After the recent security issues with TYPO3 I keep an especially close watch on my servers' mod_security logs. jumpurl attacks come from many IP addresses and they already bore me. However, today I saw something new and interesting:
Request: 126.96.36.199 188.8.131.52 - - [15/Feb/2009:15:26:10 +0200] "GET /bug/login_page.php HTTP/1.1" 403 220 "-" "Toata dragostea mea pentru diavola" A2x6cn8AAAIAAEygTEwAAAAs "-"
GET /bug/login_page.php HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
mod_security-message: Access denied with code 403. <rule is hidden> [severity "EMERGENCY"]
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
The user agent and host look interesting. The host is the IP address of the server. On many servers this will show the default host, thus making it easy to detect various software on the server or even perform a DoS attack against the server. On this server all requests to the default host lead to an empty file.
Another interesting part was the user agent. I had never seen such a thing before. Searching the Internet revealed that it is some kind of vulnerability scanner. Good to know. Now it is in my mod_security rules too.
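A log check for both signals described above, as an added example that is not part of the original post: it parses lines in the layout of the sample entry (the field order, with the request's host first and the client address second, is an assumption read off that entry) and flags the scanner's user agent and hosts given as bare IP addresses. The sample lines are constructed and use documentation addresses.

```python
import ipaddress
import re

# Assumed layout, read off the sample line in the post:
# host client - - [time] "request" status bytes "referer" "user-agent" ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Signature from the post; matched case-insensitively as a substring.
SCANNER_AGENTS = ("toata dragostea mea pentru diavola",)

def host_is_ip(host):
    """True when the host value is a bare IP literal (optional :port)."""
    if host.startswith("["):            # [IPv6]:port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # IPv4:port or name:port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(line):
    """Return (client, reasons) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    reasons = []
    agent = m.group("agent").lower()
    if any(sig in agent for sig in SCANNER_AGENTS):
        reasons.append("scanner-user-agent")
    if host_is_ip(m.group("host")):
        reasons.append("host-is-ip")
    return m.group("client"), reasons

# Constructed sample lines modelled on the entry in the post.
SAMPLE = [
    '192.0.2.10 198.51.100.7 - - [15/Feb/2009:15:26:10 +0200] "GET /bug/login_page.php HTTP/1.1" 403 220 "-" "Toata dragostea mea pentru diavola" ID-1 "-"',
    'www.example.org 198.51.100.8 - - [15/Feb/2009:15:27:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" ID-2 "-"',
    '192.0.2.10:8080 198.51.100.9 - - [15/Feb/2009:15:28:40 +0200] "GET /index.php HTTP/1.1" 403 220 "-" "Mozilla/5.0" ID-3 "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

A request that trips only "host-is-ip" is not necessarily a scanner, so treat that flag as a reason to look closer rather than as a verdict.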
If you are curious what "toata dragostea mea pentru diavola" is, it is Romanian. It means approximately "All my love is for the devil".