Return-Path: Delivered-To: apmail-httpd-users-archive@www.apache.org Received: (qmail 84921 invoked from network); 21 May 2008 09:06:07 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 21 May 2008 09:06:07 -0000 Received: (qmail 10078 invoked by uid 500); 21 May 2008 09:05:58 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 10063 invoked by uid 500); 21 May 2008 09:05:58 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 10052 invoked by uid 99); 21 May 2008 09:05:57 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 May 2008 02:05:57 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of fayland@gmail.com designates 209.85.200.168 as permitted sender) Received: from [209.85.200.168] (HELO wf-out-1314.google.com) (209.85.200.168) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 May 2008 09:05:07 +0000 Received: by wf-out-1314.google.com with SMTP id 24so2196530wfg.15 for ; Wed, 21 May 2008 02:05:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; bh=jYKrhUwUbLAhXsPT4e5e+7gX1wh/eG5EmiYefsSOEbM=; b=AnhxqzYlY6LpiYsHvbuiTW4J+qcMqRfnx7ufL3veI5X7+JrPA+CIXvRq9Z/FOtH7qbv7ZTscO3xohRqfd2SdSunXKq2uTZ5I/k62uNDTbfGsXaoROTlvVb4QV2C4roS7Oeyw1VzE6tk3rtMVVZSTcb+kCD7Sg2mtdb5FbMYrcFM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=t7dQEJJf1OvwSckYOrY1AYePxjVNUoM2SMLosf1/p+1C9ZDViGXciPB3Zcjs56JjSSWb5N2wIVv614+a+kxj2KwrR5/xWts6nhSc5P7QDiar1DzvoT78w1UGdX/8I0AAPRFDDj6QIwADe69yXvKICU/yP+4D2TYRckKleE3wlIQ= Received: by 10.142.188.4 with SMTP id l4mr3777214wff.92.1211360723384; Wed, 21 May 2008 02:05:23 -0700 (PDT) Received: from ?60.180.43.107? ( [60.180.43.107]) by mx.google.com with ESMTPS id 27sm2441539wfa.2.2008.05.21.02.05.21 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 21 May 2008 02:05:22 -0700 (PDT) Message-ID: <4833E5C3.8040609@gmail.com> Date: Wed, 21 May 2008 17:05:07 +0800 From: Fayland Lam User-Agent: Thunderbird 2.0.0.14 (Windows/20080421) MIME-Version: 1.0 To: users@httpd.apache.org References: <48337B6B.5030104@gmail.com> <1621858946-1211354646-cardhu_decombobulator_blackberry.rim.net-628570794-@bxe051.bisx.produk.on.blackberry> In-Reply-To: <1621858946-1211354646-cardhu_decombobulator_blackberry.rim.net-628570794-@bxe051.bisx.produk.on.blackberry> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-Virus-Checked: Checked by ClamAV on apache.org Subject: [users@httpd] Re: POST content Attack? matt.farey@gmail.com wrote: > sounds like you could benefit from logging incoming request payloads. Consider mod security to sanitize requests and log, if you can't modify your perl script to do it, how do you modify the textarea data before doing the INSERT? Do you know what the perl script has been doing? Have you ensured that you files/permissions have not been modified? I think 11M is far too much for a text area, consider modifying that value in parts of your application that are not file uploads and/or truncating input inside you perl script. > not doubt that we limited the length of textarea in our Perl script. but it seems it's not reach there. and the request is hanging, or else, Perl will print an error. any more hint? Thanks, dude. > > Sent from my BlackBerry� wireless device > > -----Original Message----- > From: Fayland Lam > > Date: Wed, 21 May 2008 09:31:23 > To:users@httpd.apache.org > Subject: [users@httpd] POST content Attack? > > hi list. > > we are in attack I think. our Perl script is taking 2G to process one > request. > > 8: 18940 1567M 5.9M 1567M 1121M W 0.000s 0.000s 459 1.2.3.4 > www.xxsite.com POST /comment/post HTTP/1.0 > > that's from vmonitor. > > I'm wondering is there someone to put large content in our comment > textarea? > we limited size in Apache httpd.conf (LimitRequestBody 11000000) but it > doesn't help. > or it's not related to POST content? > > any hint is really appreciated. > > Thanks. > -- Fayland Lam // http://www.fayland.org/ Foorum based on Catalyst // http://www.foorumbbs.com/ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org