If you’re seeing a lot requests like these in your logs
http://whocares.de/category/misc//war.php?
vwar_root=http://smolen.org/test.txt??
this might come in handy:
# Send unwanted query strings elsewhere
RewriteCond %{QUERY_STRING} http:\/\/.*\?\?
RewriteRule ^.*$ http://www.turnofftheinternet.com/? [L]
Add, adapt and change to your needs ;)
I usually try to find out what the referenced “text file” = php script wants to do and if the owner of the webspace it is placed is supposed to know it being there.
In most cases the owner of the web space is thankful for pointing him to this file (and usually some other hole in his web space)
Regards,
Ingo
Actually, that’s what I normally do. However, as opposed to your findings, I have made the experience that
* the response is nil, not even a “thank you”
* as a singular action the offending files are removed
* the security hole that allowed placement of these files in the first place isn’t closed
So just some days later the very same sites will show up in my logs again with just the remote file name having changed.
Which of course doesn’t keep me from writing yet another mail to the webmaster.
Pingback: security