
I have the following rewrite rule in my .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
# START Upgrade unsecured connections
RewriteCond %{HTTP_HOST} my-site-com-dot-com\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.my-site-com-dot-com.com/$1 [R,L]
# END Upgrade unsecured connections
# BEGIN Deny GET from site.ru referrer
RewriteCond %{THE_REQUEST} http:// [NC]
RewriteCond %{HTTP_REFERER} site\.ru [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*)site\.ru
RewriteRule ^(.*)$ - [L,R=403]
# END Deny GET from site.ru referrer
</IfModule>

But I can't seem to block these spam bots that use http://site.ru as their referrer.

When these bots access my site on the http (unsecure) part of the site, I get this:

1.2.5.4 - - [07/Jun/2018:10:44:36 +0200] "HEAD / HTTP/1.1" 302 153 "http://site.ru" "curl/7.52.1"
1.3.4.5 - - [07/Jun/2018:10:45:33 +0200] "HEAD / HTTP/1.1" 302 153 "http://site.ru" "curl/7.52.1"

Which means the rewrite rule is not working in the way I want, i.e. block when the referrer is http://site.ru regardless of whether they access the site on the http or https URL.

When I test using curl to access the secure site on its secure URL https://www.my-site-com-dot-com.com:

1.2.5.4 - - [07/Jun/2018:09:53:18 +0200] "HEAD / HTTP/1.1" 403 3934 "http://site.ru" "curl/7.52.1"
1.3.4.5 - - [07/Jun/2018:09:53:49 +0200] "HEAD / HTTP/1.1" 403 3934 "http://site.ru" "curl/7.52.1"

Which is great, the rewrite rule in this instance works here. I want to DENY (403) access all the time to the bots that use site.ru as their referrer.

The above doctored live examples are my own tests... but below are LIVE raw logs, with source IPs doctored, from spam bots trying to hack my site(s).

162.xxx.yyy.zzz - - [07/Jun/2018:07:02:30 +0200] "GET /wp-content/plugins/apikey/ini.php HTTP/1.1" 301 4679 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
162.xxx.yyy.zzz - - [07/Jun/2018:07:03:00 +0200] "GET /wp-content/plugins/apikey/ini.php HTTP/1.1" 301 4679 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
162.xxx.yyy.zzz - - [07/Jun/2018:07:03:02 +0200] "GET /wp-content/plugins/apikey/ini.php HTTP/1.1" 404 18906 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
162.xxx.yyy.zzz - - [07/Jun/2018:09:23:29 +0200] "GET /wp-content/plugins/easyrotator-for-wordpress/cache.php.suspected HTTP/1.1" 301 4711 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
172.xxx.yyy.zzz - - [07/Jun/2018:09:23:30 +0200] "GET /wp-content/plugins/easyrotator-for-wordpress/cache.php.suspected HTTP/1.1" 404 18938 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
162.xxx.yyy.zzz - - [07/Jun/2018:09:23:31 +0200] "GET /wp-content/plugins/easyrotator-for-wordpress/cache.php.suspected HTTP/1.1" 301 4711 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
172.xxx.yyy.zzz - - [07/Jun/2018:09:23:33 +0200] "GET /wp-content/plugins/easyrotator-for-wordpress/cache.php.suspected HTTP/1.1" 404 18938 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
162.xxx.yyy.zzz - - [07/Jun/2018:09:23:34 +0200] "GET /wp-content/plugins/easyrotator-for-wordpress/cache.php.suspected HTTP/1.1" 301 4711 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
172.xxx.yyy.zzz - - [07/Jun/2018:09:23:35 +0200] "GET /wp-content/plugins/easyrotator-for-wordpress/cache.php.suspected HTTP/1.1" 404 15384 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
172.xxx.yyy.zzz - - [07/Jun/2018:09:53:51 +0200] "HEAD / HTTP/1.1" 403 4487 "http://site.ru" "curl/7.52.1"
172.xxx.yyy.zzz - - [07/Jun/2018:10:06:02 +0200] "HEAD / HTTP/1.1" 403 4487 "http://site.ru" "curl/7.52.1"
172.xxx.yyy.zzz - - [07/Jun/2018:10:24:14 +0200] "HEAD / HTTP/1.1" 200 4615 "http://site.ru" "curl/7.52.1"
141.xxx.yyy.zzz - - [07/Jun/2018:10:27:53 +0200] "GET /wp-content/plugins/three-column-screen-layout/db.php HTTP/1.1" 301 4695 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
141.xxx.yyy.zzz - - [07/Jun/2018:10:27:54 +0200] "GET /wp-content/plugins/three-column-screen-layout/db.php HTTP/1.1" 404 18922 "http://site.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"

Your help is much appreciated. Thanks

Jenny D
AngelP
  • You need to turn on rewrite logging to figure out which part of your rewrite rules is the problem. The post linked as duplicate has information on how to do that. – Jenny D Jun 07 '18 at 09:35
  • marked as duplicate? – AngelP Jun 07 '18 at 09:58
  • The link in the yellow box at the top of the question, where it says "This question already has an answer here". – Jenny D Jun 07 '18 at 10:00
  • Ah ok, missed the link at the top... I believe my question is more specific, as the post you provided is generalized into different rules. I am trying to block a specific referrer and I can't seem to find the right way of doing so, and the post you linked me to doesn't seem to provide a solution to my problem. – AngelP Jun 07 '18 at 10:03
  • Any advice on this much appreciated, as getting continual attempts from these spam sources trying to a referrer which they are not and be nice to block with a working rewrite rule. – AngelP Jun 08 '18 at 11:39
  • @JennyD I can't post in the question you marked, need "50 reputation", and like I said, the question does not help in what I am trying to do. – AngelP Jun 09 '18 at 08:44
  • Did you turn on rewrite logging and read the logs? – Jenny D Jun 10 '18 at 12:21
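
An added example, not part of the original question or its comments: in the posted file the HTTPS redirect comes first, and its `[R,L]` flags return the 302 for every port-80 request before the referrer block is ever evaluated, which matches the 302 lines in the asker's own tests. This sketch reorders the posted rules so the deny is checked on both ports. Leaving out the `THE_REQUEST` condition is an assumption made here, since none of the logged request lines contain `http://`.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On

# BEGIN Deny requests carrying a site.ru referrer
# Placed first so it runs on port 80 and 443 alike, before the redirect
# below can end rule processing with [L].
# The THE_REQUEST condition from the question is omitted (assumption): the
# request line looks like "HEAD / HTTP/1.1" and never contains "http://".
# One unanchored, case-insensitive test covers both referrer conditions
# from the question, so no [OR] chain is needed.
RewriteCond %{HTTP_REFERER} site\.ru [NC]
# [F] returns 403 Forbidden and implies [L].
RewriteRule ^ - [F]
# END Deny requests carrying a site.ru referrer

# START Upgrade unsecured connections
RewriteCond %{HTTP_HOST} my-site-com-dot-com\.com [NC]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://www.my-site-com-dot-com.com/$1 [R,L]
# END Upgrade unsecured connections
</IfModule>
```

The Referer header is set by the client, so this rule only stops clients that keep sending that value. On Apache 2.4, `LogLevel alert rewrite:trace3` in the server or virtual-host configuration (it is not permitted in .htaccess) logs which condition matched for each request, as the comments above suggest.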
