I noticed in my access log that a lot of attacks look like this:
http://www.example.com/components/com_component/errors.php?error=http://www.reallybaddomain.com/l333tbi1t.txt?
So I found some nifty rules to block urls with "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} ftp\: [OR]
RewriteCond %{QUERY_STRING} https\:
RewriteRule ^(.*)$ index.php [F,L]
This works like a charm ;D
Now I noticed that some bad guys replace ":" with "%3A".
So I created the rule
RewriteCond %{QUERY_STRING} http\%3A
Unfortunately I can't log in to Joomla 1.0.x (Joomla 1.5.x works fine though) because this URL is blocked:
http://www.example.com/index.php?option=cookiecheck&return=http%3A%2F%2Fwww.example.com%2F
So I need a line to block URLs with http%3A in them, except when they are from your own domain. Can anybody help me with this?
[edited by: jdMorgan at 4:01 pm (utc) on Sep. 12, 2008]
[edit reason] Please use example.com [/edit]
Combining your original three RewriteConds, cleaning up a bit, and adding an exclusion for the query name/value pair return=(your own site) gives:
RewriteCond %{QUERY_STRING} (https?|ftp)(\:|\%3A) [NC]
RewriteCond %{QUERY_STRING} !return=http\%3A\%2F\%2Fwww\.example\.com(\%2F)?&? [NC]
RewriteRule \.php[45]?$ - [F]
Jim
[edited] Tweaked security aspects of exclusion pattern. [edited]
[edited by: jdMorgan at 4:03 pm (utc) on Sep. 12, 2008]
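A way to check rules like the ones in this thread against sample requests before deploying them, written as an added Python model (it is not code from the thread and it is not Apache itself). OWN_RETURN_EXACT, anchored_rule_blocks, the case names and the bad.example host are assumptions made for this example; it goes one step beyond the posted rule by also testing an exclusion anchored to the complete return= pair.

```python
import re

# The reply's patterns with solid pipes; Apache's [NC] flag maps to re.IGNORECASE.
SCHEME = re.compile(r"(https?|ftp)(\:|\%3A)", re.I)
OWN_RETURN = re.compile(r"return=http\%3A\%2F\%2Fwww\.example\.com(\%2F)?&?", re.I)
PHP_PATH = re.compile(r"\.php[45]?$")

# Assumption (not from the thread): the same exclusion, anchored to the
# parameter boundaries so it matches only a complete return=<own site> pair.
OWN_RETURN_EXACT = re.compile(
    r"(^|&)return=http%3A%2F%2Fwww\.example\.com(%2F)?(?=&|$)", re.I)


def posted_rule_blocks(path, query):
    """403 when the path is a PHP script, the query holds a URL scheme,
    and the own-site return pair is absent (the rule set as posted)."""
    return bool(PHP_PATH.search(path) and SCHEME.search(query)
                and not OWN_RETURN.search(query))


def anchored_rule_blocks(path, query):
    """Hypothetical stricter check: drop exact own-site return pairs first,
    then forbid any URL scheme left in the rest of the query string."""
    rest = OWN_RETURN_EXACT.sub("", query)
    return bool(PHP_PATH.search(path) and SCHEME.search(rest))


# Constructed regression cases; bad.example is a placeholder host.
ERR = "components/com_component/errors.php"
OWN = "return=http%3A%2F%2Fwww.example.com"
CASES = {
    "plain":     (ERR, "error=http://bad.example/x.txt?"),
    "encoded":   (ERR, "error=http%3A%2F%2Fbad.example%2Fx.txt"),
    "login":     ("index.php", "option=cookiecheck&" + OWN + "%2F"),
    "lookalike": ("index.php", "option=cookiecheck&" + OWN + ".bad.example%2F"),
    "mixed":     (ERR, "error=http%3A%2F%2Fbad.example%2Fx.txt&" + OWN + "%2F"),
    "static":    ("images/logo.png", "src=http://bad.example/"),
}


def evaluate():
    """Return {case: (posted_blocks, anchored_blocks)} for every sample request."""
    return {name: (posted_rule_blocks(p, q), anchored_rule_blocks(p, q))
            for name, (p, q) in CASES.items()}


if __name__ == "__main__":
    for name, (posted, anchored) in evaluate().items():
        print(f"{name:10} posted={'403' if posted else 'pass'}"
              f" anchored={'403' if anchored else 'pass'}")
```

Both checks let the Joomla 1.0.x login request through; they differ on the lookalike and mixed cases, where the unanchored exclusion passes the request.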