1 Aug 10, 2005 13:47

Hey there everyone - I have been getting tons of this GET request lately:

69.50.163.98 - - [07/Aug/2005:03:51:36 -0700] "GET /blog/htsrv/login.php?redirect_to=%2Fblog%2Findex.php%3Fblog%3D2%26amp%3Bdisp%3Dstats HTTP/1.1" 200 2509 "http://ph-phentermine.zu5.net" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; DT)"

I've blocked them out in .htaccess now, but I was wondering - what exactly is this crafted URL trying to do? What do the %2 and %3 mean?

I'd be interested in hearing what you think.

Thanks. :)

2 Aug 10, 2005 14:23

These are just hexadecimal codes (sometimes known as "hex encoding"), which is a not-very-bright way some spammers like to try to fool browsers.
Browsers don't distinguish between the hexadecimal codes and the ASCII characters they represent.
%2F, for example, means /
%3D is the same as =

Looks to me like someone has set a bot loose which is trying to find htsrv and the stats display. If it had worked you would be seeing referrer spam for ph-phentermine.zu5.net.

Denying them through htaccess works, but your htaccess file could become rather unwieldy. Check out the threads on referrer and other spam, but I wouldn't be worried about these particular hexadecimal codes.
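Added example, not from the original thread: a small Python script that parses the log line quoted above (Apache "combined" format) and percent-decodes the redirect_to value, so you can see what the request actually asks for. The log line is embedded as constructed sample input; the function names are my own.

```python
import re
import html
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: the request quoted in post 1, in Apache "combined" log format.
SAMPLE_LOG = (
    '69.50.163.98 - - [07/Aug/2005:03:51:36 -0700] '
    '"GET /blog/htsrv/login.php?redirect_to=%2Fblog%2Findex.php%3Fblog%3D2%26amp%3Bdisp%3Dstats HTTP/1.1" '
    '200 2509 "http://ph-phentermine.zu5.net" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; DT)"'
)

# Apache combined format: host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(line):
    """Split one combined-format log line into its named fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a combined-format log line")
    return m.groupdict()


def percent_codes(target):
    """Map every %XX escape present in the request target to the character it stands for."""
    return {code: unquote(code) for code in set(re.findall(r'%[0-9A-Fa-f]{2}', target))}


def decode_redirect_to(target):
    """Return the percent-decoded redirect_to query value, or None if absent."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get('redirect_to')
    return values[0] if values else None  # parse_qs already percent-decodes


def explain_request(line):
    """Summarise what the request asks for: the decoded redirect target and where it points."""
    fields = parse_combined(line)
    raw = decode_redirect_to(fields['target'])
    # "&amp;" inside the decoded value is an HTML entity, i.e. the URL was lifted from page
    # markup rather than typed by a browser; html.unescape gives the URL the blog would see.
    entity_encoded = raw is not None and '&amp;' in raw
    final = html.unescape(raw) if raw is not None else None
    # A site-relative target starts with a single "/" (not "//", which would be scheme-relative).
    stays_on_site = final is not None and final.startswith('/') and not final.startswith('//')
    return {
        'client': fields['host'],
        'status': fields['status'],
        'referer': fields['referer'],
        'redirect_to_raw': raw,
        'redirect_to': final,
        'html_entity_in_value': entity_encoded,
        'stays_on_site': stays_on_site,
    }


if __name__ == '__main__':
    info = explain_request(SAMPLE_LOG)
    for key, value in info.items():
        print(f'{key:>22}: {value}')
    print('percent codes used:', percent_codes(parse_combined(SAMPLE_LOG)['target']))
```

Run it and you get the referrer (the spam domain the poster saw in awstats), the decoded redirect target `/blog/index.php?blog=2&disp=stats`, and the table of escapes (%2F is /, %3F is ?, %3D is =, %26 is &, %3B is ;). The `&amp;` left over after percent-decoding is a tell that the bot scraped the link out of HTML rather than following it like a browser would.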

3 Aug 10, 2005 14:30

Actually, in my awstats I'm seeing them as a valid linker to my page - so it's doing something?

I removed the stats functions entirely from B2 as I don't care about tracking who refers me...

In htaccess I blocked the phrase "redirect_to", not the IP... You don't think that there's another URL in B2 that needs that phrase?

4 Aug 10, 2005 16:17

The 200 code would come from them finding /blog/htsrv/login.php, regardless of whether they were able to get the redirect to display stats.

Changing the htsrv directory name (you have to change it in the config as well) will make your blog safer and if you are really wanting some payback just set up a forwarder so that anyone trying to access htsrv gets sent somewhere nasty.

I would definitely NOT block the "redirect_to" phrase through htaccess. You could block the IP, but that is possibly spoofed anyway. No need to block the url as it should be taken care of through the antispam blacklist.

5 Aug 10, 2005 17:15

The login link has a redirect_to attached to it, as does the lost password link.

6 Aug 10, 2005 18:28

You mean the login link on the main page? That points to /blog/admin/.

I can deal with that - also I'm the only blogger so I'm not worried about the lost password link.

If those are the only times that I'd mess myself up I can live with it filtering the redirect_to out.

Thanks EDb and Elpie.

;)
