 (81041* 157687 -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/).
Server: Apache/2.2.3 (CentOS)
--94bc5835-Z--
========================================
and the second:
Filename: /20091112/20091112-1250/20091112-125005-@4fQ9lLFTwQAABJ3XD4AAAAE
Vhost: plesk2.mydomain.co.uk
Logname: /var/log/httpd/audit_log
Rule ID:340147
--8e936720-A--
[12/Nov/2009:12:50:05 +0000] @4fQ9lLFTwQAABJ3XD4AAAAE 212.183.140.21 16652 82.197.79.4 80
--8e936720-B--
POST /admin-create-edit-page.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-gb,en;q=0.5
Content-Length: 3129
Cookie: __utma=18801184.1347178227.1254491515.1256650612.1258029153.7; __utmz=18801184.1254491515.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=sssp1h545o1s6u4aknbktb40b0; __utmb=18801184.2.10.1258029153; __utmc=18801184
Host: http://www.domain1.co.uk
Referer: http://www.domain1.co.uk/admin-create-e ... tid=220939
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Content-Type: multipart/form-data;boundary=---------------------------24805172915303
Connection: keep-alive
Keep-Alive: 300
--8e936720-I--
i%5fnme=Haine+%26+Smith+give+%c2%a3500+to+Help+for+Heroes&n%5fnws%5ftitle=Haine+%26+Smith+give+%c2%a3500+to+Help+for+Heroes&n%5fnws%5fdateday=20&n%5fnws%5fdatemonth=07&n%5fnws%5fdateyear=2009&n%5fnws%5fsnippet=We+were+pleased+to+present+our+third+cheque+for+%c2%a3500+to+Help+for+Heroes%2e%2e%2e&n%5fnws%5fitem=%3cp+style%3d%22margin%3a+0cm+0cm+0pt%22+class%3d%22content%22%3e%0d%0a%26nbsp%3b%0d%0a%3c%2fp%3e%0d%0a%3cp+style%3d%22margin%3a+0cm+0cm+0pt%22+class%3d%22content%22%3e%0d%0aWe%26nbsp%3bwere+pleased+to+present+another+cheque+for+%26pound%3b500+to+Help+for+Heroes%2c+the+charity+which+provides+support+to+the+organisations+caring+for+our+wounded+service+men+and+women%2e+%0d%0a%3c%2fp%3e%0d%0a%26nbsp%3b+%0d%0a%3cp+style%3d%22margin%3a+0cm+0cm+0pt%22+class%3d%22content%22%3e%0d%0aCharity+Co%2dfounder%2c+Emma+Parry+says%3b+%26ldquo%3bOver+the+next+two+years+we+aim+to+raise+a+further+%26pound%3b20+million+to+supplement+the+available+facilities+and+care%2c+so+that+service+personnel+in+rehabilitation+get+the+very+best+of+treatment%2e%26rdquo%3b+%0d%0a%3c%2fp%3e%0d%0a%26nbsp%3b+%0d%0a%3cp+style%3d%22margin%3a+0cm+0cm+0pt%22+class%3d%22MsoNormal%22%3e%0d%0a%3cfont+face%3d%22Arial%22+size%3d%223%22%3e%3cspan+class%3d%22content%22%3eHaine+%26amp%3b+Smith+have+donated+over+%26pound%3b1500+to+the+charity+since+the+start+of+our+fundraising+initiative+and+will+continue+to+donate+a+%26pound%3b1+from+every+eye+examination+booked+at+their+Amesbury%2c+Warminster+and+Wootton+Basset+practices%2e%3c%2fspan%3e+%3c%2ffont%3e%0d%0a%3c%2fp%3e%0d%0a%3cp+style%3d%22margin%3a+0cm+0cm+0pt%22+class%3d%22MsoNormal%22%3e%0d%0a%3cfont+face%3d%22Arial%22+size%3d%223%22%3e%3c%2ffont%3e%0d%0a%3c%2fp%3e%0d%0a%3cp+style%3d%22margin%3a+0cm+0cm+0pt%22+class%3d%22MsoNormal%22%3e%0d%0a%26nbsp%3b%0d%0a%3c%2fp%3e%0d%0a%3cp+style%3d%22margin%3a+0cm+0cm+0pt%3b+text%2dalign%3a+center%22+class%3d%22MsoNormal%22+align%3d%22center%22%3e%0d%0a%3cimg+style%3d%22width%3a+377px%3b+height%3a+284px%22+src%3d%22resource
s%2fo%5falison%5f%26amp%3b%5fkelly%5f%5f%5f%5f%5f%5f20%5f07%5f09%2ejpg%22+alt%3d%22%22+width%3d%221790%22+height%3d%221364%22+%2f%3e+%0d%0a%3c%2fp%3e%0d%0a%3cp+style%3d%22margin%3a+0cm+0cm+0pt%3b+text%2dalign%3a+center%22+class%3d%22MsoNormal%22+align%3d%22center%22%3e%0d%0a%26nbsp%3b%0d%0a%3c%2fp%3e%0d%0a%3cp%3e%0d%0a%3cspan+class%3d%22content%22+style%3d%22font%2dsize%3a+10pt%3b+line%2dheight%3a+150%25%22%3eAlison+Quick+%28right%29%2c+Manager+of+Haine+%26amp%3b+Smith+in%26nbsp%3bWarminster+presents+Help+for+Heroes%26rsquo%3b+Kelly+Dolan+with+a+cheque+for+%26pound%3b500%2e+%3c%2fspan%3e%0d%0a%3c%2fp%3e%0d%0a&thsstatus=0&perms%5f1=3&catid=220939&submitx=save&undocatid=
--8e936720-F--
HTTP/1.1 403 Forbidden
Last-Modified: Mon, 03 Mar 2008 13:37:16 GMT
ETag: "e3815d-3c4-447887c74db00"
Accept-Ranges: bytes
Content-Length: 964
Connection: close
Content-Type: text/html; charset=UTF-8
--8e936720-H--
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "618"] [id "340147"] [rev "53"] [msg "Atomicorp.com WAF Rules: Generic XSS filter"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?(>|<)|< ?/?i?frame|\%env)" at ARGS:n_nws_item.
Action: Intercepted (phase 2)
Stopwatch: 1258030205751542 23238 (14923* 20578 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); 200911111521.
Server: Apache/2.2.3 (CentOS)
--8e936720-Z--
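As an added triage example (not code from the post or from Atomicorp), the following Python decodes a POST body like the -I- sections above and runs the two rule regexes quoted in the -H- sections over each argument, to show which argument and which fragment tripped each rule. The sample body is a constructed, shortened version of the first news item, and the transformations real ModSecurity applies before matching (not visible in the log) are approximated with regex flags.

```python
import re
from urllib.parse import parse_qs

# The two regexes copied verbatim from the "Pattern match" fields of the
# audit entries above (rule 340147 "Generic XSS filter", rule 340148
# "Cross Site Scripting Attack").
RULES = {
    "340147": r'(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?(>|<)|< ?/?i?frame|\%env)',
    "340148": r'(< ?((img|i?frame) ?src|a ?href) ?= ?(ogg|gopher|zlib|(ht|f)tps?)\:/|alert ?\(|<? ((java|vb)?script|applet|activex|chrome) ?>|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?>|< ?/?i?frame|\%env)',
}

# Constructed sample: a shortened, url-encoded version of the news-item POST
# from the first audit entry. It is ordinary CMS markup, not an attack.
SAMPLE_BODY = (
    "i%5fnme=Eye+Test+saves+girls+sight&catid=993&submitx=save&undocatid="
    "&n%5fnws%5fitem=%3cp+class%3d%22content%22%3eCeri+took+Ella+for+an+eye+test%2e"
    "%3c%2fp%3e%3cspan+class%3d%22content%22%3e%3c%2fspan%3e"
    "%3cspan+class%3d%22content%22%3eCeri+told+the+newspaper%3c%2fspan%3e"
)


def triage(body, rule_id):
    """Decode a url-encoded POST body (the -I- section of the audit log) and
    return (argument, matched_fragment) for the first argument the rule's
    pattern hits, or None. Approximation: the engine runs the rule's
    transformations (e.g. lowercase, whitespace compression) first, and the
    log does not show them, so IGNORECASE/DOTALL stand in for them here."""
    pattern = re.compile(RULES[rule_id], re.IGNORECASE | re.DOTALL)
    for arg, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hit = pattern.search(value)
            if hit:
                return arg, hit.group(0)
    return None


def vhost_exclusion(rule_ids):
    """Render the ModSecurity 2.x directive that turns the listed rules off
    when placed inside one Apache <VirtualHost>, so the CMS domain is exempt
    while every other domain on the Plesk box keeps the rules."""
    return "SecRuleRemoveById " + " ".join(sorted(rule_ids))


if __name__ == "__main__":
    for rid in ("340147", "340148"):
        # Both rules fire on tag-boundary adjacency ('><' or '"><') that
        # ordinary editor HTML produces, which is why it looks like XSS.
        print(rid, triage(SAMPLE_BODY, rid))
    print(vhost_exclusion(RULES))
```

Run it against the real -I- body of an audit entry to see exactly which fragment of the news item matched before deciding whether the rule should be excluded for that vhost.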