[drupal-support] Problem (hacker attempt to access FrontPage extensions--and then some)

Gunther Herzog storysmith at softhome.net
Tue Aug 9 16:17:58 UTC 2005


Hello drupal-support,

  Ever since installing Drupal, my log seems to be
  bombarded daily with requests for (in order of
  frequency):

  _vti_bin/_vti_aut/fp30reg.dll
  stat-cgi/awstats.pl

  and just lately...

  scripts/..\\..//winnt/system32/cmd.exe

  Luckily none of these are accessible (or even
  installed) on my reasonably-secure Linux/Apache
  box.

  Are these well-known security loopholes? I've
  devised a strategy to at least get them out of
  my Drupal logs, and am posting here for folks to
  pick apart in case there is a more elegant
  solution. What I've done:

  Added a new mod_rewrite rule to .htaccess, as
  follows:

#======[start of sample code]======
<IfModule mod_rewrite.c>
  RewriteEngine on
        
  #Block attempts to run suspicious code
  RewriteCond %{REQUEST_URI} "stat-cgi/awstats.pl" [OR]
  RewriteCond %{REQUEST_URI} "_vti_bin/_vti_aut/fp30reg.dll"
  RewriteRule .* - [G,L]

  # snipped rest of Drupal rewrite rules here

</IfModule>
#======[end of sample code]======

  This seems to have done the trick thus far, at
  least when it comes to keeping my Drupal log
  from clogging up. Hopefully the "Gone" header
  result will prevent repetitive attempts as well.
  Though I am seriously contemplating more
  aggressive tactics, such as:

  * Auto-redirecting them to their own IP address.
  * Auto-reporting them on appropriate abuse
  groups on USENET

-- 
Best regards,
 Gunther                          mailto:storysmith at softhome.net
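
Added example, not part of the original post: a Python sketch that tallies the three probe paths named above in an Apache access log by signature, client and response status, so you can check which probes the `[G]` rule answers with 410. The signature names, log-line regex and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Probe signatures built from the request paths listed in the post.
SIGNATURES = {
    "frontpage-fp30reg": re.compile(r"_vti_bin/_vti_aut/fp30reg\.dll", re.I),
    "awstats-cgi": re.compile(r"stat-cgi/awstats\.pl", re.I),
    "winnt-cmd-traversal": re.compile(r"\.\./.*winnt/system32/cmd\.exe", re.I),
}
# Apache common/combined log format: client, method, path, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(path):
    """Percent-decode, turn backslashes into slashes, collapse repeats."""
    path = unquote(path).replace("\\", "/")
    return re.sub(r"/{2,}", "/", path)

def classify(path):
    """Return the matching signature name, or None for ordinary traffic."""
    cleaned = normalize(path)
    for name, pattern in SIGNATURES.items():
        if pattern.search(cleaned):
            return name
    return None

def summarize(lines):
    """Count probes per signature, per client, and per (signature, status)."""
    by_sig, by_client, by_status = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        name = classify(m.group(3)) if m else None
        if name:
            by_sig[name] += 1
            by_client[m.group(1)] += 1
            by_status[(name, int(m.group(4)))] += 1
    return by_sig, by_client, by_status

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE = [
    r'203.0.113.7 - - [09/Aug/2005:10:01:02 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 410 -',
    r'203.0.113.7 - - [09/Aug/2005:10:01:09 +0000] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 410 -',
    r'203.0.113.7 - - [09/Aug/2005:10:02:30 +0000] "GET /_vti_bin/_vti_aut/fp30reg%2Edll HTTP/1.1" 410 -',
    r'198.51.100.23 - - [09/Aug/2005:11:15:44 +0000] "GET /stat-cgi/awstats.pl HTTP/1.0" 410 -',
    r'198.51.100.23 - - [09/Aug/2005:11:15:50 +0000] "GET /stat-cgi/awstats.pl HTTP/1.0" 410 -',
    r'198.51.100.99 - - [09/Aug/2005:12:40:05 +0000] "GET /scripts/..\\..//winnt/system32/cmd.exe HTTP/1.0" 404 -',
    r'192.0.2.10 - - [09/Aug/2005:12:41:00 +0000] "GET /node/12 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for counter in summarize(SAMPLE):
        print(counter.most_common())
```

A probe that shows up with a status other than 410 (here the `cmd.exe` path, which the posted rule does not list) is one the rewrite conditions are not catching.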



