
Someone is proxying my server 10 times a second.


altendew

5:07 am on May 20, 2006 (gmt 0)



Check out these logs:

Host: 201.50.***.207 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:40 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; WUU; PPC Mac OS X; en-US) AppleWebKit/778.7 (KHTML, like Geco, Safari) OmniWeb/v210.76emDrive=C:\x81
---------------------------------------------------------
Host: 217.227.***.193 /signUp.php?ref=ec0lag
Http Code: 200 Date: May 20 00:55:39 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; LTQ; PPC Mac OS X; en-US) AppleWebKit/583.2 (KHTML, like Geco, Safari) OmniWeb/v716.45ot=D:\\WIND\x81
---------------------------------------------------------
Host: 88.218.***.182 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:39 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; OON; PPC Mac OS X; en-US) AppleWebKit/185.0 (KHTML, like Geco, Safari) OmniWeb/v024.81temDrive=C\x81
---------------------------------------------------------
Host: 84.121.***.152 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:38 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; TGA; PPC Mac OS X; en-US) AppleWebKit/522.5 (KHTML, like Geco, Safari) OmniWeb/v164.73rama
---------------------------------------------------------
Host: 84.102.***.121 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:38 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; YFJ; PPC Mac OS X; en-US) AppleWebKit/127.4 (KHTML, like Geco, Safari) OmniWeb/v066.21stemDrive=\x81
---------------------------------------------------------
Host: 221.144.***.129 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:37 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; IHR; PPC Mac OS X; en-US) AppleWebKit/370.2 (KHTML, like Geco, Safari) OmniWeb/v721.81es
---------------------------------------------------------
Host: 83.135.***.247 /signUp.php?ref=ec0lag
Http Code: 200 Date: May 20 00:55:37 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; DKB; PPC Mac OS X; en-US) AppleWebKit/121.6 (KHTML, like Geco, Safari) OmniWeb/v767.38Drive=C:
---------------------------------------------------------
Host: 80.38.***.40 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:37 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; EOW; PPC Mac OS X; en-US) AppleWebKit/800.4 (KHTML, like Geco, Safari) OmniWeb/v834.74Drive=C:
---------------------------------------------------------
Host: 211.61.***.8 /signUp.php?ref=ec0lag
Http Code: 200 Date: May 20 00:55:37 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; YMA; PPC Mac OS X; en-US) AppleWebKit/440.7 (KHTML, like Geco, Safari) OmniWeb/v\xe137.02temDrive=C\x81
---------------------------------------------------------
Host: 190.49.***.39 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:36 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; UIN; PPC Mac OS X; en-US) AppleWebKit/344.1 (KHTML, like Geco, Safari) OmniWeb/v552.66a
---------------------------------------------------------
Host: 83.211.***.18 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:36 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; YIJ; PPC Mac OS X; en-US) AppleWebKit/864.1 (KHTML, like Geco, Safari) OmniWeb/v677.56ip
---------------------------------------------------------
Host: 84.174.***.248 /signUp.php?ref=ec0lag
Http Code: 200 Date: May 20 00:55:36 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; CWA; PPC Mac OS X; en-US) AppleWebKit/577.2 (KHTML, like Geco, Safari) OmniWeb/v815.46temDrive=C\x81
---------------------------------------------------------
Host: 84.162.***.14 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:36 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; JYX; PPC Mac OS X; en-US) AppleWebKit/856.2 (KHTML, like Geco, Safari) OmniWeb/v732.76mDrive=C:
---------------------------------------------------------
Host: 81.193.***.187 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:36 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; INJ; PPC Mac OS X; en-US) AppleWebKit/750.0 (KHTML, like Geco, Safari) OmniWeb/v651.53

OK, the first thing I noticed was that they were all accessing the same page: either "/signUp.php?ref=1945777" or "/signUp.php?ref=ec0lag".

Second, they had no referer, which is very uncommon.

Third, each agent is just a little different; I will place * around where it's different:

Agent: Mozilla/5.0 (Macintosh; *INJ*; PPC Mac OS X; en-US) AppleWebKit/*750.0* (KHTML, like Geco, Safari) OmniWeb/v*651.53*

Fourth, 10 straight Mac requests in a row is unlikely; Windows is usually 99% of the hits.

So yes, someone is using some kind of software to target my server, but I really do not know if there is a way to prevent this.

I blocked these urls:
/signUp.php?ref=1945777
/signUp.php?ref=ec0lag

But that's not going to stop him from changing the ref value.

Any help would be appreciated.

I am running Linux with cPanel.

Thanks,
Andrew

[edited by: jdMorgan at 3:54 pm (utc) on May 20, 2006]
[edit reason] Obscured open-proxy private addresses [/edit]

jdMorgan

4:14 pm on May 20, 2006 (gmt 0)




Here's what I would do, if faced with the same situation:

In the Web root (homepage) directory .htaccess file, place or add the following:


Options +FollowSymLinks
RewriteEngine on
# Match the forged agent family: fixed prefix, a random three-letter tag, random WebKit and OmniWeb versions
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ [A-Z]+;\ PPC\ Mac\ OS\ X;\ en-US\)\ AppleWebKit/[0-9.]+\ \(KHTML,\ like\ Geco,\ Safari\)\ OmniWeb/v
# ... and an empty referer ...
RewriteCond %{HTTP_REFERER} ^$
# ... and a query string that begins with "ref="
RewriteCond %{QUERY_STRING} ^ref=
# Only then, send requests for signUp.php into the /pest directory
RewriteRule ^signUp\.php$ /pest/blanco.html [L]

Create a subdirectory called "/pest". In that subdirectory, place the following code in the .htaccess file:

# Serve the empty file as the body of every 403 response in this directory
ErrorDocument 403 /pest/403null.html
#
Options +FollowSymLinks
RewriteEngine on
# Forbid everything here except the empty error page itself
RewriteRule !^403null\.html$ - [F]

Now, create a blank file using Notepad, name it "403null.html", and place it in the /pest subdirectory.

Function: An incoming request matching the top-level .htaccess RewriteRule will be rewritten to "blanco.html" in the /pest subdirectory. The code there disallows access to any file except "403null.html". Therefore, a 403-Forbidden error response will be invoked. The server will then use 403null.html as the error handler page. Access to this page *is* allowed, because of the RewriteRule exclusion, so it gets served. But it's zero bytes in length, which means the content-body of the response to the client will be blank, and it will save you some bandwidth.

This code is written to block as few "innocent" clients as possible. This makes it easier to bypass by changing the various parameters slightly. You may wish to tighten or loosen the requirements to generate a 403-Forbidden response, based on your past or future experience with this attack.

Because of the formatting imposed by the forum software, one or more of the lines above may be wrapped. Each of the .htaccess directives with their arguments must be placed on a single line, so correct as necessary.

Only one "RewriteEngine on" directive is required in each .htaccess file. If you've already got one there, don't add another one.
The "Options +FollowSymLinks" directive *may* be needed, or it may not be allowed; that depends on the server configuration. If it is missing but needed, or if it is present but not allowed, you will likely get a 500-Server error, and a message in your server error file detailing the problem.

Some servers are configured to disallow the use of mod_rewrite, other Apache modules, or even .htaccess files. This kind of problem must be resolved with your hosting company.

This code is untested, and comes with no warranty, expressed or implied. It may contain typographical errors, rendering it inoperative. Use at your own risk. Support will be limited. Yadda, yadda...

I also don't recommend that anyone try this who is not familiar with mod_rewrite and regular expressions. Such persons may not be equipped with even the vocabulary required to get the code working, given the variations in server configurations and requirements, etc. Because of the small number of contributing members, this forum is not capable of supporting "code requests" or providing timely "support." It is a discussion forum, and not a help desk. -- Any users of this code should be aware that it is up to them to do the necessary research to fully understand the code and its effects on their server before testing it.

For more information, see the documents cited in our forum charter [webmasterworld.com] and the tutorials in the Apache forum section of the WebmasterWorld library [webmasterworld.com].

Jim
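Added example, not code from either post: a Python script that parses log records in the format altendew pasted and applies the same four conditions as Jim's top-level rewrite rule as an offline detection check, then summarizes how many hits, how many distinct hosts and how many requests per second match. The sample records are constructed (RFC 5737 documentation addresses, not the obscured IPs from the thread), and the parsing regex, field names and function names are assumptions fitted to the pasted format.

```python
import re
from collections import Counter

# Constructed sample in the thread's log format (RFC 5737 documentation addresses,
# not the obscured IPs from the post); the third record is an ordinary visitor.
SAMPLE_LOG = """\
Host: 192.0.2.11 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:40 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; WUU; PPC Mac OS X; en-US) AppleWebKit/778.7 (KHTML, like Geco, Safari) OmniWeb/v210.76emDrive=C:
---------------------------------------------------------
Host: 192.0.2.12 /signUp.php?ref=ec0lag
Http Code: 200 Date: May 20 00:55:40 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (Macintosh; LTQ; PPC Mac OS X; en-US) AppleWebKit/583.2 (KHTML, like Geco, Safari) OmniWeb/v716.45
---------------------------------------------------------
Host: 198.51.100.7 /signUp.php?ref=1945777
Http Code: 200 Date: May 20 00:55:39 Http Version: HTTP/1.1 Size in Bytes: 4096
Referer: http://www.example.com/promo
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""
# Same pattern as the RewriteCond on HTTP_USER_AGENT: anchored at the start only,
# so the trailing junk on the thread's agent strings still matches.
PEST_AGENT = re.compile(r"^Mozilla/5\.0 \(Macintosh; [A-Z]+; PPC Mac OS X; en-US\) "
                        r"AppleWebKit/[0-9.]+ \(KHTML, like Geco, Safari\) OmniWeb/v")
RECORD = re.compile(r"Host: (?P<host>\S+) (?P<path>[^?\s]+)\??(?P<query>\S*)\n"
                    r"Http Code: (?P<code>\d+) Date: (?P<date>.+?) Http Version: (?P<ver>\S+)"
                    r" Size in Bytes: (?P<size>\d+)\nReferer: (?P<referer>\S+)\nAgent: (?P<agent>.+)")

def parse_records(text):
    """Split the dashed-separator format into one dict per request."""
    return [m.groupdict() for m in RECORD.finditer(text)]

def matches_pest_rule(rec):
    """Mirror the four conditions of the top-level .htaccess rule."""
    return (rec["path"] == "/signUp.php" and rec["query"].startswith("ref=")
            and rec["referer"] == "-" and PEST_AGENT.match(rec["agent"]) is not None)

def summarize(records):
    """Flagged hits, distinct source hosts and the busiest single second."""
    flagged = [r for r in records if matches_pest_rule(r)]
    per_second = Counter(r["date"] for r in flagged)
    return {"flagged": len(flagged), "hosts": len({r["host"] for r in flagged}),
            "peak_per_second": max(per_second.values(), default=0)}
```

Running the same rule offline against a day's log before deploying it shows how many ordinary visitors it would catch, which is the "tighten or loosen" judgement Jim describes.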