[rt-users] strange issue with deny.hosts and request tracker sorting
S P
clutch68rs at gmail.com
Wed Nov 28 14:38:27 EST 2012
Hi all,
We have a really weird issue, currently running RT4.0.8 but it was also
present before we upgraded from 3.8.4 to 4.0.8 on CentOS 6.3 w/
2.6.32-279.14.1.el6.x86_64 on x86_64, Apache/2.2.15 on Xeon CPU E5607 @
2.27GHz, 4 core.
When performing certain functions in the web interface, such as sorting
a list of tickets by number or priority, a mystery process writes the IP
address of the user to hosts.deny (blocking access to all services on
the server) and after a short period of time, the address is purged from
hosts.deny and the user doing the sorting can once again access RT.
The IPs for these users are already present in hosts.allow (and are
obviously being ignored). Fail2ban is not installed. Denyhosts is not
installed. SELinux is disabled. We only have about 3000 tickets in RT,
and performance is great. Except when you go to sort a list (could be
10, or 200 tickets) and you're locked out momentarily. Additionally,
OSSEC reports "A web attack returned code 200 (success)" at the moment
the IP is written to hosts.deny and the Apache access log reads:
GET
/Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3A%23%27%2C%0A%27%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3ASubject%27%2C%0A%27__QueueName__%27%2C%0A%27__Priority__%27%2C%0A%27__CreatedRelative__%27%2C%0A%27__LastUpdatedRelative__%27&Order=DESC&OrderBy=id&Page=1&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100
HTTP/1.1" 200 32147
"https://rt.mydomain.org/Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3A%23%27%2C%0A%27%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3ASubject%27%2C%0A%27__QueueName__%27%2C%0A%27__Priority__%27%2C%0A%27__CreatedRelative__%27%2C%0A%27__LastUpdatedRelative__%27&Order=ASC&OrderBy=id&Page=1&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100"
"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0"
Other logs are of little help. Here's the relevant portion of httpd conf:
AddDefaultCharset UTF-8
DocumentRoot /opt/rt4/share/html
<Location />
    Order allow,deny
    Allow from all
    SetHandler modperl
    PerlResponseHandler Plack::Handler::Apache2
    PerlSetVar psgi_app /opt/rt4/sbin/rt-server
</Location>
<Perl>
    use Plack::Handler::Apache2;
    Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");
</Perl>
Thank you in advance for any help you might be able to offer. I'd love
to know what is writing to deny.hosts.
- Sean
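
Added example, not part of the original post: a Python sketch that decodes the request target from the access-log entry above and lists which parameter values contain the kinds of tokens (HTML tags, quotes, encoded newlines, SQL-like keywords) that signature-based log rules often key on. The token classes in `SUSPICIOUS` and the function names are assumptions chosen for illustration, not OSSEC's rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request target copied from the access-log entry in the post above.
REQUEST = (
    "/Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20href%3D%22"
    "%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb%3E"
    "%2FTITLE%3A%23%27%2C%0A%27%3Cb%3E%3Ca%20href%3D%22"
    "%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%3C%2Fb%3E"
    "%2FTITLE%3ASubject%27%2C%0A%27__QueueName__%27%2C%0A%27__Priority__%27"
    "%2C%0A%27__CreatedRelative__%27%2C%0A%27__LastUpdatedRelative__%27"
    "&Order=DESC&OrderBy=id&Page=1"
    "&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100"
)

# Assumed, illustrative token classes; these are NOT OSSEC's actual rule patterns.
SUSPICIOUS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z]+[^>]*>"),
    "quote": re.compile(r"['\"]"),
    "newline": re.compile(r"[\r\n]"),
    "sql_keyword": re.compile(r"\b(?:AND|OR|SELECT|UNION)\b", re.I),
}


def decode_params(request_target):
    """Return {name: percent-decoded value} for the query string."""
    query = urlsplit(request_target).query
    return dict(parse_qsl(query, keep_blank_values=True))


def flag_params(request_target):
    """Map each parameter name to the token classes found in its decoded value."""
    report = {}
    for name, value in decode_params(request_target).items():
        hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(value))
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, value in decode_params(REQUEST).items():
        print(f"{name} = {value!r}")
    print(flag_params(REQUEST))
```

On this request it flags only `Format` and `Query`, the two parameters in which RT carries its column template and its search expression.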