
Requests with multiple repetitions of domain name

http://example.com//http://example.com

         

MatthewHSE

12:50 am on Jan 19, 2007 (gmt 0)




I'm seeing a lot of requests lately on one of my sites like the following:

http://www.example.com//example.com//example.com/https:/example.com/signup.php

I think they're malicious, as they always come in a bunch at a time from the same IP and with the referer very similar to the request.

These are becoming annoying so I'd like to serve requests like this a 403. I assume I need to come up with a rewrite rule to use in .htaccess that would detect repetitions of 'http' or my domain name. The problem is I have no idea how to do such a thing or what method would be best.

Has anyone else come up with a way to successfully combat these requests?

Thanks,

Matthew

jdMorgan

3:07 am on Jan 20, 2007 (gmt 0)




It's most likely a defective script written by someone who doesn't know how to construct HTTP requests. They are including the domain name in the request header where it doesn't belong, as well as in the "Host:" header, where it does belong.

Something like:


RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /*(http://)?([^.]+\.)*example\.com(:[0-9]{1,5})?/ [NC]
RewriteRule .? - [F]

should work for any variation of your "example.com" domain appearing in the request. It will not block "normal" requests to your server.

Jim

[edited by: jdMorgan at 3:09 am (utc) on Jan. 20, 2007]
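An added example, not part of the original thread: a Python stand-in for the RewriteCond above, run over access-log lines to see which requests the rule would answer with a 403 before it goes into .htaccess. The log lines, addresses and function names are constructed for illustration; the pattern is the one from the post.

```python
import re

# The RewriteCond pattern from the post; [NC] becomes re.IGNORECASE.
# %{THE_REQUEST} is the full request line, which is also what the
# quoted field of an access-log entry holds.
PATTERN = re.compile(
    r"^[A-Z]{3,9}\ /*(http://)?([^.]+\.)*example\.com(:[0-9]{1,5})?/",
    re.IGNORECASE,
)

# Pulls the client address and the quoted request line from a log entry.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

# Constructed log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jan/2007:00:41:02 +0000] "GET //example.com//example.com/https:/example.com/signup.php HTTP/1.1" 404 512
192.0.2.10 - - [19/Jan/2007:00:41:03 +0000] "POST //example.com/signup.php HTTP/1.1" 404 512
198.51.100.7 - - [19/Jan/2007:00:42:10 +0000] "GET /signup.php HTTP/1.1" 200 2048
198.51.100.7 - - [19/Jan/2007:00:42:11 +0000] "GET /index.html HTTP/1.1" 200 4096
203.0.113.5 - - [19/Jan/2007:00:43:30 +0000] "GET /out.php?ref=www.example.com/ HTTP/1.1" 200 1024
"""


def would_be_forbidden(request_line):
    """True if the rule's condition matches this request line."""
    return PATTERN.search(request_line) is not None


def forbidden_by_ip(log_text):
    """Count, per client address, the requests the rule would answer with 403."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and would_be_forbidden(m.group(2)):
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits


if __name__ == "__main__":
    for ip, count in sorted(forbidden_by_ip(SAMPLE_LOG).items()):
        print(ip, count)
```

The last constructed line shows that a request whose query string contains the host name followed by a slash also matches, so it is worth running a check like this over real logs for such URLs first.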