
Forum Moderators: Ocean10000 & incrediBILL & phranque


Need help with RewriteRule RegExpr

How do I allow all files in one bait directory, after exclusions?



3:56 pm on Jun 4, 2003 (gmt 0)

10+ Year Member

I hate to bother you all with this, but I thought I had the rule set to allow excluded bots to access files in my spider bait directory. Yesterday a Zeus bot tried to access the bait but was 403'd. It got as far as /contact-info.html, which sends attackers to /Bait/honeypot.html, which in turn sends them to several oddly named .html files and one .cgi file (the poison script) for database poisoning. All of these miscellaneous files are in the "/Bait" directory.

Here is what I had in .htaccess that blocked the badbot:

RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule !^(includes/403\.html|cgi-bin/MKCounter\.cgi|robots\.txt|contact-info\.html|cgi-bin/contact-info\.cgi|Bait/.*) - [F]

Here is what I am changing it to in order to let badbots eat the bait. Is this correct, incorrect, or is it too much for what I want to do?

RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule !^(includes/403\.html|cgi-bin/MKCounter\.cgi|robots\.txt|contact-info\.html|cgi-bin/contact-info\.cgi|Bait/\w*\.(html|cgi)) - [F]
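One thing worth checking in the revised pattern, sketched here with Python's re module (Apache's regex dialect may differ slightly, but \w means letters, digits, and underscore in both): \w* will not match hyphenated filenames, so a bait file named like contact-info.cgi would stay blocked.

```python
import re

# The trailing alternative from the revised rule above. Note that \w
# matches only [A-Za-z0-9_], so a hyphen in a filename ends the match.
pattern = re.compile(r"^Bait/\w*\.(html|cgi)")

print(bool(pattern.match("Bait/honeypot.html")))     # matches
print(bool(pattern.match("Bait/contact-info.cgi")))  # no match: the hyphen
```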

Thanks in advance, Wiz


6:14 am on Jun 6, 2003 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member


Pulling out all the other unrelated stuff, we get:

RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule !^Bait/.* - [F]

Which is just fine. If the requested resource is not in /Bait/ (or the other removed dirs/files), then it gets a 403. The ".*" on the end is redundant, but won't do anything other than slow things down a little.
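A minimal sketch of that logic (Python stand-in; the non-bait path is hypothetical): a negated RewriteRule with the [F] flag forbids any request whose path does not match the pattern.

```python
import re

# "RewriteRule !^Bait/.* - [F]" forbids a request when the pattern
# does NOT match the requested path.
allowed = re.compile(r"^Bait/")

def is_forbidden(path: str) -> bool:
    """True when the request would be answered with a 403."""
    return allowed.match(path) is None

print(is_forbidden("Bait/honeypot.html"))  # False: the bait is served
print(is_forbidden("index.html"))          # True: everything else is 403'd
```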

The change you made should not be necessary, and I'd look elsewhere for the problem. Maybe that request was from a "spoofed" Zeus, like "Mozilla/4.0 (compatible; Zeus blah blah)", or maybe it requested "bait", not "Bait"? Or maybe there are other RewriteConds not shown? ...Just guesses, but I'm stumped; it should have worked.



1:44 pm on Jun 6, 2003 (gmt 0)

10+ Year Member

Maybe that request was from a "spoofed" Zeus, like "Mozilla/4.0 (compatible; Zeus blah blah)" or maybe it requested "bait", not "Bait"? Or maybe there are other RewriteConds not shown?

Hi Jim;

The UA was Zeus 2.6 and it had just visited my contact-info poison page, which is permitted in the Rewrite line:

RewriteRule !^(includes/403\.html|cgi-bin/MKCounter\.cgi|robots\.txt|contact-info\.html|cgi-bin/contact-info\.cgi|Bait/.*) - [F]

It entered my site and went for the contact-info.html page, then followed the link meant to send it on to the main poison directory, Bait, and the honeypot file. When it tried to follow that link, though, my regular expression was incorrect and it remained blocked by my 403 ruleset. That rewrite condition set is fairly long and thorough, and gets updated regularly.

I solved the exclusion problem by typing out two separate allowances for the Bait directory, one for all .html files, Bait/.*\.html, and one for Bait/contact-info\.cgi, and tacking them onto the end of the RewriteRule. I was trying to get both with one wildcard rule but didn't have the regexpr correct with Bait/.*.

I tested my rules in Wannabrowser before and after adding the two new rules and it now works as desired. Any bot following the poison link on /contact-info.html will be treated to a gourmet dinner in my /Bait/ directory.

If you can see how I could allow access for ANY .html AND ANY .cgi files in the Bait directory, in one short expr, let me know. ;)
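One possible single expression, shown here via Python's re (Apache's regex dialect may differ slightly): use [^/]+ instead of \w*, since it matches any filename character, including hyphens, while still refusing to cross into subdirectories.

```python
import re

# A candidate combined pattern for the question above. In .htaccess the
# corresponding alternative would be (a sketch, not a tested rule):
#   RewriteRule !^(...other exclusions...|Bait/[^/]+\.(html|cgi)) - [F]
# The subdirectory path below is hypothetical, just to show the limit.
bait = re.compile(r"^Bait/[^/]+\.(html|cgi)$")

for path in ["Bait/honeypot.html", "Bait/contact-info.cgi", "Bait/sub/deep.html"]:
    print(path, bool(bait.match(path)))  # True, True, False
```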

