homepage Welcome to WebmasterWorld Guest from 54.161.214.221
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Need help with RewriteRule RegExpr
How do I allow all files in one bait directory, after exclusions?
Wizcrafts




msg:1508645
 3:56 pm on Jun 4, 2003 (gmt 0)

I hate to bother you all with this, but I thought I had the rule set to allow excluded bots to access files in my spider bait directory. Yesterday a Zeus bot tried to access the bait but was 403'd. It got as far as /contact-info.html, which then sends attackers to /Bait/honeypot.html, which then sends it to several odd named .html files and one .cgi file(the poison script), for database poisoning. All these miscellaneous files are in the "/Bait" directory.

Here is what I had in .htaccess that blocked the badbot:

RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule!^(includes/403\.html¦cgi-bin/MKCounter\.cgi¦robots\.txt¦contact-info\.html¦cgi-bin/contact-info\.cgi¦[b]Bait/.*[/b]) - [F]

Here is what I am changing it to to try to allow badbots to eat the bait: Is this correct, incorrect, or is it too much for what I want to do?

RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule!^(includes/403\.html¦cgi-bin/MKCounter\.cgi¦robots\.txt¦contact-info\.html¦cgi-bin/contact-info\.cgi¦[b]Bait/\w*\.(html¦cgi)[/b]) - [F]

Thanks in advance, Wiz

 

jdMorgan




msg:1508646
 6:14 am on Jun 6, 2003 (gmt 0)

Wiz,

Pulling out all the other unrelated stuff, we get:

RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule !^Bait/.* - [F]

Which is just fine. If the requested resource is not in /Bait/ (or the other removed dirs/files), then it gets a 403. The ".*" on the end is redundant, but won't do anything other than slow things down a little.

The change you made should not be necessary. I'd would look elsewhere for the problem. Maybe that request was from a "spoofed" Zeus, like "Mozilla/4.0 (compatible; Zeus blah blah)" or maybe it requested "bait", not "Bait"? Or maybe there are other RewriteConds not shown? ...Just guesses, but I'm stumped - It should have worked.

Jim

Wizcrafts




msg:1508647
 1:44 pm on Jun 6, 2003 (gmt 0)


Maybe that request was from a "spoofed" Zeus, like "Mozilla/4.0 (compatible; Zeus blah blah)" or maybe it requested "bait", not "Bait"? Or maybe there are other RewriteConds not shown?

Hi Jim;

The UA was Zeus 2.6 and it had just visited my contact-info poison page, which is permitted in the Rewrite line:
RewriteRule!^(includes/403\.html¦cgi-bin/MKCounter\.cgi¦robots\.txt¦[b]contact-info\.html[/b]¦cgi-bin/contact-info\.cgi¦Bait/.*) - [F]
It entered my site and went for the contact-info.html page, then activated the link to send it to the major poison directory named Bait, and the honeypot file. It attempted to follow this link but my Regular expression was incorrect and it remained blocked by my 403 ruleset. That rewrite condition set is fairly long and thorough, and gets updated regularly.

I solved the exclusion problem by typing out two separate allowances for the Bait directory, one for all html files, Bait/.*\.html and one for Bait/contact-info\.cgi, and tacking them to the end of the Rewrite rule. I was trying to get both with one wildcard rule but didn't have the Regexpr correct with Bait/.*.

I tested my rules in Wannabrowser before and after adding the two new rules and it now works as desired. Any bot following the poison link on /contact-info.html will be treated to a gourmet dinner in my /Bait/ directory.

If you can see how I could allow access for ANY .html AND ANY .cgi files in the Bait directory, in one short expr, let me know. ;)

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved