[drupal-support] Problem (hacker attempt to access FrontPage
extensions--and then some)
Gunther Herzog
storysmith at softhome.net
Tue Aug 9 16:17:58 UTC 2005
Hello drupal-support,
Ever since installing Drupal, my log seems to be
bombarded daily with requests for (in order of
frequency):
_vti_bin/_vti_aut/fp30reg.dll
stat-cgi/awstats.pl
and just lately...
scripts/..\\..//winnt/system32/cmd.exe
Luckily none of these are accessible (or even
installed) on my reasonably-secure Linux/Apache
box.
Are these well-known security loopholes? I've
devised a strategy to at least get them out of
my Drupal logs, and am posting here for folks to
pick apart in case there is a more elegant
solution. What I've done:
Added a new mod_rewrite rule to .htaccess, as
follows:
#======[start of sample code]======
<IfModule mod_rewrite.c>
RewriteEngine on
# Block attempts to run suspicious code. The conditions are regular
# expressions, so literal dots are escaped; [G] answers 410 Gone.
RewriteCond %{REQUEST_URI} "stat-cgi/awstats\.pl" [OR]
RewriteCond %{REQUEST_URI} "_vti_bin/_vti_aut/fp30reg\.dll"
RewriteRule .* - [G,L]
# snipped rest of Drupal rewrite rules here
</IfModule>
#======[end of sample code]======
This seems to have done the trick thus far, at
least when it comes to keeping my Drupal log
from clogging up. Hopefully the "Gone" header
result will prevent repetitive attempts as well.
Though I am seriously contemplating more
aggressive tactics, such as:
* Auto-redirecting them to their own IP address.
* Auto-reporting them on appropriate abuse
groups on USENET
--
Best regards,
Gunther mailto:storysmith at softhome.net
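
Added example (not part of the original post): a Python sketch that tallies the three probe requests listed in the message from Apache access-log lines, per client address. It normalizes case, slashes and percent-escapes before matching, because the access log records the raw request line. The function names, sample log lines and addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Probe signatures built from the request paths listed in the post.
SIGNATURES = {
    "frontpage": re.compile(r"_vti_bin/_vti_aut/fp30reg\.dll"),
    "awstats": re.compile(r"stat-cgi/awstats\.pl"),
    "cmd.exe": re.compile(r"winnt/system32/cmd\.exe"),
}

# Common/combined log format: client, identity, user, [time], "METHOD path proto"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')

def normalize(path):
    """Decode %-escapes, turn backslashes into slashes, collapse runs, lowercase."""
    path = unquote(path).replace("\\", "/")
    return re.sub(r"/+", "/", path).lower()

def classify(path):
    """Return the name of the signature a request path matches, or None."""
    norm = normalize(path)
    for name, pattern in SIGNATURES.items():
        if pattern.search(norm):
            return name
    return None

def tally(lines):
    """Count probe hits per (client, signature); unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        name = classify(m.group(2)) if m else None
        if name:
            hits[(m.group(1), name)] += 1
    return hits

# Constructed sample lines using documentation-range addresses.
SAMPLE = [
    '192.0.2.10 - - [09/Aug/2005:10:00:01 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.0" 404 210',
    '192.0.2.10 - - [09/Aug/2005:10:00:05 +0000] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 210',
    '198.51.100.7 - - [09/Aug/2005:10:02:11 +0000] "GET /stat-cgi/awstats.pl HTTP/1.0" 404 208',
    '198.51.100.7 - - [09/Aug/2005:10:02:12 +0000] "GET /Stat-CGI/awstats%2Epl HTTP/1.0" 404 208',
    r'203.0.113.5 - - [09/Aug/2005:10:03:42 +0000] "GET /scripts/..\\..//winnt/system32/cmd.exe HTTP/1.0" 404 215',
    '192.0.2.44 - - [09/Aug/2005:10:04:00 +0000] "GET /node/12 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for (client, name), count in sorted(tally(SAMPLE).items()):
        print(client, name, count)
```
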