
czxt2s User Agent?

What is this? Very odd.

         

grandma genie

4:12 am on Sep 1, 2010 (gmt 0)

10+ Year Member



Hi -- Another very strange server log entry. Does anyone know what this is?

201.153.nn.nnn - - [31/Aug/2010:14:59:54 -0400] "GET /osc/product_info.php?cpath=183&products_id=1388%20and%201=2%20union%20select%20CONCAT(0x27,0x7c,0x5f,0x7c), CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c), CONCAT(0x27,0x7c,0x5f,0x7c), CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c), CONCAT(0x27,0x7c,0x5f,0x7c)%20/* HTTP/1.1" 200 31271 "-" "czxt2s"

There were many log entries like this, but a variety of different IPs. I assume the czxt2s is the user agent, which I blocked in htaccess. I am planning to also block the various IPs.

Grandma_genie

[edited by: Ocean10000 at 3:49 pm (utc) on Sep 8, 2010]
[edit reason] Added spaces to allow for wrapping. [/edit]
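To see what that request is actually asking the database to do, here is an added example (not code from the thread or from osCommerce) that parses the log line, URL-decodes the query string and decodes the hex literals. The sample line is the one quoted above with the IP masked as on the page and the moderator's wrapping spaces removed again; everything else is standard library.

```python
"""Decode the czxt2s probe quoted in the post above.

Added example, not code from the thread or from osCommerce. It parses the access-log
line, URL-decodes the query string and spells out what the products_id value asks
MySQL to do: "and 1=2" empties the real result set, "union select" bolts on a row
with N columns, and every column holds the same hex-spelled marker so the attacker
can see in the HTML which columns the page echoes. Standard library only.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request line from the post, IP masked as on the page, and
# with the spaces the moderator inserted for wrapping removed again (a real access
# log never contains spaces inside the request target).
SAMPLE_LINE = (
    '201.153.nn.nnn - - [31/Aug/2010:14:59:54 -0400] '
    '"GET /osc/product_info.php?cpath=183&products_id=1388%20and%201=2%20union%20select'
    '%20CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)'
    '%20/* HTTP/1.1" 200 31271 "-" "czxt2s"'
)

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
HEX_LITERAL = re.compile(r'0x([0-9a-fA-F]+)')
UNION_SELECT = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)


def parse_log_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """URL-decoded query parameters of a request target, as a dict."""
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def decode_hex_literals(expr):
    """Replace MySQL 0x.. literals with the characters they encode.

    CONCAT(0x27,0x7c,0x5f,0x7c) is '|_| spelled without a quote character, so it
    survives magic_quotes and naive filters that look for a literal apostrophe.
    """
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:                 # MySQL left-pads odd-length literals
            digits = '0' + digits
        return bytes.fromhex(digits).decode('latin-1')
    return HEX_LITERAL.sub(repl, expr)


def analyze_injection(value):
    """Describe a UNION SELECT probe found in one decoded parameter value."""
    union = UNION_SELECT.search(value)
    if not union:
        return {'union_select': False}
    # Everything after UNION SELECT up to the comment that swallows the rest of
    # the original query is the injected select list.
    select_list = re.split(r'/\*|--|#', value[union.end():], maxsplit=1)[0]
    concats = re.findall(r'CONCAT\(([^)]*)\)', select_list, re.I)
    return {
        'union_select': True,
        # "and 1=2" makes the legitimate WHERE clause match nothing, so the only
        # row the page renders is the attacker's.
        'always_false_prefix': bool(re.search(r'\band\s+1\s*=\s*2\b', value, re.I)),
        'column_count': len(concats),      # each CONCAT(...) is one probed column
        'markers': [''.join(decode_hex_literals(p.strip()) for p in c.split(','))
                    for c in concats],
    }


def analyze_log_line(line):
    """Parse a log line and attach findings for every injected parameter."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    rec['injections'] = {}
    for key, value in query_params(rec['target']).items():
        finding = analyze_injection(value)
        if finding['union_select']:
            rec['injections'][key] = finding
    return rec


if __name__ == '__main__':
    rec = analyze_log_line(SAMPLE_LINE)
    print(rec['ip'], rec['ua'], rec['injections'])
```

The marker decodes to `'|_|` in every column, and the probe tries increasing column counts until the UNION stops erroring and the marker shows up in the page; the 200 status and the 31271-byte body in the log are exactly what the attacker is looking at, so the osCommerce install itself is the thing to patch, whatever happens to the user agent.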

Pfui

2:25 pm on Sep 1, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Google results show "czxt2s" described as (yet another) SQL injection agent. See: Wikipedia SQL [en.wikipedia.org...]

Search also for "CONCAT(0x27,0x7c,0x5f,0x7c)" for info about the type of attack.

The various IPs are infected machines, and their owners/users are most likely clueless. If you're not running SQL, blocking IPs en masse might be overkill because compromised machines rarely visit more than once.

Alternatively, you can block by UA as you did. And/or you can ignore the requests (404), or pick one of the parts of the URI, like CONCAT, and use REQUEST_URI to block (403), or send them packing (301). See jdMorgan's Apache forum Library for info about mod_rewrite rules.

You'll see many exploits in your logs because they're very common. (For example, I see PHP-related attacks all the time -- most recently via ZmEu -- and because I don't use PHP, I 301 'em.) Whenever you're hit by something strange, Google the UA or a part of the request and you'll learn a lot.

grandma genie

2:55 pm on Sep 1, 2010 (gmt 0)

10+ Year Member



Hi Pfui - Thank you. My website is on a hosted server, so when I see these types of things I can't do much about SQL or PHP because I think my host is in control of those, so I tell them about the attack, but I don't understand what is happening. My website is half html only and the shopping cart is osCommerce, so that uses the PHP and SQL. I can use htaccess and robots.txt, which I can edit and update on the server. I'll try to see what an SQL injection attack is and what to do if they succeed in whatever it is they are trying to do. There were three IPs used in the attack, all from South America and Mexico. Thanks again for the info. - Grandma_genie

Mokita

8:45 pm on Sep 4, 2010 (gmt 0)

10+ Year Member



I'm not sure where I got it from originally, but I have a line in my .htaccess to block SQL injection attacks:

RewriteCond %{QUERY_STRING} .*(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update).* [NC,OR]

(NOTE - this line will NOT work on its own. It is an extract only)

I understand it won't catch all injection attempts, but would have caught the one you quoted, as it includes the function "select".

HTH.

wilderness

9:04 pm on Sep 4, 2010 (gmt 0)

Mokita

6:36 am on Sep 5, 2010 (gmt 0)

10+ Year Member



Thanks wilderness - my version is slightly different to jdMorgan's, and I have a suspicion I found it on another web site.

But whatever, it is very handy to have. So a big thanks to whoever wrote it. :)

grandma genie

11:18 pm on Sep 5, 2010 (gmt 0)

10+ Year Member



Oh, that is very helpful. I've added it to my htaccess file. Thank you everyone.

grandma genie

11:28 pm on Sep 5, 2010 (gmt 0)

10+ Year Member



Hi - It didn't work. My osCommerce doesn't like it. It won't let me update some files. I get a forbidden prompt. Not sure what to do about it. - Grandma_genie

wilderness

12:51 am on Sep 6, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you just copied and pasted the thing?
You need to correct the broken pipe characters.

Mokita

4:35 pm on Sep 6, 2010 (gmt 0)

10+ Year Member



If you are sure that you have got the syntax for the complete rule correct (that is a very big if), then you might need to add an exception to the rule for your own osCommerce queries.

grandma genie

10:52 pm on Sep 6, 2010 (gmt 0)

10+ Year Member



Yes, I fixed the broken pipes before I put it in the htaccess file, but I discovered the problem when updating some files in the oscommerce section of the site, which is when I got the forbidden page. I knew it was the htaccess that was the problem, so I took off the new code. I'm sure I have to do something with php to make it work, or add some rule exception to the htaccess coding, but just don't know what to do. If no one here in Webmasterworld can help, I will try the oscommerce forums. Does the code have to be in the htaccess file in the root folder, or should it be in a different htaccess file in the OSC section of the files? Unfortunately, I am totally baffled by php, so putting codes in those files I am afraid to do.

Mokita

6:44 am on Sep 7, 2010 (gmt 0)

10+ Year Member



The exception should be applied to the rule in your .htaccess.

I'm certainly no expert at mod_rewrite, but the first thing I would try is excluding my own IP address from the rule. Like this:

RewriteCond %{QUERY_STRING} .*(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update).* [NC]
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.12$
RewriteRule (.*) - [F]

(replace the numbers with your own IP address)

That should work if you have a fixed IP. But if you have a dynamic IP (which dialup and most home adsl services are), then you'll need to express the IP as a range.

Note this quote from jdMorgan about this particular rule [webmasterworld.com...] :
You should place the code snippet "early" in your list of mod_rewrite rules; For example, there is no use in redirecting such abusive client requests to canonicalize the domain name, or in rewriting these requests to another filepath.

If excluding your IP doesn't work, I suggest you seek help in the Apache forum here at Webmasterworld. jdMorgan (and others) are very knowledgeable about .htaccess and very helpful.

Pfui

7:21 am on Sep 7, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@genie: A few thoughts --

1.) Echoing Mokita: Ask/follow up .htaccess/mod_rewrite Qs in the Apache forum. The more forum-specific your content, the more specific your assistance from its denizens. (For example: Remove the "OR" if the condition is the last one.)

2.) Go slowly when it comes to tweaking .htaccess, etc. From your threads, it sounds like your seeing server logs for the first time was akin to tumbling down Alice's rabbit hole, ending up stunned, curious, and a bit overwhelmed. That's normal:) Thing is, rushing headlong into anything .htaccess risks messing up everything. Baby steps.

3.) Spend additional time learning what you're doing with .htaccess before you do it and you'll spare yourself lost time, and customers. The answers to the vast majority of your Qs are likely in this site's specific forums' documents and posts. Studied up and still stumped? You're surrounded by helpful geeks who've been there, fixed that. (Thank goodness!)

We now return you to your regularly scheduled spider/UA programming:)

grandma genie

6:58 pm on Sep 7, 2010 (gmt 0)

10+ Year Member



I am a bit nervous putting my htaccess file (even with the editing) here in the forum, so I will just put in the first part:

php_flag display_errors 1 (This has always been in the htaccess file. I don't know what it does.)

order allow,deny
deny from 123.125.nn
deny from 124.114.nn
deny from 124.115.nn
allow from all (My site host put this in the htaccess file for me and I have been adding to it as the need arises.)

ErrorDocument 404 /notfound.html

RewriteEngine on
#
# Return 403-Forbidden to unwelcome/malicious user-agents
RewriteCond %{HTTP_USER_AGENT} ^Baiduspider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ZmEu [NC]
RewriteRule ^ - [F]
#
RewriteCond %{QUERY_STRING} .*(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update).* [NC]
RewriteCond %{REMOTE_ADDR} ^000\.00\. [OR]
RewriteCond %{REMOTE_ADDR} ^000\.00\.
RewriteRule (.*) - [F]

Following this are more rules:
# Return 403-Forbidden response for hotlinked image requests
# Externally redirect old mod_userdir-format requests to canonical hostname
# Externally redirect certain non-canonical hostnames to canonical hostname, preserving http/https protocol
( jdMorgan helped me with these and they are working.)

My IP address is dynamic. It changes every day with the first three digits the same, but the next two alternate, then the next series of numbers (2 sets) are always different. Will the way I have shown it above work? I also notice my ISP changed the number completely after a few months. So, I would have to keep checking it to be sure they didn't change them completely again. I also turn my modem off every night. If I leave it on, will the IP stay the same? How do you feel about leaving your modem on all the time?

Thank you Pfui and Mokita. Learning these things is difficult with this aging brain, but I appreciate all your patience.

Pfui

2:19 am on Sep 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Um, genie... That's precisely the kind of post Mokita and I explained was best-suited for the Apache forum. This is the Search Engine Spider and User Agent Identification forum.

Regardless, too many scattershot/off-topic and/or confusing details and errors to take care of for you, sorry.

wilderness

2:40 am on Sep 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



# IF query string contains phrase and either IP then deny access; allow ALL others
RewriteCond %{QUERY_STRING} .*(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update).* [NC]
RewriteCond %{REMOTE_ADDR} ^000\.00\. [OR]
RewriteCond %{REMOTE_ADDR} ^000\.00\.
RewriteRule (.*) - [F]

Correction:
# IF query string contains phrase deny ALL except either IP
RewriteCond %{QUERY_STRING} .*(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update).* [NC]
RewriteCond %{REMOTE_ADDR} !^000\.00\. [OR]
RewriteCond %{REMOTE_ADDR} !^000\.00\.
RewriteRule (.*) - [F]

Your internet provider should have a valid range which would allow you to utilize that complete range regardless of how frequently your assigned IP changes.
Suggest taking your IP range and doing an ARIN-WHOIS (which could be difficult because ARIN has eliminated the recent exception pages to their new WHOIS requests) to determine the valid range.

Don

grandma genie

3:41 am on Sep 8, 2010 (gmt 0)

10+ Year Member



You know, Pfui, that is exactly what I was thinking when I posted it. Then I thought, but Pfui and Mokita won't see my reply and think I was being rude. So then I didn't know what to do, so posted it here.

Also, thank you Wilderness for your helpful reply. So now I'm going to put this in the htaccess file and see what happens. Wish me luck. Should I still post it in the Apache forum anyway? If it doesn't work, should I continue this in the Apache forum? Now totally confused about where to post next.

Mokita

5:20 am on Sep 8, 2010 (gmt 0)

10+ Year Member



Hi genie,

Thank you for being so thoughtful, you have a kind heart. A simple way around your quandary would be to post a short message in this thread thanking us for the suggestions and mentioning that you would post any further questions in the Apache forum.

Then there is no possibility of being thought rude. ;)

Good luck with refining the rule.

Status_203

8:06 am on Sep 8, 2010 (gmt 0)

10+ Year Member



Do be careful that none of those terms could legitimately apply before you drop visitors in the bit bin.

I know a garden centre site where searching for "snowdrops" drops you back at the homepage with no explanation!

blend27

4:43 pm on Sep 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Don't know much about OSC, but a lot of developers use "insert", "update" and "delete" as a part of an action call that is passed thru URL Scope.

Example of URL: /admin/product.php?productID=100&action=update, and the entry in .HTACCESS file as shown above will definitely catch and bounce the request.

Allowing certain IP to pass thru is just a Band-Aid. The Ideal fix to this issue is actually to sanitize all user's input to begin with.
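The false positives Status_203 and blend27 describe, and the IP-exemption variants posted earlier in the thread, can both be checked before anything goes into .htaccess. The following is an added example (not code from the thread or from osCommerce): it runs the keyword condition quoted above over constructed query strings, runs a tighter pattern of my own beside it, and emulates how mod_rewrite chains RewriteCond lines so the exemption logic can be tried on paper. The IP prefixes are RFC 5737 documentation ranges chosen for the example, and the sample requests are constructed.

```python
"""Dry-run the thread's anti-injection RewriteCond before it goes into .htaccess.

Added example, not code from the thread or from osCommerce. It (1) applies the
keyword condition quoted above to constructed osCommerce and search query strings,
showing which ordinary requests it drops and which attack it misses, and (2) emulates
how mod_rewrite chains RewriteCond lines (implicit AND, [OR] with the next line), so
the IP-exemption variants posted in the thread can be checked on paper. The IP
prefixes are RFC 5737 documentation ranges chosen for the example. Standard library only.
"""
import re

# The keyword condition from the thread, as Python's re sees it ([NC] = re.I).
BROAD = re.compile(
    r'(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script'
    r'|select|truncate|update)', re.I)

# mod_rewrite tests %{QUERY_STRING} *undecoded*: whitespace inside an injected
# statement arrives as %20 or "+", and a keyword may be glued to the previous
# token ("...%201=2%20union"), so use letter lookarounds rather than \b.
WS = r'(?:\s|%20|\+)+'
B = r'(?<![a-z_])'
E = r'(?![a-z_])'
# Tighter alternative (an assumption of this example): match SQL shapes, not words.
TIGHT = re.compile(
    rf'{B}union{WS}(?:all{WS})?select{E}'
    rf'|{B}(?:select|delete){WS}.+?{WS}from{WS}\w+'
    rf'|{B}insert{WS}into{WS}\w+'
    rf'|{B}update{WS}\w+{WS}set{WS}'
    rf'|{B}(?:drop|truncate){WS}table{E}'
    rf'|{B}(?:and|or){WS}\d+(?:\s|%20)*=(?:\s|%20)*\d+'   # boolean probes: and 1=2
    r'|/\*|%2f\*|--(?:\s|%20|$)'                          # comment tails
    rf'|{B}char\(|{B}declare{WS}@',
    re.I)

PROBE = ('cpath=183&products_id=1388%20and%201=2%20union%20select%20'
         'CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)%20/*')

# Constructed raw query strings: (label, query string, is_attack).
SAMPLES = [
    ('osCommerce admin action', 'productID=100&action=update', False),
    ('garden-centre search', 'keywords=snowdrops', False),
    ('search for charcoal', 'keywords=charcoal', False),
    ('settings page', 'page=settings', False),
    ('search phrase', 'search=select+your+size', False),
    ('plain product view', 'cpath=183&products_id=1388', False),
    ('czxt2s UNION probe', PROBE, True),
    ('stacked DROP TABLE', 'id=1;%20DROP%20TABLE%20products%20--%20', True),
    ('blind boolean probe', 'products_id=1388%20and%201=1', True),
]


def false_positives(pattern):
    """Labels of legitimate samples the condition would send to 403."""
    return [n for n, qs, attack in SAMPLES if not attack and pattern.search(qs)]


def missed_attacks(pattern):
    """Labels of attack samples the condition lets through."""
    return [n for n, qs, attack in SAMPLES if attack and not pattern.search(qs)]


def rule_fires(conds):
    """Emulate a RewriteCond chain; conds is a list of (matched, has_OR_flag).

    Conditions are ANDed unless one carries [OR], which ORs it with the *next*
    line: "A [OR]", "B", "C" means (A or B) and C. A trailing [OR] is treated as
    a one-member group here (Pfui's advice: drop it from the last condition).
    """
    groups, current = [], []
    for matched, ornext in conds:
        current.append(matched)
        if not ornext:
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return all(any(g) for g in groups)


def blocked(query, ip, pattern, exempt_prefixes=(), or_between_exemptions=False):
    """Does the posted rule (query condition, negated IP conditions, [F]) fire?"""
    conds = [(bool(pattern.search(query)), False)]
    for i, prefix in enumerate(exempt_prefixes):
        ornext = or_between_exemptions and i < len(exempt_prefixes) - 1
        conds.append((not ip.startswith(prefix), ornext))   # %{REMOTE_ADDR} !^prefix
    return rule_fires(conds)


if __name__ == '__main__':
    owner = ('203.0.113.', '198.51.100.')
    for name, pat in (('thread keyword list', BROAD), ('SQL-shape pattern', TIGHT)):
        print(name, 'blocks:', false_positives(pat), 'misses:', missed_attacks(pat))
    # Two negated IP conditions joined by [OR] can never both be false, so the
    # owner is not exempted; without [OR] (implicit AND) the exemption works.
    print('owner exempt with [OR]:', not blocked(PROBE, '203.0.113.9', BROAD, owner, True))
    print('owner exempt with AND: ', not blocked(PROBE, '203.0.113.9', BROAD, owner))
```

Two things fall out of running it. First, the keyword list fires on "update", "snowdrops", "charcoal", "settings" and an ordinary search phrase, and lets a plain `and 1=1` boolean probe straight through, so it is both noisier and weaker than it looks. Second, when two negated `REMOTE_ADDR` conditions are joined with `[OR]`, one of them is always true for any address, so the rule blocks the site owner as well; the exemption only works when the negated conditions are ANDed (no `[OR]` between them). Either way a query-string filter is a stopgap for a shared host; the durable fix is the one blend27 gives, parameterised or properly escaped queries in the application.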