Email Reporting Format

InetBiz
Junior Member
Posts: 16
Joined: 31 Aug 2009, 21:16

Email Reporting Format

Post by InetBiz »

I use the contents of the email report from upload scripts to file abuse reports. It currently does not report the destination IP or the time the violation occurred. This information is useful in abuse reports.

Code:

Scanning web upload script file...
Web upload script user: nobody (99)
Web upload script owner:  ()
Web upload script: /home/xxxxxx/public_html/catalog/admin/banner_manager.php
Remote IP: xxx.xxx.xxx.xxx
Deleted: No
Quarantined: Yes [/home/quarantine/nobody/20120418-100647-T47Kd0Wnv1EAAD4uFIoAAAAT-file-7u7xKx.1334758008_1]

NOTE: This alert may be a ModSecurity false-positive as /home/gr8gear/public_html/catalog/admin/banner_manager.php does not exist
InetBiz
Junior Member
Posts: 16
Joined: 31 Aug 2009, 21:16

Re: Email Reporting Format

Post by InetBiz »

I was told to create a suggestion in the forums from Ticket #ZGZ-900-79132. Owning three licenses, I expect this request to carry weight. Thanks!
InetBiz
Junior Member
Posts: 16
Joined: 31 Aug 2009, 21:16

Re: Email Reporting Format

Post by InetBiz »

It ALSO needs to BLOCK the IP on repeated attempts to upload the same exploit script! We were just hit with over 2000 attempts to the same file from various IPs around the world.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: Email Reporting Format

Post by chirpy »

We will consider it in the future but cannot provide any guarantees or timescales. If you want to block based on the ModSecurity triggers, then you have to use the csf option LF_CXS to block attacking IP addresses, as it isn't possible for the cxs process to do so directly with this type of block as the script is running under the nobody account when ModSecurity invokes it.
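
An added example, not part of the thread and not cxs or csf code: a parser for the report layout quoted in the first post that pulls out the fields used in an abuse report and lists scripts hit repeatedly from different IPs. It assumes the quarantine file name begins with a local YYYYMMDD-HHMMSS stamp; the sample reports, path and IPs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^([A-Za-z ]+?):[ \t]*(.*)$", re.M)
# Assumption: the quarantine file name starts with a local YYYYMMDD-HHMMSS stamp.
STAMP = re.compile(r"/(\d{8}-\d{6})-[^/\]]*\]")

def parse_report(text):
    """Pull the abuse-report fields out of one alert e-mail body."""
    fields = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
    m = STAMP.search(fields.get("Quarantined", ""))
    return {
        "script": fields.get("Web upload script"),
        "remote_ip": fields.get("Remote IP"),
        "quarantined": fields.get("Quarantined", "").startswith("Yes"),
        "seen_at": datetime.strptime(m.group(1), "%Y%m%d-%H%M%S") if m else None,
    }

def repeat_targets(reports, threshold=3):
    """Scripts hit at least `threshold` times, with the distinct source IPs."""
    hits, sources = defaultdict(int), defaultdict(set)
    for r in map(parse_report, reports):
        if r["script"] and r["remote_ip"]:
            hits[r["script"]] += 1
            sources[r["script"]].add(r["remote_ip"])
    return {s: sorted(sources[s]) for s, n in hits.items() if n >= threshold}

# Constructed sample reports: placeholder path, documentation-range IPs.
TEMPLATE = """Scanning web upload script file...
Web upload script user: nobody (99)
Web upload script owner:  ()
Web upload script: {script}
Remote IP: {ip}
Deleted: No
Quarantined: Yes [/home/quarantine/nobody/20120418-100647-CONSTRUCTED-file-aaaaaa.1334758008_1]
"""
BANNER = "/home/example/public_html/catalog/admin/banner_manager.php"
SAMPLE_REPORTS = [
    TEMPLATE.format(script=BANNER, ip="192.0.2.10"),
    TEMPLATE.format(script=BANNER, ip="198.51.100.7"),
    TEMPLATE.format(script=BANNER, ip="203.0.113.5"),
    TEMPLATE.format(script="/home/example/public_html/upload.php", ip="192.0.2.10"),
]

if __name__ == "__main__":
    for script, ips in repeat_targets(SAMPLE_REPORTS).items():
        print(f"{script}: {len(ips)} source IPs: {', '.join(ips)}")
```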