open proxy cracking attempt?

help to redirect.

         

foodel

8:46 am on Oct 26, 2004 (gmt 0)

10+ Year Member



Hi,
I don't run a proxy so I just find these annoying. Mostly from China and Korea, with a few from the US. Apache logs them like this,
"GET [hpcgi1.nifty.com...] HTTP/1.0" 404 217 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
IP and date removed, the browser entry is sometimes different or doesn't exist.
What I'd like to do is rewrite it to localhost. I've tried several things, the last of which is this, which doesn't work!
Redirect permanent (.*)nifty.com(.*)$ [127.0.0.1...]
Also tried, over several months, RedirectMatch, RedirectMatch permanent and numerous other strings based on the log entry from http to .com and strings based on ProxyJ, proxy etc. So far I've been blocking ranges of IPs, but the ne'er-do-wells just find another open proxy(?) to use. Anyone have any ideas on a redirect that could be done as I'm running out of firewall rule space?
TIA,
del 8-)

jdMorgan

3:04 pm on Oct 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



foodel,

Welcome to WebmasterWorld!

I'd suggest you use mod_rewrite to test Apache's {THE_REQUEST} variable and return a 403-Forbidden response if it contains both a canonical URI (e.g. contains 'GET /http://somedomain') *and* the domain in that URI is *not* your own. Don't bother trying to redirect them anywhere -- they don't follow redirects.

Jim

foodel

5:43 pm on Oct 26, 2004 (gmt 0)

10+ Year Member



Hi,
Thanks Jim, it looks to me that something like this

RewriteEngine on
RewriteRule ^.*nifty.com/* [F]

in .htaccess, not sure about that though, should do the trick. It's probably wrong but at least I'm going in the right direction and I can tweak it.
When my eyes stop bleeding I'll check out some more rewrite rule config options. ;-)
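
The check jdMorgan describes in the thread above, written out as an added example (it is not code from either poster). `example.com` is a placeholder for the site's own hostname, and `other.example` in the comments is a constructed sample host.

```apache
# Added example; example.com stands in for your own hostname (assumption).
# Usable in .htaccess or in the server / virtual-host config with mod_rewrite loaded.
RewriteEngine On

# A normal request line is origin-form:  GET /index.html HTTP/1.1
# A proxy probe is absolute-form:        GET http://other.example/path HTTP/1.0
#
# %{THE_REQUEST} holds that first line exactly as the client sent it, so the
# host named inside it can be tested. A RewriteRule pattern on its own cannot
# see it: the pattern is matched against the URL-path only, never the scheme
# or host, so a rule such as "RewriteRule ^.*nifty.com/* [F]" does not fire on
# these requests. That rule also has no substitution argument, so "[F]" is
# read as the substitution rather than as a flag.

# 1. Is the request line absolute-form? Capture the host it names as %1.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s+https?://([^/:\s]+) [NC]

# 2. ...and is that host something other than this site?
#    (Clients may legitimately send an absolute URI naming our own host.)
RewriteCond %1 !^(www\.)?example\.com$ [NC]

# 3. Refuse it. "-" means "no substitution"; [F] returns 403 Forbidden.
RewriteRule ^ - [F]
```

The requests still appear in the access log, now with status 403 instead of 404, so they remain visible without any per-IP firewall rules.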