kuai Posted April 30, 2009

Hey all, I was looking at the server logs and my admin/database section is getting scanned, probed, or whatever you want to call it, for a way to breach security. It keeps getting a 302 error. The program is targeting a specific IP address and port number. This individual obviously knows what he/she is doing. I checked the host IP address and it's from different parts of the world each time. My guess is that these are zombie machines doing this person's dirty work. How can I set the .htaccess file to block a specific address and port along with this Agent called "revolt"? I'm considering rerouting this agent to Homeland Security or the FBI and letting them have some fun.

Thanks in advance,
Kuai
Guest Posted April 30, 2009

I know what you mean. You can ban via htaccess based on user agent.

    RewriteCond %{HTTP_USER_AGENT} ^core-project/1.0 [OR]

as an example. There is a thread that relates to this sort of banning. There is an addon called IP Trap that is based on IP address. I use both. I hope it is effective, but time will tell.

Execution is the only remedy.
kuai (Author) Posted April 30, 2009

Thanks CoopCo. I guess that would work. Could someone look at this to see if it is written correctly, and whether or not I need the #start and #end on this? I'll insert the original and then the one rerouted to the FBI. I'm getting tired of this. One day it's revolt and the next it's MFS (morfeus F'ng scanner).

    # Start of .htaccess change.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteCond %{HTTP_USER_AGENT} ^revolt
    RewriteRule ^.*$ - [F]
    # End of .htaccess change.

Here's the kicker:

    # Start of .htaccess change.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^revolt
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteCond %{HTTP_USER_AGENT} ^Yanga
    RewriteRule /* http://www.fbi.gov [L,R]
    # End of .htaccess change.
MrPhil Posted April 30, 2009

    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteCond %{HTTP_USER_AGENT} ^revolt

would work only if the User Agent is "Morfeus" and it's also "revolt". You need the [OR] flag after all but the last line:

    RewriteCond %{HTTP_USER_AGENT} ^Morfeus [OR]
    RewriteCond %{HTTP_USER_AGENT} ^revolt

I'm not sure the FBI or DHS would be amused to have hackers redirected to them, but what are the hackers going to do... file a complaint? :) It would be amusing to find if their web page is vulnerable to attack...
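Added example (not part of the thread and not Apache's own code): a small Python model of how mod_rewrite combines consecutive RewriteCond lines, showing why the rule set without [OR] never fires and the [OR] version does. Python's re stands in for Apache's PCRE, the helper names are hypothetical, and the User-Agent strings are constructed.

```python
import re

def parse_conds(htaccess_text):
    """Return [(compiled_regex, or_next)] for User-Agent RewriteCond lines."""
    conds = []
    for line in htaccess_text.splitlines():
        parts = line.split()
        if parts[:2] != ["RewriteCond", "%{HTTP_USER_AGENT}"] or len(parts) < 3:
            continue
        flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
        regex = re.compile(parts[2], re.I if "NC" in flags else 0)
        conds.append((regex, "OR" in flags))
    return conds

def conds_match(conds, user_agent):
    """Conditions are ANDed by default; [OR] chains one to the next."""
    i = 0
    while i < len(conds):
        regex, or_next = conds[i]
        hit = regex.search(user_agent) is not None
        if or_next and hit:
            # One member of the OR chain matched: skip the rest of the chain.
            while i < len(conds) and conds[i][1]:
                i += 1
        elif not or_next and not hit:
            return False
        i += 1
    return True

def blocked(htaccess_text, user_agent):
    return conds_match(parse_conds(htaccess_text), user_agent)

ORIGINAL = """RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteCond %{HTTP_USER_AGENT} ^revolt"""
FIXED = """RewriteCond %{HTTP_USER_AGENT} ^Morfeus [OR]
RewriteCond %{HTTP_USER_AGENT} ^revolt"""
FIXED_NC = """RewriteCond %{HTTP_USER_AGENT} ^Morfeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^revolt [NC]"""

# Constructed User-Agent strings, not taken from the poster's logs.
SAMPLES = ["Morfeus scanner", "revolt", "morfeus scanner", "Mozilla/5.0 (X11; Linux)"]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(f"{ua!r}: original={blocked(ORIGINAL, ua)} "
              f"fixed={blocked(FIXED, ua)} fixed_nc={blocked(FIXED_NC, ua)}")
```

The third variant adds the [NC] flag because the patterns are case-sensitive by default, so a scanner that sends a lower-case agent string would slip past the [OR]-only rules.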
kuai (Author) Posted April 30, 2009

Thanks. I'm going to give it a try and see if a dark car starts watching the house. LOL

Kuai
Archived
This topic is now archived and is closed to further replies.