Somebody kill my Apache with "Invalid method in request", please help...

Discussion in 'EasyApache' started by x-man, Jun 14, 2005.

  1. x-man

    My Apache can't work; they kill my Apache in one second. I don't know how, but I know that they attack my MAIN SHARED IP, and here are only a few lines from the Apache error log:

    tail -n 200 /usr/local/apache/logs/error_log | more

    [Tue Jun 14 22:44:19 2005] [error] [client 24.23.214.254] Invalid method in request nck8f1fCarTTUsf
    [Tue Jun 14 22:44:19 2005] [error] [client 24.23.214.254] Invalid method in request vCEH4WqcUY5Hf1U
    [Tue Jun 14 22:44:19 2005] [error] [client 210.235.223.65] Invalid method in request eyKbSScnu
    [Tue Jun 14 22:44:19 2005] [error] [client 60.93.4.4] Invalid method in request caDdcuj1Ry5i8kXuLV5IGAk
    [Tue Jun 14 22:44:20 2005] [error] [client 67.22.199.217] Invalid method in request l1rz3MVMRT
    [Tue Jun 14 22:44:20 2005] [error] [client 83.17.3.5] Invalid method in request 1ScncX0g764YM
    [Tue Jun 14 22:44:20 2005] [error] [client 201.129.92.168] Invalid method in request J2NYO
    [Tue Jun 14 22:44:20 2005] [error] [client 220.213.208.192] Invalid method in request vFKizAG
    [Tue Jun 14 22:44:20 2005] [error] [client 61.200.104.147] Invalid method in request AuqX30rGaJEiL
    [Tue Jun 14 22:44:21 2005] [error] [client 218.81.137.16] Invalid method in request K16NxgBp
    [Tue Jun 14 22:44:21 2005] [error] [client 67.102.82.90] Invalid method in request I82SlesKeQ6CoEV
    [Tue Jun 14 22:44:21 2005] [error] [client 202.108.158.106] Invalid method in request MJ2OKh2Z1
    [Tue Jun 14 22:44:21 2005] [error] [client 218.235.162.214] Invalid method in request 9iUTotiu16sugjE51r
    [Tue Jun 14 22:44:22 2005] [error] [client 172.216.252.106] Invalid method in request ILy5S8bSAFdTk
    [Tue Jun 14 22:44:22 2005] [error] [client 201.137.158.231] Invalid method in request g4OPQhSa8PW8R5
    [Tue Jun 14 22:44:22 2005] [error] [client 69.180.7.237] Invalid method in request ZmrJg1JEgSWPRM9oACb
    [Tue Jun 14 22:44:22 2005] [error] [client 70.118.175.144] Invalid method in request sT
    [Tue Jun 14 22:44:22 2005] [error] [client 222.148.40.156] Invalid method in request
    [Tue Jun 14 22:44:22 2005] [error] [client 82.117.202.145] Invalid method in request CSIP
    [Tue Jun 14 22:44:22 2005] [error] [client 137.205.78.253] Invalid method in request gQ8NgmZP
    [Tue Jun 14 22:44:23 2005] [error] [client 60.30.245.176] Invalid method in request OLPWtghOfmcYsbymAooyoXS
    [Tue Jun 14 22:44:23 2005] [error] [client 59.187.221.22] Invalid method in request gq5JDmquX3KItcn3K3cyfh61JODdpLVX8v8yA
    [Tue Jun 14 22:44:24 2005] [error] [client 24.211.47.165] Invalid method in request 4Xc
    [Tue Jun 14 22:44:24 2005] [error] [client 202.133.101.84] Invalid method in request RTggnnBaeiR
    [Tue Jun 14 22:44:24 2005] [error] [client 220.29.161.31] Invalid method in request 0eJ0qx1
    [Tue Jun 14 22:44:24 2005] [error] [client 221.77.98.12] Invalid method in request QbkU3DZ
    [Tue Jun 14 22:44:25 2005] [error] [client 193.17.14.216] Invalid method in request mqMLTAYx
    [Tue Jun 14 22:44:25 2005] [error] [client 66.167.147.113] Invalid method in request st3Yn1GEbDPg55seNpIjrI1gvqhVYa
    [Tue Jun 14 22:44:25 2005] [error] [client 68.162.59.242] Invalid method in request 38a
    [Tue Jun 14 22:44:25 2005] [error] [client 210.235.223.65] Invalid method in request nyR7Aa
    [Tue Jun 14 22:44:25 2005] [error] [client 61.252.99.43] Invalid method in request mRY0m
    [Tue Jun 14 22:44:25 2005] [error] [client 59.187.221.22] Invalid method in request lEZtym
    [Tue Jun 14 22:44:25 2005] [error] [client 211.220.20.150] Invalid method in request Ha
    [Tue Jun 14 22:44:25 2005] [error] [client 137.49.235.149] Invalid method in request lqs
    [Tue Jun 14 22:44:25 2005] [error] [client 82.201.254.146] Invalid method in request FN6XPK3j94AoJgRa3EUgWK4yp7EwjVeSXq
    [Tue Jun 14 22:44:26 2005] [error] [client 69.149.39.169] Invalid method in request d4ObqS
    [Tue Jun 14 22:44:26 2005] [error] [client 24.46.216.104] Invalid method in request Nwy
    [Tue Jun 14 22:44:27 2005] [error] [client 219.126.124.169] Invalid method in request NUnq
    [Tue Jun 14 22:44:29 2005] [error] [client 24.46.217.123] Invalid method in request xJBoZlDlwdJ2ttrQ4xc
    [Tue Jun 14 22:44:30 2005] [error] [client 219.116.174.36] Invalid method in request 6mhZuq4
    [Tue Jun 14 22:44:30 2005] [error] [client 219.116.174.36] Invalid method in request zxFqkn
    [Tue Jun 14 22:44:30 2005] [error] [client 24.187.32.65] Invalid method in request 4O7KclXpGGO0VNew4bvtp0L5cD
    [Tue Jun 14 22:44:30 2005] [error] [client 84.68.17.201] Invalid method in request zKQWy
    [Tue Jun 14 22:44:30 2005] [error] [client 201.6.151.243] Invalid method in request 90Z
    [Tue Jun 14 22:44:30 2005] [error] [client 196.200.81.23] Invalid method in request h4
    [Tue Jun 14 22:44:30 2005] [error] [client 70.97.171.23] Invalid method in request C3qJv
    [Tue Jun 14 22:44:30 2005] [error] [client 62.79.105.247] Invalid method in request j
    [Tue Jun 14 22:44:31 2005] [error] [client 172.206.177.65] Invalid method in request 7DlzS
    [Tue Jun 14 22:44:31 2005] [error] [client 218.40.112.169] Invalid method in request 2mTC58FrG
    [Tue Jun 14 22:44:35 2005] [error] [client 65.221.34.200] Invalid method in request Kw6VSHjDMR

    Does somebody know how I can fix this? On my server I don't have high load, all works fine, but this kills Apache and the server can't work; Apache goes down a second after restart!!!

    Please help, people... my server has been down the whole day and I can't solve this problem :(
     
  2. MMarko

    Maybe mod_security can prevent these problems... install it if you didn't already...
     
  3. x-man

    I don't know why, but mod_security doesn't block this attack!!! Must I add some special rules???
     
  4. MMarko

    Hm, don't know. Maybe :)
     
  5. alex2k

    I got this problem also
    Anyone know how to fix it?

    I already installed mod_security :(
     
  6. kuwaitnt

    :rolleyes: I am not sure, but try to recompile Apache again and test it
     
  7. x-man

    I can't stop this stupid attack :( This is a big problem. They don't send much traffic to my server, max 1.2Mbps, and all works fine, but this kills Apache very fast with this "Invalid method in request". I don't know why this is a big problem for Apache, and I don't know why some software (like mod_security) can't filter this traffic, because this traffic is not like normal traffic....
     
  8. x-man

    That doesn't help!! (to me)
     
  9. x-man

    Now I want to block access to the MAIN/SHARED IP and change IPs for all sites because this doesn't want to stop!!

    What is the best way to block access to this IP??

    I tried to block it in iptables:
    iptables -A INPUT -p tcp -d 1.1.1.1 --dport 80 -j REJECT

    and this worked fine for a few minutes, but I don't know why, something RESETS this and I have traffic to this IP again. Does somebody know what can reset this in IPTABLES?? cPanel or the firewall??

    Also, I set this in my firewall but again nothing; again it works for a few minutes and everything is back like before, again traffic to this IP... I don't know what the problem can be, and how can I block traffic to this IP on my server??????


    Thanks.
     
  10. MMarko

    Read the mod_security manual and add your custom rule.
     
  11. Guda

    Installing mod_security rejects the requests, but the connections are still made, so the MaxClients limit is still exceeded...

    and hell yes, it's annoying...
     
  12. webignition

    You could try turning off KeepAlive or reducing the value for KeepAliveTimeout to see if Apache then clears away these rejected requests more quickly.
     
  13. chirpy

    As is cross-posting, please don't do it. Stick to one thread so that you don't confuse the issue by discussing your problem in multiple ones.
     
  14. SACHIN

    Install a firewall..

    This is an attack on the Apache server; you can stop this attack using a firewall.

    You can install apf .... :cool:
     
  15. dgbaker

    Also look at installing apache mod_dosevasive.
     
  16. SACHIN

    same problem

    Hello..

    If someone is attacking from different IPs and attacking continuously, how can we block it using apf..
    We already blocked 4000 IPs and the attack is still going on.................


    :confused:
     
  17. NightStorm

    I've seen this pattern before... recently.
    Give me a few minutes to track it down on my servers...
     
  18. NightStorm

    I think I found it.
    Snort sid 15 is pretty close to the matching query.
    What you could do is install snort+snortsam+acid, and monitor for that specific attack (enable all the http rules in Snort). Once you locate the right one, set snort to firewall the source IP address for, say, 900 minutes. snortsam will allow you to do this.
    http://root0.net/snort/ is a quick and easy method to install and integrate all the needed modules to get this going. The nice thing about snort is that it listens at the network card, so it can intercept the signal before it even reaches Apache.
    I hope this helps. With tweaking, you can use it for everything else as well, from firewalling port scanners, to banning invalid SSH attempts, and so on.
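
In the log quoted in the first post, most client addresses appear only once or twice within a few seconds, so a per-address threshold sees very little while the aggregate rate is high. The following is an added example, not code from any poster in this thread: it parses error_log lines of that format and reports the aggregate rate and distinct-source count next to the per-address counts. The sample lines, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the error_log format quoted in the first post
# (documentation-range addresses and made-up method strings).
SAMPLE_LOG = """\
[Tue Jun 14 22:44:19 2005] [error] [client 192.0.2.10] Invalid method in request aK3fQ
[Tue Jun 14 22:44:19 2005] [error] [client 198.51.100.7] Invalid method in request Zp9
[Tue Jun 14 22:44:19 2005] [error] [client 203.0.113.44] Invalid method in request
[Tue Jun 14 22:44:20 2005] [error] [client 192.0.2.10] Invalid method in request mm2Lx8
[Tue Jun 14 22:44:20 2005] [error] [client 198.51.100.90] Invalid method in request Qr
[Tue Jun 14 22:44:20 2005] [error] [client 203.0.113.5] File does not exist: /home/user/public_html/favicon.ico
[Tue Jun 14 22:44:21 2005] [error] [client 192.0.2.77] Invalid method in request t7Yb
[Tue Jun 14 22:44:21 2005] [error] [client 203.0.113.61] Invalid method in request 0xWn3
"""

# Matches only "Invalid method in request" entries; the method token may be empty.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"Invalid method in request ?(?P<method>.*)$"
)


def parse(log_text):
    """Yield (timestamp, client_ip, method_token) for each matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["method"]


def summarize(log_text, per_ip_threshold=5):
    """Compare per-address counts with the aggregate picture."""
    events = list(parse(log_text))
    per_ip = Counter(ip for _, ip, _ in events)
    per_second = Counter(ts for ts, _, _ in events)  # timestamps have 1 s resolution
    return {
        "events": len(events),
        "distinct_sources": len(per_ip),
        "peak_per_second": max(per_second.values(), default=0),
        "sources_over_threshold": sorted(
            ip for ip, n in per_ip.items() if n >= per_ip_threshold
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An empty `sources_over_threshold` together with a high `distinct_sources` and `peak_per_second` indicates a flood spread across many addresses, where blocking individual sources does little to relieve the connection limit.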
     
