GET /sumthin HTTP/1.0

what's the best method for dealing with this?

lorax

1:25 am on Feb 10, 2003 (gmt 0)

I noted that I had several requests for /sumthin in my logs. I tried to reply to [webmasterworld.com...] but it was too late. I'd like to ban these requests or redirect them but I'm not sure what would be the most effective. Advice?

jdMorgan

1:35 am on Feb 10, 2003 (gmt 0)

lorax,

I've tried many approaches, but there is "something funny going on" with these requests. So far, this is the first method that has worked. In .htaccess under Apache server:


RewriteRule umthi - [NC,F]

If I use the full filename, some variants seemed to get through, but this is a work-in-progress.

Jim

lorax

2:32 am on Feb 10, 2003 (gmt 0)

Hello jdMorgan,
'Twas hoping you'd stop by. I just wasn't sure if a RewriteRule would be enough or if (as it sounded in your Dec. post on this) I needed to write something a bit more sophisticated. It's slightly alarming the number of requests we've had for this since Feb 1 (12). So the rule you provided doesn't need an opening '^' or closing '$' - I'm a neophyte with mod_rewrite. The server didn't complain so I assume it's fine. ;)

jdMorgan

2:47 am on Feb 10, 2003 (gmt 0)

No, that's straight off my server, and works as-is. I'm not really sure if it does any good to return a 403-Forbidden code, but at least they've been told to go away. I used to ban them by IP address, but there were simply too many IP addresses bloating up my deny list, and some of them were just proxies anyway.

Jim
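An added example, not code from the thread, that emulates the two kinds of rule discussed above against constructed Apache access-log lines: jdMorgan's substring rule 'umthi' with [NC], and an anchored '^sumthin$' of the kind lorax asked about. The log lines and IP addresses are made up for the demonstration (documentation-range IPs, paths chosen as plausible spellings of the probe). The emulation assumes the rule lives in a DocumentRoot .htaccess, where mod_rewrite matches the pattern against the path with the directory prefix stripped, so the pattern sees 'sumthin' with no leading slash and never sees the query string. It also counts the distinct source IPs each rule would have caught, which is the number of entries an IP-based deny list would have to carry.

```python
"""Emulate two mod_rewrite patterns against constructed access-log lines."""
import re
from collections import Counter

# Constructed Apache combined-format log lines, NOT taken from the thread.
# Paths are variants of the /sumthin probe chosen to show how the two
# patterns differ; IPs are from the documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Feb/2003:22:14:01 +0000] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
192.0.2.11 - - [09/Feb/2003:22:15:33 +0000] "GET /SUMTHIN HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [09/Feb/2003:23:02:19 +0000] "GET /sumthin/ HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [10/Feb/2003:00:41:52 +0000] "GET /sumthin?x=1 HTTP/1.0" 404 209 "-" "-"
192.0.2.10 - - [10/Feb/2003:01:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# host ident user [time] "method target protocol" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')

# The two candidate rules from the discussion, expressed as Python regexes:
#  - jdMorgan's posted rule: substring match, case-insensitive ([NC])
#  - a "full filename" rule with anchors, as lorax asked about
RULES = {
    "umthi [NC,F]": re.compile(r"umthi", re.IGNORECASE),
    "^sumthin$ [F]": re.compile(r"^sumthin$"),
}


def parse_log(text):
    """Parse combined-format lines into dicts; skip lines that do not parse."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, target, proto, status, _size = m.groups()
        path, _, query = target.partition("?")
        entries.append({"ip": ip, "method": method, "target": target,
                        "path": path, "query": query, "proto": proto,
                        "status": int(status)})
    return entries


def perdir_subject(path):
    """What a RewriteRule in a DocumentRoot .htaccess actually matches.

    In per-directory context mod_rewrite strips the directory prefix, so the
    pattern sees 'sumthin', not '/sumthin', and the query string is never
    part of the match (it is only reachable through %{QUERY_STRING}).
    """
    return path.lstrip("/")


def classify(entries):
    """Map each request target to {rule name: would the rule fire?}."""
    return {e["target"]: {name: bool(rx.search(perdir_subject(e["path"])))
                          for name, rx in RULES.items()}
            for e in entries}


def distinct_sources(entries, rule_name):
    """Distinct client IPs a rule would block: the size an IP deny list
    would have to grow to in order to achieve the same effect."""
    rx = RULES[rule_name]
    return Counter(e["ip"] for e in entries
                   if rx.search(perdir_subject(e["path"])))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for target, hits in classify(entries).items():
        print(f"{target:16} " + "  ".join(
            f"{n}: {'block' if h else 'pass '}" for n, h in hits.items()))
    for name in RULES:
        print(f"{name}: {len(distinct_sources(entries, name))} distinct IPs")
```

Run as-is to see that the anchored, case-sensitive rule lets the upper-case and trailing-slash spellings through while the substring rule with [NC] catches all of them, and that a query string evades neither because it is not part of the matched path. Whether any of these particular spellings were what got past jdMorgan's full-filename rule is not something the thread tells us; the constructed lines only show the mechanism.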

lorax

3:08 am on Feb 10, 2003 (gmt 0)

Got it. Thanks.
Gregg

JayC

3:16 am on Feb 10, 2003 (gmt 0)

Since the intent of this request is apparently to generate a 404 (not found) error, wouldn't you at least partially counter it by simply creating a blank page named 'sumthin' so they just get a 200 with no further information?

jdMorgan

3:36 am on Feb 10, 2003 (gmt 0)

JayC,

That's a possibility, but I don't know enough about the worm to consider that a good idea. I'd rather give them a 403, since a 200-OK might lead the requestor to believe that it was dealing with an already-infected machine or something.

No matter what the response code, the requestor is going to get a standard HTTP header with your server type and revision and all that.

Hopefully, some more info on this exploit will turn up.

Jim
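To see exactly what the prober gets back, here is an added example that is not from the thread: it stands up a throwaway server on loopback that answers the probe with a 403 the way the .htaccess rule above would (and 404 for anything else), sends the same bare HTTP/1.0 request line a scanner sends (no Host, no User-Agent), and returns the status code and response headers. The server is Python's own http.server, so the Server header names Python rather than Apache; that is the point being illustrated, the header goes out whatever the status code is.

```python
"""Send the raw probe to a local stand-in server and show what the prober sees."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class ProbeHandler(BaseHTTPRequestHandler):
    """Stand-in for a site that forbids the probe, as the .htaccess rule does."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        if "umthi" in self.path.lower():       # same substring test as the rule
            self.send_error(403)
        else:
            self.send_error(404)

    def log_message(self, *args):             # keep the demo quiet
        pass


def raw_request(host, port, request_line):
    """Send one HTTP/1.0 request exactly as a scanner would and return
    (status_code, headers) with header names lower-cased."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((request_line + "\r\n\r\n").encode("ascii"))
        data = b""
        while True:                           # HTTP/1.0: server closes when done
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def probe_local_server(request_line):
    """Run a throwaway server on an ephemeral loopback port, send one
    request line to it, shut it down, and return (status, headers)."""
    server = HTTPServer(("127.0.0.1", 0), ProbeHandler)
    t = threading.Thread(target=server.serve_forever, daemon=True)
    t.start()
    try:
        return raw_request("127.0.0.1", server.server_address[1], request_line)
    finally:
        server.shutdown()
        server.server_close()
        t.join(timeout=5)


if __name__ == "__main__":
    for line in ("GET /sumthin HTTP/1.0",
                 "GET /SUMTHIN/ HTTP/1.0",
                 "GET /robots.txt HTTP/1.0"):
        status, headers = probe_local_server(line)
        print(f"{line:26} -> {status}  Server: {headers.get('server')}")
```

The 403 and the 404 both carry a Server header, which is the behaviour jdMorgan describes; the status code only changes what the requester is told, not what it learns about the server.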

JayC

4:11 am on Feb 10, 2003 (gmt 0)

"That's a possibility, but I don't know enough about the worm to consider that a good idea."

Yeah, good point. I guess it was an instinctual "if they want a 404, give them something else," but without knowing exactly what the purpose of the request is it's impossible to know what the result -- or effectiveness -- of that might be.

GeorgeGG

4:58 am on Feb 10, 2003 (gmt 0)

I haven't really tried using rewrite rules,
just kind of taking notes etc...

Wouldn't something like:
RewriteCond whatever_cond_we_are_looking_for
RewriteRule ^.*$ [127.0.0.1...] [L]
or
RewriteRule ^.*$ [mydomain...] [L]

redirector.cgi just logs the request and sends a redirect
to [127.0.0.1...]

Would this redirect them back to their own server/computer without
returning headers from our own server and without logging unless we
used a redirector script?

Thanks
GeorgeGG

jdMorgan

5:23 am on Feb 10, 2003 (gmt 0)

GeorgeGG,

These agents typically do not follow redirects, and any response from our server is going to contain the standard info about our server. You can test your own server using the WebmasterWorld server header checker [webmasterworld.com] to see this info.

It would be nice to be able to "black hole" requests for this "sumthin" file, but that requires access to the server firewall - an option many of us don't have.

Jim

GeorgeGG

6:16 am on Feb 10, 2003 (gmt 0)

"These agents typically do not follow redirects"
Thanks for that tidbit of info...
Can get the headers using a script on my site but hadn't
thought about the server still giving the headers on a redirect...

"requires access to the server firewall"
heck I only have a personal website :)

Thanks again
GeorgeGG