need help htaccess redirect *.txt? to auto ban file


aliceaod

12:27 pm on Dec 31, 2009 (gmt 0)

10+ Year Member



I keep getting hits to urls like this:

Error 404 - Page Not Found
Requested URL: [mysite.com...] ? ? ? (forum coding is messing this up, it's .txt with 3 question marks after it with NO spaces)

I believe these are attempted attacks on the server. The URL they reference changes sometimes (matr1mon1o.com is a popular one for these idiots) but they *always* end with .txt ? ? ? (forum coding is messing this up, it's .txt with 3 question marks after it with NO spaces).

What I'd like to do is have anything accessing ".txt? ? ?" go to an auto ban file (which I have set up and working for other rewriterules). I can't figure out how to make it so that anything with ".txt? ? ?" in it will go to the auto ban, so am asking for help.

I've been googling this for several days. Everything I try either doesn't work or gives me a 500 error. I'm at my wits' end so am seeking help from one of you nice guru types.

And Happy New Year BTW.

[edited by: aliceaod at 12:32 pm (utc) on Dec. 31, 2009]

[edited by: jdMorgan at 10:26 pm (utc) on Dec. 31, 2009]
[edit reason] Obscured domains. Please see TOS and Charter. [/edit]

g1smd

8:16 pm on Dec 31, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Are there any valid URLs ending in .txt on the server?

Are there any valid URLs that do use query strings?

Are requests for the ?base_folder parameter ever valid?

The idea is to make a much more robust pattern to match.

jdMorgan

10:31 pm on Dec 31, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just illustrating the RewriteCond:

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /([^.\ ]*\.)+txt\?\?\?\ HTTP/

Jim

aliceaod

3:12 am on Jan 1, 2010 (gmt 0)

10+ Year Member



@g1smd: no, no, and no.

@jdMorgan: Thanks! I'm going to give that a try!

aliceaod

3:28 am on Jan 1, 2010 (gmt 0)

10+ Year Member



Oh snap. I give up.

I tried

RewriteRule ^[A-Z]+\ /([^.\ ]*\.)+txt\?\?\?\ [mysite.com...] [NC]

and

RewriteRule ^[A-Z]+\ /([^.\ ]*\.)+txt\?\?\?\ /banme.php [NC]

Then I put in the URL that the attacker was trying to use and I got the usual 404 error instead of being banned.

Thanks for trying to help me tho. Really appreciate it. I think I'll just live with it.

jdMorgan

7:24 am on Jan 1, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You must use a RewriteCond as I posted above, in order to "see" those trailing question marks. In fact, they may even end up encoded, in which case you'll need to match "\%3[Ff]" instead of "\?" (or use the [NC] flag on the RewriteCond).

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /([^.\ ]*\.)+txt\?\?\?\ HTTP/ [NC]
RewriteRule .* /banme.php [L]

- or -

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /([^.\ ]*\.)+txt\%3f\%3f\%3f\ HTTP/ [NC]
RewriteRule !^banme\.php$ /banme.php [L]

(The second rule also excludes 'banme.php' itself from processing the RewriteCond -- might be a tiny bit faster)

Jim

aliceaod

9:42 am on Jan 1, 2010 (gmt 0)

10+ Year Member



TY TY TY I'll give that a try.

I *just* found this while searching the 'net for something un-related and it worked (since the cretins like to also use the expression "=http" in the request). Figures I'd find something, after several days of searching, while trying to find something else!

RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC]
# Allow yourself, for SMF Forum Package Manager upgrades.
# Set it to your own IP address so you are the only one who won't be blocked.
#RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$ [NC]
RewriteRule .* - [F,L]
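
The conditions posted so far in the thread, run against constructed request lines to show which input each one actually sees. This is an added example, not code from any poster; the sample requests, `index.php`, `search.php` and `example.invalid` are assumptions, and `split_request` only approximates what an .htaccess file in the document root hands to mod_rewrite.

```python
import re
from urllib.parse import unquote

# Patterns from the thread; the syntax used here is valid in Python's re too.
# [NC] is modelled with re.I. The third uses "|" where the forum shows a broken bar.
COND_LITERAL = re.compile(r"^[A-Z]+\ /([^.\ ]*\.)+txt\?\?\?\ HTTP/", re.I)
COND_ENCODED = re.compile(r"^[A-Z]+\ /([^.\ ]*\.)+txt\%3f\%3f\%3f\ HTTP/", re.I)
QS_REMOTE_URL = re.compile(r"^.*=(ht|f)tp\://.*$", re.I)

def split_request(request_line):
    """Approximate what an .htaccess in the document root hands to mod_rewrite:
    RewriteRule gets the decoded path without leading slash or query string,
    %{QUERY_STRING} gets everything after the first '?'."""
    _method, target, _proto = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    return unquote(path).lstrip("/"), query

def classify(request_line):
    """Report the RewriteRule input and which of the three conditions match."""
    rule_input, query = split_request(request_line)
    return {
        "rule_input": rule_input,
        "cond_literal": bool(COND_LITERAL.search(request_line)),
        "cond_encoded": bool(COND_ENCODED.search(request_line)),
        "qs_remote_url": bool(QS_REMOTE_URL.search(query)),
    }

# Constructed request lines; example.invalid and the file names are placeholders.
SAMPLES = [
    "GET /index.php?base_folder=http://example.invalid/id.txt??? HTTP/1.1",
    "GET /index.php?base_folder=http://example.invalid/id.txt%3F%3F%3F HTTP/1.1",
    "GET /robots.txt HTTP/1.1",
    "GET /search.php?q=notes.txt HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, classify(line))
```

For both probe-shaped samples the RewriteRule input is just `index.php`, so a pattern placed in the RewriteRule itself never sees the method, the query string or the trailing question marks; only the THE_REQUEST and QUERY_STRING conditions do.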

g1smd

1:26 pm on Jan 1, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Since the answers to my questions were 'no', 'no' and 'no', you don't actually need to specifically test for three question marks.

You can simply ban anything looking for any text file other than robots.txt, or anything that requests any URL with a query string attached, or anything asking for base_folder.php or any combination of those.

aliceaod

1:41 pm on Jan 1, 2010 (gmt 0)

10+ Year Member



thanks g1smd... :) that's what I was googling for but couldn't find a working example. I tried doing a rewrite for anything looking for anything ending in .txt, but nothing I tried worked. I would try the same URL they were using and I'd get a 404, not a 403. I wanted a 403.

The one I found on a page that talks about protecting one's web site was exactly the thing I needed. I was actually looking for how to ban or redirect countries by using geoip when I stumbled upon the article...I saw it mention the =http and realized..eureka! that this is the same thing these cretins use all the time :D The code the author supplied which I posted above works perfectly for the malicious code attempt.

I'm all good to go now, thanks, guys for trying to help. You're living dolls and have a Happy New Year.

jdMorgan

7:06 pm on Jan 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Note that [L] used with [F] is redundant; [F] always implies [L], so you don't need to specify it and waste CPU time and bytes. :)

Jim

aliceaod

7:39 pm on Jan 2, 2010 (gmt 0)

10+ Year Member



Ooooo thankies! I was just doing a copy and paste of the original code and that's what they had on their site so I used it. I'll fix it. Thanks!

g1smd

8:16 pm on Jan 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'd guess that at least 99% of all tutorial and example .htaccess code on the web is either sub-optimum, or has major flaws.

Beware of anything posted anywhere on the web, and make sure you understand what every character does before posting it to a live server.

aliceaod

8:29 pm on Jan 2, 2010 (gmt 0)

10+ Year Member



Thanks! Guess I'll have to find a good book or something. I've tried to understand it, but at my age, something old has to fall out of my head before something new will go in. :S

jdMorgan

7:53 pm on Jan 3, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, I know that feeling. I find a huge pile of 'old stuff' on the floor after the conclusion of every project... :) Observing the 41st anniversary of Woodstock will bring *very* mixed emotions...

Jim

aliceaod

8:01 pm on Jan 3, 2010 (gmt 0)

10+ Year Member



LOL I "feel your pain"....