InMotion Hosting Support Center

Brute Force Attack on Web Service

Category: Server Usage

2013-06-13 2:17 pm EST

Hits: 488
We found there are couple thousand of the following message in the past two days. Every now and then the webpage return internal error and we suspect this is related.

We trace the IP address is back to inMotionHosting and we try to make sense of it what is happening?

Could you please kindly assist?

Message found within ERROR_LOG file which can be found under apache
[Wed Jun 12 21:40:01 2013] [error] [client] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "62"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname ""] [uri "/index.php"] [unique_id "UblNIUp820oAAHSkHaUAAAAk"]

You must login before you can ask a follow up question.

You must login before you can submit an answer.



40,987 Points
2013-06-13 4:48 pm EST
Hello CanopyValley,

Thank you for your question about brute force attack on web service.

It appears that something within your code is probably parsing through the site and it's triggering the mod security rule. You can find and disable specific mod security rules and I did request a systems person review it and go ahead and disable the specific rule for you. This will hopefully resolve the issue you're seeing. If you have any further question or issue with this action please let us know. Make sure you review the article on finding and disabling the specific mod security rules if you require more information.


Arnel C.

You must login before you can post a comment about this answer.

thanks for the information. Do you have any additional steps / instruction on how to locate the scripts that is scanning the server? I have check all the cron tab and did not locate any script we have schedule to run will do such. thanks!
32 Points
2013-06-13 5:01 pm EST
Hi CanopyValley,

You're welcome! There really are no additional steps. The best way to isolate what's happening is to be looking at the Apache error log as you have done - it identifies where the code is coming from in the error (in many cases it id's the "index" file). Remember that you would need root access in order to perform the changes identified by the Find and Disable Specific Mod Security rules. I hope this helps to answer your question. Let us know if you have any further questions or require further assistance.


40,987 Points
2013-06-13 5:24 pm EST
Like this Question?

Support Center Login

Our Login page has moved, Click the button below to be taken to the login page.

Need more Help?


Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail:
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!