Request: 10.122.11.235 - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close

#### Attacker’s address 10.122.11.235 Username:loginc,Password:exodus:PASS ####

open (LOGFILE2,"audit_log") || die " Error opening log file $logFile.\n"; #printf "
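# \n";   (remainder of the commented-out printf that starts on the previous line)
   # Count how often each mod_security-message text occurs in the audit log.
   # Reads from LOGFILE2, the handle opened on "audit_log" above; the text
   # captured between "mod_security-message:" and the last "." on the line
   # (leading space included) becomes the key in %MOD_SEC.
   #
   # NOTE(review): the pattern is not anchored to the start of the line, so any
   # logged line containing "mod_security-message:" is tallied; that would
   # presumably include a client-supplied header of that name echoed into the
   # audit log. Treat the counts as indicative rather than authoritative.
   # Keep audit_log access-restricted: logged requests can carry credentials
   # (the sample entry has passwd= in the query string).
   while (my $line = <LOGFILE2>) {
      if ($line =~ /mod_security-message[:](.*)\./) {
         $MOD_SEC{$1}++;
      }
   }

   # Close the handle that was actually opened (LOGFILE2, not LOGFILE).
   close(LOGFILE2);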



   #-----------------------------------------------------------#
   #  Print the most frequent mod_security messages, ranked    #
   #  by hit count, up to $NUM_RECS_TO_PRINT entries           #
   #-----------------------------------------------------------#

   print "TOP $NUM_RECS_TO_PRINT PATTERN MATCH:\n";
   print "-----------------------------\n\n";

   # Keys of %MOD_SEC ordered from most to least frequent.
   my @ranked = sort { $MOD_SEC{$b} <=> $MOD_SEC{$a} } keys %MOD_SEC;

   # $count is the 1-based rank of the entry being printed; stop once the
   # requested number of rows, or the whole list, has been written.
   $count = 1;
   while ($count <= $NUM_RECS_TO_PRINT && $count <= @ranked) {
      my $modsec = $ranked[ $count - 1 ];
      print "$count\t$modsec= $MOD_SEC{$modsec}  \n";
      $count++;
   }
   print "\n\n";