Hello drupal-support,
Ever since installing Drupal, my log seems to be bombarded daily with requests for (in order of frequency):
_vti_bin/_vti_aut/fp30reg.dll
stat-cgi/awstats.pl
and just lately...
scripts/..\..//winnt/system32/cmd.exe
Luckily none of these are accessible (or even installed) on my reasonably-secure Linux/Apache box.
Are these well-known security loopholes? I've devised a strategy to at least get them out of my Drupal logs, and am posting here for folks to pick apart in case there is a more elegant solution. What I've done:
Added a new mod_rewrite rule to .htaccess, as follows:
#======[start of sample code]======
<IfModule mod_rewrite.c>
RewriteEngine on

#Block attempts to run suspicious code
RewriteCond %{REQUEST_URI} "stat-cgi/awstats.pl" [OR]
RewriteCond %{REQUEST_URI} "_vti_bin/_vti_aut/fp30reg.dll"
RewriteRule .* - [G,L]

# snipped rest of Drupal rewrite rules here

</IfModule>
#======[end of sample code]======
This seems to have done the trick thus far, at least when it comes to keeping my Drupal log from clogging up. Hopefully the "Gone" header result will prevent repetitive attempts as well. Though I am seriously contemplating more aggressive tactics, such as:
* Auto-redirecting them to their own IP address.
* Auto-reporting them on appropriate abuse groups on USENET
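An added example, not part of the original post: a small Python triage script that tallies the probe paths named in this thread from Apache access-log lines and reports which ones the posted RewriteCond pair does not match. The signature names, the LOG_LINE pattern and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Probe signatures built from the request paths quoted in this thread.
SIGNATURES = {
    "frontpage-fp30reg": re.compile(r"_vti_bin/_vti_aut/fp30reg\.dll", re.I),
    "awstats": re.compile(r"stat-cgi/awstats\.pl", re.I),
    "winnt-cmd": re.compile(r"winnt/system32/cmd\.exe", re.I),
    # Request target is a full URL for another site (the search.jsp reports).
    "absolute-uri": re.compile(r"^https?://", re.I),
}
# The two patterns the posted RewriteCond lines answer with 410 Gone.
POSTED_RULE = {"frontpage-fp30reg", "awstats"}
# Common/combined log prefix: host ident user [time] "METHOD target ..." status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines using documentation addresses; not real log data.
SAMPLE_LOG = [
    r'192.0.2.10 - - [09/Aug/2005:11:02:41 -0400] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 410 -',
    r'192.0.2.10 - - [09/Aug/2005:11:02:43 -0400] "GET /stat-cgi/awstats.pl HTTP/1.0" 410 -',
    r'198.51.100.7 - - [09/Aug/2005:11:05:12 -0400] "GET /scripts/..\..//winnt/system32/cmd.exe HTTP/1.0" 404 -',
    r'203.0.113.5 - - [09/Aug/2005:11:09:30 -0400] "GET http://other.example/search.jsp HTTP/1.1" 404 -',
    r'203.0.113.9 - - [09/Aug/2005:11:10:02 -0400] "GET /node/12 HTTP/1.1" 200 5120',
]

def classify(target):
    """Return the names of every signature that matches a request target."""
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def triage(lines):
    """Tally probe hits per signature and per client; skip unparseable lines."""
    by_sig, by_client = Counter(), Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        for name in classify(target):
            by_sig[name] += 1
            by_client[client] += 1
    return by_sig, by_client

def uncovered(by_sig):
    """Signatures seen in the log that the posted rule does not match."""
    return sorted(set(by_sig) - POSTED_RULE)

if __name__ == "__main__":
    sigs, clients = triage(SAMPLE_LOG)
    print("hits per signature:", dict(sigs))
    print("hits per client:   ", dict(clients))
    print("not covered by the posted rule:", uncovered(sigs))
```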
On Tue, 9 Aug 2005, Gunther Herzog wrote:
Hi Gunther!
> Ever since installing Drupal, my log seems to be bombarded daily with requests for (in order of frequency):
> _vti_bin/_vti_aut/fp30reg.dll
> stat-cgi/awstats.pl
> and just lately...
> scripts/..\..//winnt/system32/cmd.exe
> Luckily none of these are accessible (or even installed) on my reasonably-secure Linux/Apache box.
> Are these well-known security loopholes? I've
Yes, probably from virus/trojan infected windows machines.
> This seems to have done the trick thus far, at least when it comes to keeping my Drupal log from clogging up. Hopefully the "Gone" header result will prevent repetitive attempts as well.
I doubt it.
> Though I am seriously contemplating more aggressive tactics, such as:
> - Auto-redirecting them to their own IP address.
> - Auto-reporting them on appropriate abuse groups on USENET
Well, the latter would probably cause some unwelcome results. I used to create scripts in place of the requested files that served their answers v e r y slowly in the hope of slowing the requesting machine down.
Cheers, Gerhard
I've been seeing similar, although not to frontpage pages, I believe. Most are for search.jsp, with the full request being a URL for some other site that has nothing to do with me. I've been wondering if they're hacker attacks or if someone has his DNS misconfigured.
On Tuesday 09 August 2005 11:17 am, Gunther Herzog wrote:
> Hello drupal-support,
> Ever since installing Drupal, my log seems to be bombarded daily with requests for (in order of frequency):
> _vti_bin/_vti_aut/fp30reg.dll
> stat-cgi/awstats.pl
> and just lately...
> scripts/..\..//winnt/system32/cmd.exe
> Luckily none of these are accessible (or even installed) on my reasonably-secure Linux/Apache box.
> Are these well-known security loopholes? I've devised a strategy to at least get them out of my Drupal logs, and am posting here for folks to pick apart in case there is a more elegant solution. What I've done:
> Added a new mod_rewrite rule to .htaccess, as follows:
> #======[start of sample code]======
> <IfModule mod_rewrite.c>
> RewriteEngine on
>
> #Block attempts to run suspicious code
> RewriteCond %{REQUEST_URI} "stat-cgi/awstats.pl" [OR]
> RewriteCond %{REQUEST_URI} "_vti_bin/_vti_aut/fp30reg.dll"
> RewriteRule .* - [G,L]
>
> # snipped rest of Drupal rewrite rules here
>
> </IfModule>
> #======[end of sample code]======
> This seems to have done the trick thus far, at least when it comes to keeping my Drupal log from clogging up. Hopefully the "Gone" header result will prevent repetitive attempts as well. Though I am seriously contemplating more aggressive tactics, such as:
> - Auto-redirecting them to their own IP address.
> - Auto-reporting them on appropriate abuse groups on USENET
> --
> Best regards,
> Gunther mailto:storysmith@softhome.net
On Aug 9, 2005, at 12:17 PM, Gunther Herzog wrote:
> Hello drupal-support,
> Ever since installing Drupal, my log seems to be bombarded daily with requests for (in order of frequency):
> _vti_bin/_vti_aut/fp30reg.dll
> stat-cgi/awstats.pl
> and just lately...
> scripts/..\..//winnt/system32/cmd.exe
I keep getting requests for ")". I don't know what they think ) would do.