Best way to get rid of annoying virus exploit hits

like _vti-bin, formmail.pl, MSOffice, etc.

         

sublime1

9:06 pm on Dec 19, 2004 (gmt 0)


Our site does not have any URLs that end in .cgi, .asp, .dll, .pl or a number of other cases that show up in our logs every day. They are all from virus-infected servers that are attempting to infect other servers using known exploits. Our servers just return a 404 now. But these are pretty, helpful error pages. All I really want to do is send back a brief 403: Forbidden.

My question is, what's the best way to identify all of the patterns that I should exclude: a single RewriteRule or a set of RewriteCond's? For example, I have
RewriteRule .*\.asp$ - [NC,F,L]
working. Is there a way to do a regex like
RewriteRule .*\.[asp|cgi|pl|dll]$ - [NC,F,L]
to mean anything ending with ".asp" or ".cgi", etc.? The example here doesn't work, because I think my regex is wrong. I could do a set of RewriteConds for each case, but I suspect there's a more clever way.

Can anyone point me to the right place or give me an example?

Thanks in advance!

wilderness

9:27 pm on Dec 19, 2004 (gmt 0)


like _vti-bin, MSOffice, etc.

Many webmasters have believed all along that these two UA's were a virus or worm.

In fact what they are is a visitor using either MS Word or MS Front Page for their browser.

Why anyone would choose to do such a thing is beyond the comprehension of most sane people.

I've posted this previously either in this forum or forum #11. The message just hasn't been repeated over and again.

Don

sublime1

9:39 pm on Dec 19, 2004 (gmt 0)


Aha -- sorry for the post, never mind -- my regex was incorrect, I should have used
.*\.(asp|cgi|pl|dll)$
instead of the square brackets.
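
Added example, not part of the thread: a Python check of the two patterns quoted above against constructed request paths, showing that the square-bracket form is a character class that matches a single character after the dot, so it misses ".asp" while blocking unrelated paths. It assumes Python's re module and Apache's PCRE agree on these simple constructs, models [NC] with re.IGNORECASE, and uses hypothetical helper names (forbidden, classify).

```python
import re

# Patterns from the thread; the [NC] flag is modelled with re.IGNORECASE.
# Assumption: Python's re and Apache's PCRE treat these constructs identically.
BRACKET = re.compile(r".*\.[asp|cgi|pl|dll]$", re.IGNORECASE)  # first attempt
GROUP = re.compile(r".*\.(asp|cgi|pl|dll)$", re.IGNORECASE)    # corrected form

# Constructed sample paths. RewriteRule tests the URL path only,
# never the query string, so none is included here.
SAMPLE_PATHS = [
    "/MSOffice/cltreq.asp",
    "/_vti_bin/owssvr.dll",
    "/cgi-bin/formmail.pl",
    "/cgi-bin/FormMail.CGI",
    "/index.html",
    "/docs/aspen.html",
    "/src/main.c",
    "/notes.d",
]


def forbidden(pattern, path):
    """True if a RewriteRule using this pattern with [F] would answer 403."""
    # mod_rewrite patterns are unanchored unless they say otherwise: use search().
    return pattern.search(path) is not None


def classify(paths):
    """Map each path to (bracket_result, group_result) for comparison."""
    return {p: (forbidden(BRACKET, p), forbidden(GROUP, p)) for p in paths}


if __name__ == "__main__":
    for path, (bracket, group) in classify(SAMPLE_PATHS).items():
        print(f"{path:26} bracket={bracket!s:5} group={group}")
```

Running the same list of paths through any candidate pattern before deploying it shows both what it fails to block and what it blocks by accident.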