Blocking XSS/SQL injection attacks in .htaccess: matching a string in a URL


elmwood
12-01-2007, 12:39 AM
My Web site is getting hit hard -- pretty much, requests every ten seconds or so -- for URLs like this:

/forums/showthread.php?t=http://hotrXXXXXXXXXaebywka.chat.ru/images/girl?

(Added the XXXs, so you don't get malware or virii from attempting to visit the site.)

Fortunately, my site is pretty secure against the attacks. Still, it's frustrating; I mean, you would think the Russians would know by now that their injection attacks aren't working on my site.

What I'd like to do is use .htaccess to redirect URLs that contain certain strings common in the injection attacks (girl, cmd.txt, check.txt, cs.txt, image.txt, .ru/) and redirect them to a .php script that I already have set up which will add their IP to the deny list in my .htaccess file.

I've searched far and wide through various .htaccess tutorials, and found nothing. Lots of references for redirecting whole URLs to other pages, but nothing for URLs including a certain string. I suck at regular expressions; I tried, and had no luck.

Any ideas? Again, all I want to do is redirect anyone trying to visit a URL that includes a certain string to something like /ban.php. Any better way that you might know of to deal with the attack?

Aeronautic
12-01-2007, 04:29 AM
I'd love to see this and the code for the ban.php script too.

Would be great to have the ban script go straight to APF, not just .htaccess - with a log function for audit.

elmwood
12-01-2007, 09:36 AM
The ban.php script is on the Dreamhosters forum (http://forum.dreamhosters.com/3rdparty/48909-URL-based-IP-ban-using-PHP-and-htaccess-automated.htm).


note: the lines for cookie1 and cookie2 are just what I use to detect my regular visitors, if they "accidentally" got banned I would probably know - just a safeguard, remove the lines if you don't know what your cookie names are or don't care, otherwise EDIT those two lines.

banjerks.php in main folder

<?php
// Append a "deny from <ip>" line to this directory's .htaccess.
// The web server user must have write access to .htaccess for this to work.
$ip = "deny from " . $_SERVER['REMOTE_ADDR'] . "\n";
$banip = '.htaccess';
$fp = fopen($banip, "a");
$write = fputs($fp, $ip);
fclose($fp);

// Referrer, user agent and cookies are optional and may be absent; default
// them so the mail() call does not throw notices. The referrer is attacker
// controlled, so strip line breaks before using it in the mail subject.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$referer = str_replace(array("\r", "\n"), ' ', $referer);
$agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$cookie1 = isset($_COOKIE['somecookie']) ? $_COOKIE['somecookie'] : '';
$cookie2 = isset($_COOKIE['someothercookieid']) ? $_COOKIE['someothercookieid'] : '';

//@ symbol hides errors from visitors
@mail('you@yourdomain.whatever',
'Banned IP '.$_SERVER['REMOTE_ADDR'].' at '.$referer,
' IP '.$_SERVER['REMOTE_ADDR'].' banned'.
' request URI '.$_SERVER['REQUEST_URI'].
' referrer '.$referer.
' agent '.$agent.
' cookie1 '.$cookie1.
' cookie2 '.$cookie2);
?>


From the recommended .htaccess file:


Options FollowSymLinks
RewriteEngine on
RewriteRule ^cgi-bin/formmail.pl /ban.php
RewriteRule ^cgi-bin/formmail.cgi /ban.php
RewriteRule ^cgi-bin/FormMail.pl /ban.php
RewriteRule ^cgi-bin/FormMail.cgi /ban.php
RewriteRule ^cgi-bin/formail.cgi /ban.php
RewriteRule ^formmail.php /ban.php
RewriteRule ^_vti_inf.html /ban.php
RewriteRule ^_vti_pvt /ban.php
Order Deny,Allow

Great for requests that end in these terms. However, it doesn't seem to work for the requests I'm getting, which end in "girl?" and "check.txt?". Even something like RewriteRule ^girl\? /ban.php doesn't work. I'd also like to redirect URLs that include a certain string, not just end in it.
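
As an added example (not code from this thread), the .htaccess that does what the "girl?" rule above was meant to do: RewriteRule only tests the URL path, so anything after the ? is invisible to it, and the query string has to be matched with RewriteCond %{QUERY_STRING} instead. It assumes ban.php sits in the document root (adjust the /ban.php paths otherwise), uses the string list from the first post, and the bare word girl will also match legitimate requests that happen to contain it.

```apache
Options FollowSymLinks
RewriteEngine on

# RewriteRule sees only the path (e.g. /forums/showthread.php), never the
# query string, so "?t=http://...girl?" must be tested via %{QUERY_STRING}.
# [NC] = case-insensitive, [OR] = either condition is enough on its own.
RewriteCond %{QUERY_STRING} (girl|cmd\.txt|check\.txt|cs\.txt|image\.txt|\.ru/) [NC,OR]
RewriteCond %{REQUEST_URI}  (cmd\.txt|check\.txt|cs\.txt|image\.txt|\.ru/)      [NC]

# The rewrite below is internal, so this file is consulted again for
# /ban.php; without this exclusion the rule would loop on itself.
RewriteCond %{REQUEST_URI} !^/ban\.php$

# Hand every matching request to the ban script. PHP still sees the
# original request line in $_SERVER['REQUEST_URI'], so ban.php can log it.
RewriteRule ^ /ban.php [L]

Order Deny,Allow
# Lines appended by the ban script follow here, e.g. (constructed sample):
# deny from 203.0.113.5
```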

Aeronautic
12-01-2007, 04:48 PM
Thanks for the script!

As I said, in an ideal world this would go straight to APF. But this is still an improvement for sure.

sdjl
12-02-2007, 10:54 AM
You could just let mod_security do the work for you?
If you download the got root rules and apply them to your mod_security install, that will block most cases.

Then if you want to start blocking in your firewall, simply install CSF & LFD and enable the mod_security monitoring and IPs start to get blocked :)

BornOnline
12-03-2007, 08:58 AM
What sdjl said.. I would just use mod_security or suhosin with CSF.

> You could just let mod_security do the work for you?
> If you download the got root rules and apply them to your mod_security install, that will block most cases.
>
> Then if you want to start blocking in your firewall, simply install CSF & LFD and enable the mod_security monitoring and IPs start to get blocked :)

sdjl
12-04-2007, 09:19 AM
mod_security and suhosin with CSF ;)