Service Temporarily Unavailable?

software development

#1

Hi,

I have a script that tracks my eBay listings, which includes the referrer. Sometimes the referrer contains this: ebayisapi. For some reason, if that particular word is any part of the URL, I get this error: Service Temporarily Unavailable. This happens with all of my Dreamhost domains. Try it yourself, and go to yourdomain.com/?ebayisapi or even yourdomain.com/ebayisapi.html and see if it happens. Does anyone have an explanation?

Thanks,
Tom


#2

I can’t reproduce that problem on my site (maybe already fixed). Could it be a ModSecurity error? Your error log would show you what happened.

DreamHost runs ModSecurity in its Apache web servers to reject common attacks. I regularly see ModSecurity 503 (Service Unavailable) errors in my error logs. I’m glad that DreamHost is filtering out known attacks, but the downside is that overzealous ModSecurity patterns could accidentally block legitimate traffic.

Example ModSecurity 503 Error (data cleaned to protect the guilty):

[Sun Sep 21 19:21:16 2008] [error] [client X.X.X.X] ModSecurity: Access denied with code 503 (phase 2). Pattern match “=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?” at REQUEST_URI. [file “/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf”] [line “23”] [id “390144”] [rev “2”] [msg “Command shell attack: Generic Attempt to remote include command shell”] [severity “CRITICAL”] [hostname “example.com”] [uri “/skins/advanced/advanced1.php”] [unique_id “XXXXX”]


#3

Thanks for the response! I was checking my access log, but didn’t think to check my error log, and sure enough this is what it says:

mod_security: Access denied with code 503. Pattern match “eBayISAPI” at THE_REQUEST [severity “EMERGENCY”]

I know that scammers like to use “eBayISAPI” in their URL to make it look real when trying to steal someone’s eBay password, but this really poses a problem for me. I could use javascript to encode the URL, but I would have to revise hundreds of my eBay listings to do so. I’ve contact DH support so hopefully they will have a solution.

Thanks,
Tom


#4

I received a response from support and they showed me how to disable mod_security, so now all is well!