For me this was mod_security, with the Atomic/gotroot rules.
The specific rule was:
#protocol violation
SecRule REQUEST_METHOD "POST" "deny,status:403,t:none,chain,rev:2,id:390616,phase:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header',severity:4"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
At file 10_asl_rules.conf
What hackers try to do is upload zip files with phishing sites, using dvmessages.php. They use many different IPs, and they try to upload dozens of files.
This happens on that rule, and because mod_security has configured:
SecResponseBodyAccess On
This makes a very big load on Apache and the server, taking the load to values of 650 and more if you don't stop it.
You can prevent this by putting this rule on top of your mod_security rules:
SecRule REQUEST_URI "dvmessages.php" "id:220,nolog,drop"
(id: 200, because it needs to be the first rule to be read by Apache)
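As an added example that is not part of this post and not Atomicorp's or mod_security's own code: a small Python script that scans Apache access-log lines for the pattern described above (many POST requests to dvmessages.php arriving from many different IPs), so an admin can spot the upload flood before the load climbs. The sample log lines are constructed, and the path fragment and the thresholds in is_upload_flood are assumptions to be tuned per site.

```python
import re
from collections import Counter

# Apache "combined" log format; only client IP, method, path and status are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not taken from a real server): a burst of POSTs to
# dvmessages.php from five addresses, mixed with ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /dvmessages.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "POST /dvmessages.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "POST /dvmessages.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /dvmessages.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:55:38 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "POST /dvmessages.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Oct/2023:13:55:39 +0000] "POST /dvmessages.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the fields we care about, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, path_fragment="dvmessages.php"):
    """Count POST requests whose path contains path_fragment, broken down by source IP."""
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort the scan
        if rec["method"] == "POST" and path_fragment in rec["path"]:
            per_ip[rec["ip"]] += 1
    return {
        "post_count": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "per_ip": per_ip,
    }


def is_upload_flood(summary, min_requests=5, min_ips=3):
    """Flag the distributed-upload pattern: many POSTs to the script from many addresses.

    A single client retrying a few times is not interesting; the load problem in the
    post came from dozens of uploads spread across many IPs, so both thresholds must hold.
    """
    return summary["post_count"] >= min_requests and summary["distinct_ips"] >= min_ips


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"POSTs to dvmessages.php: {s['post_count']} from {s['distinct_ips']} IPs")
    for ip, n in s["per_ip"].most_common():
        print(f"  {ip}: {n}")
    print("upload flood detected" if is_upload_flood(s) else "traffic looks normal")
```

Run it against a real log with `summarize(open('/var/log/apache2/access.log'))`; because the scan keys on the status-independent request line, it also catches the flood after the drop rule is in place, which is useful for confirming that the rule is actually matching.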