403s still driving up php processes

Discussion in 'General' started by felosi, Sep 19, 2007.

  1. felosi

    felosi New Member

    Ok, I guess this is because autoindex kicks in for the 403 but there needs to be a better way because to block someone does no good because they will still get 403s and execute php each time.
    the measure I took was adding a 403.shtml But I think in general something should be different so it doesnt execute php each time there is a 403

    For example I had this site getting attacked. I noticed a flaw in the way the bots were attacking. They was all hitting site.com//index.php notice the double slashes. So I made a mod security rule to block this.

    Problem was I still kept on seeing a high resource usage from this user. As well as their php processes running out.

    Anyway its a simple fix just a suggestion, When you add the shtml files the php processes will go way down as well as server load

    here is an example of the attack

    210.17.144.130 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
    156.34.8.177 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
    156.34.8.177 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
    210.17.144.130 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"


    I also noticed that this drove transfer usage up as well. I just now added the shtml file. I will see if it makes a difference as far as that goes
  2. mistwang

    mistwang LiteSpeed Staff

    Our directory auto index is implemented with PHP, however, the 403 response should not invoke auto index. So, it should be something else. Maybe a PHP powered 403 custom error page.
  3. felosi

    felosi New Member

    hmm, Im an idiot. I gotta pinpoint what was causing that. Was a blog so may have been somethin built in like wordpress has.
    I was thinking it was autoindex or some other php page.
    Sorry about that, I thought for sure it was invoking some kind of php process because they was all getting 403s yet the php processes and load was high.
    where does the forbidden page located?

Share This Page