htaccess question
torbjon
04-06-2010, 03:59 PM
so, I'm getting a lot of unwanted traffic from here:
http://www.genji.co.jp/
(crick here for English version, ha ha)
Specifically from this page (but maybe others as well):
http://www.genji.co.jp/~nakagawa/study/sportsbbs/6125.html
They got a boat load of links there like this:
http://torbtown.com/showthread.php?f=15&s=70373
which all come up 404 Not Found 'cause I don't have that or any other php pages on my site...
I just now altered my htaccess file to:
a) Erased the line of code that was allowing php to run (as I'm not running any scripts now anyway) and
b) Block them, so they now get a Forbidden as opposed to Not Found, but I'd rather Redirect them to my home page... is that possible? I'm not finding code syntax for that...
Also,
I get a boat load of requests for pages that don't exist that my stats list as stuff like:
//mysql/config/config.inc.php?p=phpinfo();
//phpMyAdmin/config/config.inc.php?p=phpinfo();
//PHPMYADMIN/config/config.inc.php?p=phpinfo();
//phpmyadmin/config/config.inc.php?p=phpinfo();
//php-my-admin/config/config.inc.php?p=phpinfo();
//myadmin/config/config.inc.php?p=phpinfo();
//dbadmin/config/config.inc.php?p=phpinfo();
//pma/config/config.inc.php?p=phpinfo();
//admin/config/config.inc.php?p=phpinfo();
//p/m/a/config/config.inc.php?p=phpinfo();
//phpMyAdmin-2.2.3/config/config.inc.php?p=phpinfo();
//mail/config.inc.php?p=phpinfo();
before we get into the single slash entries that really are pages that I've moved or axed, like:
/nola/nola_2_3/nola_2_3_158.html
/nola/nola_2_3/nola_2_3_163.html
/PSG/psgindex.htm
etc.
then there's the bazillion /showthread.php?yadda&yadda from the Japanese site that I'm currently blocking but want to redirect...
is there any way to block out those double slash hits to my site? I know it's just a lame assed attempt to get in a 'back door', but I don't have That back door and I'm tired of bots and kiddies knocking on it.
as far as bots go, these are the bots that have hit me so far this month, or at least, the ones my server recognizes as bots and lists as such in my (rather worthless) stats:
yandex
tcl
slurp
googlebot
robot
speedy
legs
jeeves
voila
ia_archiver
larbin
core
python
the first four run into the thousands of hits... they are spidering pretty much everything... sometimes more than once. The others generate less than 100 hits, those closer to the bottom of list score less than ten hits... none of them seem particularly nasty or responsible for the double slash hits..
but what do I know? that's why I'm askin' you guys.
thanks
twj
Lexion
04-06-2010, 04:01 PM
No fucking idea.
Pack, BK or HP can probably help ya out, though.
pack3tg0st
04-06-2010, 04:02 PM
you trying to block a referrer and redirect to index.htm?
torbjon
04-06-2010, 04:02 PM
Pac, ya, basically...
pack3tg0st
04-06-2010, 04:09 PM
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://www.jenji\.co.jp
RewriteRule .* [http://forwardingsitehere/...] [R=301,L]
Should take care of it... Just change out forwardingsitehere with the site you want it redirected to...
as far as the // problem... I'd probably deny per IP (if it's the same IP block), or make a custom 403 page that redirects automatically to your site.
If you know you have someone trying to find a backdoor, this line here
Options -Indexes
will turn off indexes if you don't already have it in .htaccess. Might be a good idea to add it to block index viewing.
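One way to refuse the double-slash probes listed in the first post without tracking source IPs, as an added example that is not part of the original thread. It assumes mod_rewrite is usable from .htaccess, as in the snippet above.

```apache
RewriteEngine On

# THE_REQUEST is the raw request line exactly as the client sent it, e.g.
#   GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
# Matching it catches the leading "//" regardless of how the path is
# normalised before it reaches a RewriteRule pattern.
RewriteCond %{THE_REQUEST} ^[A-Z]+\ //
RewriteRule .* - [F]

# Every probe in the list ends in config.inc.php, a file this site does
# not have, so refuse it as well when it arrives with a single slash.
RewriteRule (^|/)config\.inc\.php$ - [F]
```

The requests still appear in the access log, but as 403s that never reach the filesystem or an error handler.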
torbjon
04-06-2010, 04:10 PM
and then... in a puff of sparklies and a hearty "Hi Ho Unicorn!", once again the mighty Pac vanishes into the sunset *laughs*
I'm going on Nola Patrol now, catch you on the flip side.
twj
pack3tg0st
04-06-2010, 04:10 PM
lol
torbjon
04-06-2010, 04:11 PM
oh, there you are, wow, thanks, will give it a shot tonight when I get back, you da best, thanks Rangerman.
laters
twj
torbjon
04-06-2010, 04:15 PM
um, as far as the Options -Indexes goes, I have a physical index.html page in every directory, so... that takes care of that, yes? I mean, if there's a way around displaying the contents of a index.extension page in a directory and actually seeing the contents of the directory itself, then I wanna know about it... p0rn here I come! woohoo!
okay, now I'm really late.
laters
twj
pack3tg0st
04-06-2010, 04:20 PM
It's possible... but you have to know a language or two to do it... (perl, python, etc)
would probably be easiest to do in perl... since that's a serverside language anyway.
torbjon
04-07-2010, 01:27 AM
Pac;
okay, that snippet of code you gave me ain't working...
first obvious glitch is that it's genji, not jenji, so I changed that...
the snippet of code now reads:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://www.genji\.co.jp
RewriteRule .* [http://www.torbtown.com/index.html] [R=301,L]
and what this is getting me is an infinite redirect loop that server can't resolve... worse than the original 404 as far as I'm concerned... mmph. it looks so clean too, like it Should work... what's missing? what's out of place? blah....
for the time being, I've swapped the code back to:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://www.genji.co.jp/.* [NC]
ReWriteRule .* - [F]
which generates the oh so groovy FORBIDDEN error page, but I want that redirect, dammit... grrr...
thoughts? what am I doing wrong here??
pack3tg0st
04-07-2010, 02:05 AM
hrm... try taking out the last .jp in the code I gave ya
I've never tried to do that with a funky URL...
pack3tg0st
04-07-2010, 02:07 AM
Mr P is in here...
any ideas Mr P?
I woulda thunk my code woulda worked
torbjon
04-07-2010, 02:08 AM
mmmph, it's a puzzle I can't put down...
so, I still can't figure out why the snippet you gave me doesn't work correctly... it's so clean and polite,,, and it smells good, too.
poking around the net, I see other folks saying to do basically the same thing,,, although the dot asterisk (.*) bit changes from application to application
in My pointy little old school head, the asterisk is a wild card, yes? for a whole freekin' string (dollar sign is a wild card for just one symbol)... so I don't see Why swapping out the wildcardstring and replacing it with something more specific works,,, but...
This Works!
all the links from that Japanese page are targeting a non existent "showthread.php" page on my site, so I jiggied the code to look like this:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://www.genji.co.jp/.* [NC]
ReWriteRule ^showthread\.php$ http://www.torbtown.com/index.html [R=301,L]
and it works just spiffy now...
now I wanna know why your snippet went into an infinite loop... that's driving me crazy... yours is cleaner and will (or rather Should) catch crap that is Not targeting a specific non existent page on my site...
blah. I love this stuff, but it gives me a headache sometimes... most of the time.
torbjon
04-07-2010, 02:09 AM
naw, it's not the condition part, I was writing that a couple of different ways, both worked, it was passing the condition statement and then glitching on the rewrite...
torbjon
04-07-2010, 02:19 AM
just for shits and giggles, and because it's about the Only thing I didn't try before, I dropped the .jp as per your suggestion, just to see what happens:
it still passes the conditional just fine even without the .jp, and it still goes into an infinite redirect loop...
it's the rewrite that's glitchy... and I can't see WHY! the books, and the other, less reputable, web sites are also telling me to do what you suggested (although they ain't as cool as you)...
freeky shit.
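Why the catch-all rule loops, as an added example that is not part of the original thread: a browser following the 301 repeats the original Referer on the follow-up request, so `.*` matches /index.html as well and redirects it to itself. Excluding the redirect target with a second condition breaks the loop; the hostnames are the ones from the posts above.

```apache
Options +FollowSymLinks
RewriteEngine On

# Looping version (the shape tried in the thread): every request carrying
# the genji referer is redirected, including the request for /index.html
# that the redirect itself causes.
#   RewriteCond %{HTTP_REFERER} ^http://www\.genji\.co\.jp/ [NC]
#   RewriteRule .* http://www.torbtown.com/index.html [R=301,L]

# Loop-free version: same referer test, but the redirect target is exempt.
# Consecutive RewriteCond lines are ANDed, so both must hold.
RewriteCond %{HTTP_REFERER} ^http://www\.genji\.co\.jp/ [NC]
RewriteCond %{REQUEST_URI} !^/index\.html$
RewriteRule .* http://www.torbtown.com/index.html [R=301,L]

# Referer is supplied by the client and can be absent or forged, so this
# tidies up traffic from one linking page; it is not an access control.
```

The `^showthread\.php$` rule that worked avoids the loop the same way: /index.html does not match its pattern, so the second request passes through.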
pack3tg0st
04-07-2010, 02:31 AM
lol what version of apache is your host running?
that might be it... although it's pretty far fetched.
torbjon
04-07-2010, 02:41 AM
okay, whereas you didn't manage to hand me "the answer" on a golden platter with a silver spoon, you did indeed manage to hand me "The Answer" and get me onto the right track for figuring this shit out and cleaning up some stuff...
Pac, I can't say this enough:
you da best
thanks comrade.
torbjon
04-07-2010, 02:45 AM
huh? oh, I don't have a clue, I could dig around and find out, but currently I'm of a mind that it's Their Fault... after all, they ain't here, so fuck 'em, the freeks.... hold on a sec'..
Apache/2.0.63 (Unix) PHP/5.2.12 FrontPage/5.0.2.2635 mod_ssl/2.0.63 OpenSSL/0.9.7e-p1 Server at www.torbtown.com Port 80
I say we hate them, the freeks. That makes more sense to me. your snippet of code is Clean. it's Polite. it sez Please and Thank You and it Smells Good. I don't think it's your code. It should work. So let's hate them... that works for me.
pack3tg0st
04-07-2010, 02:49 AM
hahahahaha
kk... works for me hahahah
torbjon
04-07-2010, 02:50 AM
hmmm... of course, now that I think about it, this makes perfect sense...
by targeting specific pages to be redirected,,, I don't need the conditional anymore...
duh.
cleanup here I come...
torbjon
04-07-2010, 03:35 AM
well, there, that should clean up a boat load of 404s.
Thanks for alla the help and hints and pointing me in the right directions when you coulda just kicked me upside the head.
this place rocks.
beddy bye for bozoboy
laters
twj
skunk
04-07-2010, 10:26 PM
You figure it out torb?
torbjon
04-11-2010, 12:48 PM
Skunk: ya, but then I got hit with another problem...
I threw those redirects up that night, checked back the next day, and Nice; hundreds of 404s were now nicely resolved into 301s.
I check back yesterday and Whoa, many thousands of hits higher than norm, this can't be right.
I poke around, and no, it ain't right, some numbnut hacked into my site and dumped a "news bot bomb" on me... I suddenly got a new directory that doesn't belong there ("news") with a script in it churnin' out pages that ain't mine....
now, admittedly, said script and corresponding garbage Was sucking in a fair amount of organic traffic... but that just ain't how we do things in Torbtown, ya know? Regardless, I don't take kindly to strangers messin' around in my town.
Here's the varmint that logged into my site and deposited the little "i love you":
75.33.53.75
as far as I'm concerned, it's open season on that fuck head.
now then, here's a kicker: said varmint had ZERO "failed attempts" when logging in (via the online control panel). In other words, they didn't just 'random monkey' passwords until they hit upon the correct one, they Had the correct password first shot out...
either they had a 'random' password they were using once (and only once) on each site down the list,... OR, they specifically had mine and knew it.
I whacked their "news" directory and, with Pac's help, turned off all scripting on my site. There will be No hanky panky in my town without me knowin' 'about it.
now I gotta wait a while for shit to settle down again before I can get a clean reading on the type of traffic I'm getting...
mmph.
anyway, once again, open season on this fuck:
75.33.53.75
===
and now for something completely different:
what's the story with the little graphic that pops up in the url window of our browsers? It's the graphic with the .ico extension (icon)...
I've been living under the assumption that, in general, it's only human driven browsers that pull that asset, and I use it as a 'guesstimate' as to how many New organics hit my site (as opposed to Returning organics, who have already pulled it, and therefore use their cached version when returning to my site)
is that a bad assumption? do bots pull that hummer as well? they didn't, back in the day, but times are a changing, ya know?
thanks.
twj
skunk
04-11-2010, 12:51 PM
Damn dude, sorry to hear your site got hacked.
torbjon
04-11-2010, 12:54 PM
*shrugs* they didn't destroy anything, they just added a bandwidth sucking sack of shit thingy, and associated my 'good' name with their mindless dribble for a while...
coulda been a lot 'worse'.
skunk
04-11-2010, 12:55 PM
I'm wondering how they could have the exact password? Perhaps some guy affiliated with your host?
torbjon
04-11-2010, 01:12 PM
I doubt that... Pac suggested keylogger or trojan... which I also doubt (scans come back clean, anyway)
you know how when you sign up for new stuff they send you a generic password to get you started (with the Strong recommendation that you change said generic password asap?)
well, I never changed it. it was just a nine digit string, not alpha numeric.... (it is now alpha numeric)
ran with that nine digit string for Years, no problems...
oh well.
I doubt keyloggers 'cause I only typed that password into this comp One Time, a few years ago... since then the 'password manager' thingy has remembered it for me... sooo... nothing for a key logger to log, yes?
trojan, maybe, but I can't find it.
zero problems since I changed the password and erased the directory... and turned off scripts.
These numbnuts are Worthless without their scripts... the losers.
skunk
04-11-2010, 01:16 PM
Well if it was a generic password, then that's probably the cause torb :D I'd still contact your host and see what's up with that though.
torbjon
04-11-2010, 01:23 PM
hmmm... I dunno... a nine digit random number is a nine digit random number, ya know? As mentioned, they logged in in One, no "failed attempts"... they either had THAT random number tagged with my domain name, OR, they were using THAT random number once, and only once, with each domain in a list of domains (so as to not trigger an alarm with too many "failed attempts") and just Bingoed with mine... which is what I think went down.
I'll play with it more on Monday... right now Nola just invited me to go watch that new Dragon movie with her, and I really wanna see it... gotta get ready to git.
catch you on the flip side
twj