Hello drupal-support,
Ever since installing Drupal, my log seems to be bombarded daily with requests for (in order of frequency):
_vti_bin/_vti_aut/fp30reg.dll
stat-cgi/awstats.pl
and just lately...
scripts/..\..//winnt/system32/cmd.exe
Luckily none of these are accessible (or even installed) on my reasonably-secure Linux/Apache box.
Are these well-known security loopholes? I've devised a strategy to at least get them out of my Drupal logs, and am posting here for folks to pick apart in case there is a more elegant solution. What I've done:
Added a new mod_rewrite rule to .htaccess, as follows:
#======[start of sample code]======
<IfModule mod_rewrite.c>
RewriteEngine on

#Block attempts to run suspicious code
RewriteCond %{REQUEST_URI} "stat-cgi/awstats.pl" [OR]
RewriteCond %{REQUEST_URI} "_vti_bin/_vti_aut/fp30reg.dll"
RewriteRule .* - [G,L]

# snipped rest of Drupal rewrite rules here

</IfModule>
#======[end of sample code]======
This seems to have done the trick thus far, at least when it comes to keeping my Drupal log from clogging up. Hopefully the "Gone" header result will prevent repetitive attempts as well. Though I am seriously contemplating more aggressive tactics, such as:
* Auto-redirecting them to their own IP address.
* Auto-reporting them on appropriate abuse groups on USENET
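
As an added example (not part of the original post): a small Python log triage that counts hits on the three paths named above per client IP, normalizing percent-encoding, backslashes, case and repeated slashes first so variants of the same path are counted together. It assumes Apache common/combined log format; the function names, labels and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Probe paths named in the post, in normalized form (lower case, single "/").
# The dictionary keys are labels made up for this example.
PROBES = {
    "fp30reg": "_vti_bin/_vti_aut/fp30reg.dll",
    "awstats": "stat-cgi/awstats.pl",
    "cmd-exe": "winnt/system32/cmd.exe",
}

# Apache common/combined log line: client IP ... "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

def normalize(target):
    """Reduce a request target to a comparable path."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))  # second pass unwraps %255c -> %5c -> \
    path = path.replace("\\", "/").lower()
    return re.sub(r"/+", "/", path)

def classify(line):
    """Return (client_ip, probe_label, status), or None if not a probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    path = normalize(target)
    for label, needle in PROBES.items():
        if needle in path:
            return ip, label, int(status)
    return None

def summarize(lines):
    """Count probe hits per (client_ip, probe_label)."""
    return Counter(hit[:2] for hit in map(classify, lines) if hit)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2005:00:00:01 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.0" 410 -',
    '192.0.2.10 - - [01/Jan/2005:00:00:02 +0000] "GET /_VTI_BIN/_vti_aut/fp30reg.dll HTTP/1.0" 410 -',
    '192.0.2.10 - - [01/Jan/2005:00:00:03 +0000] "GET /stat-cgi/awstats.pl HTTP/1.0" 410 -',
    '198.51.100.7 - - [01/Jan/2005:00:00:04 +0000] "GET /scripts/..%5c..//winnt/system32/cmd.exe HTTP/1.0" 404 -',
    '203.0.113.5 - - [01/Jan/2005:00:00:05 +0000] "GET /node/1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for (ip, label), count in sorted(summarize(SAMPLE).items()):
        print(f"{ip}\t{label}\t{count}")
```

Run against the real Apache access log rather than the Drupal log, since requests answered by the rewrite rule never reach Drupal.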