Somebody kill my Apache with "Invalid method in request", please help...

[x-man]

My apache can`t work, they kill my apache in one second, I don`t know how but I know that they attack my MAIN SHARED IP and here is only few lines from apache error log:

tail -n 200 /usr/local/apache/logs/error_log | more

[Tue Jun 14 22:44:19 2005] [error] [client 24.23.214.254] Invalid method in request nck8f1fCarTTUsf
[Tue Jun 14 22:44:19 2005] [error] [client 24.23.214.254] Invalid method in request vCEH4WqcUY5Hf1U
[Tue Jun 14 22:44:19 2005] [error] [client 210.235.223.65] Invalid method in request eyKbSScnu
[Tue Jun 14 22:44:19 2005] [error] [client 60.93.4.4] Invalid method in request caDdcuj1Ry5i8kXuLV5IGAk
[Tue Jun 14 22:44:20 2005] [error] [client 67.22.199.217] Invalid method in request l1rz3MVMRT
[Tue Jun 14 22:44:20 2005] [error] [client 83.17.3.5] Invalid method in request 1ScncX0g764YM
[Tue Jun 14 22:44:20 2005] [error] [client 201.129.92.168] Invalid method in request J2NYO
[Tue Jun 14 22:44:20 2005] [error] [client 220.213.208.192] Invalid method in request vFKizAG
[Tue Jun 14 22:44:20 2005] [error] [client 61.200.104.147] Invalid method in request AuqX30rGaJEiL
[Tue Jun 14 22:44:21 2005] [error] [client 218.81.137.16] Invalid method in request K16NxgBp
[Tue Jun 14 22:44:21 2005] [error] [client 67.102.82.90] Invalid method in request I82SlesKeQ6CoEV
[Tue Jun 14 22:44:21 2005] [error] [client 202.108.158.106] Invalid method in request MJ2OKh2Z1
[Tue Jun 14 22:44:21 2005] [error] [client 218.235.162.214] Invalid method in request 9iUTotiu16sugjE51r
[Tue Jun 14 22:44:22 2005] [error] [client 172.216.252.106] Invalid method in request ILy5S8bSAFdTk
[Tue Jun 14 22:44:22 2005] [error] [client 201.137.158.231] Invalid method in request g4OPQhSa8PW8R5
[Tue Jun 14 22:44:22 2005] [error] [client 69.180.7.237] Invalid method in request ZmrJg1JEgSWPRM9oACb
[Tue Jun 14 22:44:22 2005] [error] [client 70.118.175.144] Invalid method in request sT
[Tue Jun 14 22:44:22 2005] [error] [client 222.148.40.156] Invalid method in request
[Tue Jun 14 22:44:22 2005] [error] [client 82.117.202.145] Invalid method in request CSIP
[Tue Jun 14 22:44:22 2005] [error] [client 137.205.78.253] Invalid method in request gQ8NgmZP
[Tue Jun 14 22:44:23 2005] [error] [client 60.30.245.176] Invalid method in request OLPWtghOfmcYsbymAooyoXS
[Tue Jun 14 22:44:23 2005] [error] [client 59.187.221.22] Invalid method in request gq5JDmquX3KItcn3K3cyfh61JODdpLVX8v8yA
[Tue Jun 14 22:44:24 2005] [error] [client 24.211.47.165] Invalid method in request 4Xc
[Tue Jun 14 22:44:24 2005] [error] [client 202.133.101.84] Invalid method in request RTggnnBaeiR
[Tue Jun 14 22:44:24 2005] [error] [client 220.29.161.31] Invalid method in request 0eJ0qx1
[Tue Jun 14 22:44:24 2005] [error] [client 221.77.98.12] Invalid method in request QbkU3DZ
[Tue Jun 14 22:44:25 2005] [error] [client 193.17.14.216] Invalid method in request mqMLTAYx
[Tue Jun 14 22:44:25 2005] [error] [client 66.167.147.113] Invalid method in request st3Yn1GEbDPg55seNpIjrI1gvqhVYa
[Tue Jun 14 22:44:25 2005] [error] [client 68.162.59.242] Invalid method in request 38a
[Tue Jun 14 22:44:25 2005] [error] [client 210.235.223.65] Invalid method in request nyR7Aa
[Tue Jun 14 22:44:25 2005] [error] [client 61.252.99.43] Invalid method in request mRY0m
[Tue Jun 14 22:44:25 2005] [error] [client 59.187.221.22] Invalid method in request lEZtym
[Tue Jun 14 22:44:25 2005] [error] [client 211.220.20.150] Invalid method in request Ha
[Tue Jun 14 22:44:25 2005] [error] [client 137.49.235.149] Invalid method in request lqs
[Tue Jun 14 22:44:25 2005] [error] [client 82.201.254.146] Invalid method in request FN6XPK3j94AoJgRa3EUgWK4yp7EwjVeSXq
[Tue Jun 14 22:44:26 2005] [error] [client 69.149.39.169] Invalid method in request d4ObqS
[Tue Jun 14 22:44:26 2005] [error] [client 24.46.216.104] Invalid method in request Nwy
[Tue Jun 14 22:44:27 2005] [error] [client 219.126.124.169] Invalid method in request NUnq
[Tue Jun 14 22:44:29 2005] [error] [client 24.46.217.123] Invalid method in request xJBoZlDlwdJ2ttrQ4xc
[Tue Jun 14 22:44:30 2005] [error] [client 219.116.174.36] Invalid method in request 6mhZuq4
[Tue Jun 14 22:44:30 2005] [error] [client 219.116.174.36] Invalid method in request zxFqkn
[Tue Jun 14 22:44:30 2005] [error] [client 24.187.32.65] Invalid method in request 4O7KclXpGGO0VNew4bvtp0L5cD
[Tue Jun 14 22:44:30 2005] [error] [client 84.68.17.201] Invalid method in request zKQWy
[Tue Jun 14 22:44:30 2005] [error] [client 201.6.151.243] Invalid method in request 90Z
[Tue Jun 14 22:44:30 2005] [error] [client 196.200.81.23] Invalid method in request h4
[Tue Jun 14 22:44:30 2005] [error] [client 70.97.171.23] Invalid method in request C3qJv
[Tue Jun 14 22:44:30 2005] [error] [client 62.79.105.247] Invalid method in request j
[Tue Jun 14 22:44:31 2005] [error] [client 172.206.177.65] Invalid method in request 7DlzS
[Tue Jun 14 22:44:31 2005] [error] [client 218.40.112.169] Invalid method in request 2mTC58FrG
[Tue Jun 14 22:44:35 2005] [error] [client 65.221.34.200] Invalid method in request Kw6VSHjDMR

somebody know how I can fic this, on my server I don`t have high load, all work fine but this kill apache and server can`t work, apache down in second after restart!!!

Please help people...whole day my server down and I can`t solve this problem

[MMarko]

Maybe mod_security can prevent these problems... install it if you didn't allready...

[x-man]

I don`t know why but mod_security don`t block this attack!!! I must add some special rules???

[MMarko]

Hm, don't know. Maybe

[alex2k]

I got this problem also
Anyone know how to fix it?

I already install mod_security

[kuwaitnt]

iam not sure but try to recompil the apache agine and test it

[x-man]

I can`t stop this stupid attack this is big problem, they don`t send much traffic to my server max 1.2Mbps and all work fine but this kill apache very fast with this "Invalid method in request", I don`t know why is this big problem for apache, and I don`t know why some software (like mod_security) can`t filter this traffic because this traffic is not like normal traffic....

[x-man]

iam not sure but try to recompil the apache agine and test it

That don`t help!! (to me)

[x-man]

Now I want block access to MAIN/SHARED IP and change IPs for all sites because this don`t want stop!!

What is best way to block access to this IP??

I try to block in iptables:
iptables -A INPUT -p tcp -d 1.1.1.1 --dport 80 -j REJECT

and this work fine few minutes but I don`t know why but something RESET this and I have again traffic to this IP, somebody know what can reset this in IPTABLES?? cPanel or firewall??

Also, I set this in my firewall but again nothing, again work few minutes and all back like before, again traffic to this IP...I don`t know what can be problem and how I can block traffic to this ip on my server??????


Thanks.

[MMarko]

Also, I set this in my firewall but again nothing, again work few minutes and all back like before, again traffic to this IP...I don`t know what can be problem and how I can block traffic to this ip on my server??????

Read mod_security manual and add your custom rule.

[Guda]

installing mod_security
rejects the requests, but the connections are still made, so the MaxClients limit is still exceeded...

and hell yes its annoying...

[webignition]

installing mod_security
rejects the requests, but the connections are still made, so the MaxClients limit is still exceeded...

and hell yes its annoying...

You could try turning off KeepAlive or reducing the value for KeepAliveTimeout to see if Apache then clears away these rejected requests more quickly.

[chirpy]

and hell yes its annoying...

As is cross-posting, please don't do it. Stick to one thread so that you don't confuse the issue by discussing your problem in multiple ones.

[SACHIN]

this is attack on apache server, you can stop this attack using firewalll.

you can install apf ....

[dgbaker]

Also look at installing apache mod_dosevasive.