[drupal-support] Problem (hacker attempt to access FrontPage extensions--and then some)

Larry Garfield larry at garfieldtech.com
Tue Aug 9 17:50:26 UTC 2005


I've been seeing similar, although not to frontpage pages, I believe.  Most 
are for search.jsp, with the full request being a URL for some other site 
that has nothing to do with me.  I've been wondering if they're hacker 
attacks or if someone has his DNS misconfigured.

On Tuesday 09 August 2005 11:17 am, Gunther Herzog wrote:
> Hello drupal-support,
>
>   Ever since installing Drupal, my log seems to be
>   bombarded daily with requests for (in order of
>   frequency):
>
>   _vti_bin/_vti_aut/fp30reg.dll
>   stat-cgi/awstats.pl
>
>   and just lately...
>
>   scripts/..\\..//winnt/system32/cmd.exe
>
>   Luckily none of these are accessible (or even
>   installed) on my reasonably-secure Linux/Apache
>   box.
>
>   Are these well-known security loopholes? I've
>   devised a strategy to at least get them out of
>   my Drupal logs, and am posting here for folks to
>   pick apart in case there is a more elegant
>   solution. What I've done:
>
>   Added a new mod_rewrite rule to .htaccess, as
>   follows:
>
> #======[start of sample code]======
> <IfModule mod_rewrite.c>
>   RewriteEngine on
>
>   #Block attempts to run suspicious code
>   RewriteCond %{REQUEST_URI} "stat-cgi/awstats.pl" [OR]
>   RewriteCond %{REQUEST_URI} "_vti_bin/_vti_aut/fp30reg.dll"
>   RewriteRule .* - [G,L]
>
>   # snipped rest of Drupal rewrite rules here
>
> </IfModule>
> #======[end of sample code]======
>
>   This seems to have done the trick thus far, at
>   least when it comes to keeping my Drupal log
>   from clogging up. Hopefully the "Gone" header
>   result will prevent repetitive attempts as well.
>   Though I am seriously contemplating more
>   aggressive tactics, such as:
>
>   * Auto-redirecting them to their own IP address.
>   * Auto-reporting them on appropriate abuse
>   groups on USENET
>
> --
> Best regards,
>  Gunther                          mailto:storysmith at softhome.net

-- 
Larry Garfield			AIM: LOLG42
larry at garfieldtech.com		ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson
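
Added example, not part of the original thread: a small access-log summarizer for the request paths Gunther lists and the full-URL requests Larry describes, showing which clients send them and what status the server returned (410 where the rewrite rule matched). The log lines, client addresses and the host name `example.org` are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache common/combined log prefix: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')
# Path fragments quoted in the thread above.
PROBES = {
    "frontpage": re.compile(r"_vti_bin/_vti_aut/fp30reg\.dll", re.I),
    "awstats": re.compile(r"stat-cgi/awstats\.pl", re.I),
    "cmd_exe": re.compile(r"winnt/system32/cmd\.exe", re.I),
}

def classify(request, own_hosts):
    """Return a label for a logged request line, or None if it looks ordinary."""
    parts = request.split()
    if len(parts) < 2:
        return "malformed"
    target = parts[1]
    if re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):  # absolute-form target
        url = urlsplit(target)
        if (url.hostname or "").lower() not in own_hosts:
            return "foreign_url"  # full URL naming a host this server does not serve
        target = url.path
    # Decode %xx, treat backslashes as slashes, collapse repeated slashes.
    path = re.sub(r"/+", "/", unquote(target).replace("\\", "/"))
    for label, pattern in PROBES.items():
        if pattern.search(path):
            return label
    return None

def summarize(lines, own_hosts):
    """Count flagged requests per (client, label, status)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m.group(2), own_hosts)):
            hits[(m.group(1), label, m.group(3))] += 1
    return hits

# Constructed sample lines (documentation addresses, hypothetical host names).
SAMPLE_LOG = [
    r'192.0.2.10 - - [09/Aug/2005:11:02:13 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 410 -',
    r'192.0.2.10 - - [09/Aug/2005:11:02:14 +0000] "GET /stat-cgi/awstats.pl HTTP/1.0" 410 -',
    r'198.51.100.7 - - [09/Aug/2005:11:05:40 +0000] "GET /scripts/..\\..//winnt/system32/cmd.exe HTTP/1.0" 404 210',
    r'203.0.113.5 - - [09/Aug/2005:11:09:02 +0000] "GET http://www.example.net/search.jsp HTTP/1.0" 404 208',
    r'203.0.113.9 - - [09/Aug/2005:11:10:31 +0000] "GET /node/1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LOG, {"example.org"}).items()):
        print(count, *key)
```

A 404 rather than 410 in the status column marks a request that the two `RewriteCond` lines in the quoted rule do not cover.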


