Possible brute force attack on web service, need help troubleshooting the issues

Category: Server Usage

CanopyValley
Asked:
2013-06-13 2:17 pm EST

We found a couple thousand of the following messages in the past two days. Every now and then the webpage returns an internal error, and we suspect this is related.

We traced the IP address back to InMotion Hosting, and we are trying to make sense of what is happening.

Could you please kindly assist?

Message found within the ERROR_LOG file, which can be found under apache:
[Wed Jun 12 21:40:01 2013] [error] [client 74.124.219.74] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "62"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "canopyvalley.com"] [uri "/index.php"] [unique_id "UblNIUp820oAAHSkHaUAAAAk"]

OTHER ANSWERS

0

Arn
Staff
15,484 Points
2013-06-13 4:48 pm EST
Hello CanopyValley,

It appears that something within your code is probably parsing through the site, and it's triggering the mod security rule. You can find and disable specific mod security rules, and I did request that a systems person review it and go ahead and disable the specific rule for you. This will hopefully resolve the issue you're seeing. If you have any further questions or issues with this action, please let us know. Make sure you review the article on finding and disabling the specific mod security rules if you require more information.

Regards,

Arnel C.

Thanks for the information. Do you have any additional steps / instructions on how to locate the scripts that are scanning the server? I have checked all the crontabs and did not locate any script we have scheduled to run that would do such. Thanks!
CanopyValley
32 Points
2013-06-13 5:01 pm EST
Hi CanopyValley,

You're welcome! There really are no additional steps. The best way to isolate what's happening is to be looking at the Apache error log as you have done - it identifies where the code is coming from in the error (in many cases it id's the "index" file). Remember that you would need root access in order to perform the changes identified by the Find and Disable Specific Mod Security rules. I hope this helps to answer your question. Let us know if you have any further questions or require further assistance.

Regards,

Arnel
Arn
15,484 Points
Staff
2013-06-13 5:24 pm EST
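One way to use the error log as suggested above to see which client, rule ID and URI the denials cluster on, as an added example that is not part of the original thread or InMotion Hosting's tooling. It assumes the Apache 2.2 ModSecurity line format shown in the question; the function names and all sample values not quoted in the post are constructed, and hits that always land on the same minute marks are only a heuristic hint of a scheduled job.

```python
import re
from datetime import datetime

# Apache 2.2 error_log prefix, then the ModSecurity message (format as in the post).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
                     r'ModSecurity: (?P<body>.*)$')
# ModSecurity appends its metadata as [key "value"] pairs.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return a dict for one ModSecurity error_log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = {"client": m.group("client"),
             "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")}
    for key, value in FIELD_RE.findall(m.group("body")):
        event.setdefault(key, value)  # keep the first value if a key repeats
    return event

def summarize(lines):
    """Group denials by (client, rule id, uri) with hit count and minute-of-hour marks."""
    groups = {}
    for line in lines:
        event = parse_modsec_line(line)
        if event is None or "id" not in event:
            continue
        key = (event["client"], event["id"], event.get("uri", "-"))
        group = groups.setdefault(key, {"count": 0, "minutes": set()})
        group["count"] += 1
        group["minutes"].add(event["time"].minute)
    return sorted(groups.items(), key=lambda kv: -kv[1]["count"])

# Constructed sample shaped like the posted entry (192.0.2.10, later times, unique_ids made up).
_DENY = ('ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" '
         'against "REQUEST_HEADERS:User-Agent" required. '
         '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "62"] [id "990011"] '
         '[msg "Request Indicates an automated program explored the site"] '
         '[severity "NOTICE"] [hostname "canopyvalley.com"] [uri "/index.php"]')
SAMPLE = [
    f'[Wed Jun 12 21:40:01 2013] [error] [client 74.124.219.74] {_DENY} [unique_id "c1"]',
    f'[Wed Jun 12 21:50:01 2013] [error] [client 74.124.219.74] {_DENY} [unique_id "c2"]',
    f'[Wed Jun 12 22:40:02 2013] [error] [client 74.124.219.74] {_DENY} [unique_id "c3"]',
    f'[Wed Jun 12 22:41:17 2013] [error] [client 192.0.2.10] {_DENY} [unique_id "c4"]',
    '[Wed Jun 12 22:41:18 2013] [error] [client 192.0.2.10] File does not exist: /home/example/favicon.ico',
]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE):
        print(key, stats["count"], sorted(stats["minutes"]))
```

To run it against a real log, pass an open file handle for the Apache error log to `summarize()` in place of `SAMPLE`.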