
V20xRmRRPT0K

Anyone seen this in stats? Strange Bot?


didibreakit

1:30 pm on Jun 12, 2011 (gmt 0)

10+ Year Member



This popped up in my website stats with NO user-agent information. The only clue is in the URL column of my stats report, where it says /V20xRmRRPT0K when whatever this is first hit the site. It was crawling through and requesting every file on my site that had admin information: PHP admin, SQL admin, PHP manager, etc.

Anyone seen this before? Doesn't look like any bot I've run across before. What is it looking for? Why would it want admin info?

wilderness

6:27 pm on Jun 12, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The only clue is in the URL column of my stats report where it says


How about a usable reference from your raw logs?

lucy24

6:49 pm on Jun 12, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If g### can be believed, you may have joined a club with (to date) 7,120 members.* I've never seen so many “This site may harm your computer.” lines in a single search.

If you are :: cough, cough :: exceptionally foolhardy, you can proceed to:

Caution! Your computer contains a variety of suspicious programs.

And if it didn't before, it will by the time we're done with it ;)

Your System requires immediate checking! The system will perform a fast and free check your PC for malicious programs.

Or, in the alternative, I can force-quit the browser.


* Except that those other 7,120 people don't seem to be paying a lot of attention to their logs.

wilderness

7:38 pm on Jun 12, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



94.75.243.zzz - - [11/Feb/2011:13:09:22 -0600] "GET /V20xRmRRPT0K HTTP/1.1" 404 210 "-" "-"


Did it look like this?

There is a recent (still active) thread in this forum discussing the perils of allowing access to both blank referers and blank UAs.

didibreakit

2:36 pm on Jun 13, 2011 (gmt 0)

10+ Year Member



Thanks for your responses...

And yes, it looked like this:

200.62.51.182 - - [12/Jun/2011:05:01:50 -0600] "GET /V20xRmRRPT0K HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:50 -0600] "GET //scripts/setup.php HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:51 -0600] "GET //admin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:51 -0600] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:52 -0600] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:52 -0600] "GET //db/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:53 -0600] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:54 -0600] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"
200.62.51.182 - - [12/Jun/2011:05:01:54 -0600] "GET //mysql/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"

I'll check the thread on blank referers and UAs.

Is there something I can write in the .htaccess file to keep them out?
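As an added example (not code from this thread or from any of its posters), here is a Python script that parses the log lines posted above, which are in Apache combined format, and flags the pattern they show: a burst of 404s for */scripts/setup.php from one client within a few seconds, with both referer and user-agent blank. It also decodes the opening probe: /V20xRmRRPT0K is base64 wrapped in base64, and decoding it twice yields the four ASCII characters ZmEu. That string is the name under which this phpMyAdmin setup.php scanner is commonly reported, but the thread itself never names it, so treat that attribution as an inference. The eight scanner lines are the ones posted; the browser line is constructed here for contrast.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format:
# ip ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Every probe in the posted burst ends in /scripts/setup.php (the phpMyAdmin setup script).
SETUP_RE = re.compile(r"/scripts/setup\.php$")

# The 200.62.51.182 lines are copied from the log posted in this thread.
# The 203.0.113.5 line is constructed here for contrast and is not from the thread.
SAMPLE_LOG = [
    '200.62.51.182 - - [12/Jun/2011:05:01:50 -0600] "GET /V20xRmRRPT0K HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:50 -0600] "GET //scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:51 -0600] "GET //admin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:51 -0600] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:52 -0600] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:52 -0600] "GET //db/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:53 -0600] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:54 -0600] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '200.62.51.182 - - [12/Jun/2011:05:01:54 -0600] "GET //mysql/scripts/setup.php HTTP/1.1" 404 2156 "-" "-"',
    '203.0.113.5 - - [12/Jun/2011:05:03:10 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed browser UA)"',
]


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def decode_marker(path):
    """Decode a request path that is base64 wrapped in base64 (the /V20xRmRRPT0K probe).
    Returns the printable inner text, or None if the path is not such a token."""
    token = path.strip("/")
    try:
        inner = base64.b64decode(token, validate=True)          # "V20xRmRRPT0K" -> b"Wm1FdQ==\n"
        tag = base64.b64decode(inner.strip(), validate=True).decode("ascii")  # -> "ZmEu"
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return tag if tag and tag.isprintable() else None


def find_setup_scans(lines, window_seconds=10, min_probes=4):
    """Group requests by client IP and flag any IP that fires min_probes or more
    setup.php requests inside window_seconds. Returns one finding dict per IP."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        probes = [r for r in recs if SETUP_RE.search(r["path"])]
        if len(probes) < min_probes:
            continue
        span = (probes[-1]["time"] - probes[0]["time"]).total_seconds()
        if span > window_seconds:
            continue
        markers = [m for m in (decode_marker(r["path"]) for r in recs) if m]
        findings.append({
            "ip": ip,
            "probes": len(probes),
            "span_seconds": span,
            "all_404": all(r["status"] == 404 for r in probes),
            "blank_headers": all(r["referer"] == "-" and r["ua"] == "-" for r in recs),
            "marker": markers[0] if markers else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_setup_scans(SAMPLE_LOG):
        print(finding)
```

Run it against a raw access log (one line per list entry) rather than a stats report: the stats view in this thread drops the referer, user-agent and status columns, which are exactly the fields the detection keys on.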

Leosghost

2:52 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That is looking for things to "exploit" with default names left on them.

wilderness

3:02 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



See this thread:
a legitimate blank? [webmasterworld.com]

and the syntax replies by both keyplyr & g1smd.

didibreakit

4:15 pm on Jun 13, 2011 (gmt 0)

10+ Year Member



Thanks so much, wilderness.
Checking the thread now...

didibreakit

4:26 pm on Jun 13, 2011 (gmt 0)

10+ Year Member



This looks like a great solution for me. But I just want to be sure before I absolutely mess things up: do I paste what's below into the top of the .htaccess file? Or somewhere else? Or in some other file?


Many thanks again


RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_METHOD} !^HEAD$
RewriteCond %{REQUEST_URI} !^/robots\.txt
RewriteRule .* - [F]

wilderness

4:39 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If NOT turned on previously within your htaccess?

Those lines (or all others) should be led by a solitary occurrence of:

RewriteEngine on

Additionally, and for future reference, you might want to add a remark line for explanation:

#deny blank referer and UA, except robots.txt

g1smd

4:57 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The general rule for ordering mod_rewrite directives in the .htaccess file is:

- block access by IP, UA, path, etc.

- redirect old URLs to new URLs.
- canonicalisation rules.
- general redirect non-www to www.

- internal rewrites.

The file is parsed by each Apache module in turn, each one picking out the parts it needs.
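As an added example (not code from this thread or from any of its posters), here is a Python emulation of the four RewriteCond lines posted above, so you can see exactly which requests the rule answers with 403 and which it lets through. It assumes what mod_rewrite sees in a per-directory context: an absent header is the empty string, consecutive conditions are ANDed unless [OR] is given, and a `!` prefix negates a condition. The request dictionaries are constructed here and are not from the thread. The point worth noticing is the second case: a scanner that sends any user-agent string at all is not touched by this rule.

```python
import re

# The four RewriteCond lines from the thread, as (server variable, pattern, negated).
# mod_rewrite ANDs consecutive conditions unless [OR] is given, so every one
# must hold before "RewriteRule .* - [F]" answers 403.
BLANK_HEADER_RULE = [
    ("HTTP_REFERER", r"^-?$", False),          # referer absent, empty, or a literal "-"
    ("HTTP_USER_AGENT", r"^-?$", False),       # user-agent absent, empty, or a literal "-"
    ("REQUEST_METHOD", r"^HEAD$", True),       # !^HEAD$ : HEAD requests are exempt
    ("REQUEST_URI", r"^/robots\.txt", True),   # !^/robots\.txt : robots.txt is exempt
]


def rule_fires(request, conds=BLANK_HEADER_RULE):
    """True when every condition holds for the request, i.e. the rule returns 403.
    request maps mod_rewrite variable names to their values; a missing header is ""."""
    for var, pattern, negated in conds:
        matched = re.search(pattern, request.get(var, "")) is not None
        # A plain condition fails on no match; a negated one fails on a match.
        if matched == negated:
            return False
    return True


def classify(requests):
    """Map each labelled request to 403 if the blank-header rule fires, else None
    (None means the request simply continues to the next rule or to the file system)."""
    return {label: (403 if rule_fires(req) else None) for label, req in requests}


# Constructed requests (not from the thread): the posted scanner hit, then variants.
SAMPLE_REQUESTS = [
    ("scanner, no headers", {"REQUEST_METHOD": "GET", "REQUEST_URI": "//scripts/setup.php",
                             "HTTP_REFERER": "", "HTTP_USER_AGENT": ""}),
    ("scanner, sends any UA", {"REQUEST_METHOD": "GET", "REQUEST_URI": "//scripts/setup.php",
                               "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0"}),
    ("HEAD / with no headers", {"REQUEST_METHOD": "HEAD", "REQUEST_URI": "/",
                                "HTTP_REFERER": "", "HTTP_USER_AGENT": ""}),
    ("robots.txt with no headers", {"REQUEST_METHOD": "GET", "REQUEST_URI": "/robots.txt",
                                    "HTTP_REFERER": "", "HTTP_USER_AGENT": ""}),
    ("typed-in URL from a browser", {"REQUEST_METHOD": "GET", "REQUEST_URI": "/index.html",
                                     "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0"}),
]

if __name__ == "__main__":
    for label, status in classify(SAMPLE_REQUESTS).items():
        print(f"{label:30} -> {status or 'not blocked by this rule'}")
```

This emulates only the matching logic; it does not reproduce the rest of per-directory mod_rewrite behaviour (rewrites feeding back into another pass, the difference between REQUEST_URI and THE_REQUEST, and so on). To confirm that the live rule fired, read the status column of the raw access log for those requests: a 403 means the rule caught them, a 404 or 200 means it did not.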

didibreakit

9:19 pm on Jun 14, 2011 (gmt 0)

10+ Year Member



Wow.
Now it looks like the site is under attack from something called muieblackcat?
I searched. Seems to be the same type of deal.
It's also trolling admin pages.
I put mod_rewrite in the .htaccess file to block anything without a referer or UA.
But it didn't seem to stop it.
Any possibility this thing is actually getting account information from the site?
Any suggestions?

lucy24

9:29 pm on Jun 14, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I put mod_rewrite in the .htaccess file to block anything without a referer or UA.
But it didn't seem to stop it.

Brr. Just to double-check: You mean that in spite of the blocks, it is still showing up in your logs with a 200 rather than a 403? That doesn't sound good-- but statistically it is more likely that there is a booboo in the wording of your htaccess than that you've got an evil genius at work. Better put up some details.

didibreakit

9:49 pm on Jun 14, 2011 (gmt 0)

10+ Year Member



Here's a snippet of info from the latest visitor log.
Unfortunately I can't see whether it returned a 200 or 403 until the logs are archived later. Maybe I can get a clue from the bytes returned? (between 580 and 602)

62.205.#*$!.x //mysql/scripts/setup.php 6/14/11 11:50 AM 591
62.205.#*$!.x //myadmin/scripts/setup.php 6/14/11 11:50 AM 593
62.205.#*$!.x //dbadmin/scripts/setup.php 6/14/11 11:50 AM 593
62.205.#*$!.x //db/scripts/setup.php 6/14/11 11:50 AM 588
62.205.#*$!.x //admin/phpmyadmin/scripts/setup.php 6/14/11 11:50 AM 602
62.205.#*$!.x //admin/pma/scripts/setup.php 6/14/11 11:50 AM 595
62.205.#*$!.x //admin/scripts/setup.php 6/14/11 11:50 AM 591
62.205.#*$!.x //scripts/setup.php 6/14/11 11:50 AM 585
62.205.#*$!.x /muieblackcat 6/14/11 11:50 AM 580


And here's what I have in the .htaccess file:


# Basic-auth settings. Note: without a matching "Require" directive (e.g. Require valid-user)
# these three lines do not enforce authentication on anything.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/#*$!#*$!#*$!/.htpasswds/public_html/#*$!#*$!xx/passwd"

# Keep the custom 403 page itself reachable so blocked clients can still be served it.
<Files 403.shtml>
order allow,deny
allow from all
</Files>

# Deny blank referer AND blank UA, except HEAD requests and robots.txt.
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_METHOD} !^HEAD$
RewriteCond %{REQUEST_URI} !^/robots\.txt
RewriteRule .* - [F]

# Block the IP range seen in the first scan.
deny from 200.62.x.#*$!

dstiles

9:15 pm on Jun 15, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Blocking a few IP ranges is not the answer. You will get a load of PHP hack attempts from virus-infected home and business computers and servers on loads of IPs. UAs change, referers are unreliable and HEAD is not a problem anyway. You have to block the bot according to other rules. In my case I block all hits on .php pages, since none of my sites use PHP: I appreciate that is not a solution for everyone. :)

g1smd

10:27 pm on Jun 15, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Even if you do use PHP, you can use extensionless URLs with URL rewriting and then you can still block all external requests for .php URLs. :)

didibreakit

11:48 pm on Jun 15, 2011 (gmt 0)

10+ Year Member



Thanks so much everyone