
High CPU Usage due to aggressive vulnerability scanning (l9scan / LeakIX) - Server Morty


Recommended Posts

Posted

Hello everyone,

I host my Flask application (AtenaHub.app.br) on the **Morty** server. Recently, I noticed a sudden and huge spike in my CPU usage. To understand what was going on, I analyzed my `access_log` and `error.log`, and it turns out my account is under a massive automated vulnerability scanning and directory fuzzing attack.

While my application code is safe, the sheer volume of requests is forcing ModSecurity to work overtime, which is draining my CPU quota.

Here is some evidence from my logs:

**1. Aggressive Fuzzing by Scanners (like LeakIX / l9scan):**
They are flooding the server looking for open ports, `.env` files, and `.git` folders.

```text
139.59.136.184 - - [07/Jun/2026:20:41:29 +0000] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.3393e2435313e29313e25363; +https://leakix.net)"
146.190.103.103 - - [07/Jun/2026:20:41:40 +0000] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.3393e2435313e29313e25363; +https://leakix.net)"
```

**2. ModSecurity doing its job (but consuming CPU):**
ModSecurity is correctly blocking these requests with 403s, including attempts to access environment variables and even PHP injection exploits.

```text
[security2:error] [pid 1684739:tid 1684785] [client 146.190.63.248:0] ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"]

[security2:error] [pid 1684739:tid 1684775] [client 146.190.63.248:0] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)php://(std(in|out|err)|(in|out)put|fd|memory|temp|filter)" at ARGS_NAMES:\xadd cgi.force_redirect=0... [msg "COMODO WAF: PHP Injection Attack: I/O Stream Found"]
```

I would like to ask for your advice on the best practice here to save my CPU quota:

1. Should I just block these specific User-Agents and IPs via `.htaccess`?
2. Is there a better internal tool in Plesk you recommend for this?

I want to make sure I handle this efficiently without causing trouble for the shared server. Any suggestions are greatly appreciated!

Thank you!

Posted

Just add these two lines to the .htaccess file for the domain being attacked:

```text
deny from 139.59.136.0/24
deny from 146.190.103.0/24
```

If the attacks continue from this same range, change the above to:

```text
deny from 139.59.0.0/16
deny from 146.190.0.0/16
```
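As an added example (not code from any poster in this thread), here is a small Python script that does the log triage the first post describes by hand: it picks out requests whose User-Agent names l9scan/LeakIX or that probe for `.env` or `.git`, aggregates them into /24 (or /16) networks, and renders the `deny from` lines in the form the reply above suggests. The sample log lines are constructed, reusing the addresses and user agent quoted in the thread; the thresholds and path list are assumptions to tune for your own site.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache combined log format, modelled on the entries
# quoted in the thread (scanner IPs and user agent reused; 203.0.113.7 is a
# documentation address standing in for a normal visitor).
SAMPLE_LOG = """\
139.59.136.184 - - [07/Jun/2026:20:41:29 +0000] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.3393e2435313e29313e25363; +https://leakix.net)"
146.190.103.103 - - [07/Jun/2026:20:41:40 +0000] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.3393e2435313e29313e25363; +https://leakix.net)"
146.190.103.103 - - [07/Jun/2026:20:41:41 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "Mozilla/5.0 (l9scan/2.0.3393e2435313e29313e25363; +https://leakix.net)"
203.0.113.7 - - [07/Jun/2026:20:42:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCANNER_UA = re.compile(r"l9scan|leakix", re.IGNORECASE)   # assumption: UA markers seen in the thread
PROBE_PATHS = (".env", ".git")                             # assumption: secret-file probes worth flagging


def scanner_networks(log_text, prefix=24):
    """Return {network: hit_count} for each /prefix network whose requests
    either carry a known scanner User-Agent or probe for secret files."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else ""
        suspicious = SCANNER_UA.search(m.group("ua")) or any(p in path for p in PROBE_PATHS)
        if suspicious:
            # strict=False masks the host bits so 139.59.136.184/24 -> 139.59.136.0/24
            net = ipaddress.ip_network(f"{m.group('ip')}/{prefix}", strict=False)
            hits[str(net)] += 1
    return dict(hits)


def htaccess_deny_rules(networks):
    """Render 'deny from' lines (mod_access_compat syntax, as used in the reply above)."""
    return "\n".join(f"deny from {net}" for net in sorted(networks))


if __name__ == "__main__":
    nets = scanner_networks(SAMPLE_LOG)
    print(htaccess_deny_rules(nets))
```

Widen to `prefix=16` only after the /24 blocks prove insufficient, as the reply suggests, since a /16 also shuts out any legitimate traffic from that range.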

Posted

The .htaccess file is going to be your best friend here, as moneybroz said above.

We've had to block these scanners on our own sites as well as help other users with the same (usually on our other plans after they got suspended over it).
