Auto IP Ban Script -Stop Roque Scanning and Trap Bad Spiders & Bots

7/28/2019 Auto IP Ban Script -Stop Roque Scanning and Trap Bad Spiders & Bots

1/17

)

Due to frustration from this previous thread:http://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/autobanning_ips_that_scan_for_nonexistent_content-

t43805.0.html;msg310478#msg310478 - I created this thread and the Auto IP Ban Script.

Many of us web site/domain account holders have been plagued by the dreaded nuisance of site rippers, site scanners, unruly search engine spiders androgue search engine bots. This is clearly evident whenever you view your error logs and notice a really long list of errors pertaining to files or foldersthat do not reside on your web account. And it leaves you wondering, why are they trying to find that particular file or folder?

This form of site sniffing is due to someone or some program automatically running a script that looks for certain files or folders. What they arelooking for are security holes in your web account for files that can be exploited. Although there is the ever present danger of exploits and the constantneed for security; many of these exploits go unfixed or unnoticed until it is much too late for the account owner.

In some cases certain search engines and or robots will crawl your pages and more than often will not respect or obey the parameters set forth in the

robots.txt file that you have created and or configured. Some of these spiders/bots will ignore the robots.txt and then traverse wherever they like aboutyour web account folders. This in turn will list or collect everything in your web account regardless of what you have blocked or have not properlyhidden.

In response to this annoying practice of sniffing or scanning a web site; I attempted to seek assistance from local hosting providers and other resources.To no avail, not a single person or company had a sure fire (and or free) way to fully combat this problem. I was told to either just ignore the scanningor "manually edit" my .htaccess file each and every single time there was a violation. Confounded by the lack of assistance and the need for beingcheap; I set forth to learn more PHP coding (yes, I took the time to read) and came up with a simple but highly effective script that dealt with theproblem immediately. Within the first 24 hours of implementing my newly created script, I had effectively and permanently banned five IP addressesthat were scanning my web sites. After the first 5 seconds of them scanning my site and hitting the Auto IP Ban Script - THEY WERE STOPPEDCOLD!

So, here is the script. As you can see it is small, plain, loosely written and has much potential. Try it out. It shouldn't be too hard to get it to work onyour web site. It only took me less than a day to write and perfect. Have fun and I hope this works for you rather than the - "Just deal with it" or"Ignore it" responses you will normally get.

Download the ZIP file:http://www.fbi-team.org/_pub/auto_ip_ban.zip
http://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/autobanning_ips_that_scan_for_nonexistent_content-t43805.0.html;msg310478#msg310478http://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/autobanning_ips_that_scan_for_nonexistent_content-t43805.0.html;msg310478#msg310478http://www.fbi-team.org/_pub/auto_ip_ban.ziphttp://www.fbi-team.org/_pub/auto_ip_ban.ziphttp://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/autobanning_ips_that_scan_for_nonexistent_content-t43805.0.html;msg310478#msg310478http://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/autobanning_ips_that_scan_for_nonexistent_content-t43805.0.html;msg310478#msg310478


2/17

Auto IP Ban Script (Stop Rogue Scanning and Trap Bad Spiders/Bots)

(Installation steps [Testing Phase] - Please read carefully)

1. Copy below code into a file called:mytrap.php(Use an HTML/PHP editor or Notepad. Be sure to remove the trailing spaces if you copy from this forum)

Code:


3/17

// Display the error message to the user. (You may change to read what you want).echo 'IP Address '.$ipad.' - Blocked or Banned!

THANK YOU - DON\'T COME AGAIN!IP Address '.$ipad.' Has Been Blocked or Banned!
Contact the web admin ifthis ban is by mistake.
Have a nice day!';// Close the .htaccess file - all done.@fclose($open);} else {// IP address is already banned - no need to rewrite to .htaccess file.// Display the error message to the user. (You may change to read what you want).
echo 'IP Address '.$ipad.' - Blocked or Banned!THANK YOU - DON\'T COME AGAIN!IP Address '.$ipad.' Has Been Blocked or Banned!
Contact the web admin ifthis ban is by mistake.
Have a nice day!';}// End of File/Script;exit;?>
2. Save mytrap.php file and then FTP upload to the root folder of your web account.(You can also use this same file in any subdirectories designated as 'Add-On Domains')

3. For testing purposes only - create an empty text file called htaccess.txt and then FTP upload it to the same root folder of your web account wherethe mytrap.php file was uploaded to.(This way while testing the Auto IP Ban script, you will not overwrite or destroy your existing original .htaccess file)

Quote*** WARNING *** - the following step is for those who have some knowledge in editing the .htaccess file.It is highly recommended that you make a copy of your original .htaccess file and keep in a safe place in the event that an error occurs.

- If you are well versed in manually editing the .htaccess file - proceed with caution.- If you are not well versed in manually editing the .htaccess file - STOP RIGHT NOW!- Please consult the latest documentation regarding the .htaccess file: http://httpd.apache.org/docs/2.0/howto/htaccess.html

4a. Open your original .htaccess file in a text editor and add the following lines of code:(It is recommended that you put these lines of code at the top of the .htaccess file

)

Code:
http://httpd.apache.org/docs/2.0/howto/htaccess.htmlhttp://httpd.apache.org/docs/2.0/howto/htaccess.html


4/17

Options +SymLinksifOwnerMatchOrder Allow,DenyAllow From All

4b. Then add these lines at the bottom of the .htaccess file - be sure to leave an extra empty line at the bottom too!Code:

RewriteEngine OnRewriteRule ^cgi-bin /mytrap.php [NC]RewriteRule ^cgi-bin/(.*)$ /mytrap.php [NC]

(Be sure that you are not using this directory/folder "CGI-BIN"- Ensure that you have added the "Options +SymLinksifOwnerMatch" line of code tothe .htaccess file or you will ban/block your own web site IP address and or will receive an "Error 500 Page" when accessing your site. If you are infact using the "CGI-BIN" folder, edit this to reflect a folder not in your root folder. (Example: /home/account/public_html/fumuda)

5. Save .htaccess file and then FTP upload to the root folder of your web account.

6. Open a web browser and enter in the address bar: http://www.YoUr_WeB_sItE.cOm/cgi-bin(You can use a trailing slash too - Change "YoUr_WeB_sItE.cOm" to your own web domain)

7. You should be presented with a red background screen with white colored text stating that your IP address has been banned/blocked.

8. Go check your email that you changed in the mytrap.php script and you should have a message from your hosted server with your own IP address(that has been banned), the file/folder you tried to access and the user agent string of your browser.

9a. Download/Browse to: http://www.YoUr_WeB_sItE.cOm/htaccess.txt

10a. Open the htaccess.txt file in Notepad and you should see the line: Deny from 12.34.56.789 (with your IP address instead)

11a. If you see the red message screen, have received the email with the ban info, and verified the "deny" text was written to the htaccess.txt file -EVERYTHING WORKED PERFECTLY!


5/17

How do I unban myself? [Testing Phase]

Technically you haven't banned yourself from your own web site. At least not yet. Remember the htaccess.txt file? This was used only for testingpurposes. Luckily it wasn't the real .htaccess file or you wouldn't be able to access your web site via a web browser right now.

So, with the testing complete; there is no need to unban yourself.

Setting Auto IP Ban for [Live Banning]

A. Follow the instructions in step #1 above but edit the $file value from htaccess.txt to .htaccess(Make sure the double quotes stay around the value and also no extension on the end)

B. Skip step #3 altogether - Testing is no longer needed

C. Continue the rest of the steps until you come to steps #9a, #10a, and #11a - skip those three steps and replace with the below steps #9b, #10b, 11b

9b. Now type your web URL in the browser address bar: http://www.YoUr_WeB_sItE.cOm

10b. You should be presented with an "Error 403 - Forbidden Access" page.

11b. Download your: .htaccess file from your root folder - open it in a text editor and look at the last line of the file - You should see the line:Deny from 12.34.56.789 (with your IP address instead) .

D. If you see the red message screen, have received the email with the ban info, and verified the "deny" text was written to the .htaccess file, and mostof all, CAN'T ACCESS YOUR WEB SITE - EVERYTHING WORKED PERFECTLY!

How do I unban myself? [Live Banning]So now you can't access your web site. The Auto IP Ban Script worked perfectly but now you want to access your web site again.

The fix is simple. Download your: .htaccess file from your root folder - open it in a text editor and delete the entire line that contains your IP addressfrom the file and then FTP upload the file back to your web account. Then refresh or reload your web page. You should now be able to access and seeyour web site again.


6/17

Adding Extras (Blocking access to other folders and files)

With the working functionality of the Auto IP Ban Script, a web owner has the potential flexibility to practically block anything that does not exist intheir web directory folders. As it may sound simple, this is the hard work that needs to be done to make the Auto IP Ban Script really effective.

If you want to add more folders or files that these miscreants have been looking sniffing or scanning for; the first thing you need to do is locate whatthey have already be trying to find. This information can be found in your web account logs. Depending on the frequency of the violations, you mayhave a huge amount of information or a very little amount to sift through. The best way to find these violations is to use a log viewer. I recommend:http://www.kiwisyslog.com/kiwi-log-viewer-overview/ - You can sift through large filesize logs easy and filter to highlight specific things you need tofind. Your best bet is to look for a cluster of lines by the same IP address that is attempting to access non-existent files or folders. They are usuallygrouped together in a span of about 1-15 minutes.

Once you have found all the violations and recorded them on paper or a text file, you will need to add them to the .htaccess file. As with in Step 4b.you can add extra lines with the corresponding violations you have found. Just add a new line and change the folder name or file name to match yourrecordings. If you want to block everything inside a folder, use the character set /(.*)$ after each folder name. This will block everything inside thatfolder. It works also for different versions of the folder whether it be plural or numbered variations.

Example Additions:

Code:

RewriteEngine OnRewriteRule ^cgi-bin /mytrap.php [NC]RewriteRule ^cgi-bin/(.*)$ /mytrap.php [NC]# Newly Added FoldersRewriteRule ^administrator /mytrap.php [NC]RewriteRule ^horde /mytrap.php [NC]RewriteRule ^phpmyadmin /mytrap.php [NC]# Newly Added FilesRewriteRule ^cgi-bin/formemail.cgi /mytrap.php [NC]

RewriteRule ^hidden/login.php /mytrap.php [NC]RewriteRule ^README /mytrap.php [NC]

(You can add as many as you like! Just make sure you are not using the folder or files you add or everyone that visits them will be banned from yourweb site)
http://www.kiwisyslog.com/kiwi-log-viewer-overview/http://www.kiwisyslog.com/kiwi-log-viewer-overview/


7/17

Bot and Spider Trapping (The Tangled Web You Weave)

The Auto IP Ban Script has an extended feature to lure and trap search engine spiders and robots that ignore or disobey your configuration settings inthe "robots.txt" file. If a search engine spider or robot so happens to ignore your "robots.txt" file; you can catch them in the act and effectively banthem permanently from your web site. The setup is really easy.

1. Install, edit, configure and verify that Auto IP Ban Script is working properly.

2. Create or edit yourrobots.txt file.

3. Add the following lines to your robots.txt fileCode:

Disallow: mytrap.phpDisallow: /mytrap.php

4. Save and FTP upload your robots.txt file to your root folder of your web account.

5. You can then choose to add a "blind" link at the top of your web page just below the tag so that search engine spiders and robots will pick itup. If they ignore the robots.txt file - they will be banned.Code:

Make sure the image file you use is put in the proper folder according to the SRC info. Also, it is best to use an image that has a transparentbackground so it will not be visible to any regular visitor. We don't want to ban our honest visitors, now do we?

(Check with the more common respectful search engines [Google, Yahoo, etc] to see if your web site may be penalized for using "blind" links. Somesearch engines will mark/grade/rate your web site lower if you have these types of hidden links in your web code)

6. Sit back and watch the fun of spiders and robots being banned!


8/17

Maintenance Thereafter [Long Term Effects]

You ask what are the drawbacks to using this script? Aside from unbanning regular nosy visitors, there is only one required maintenance feature.Depending on the frequency of sniffing and scanning attacks on your web site; you will have to periodically download and check your .htaccess file forexcessive amounts of banned IP addresses. If you have a lot of scanning going on your web pages, your .htaccess can grow to a very large filesize in afew weeks. Moderate your .htaccess file and ascertain if the Auto IP Ban Script is right for your web site. If you are getting sniffed and scanned on a

regular basis and it is becoming a serious issue, I highly recommend that you purchase some software that will handle the demand for better security.

Closing

By no means is the Auto IP Ban Script supposed to be a fix-all to stopping web site scanning and disobedient search engines. Auto IP Ban Script is aprimary step in an attempt to curb or discourage web site sniffing/scanning for non-existent files and or folders. Thus it will save precious bandwidthusage and processing time. Not to mention, it will reduce the size of your log files and give you some piece of mind in regards to web site security.

If you have any questions about Auto IP Ban Script; please post here or email me at: [email protected]

Enjoy!

Re: Auto IP Ban Script (Stop Rogue Scanning and Spider/Bot Trapper)

Reply #1 on: October 05, 2007, 06:50:37 PM

Very neat - please keep us up to date on it's progress!

Logged

New to Web Site Hosting? Check Out the Lunarpages Blog Hosting Guide!
mailto:[email protected]://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg310835#msg310835http://blog.lunarpages.com/blog-hosting/mailto:[email protected]://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg310835#msg310835http://blog.lunarpages.com/blog-hosting/


9/17

Follow us @lunarpages on Twitter!Important Threads:Read This Before Posting! | Lunarforums Rules!|Mitch's Link of the Day!

Also, be sure to check out and subscribe to the Lunartics Blog and the Lunarpages Newsletter !

Need Web Hosting Help? Check out the Lunarpages Web Hosting Wiki. It has tons of tips, tutorials and resources!

Re: Auto IP Ban Script (Stop Rogue Scanning and Trap Bad Spiders/Bots)

Reply #3 on: October 23, 2007, 11:39:34 AM

Had to register to thank the inventor! Have this installed today and it looks great!

I have some questions about .htaccess and how to get a "hit" on a certain request that i know only a hacker would hit.

I host some small sites with a couple of hundred visitors per day. On them i run a opensource php image gallery called 4images which seems to bepopular trying to hack. People are going at it a couple of times per week according to the access log. I get around computers well in general and hasmanaged to get this going on a VPS, but my php and .htaccess skills are limited so i might as well ask here...

1. I have "visitors" in the log looking like this /index.php?template=../../../etc/passwd%00 or they try upload a php script cloaked as a .jpg and thentry to call it /index.php?template=../../data/tmp_media/hackerscript.jpg%00 (The jpg hack is patched a long time ago but its still anoying)

Is it possible to trigger on the ../../ (or perhaps %00) part in .htaccess?

2. Would it be possible to add a feature of generally allowed admin IPs? For example, i know which IP-addresses that would access the /adminfolder of the gallery software. With this feature, anyone but the allowed IPs will be blocked. That way if a previously unknown hack to the admintools where found it is prevented with this.

Again, super script!
http://www.lunarpages.com/twitterhttp://www.lunarforums.com/lunarpages_webhosting_help/read_this_before_posting_lunarforums_faq-t49489.0.htmlhttp://www.lunarforums.com/lunarpages_web_hosting_hosting_plans_site_information/forum_rules-t30283.0.htmlhttp://www.lunarforums.com/lunarpages_web_hosting_hosting_plans_site_information/forum_rules-t30283.0.htmlhttp://www.lunarforums.com/lunar_chit_chat/mitchs_link_of_the_day_archive-t52382.0.htmlhttp://www.lunarforums.com/lunar_chit_chat/mitchs_link_of_the_day_archive-t52382.0.htmlhttp://blog.lunarpages.com/http://feeds.feedburner.com/lunarticshttp://www.web-hosting-newsletter.com/http://wiki.lunarpages.com/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg313931#msg313931http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg313931#msg313931http://feeds2.feedburner.com/lpnewsletterhttp://feeds.feedburner.com/lunarticshttp://www.lunarpages.com/twitterhttp://www.lunarforums.com/lunarpages_webhosting_help/read_this_before_posting_lunarforums_faq-t49489.0.htmlhttp://www.lunarforums.com/lunarpages_web_hosting_hosting_plans_site_information/forum_rules-t30283.0.htmlhttp://www.lunarforums.com/lunar_chit_chat/mitchs_link_of_the_day_archive-t52382.0.htmlhttp://blog.lunarpages.com/http://www.web-hosting-newsletter.com/http://wiki.lunarpages.com/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg313931#msg313931


10/17

/ThomasGothenburg, Sweden

Logged


11/17

While reading over this humongous nugget of information:http://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/htaccess_everything_you_need_to_know-t43944.0.html

I found a better way to setup scanners, sniffers, and bad bots. With a simple rework of the character string, one could lay justabout any type of trap for any file, folder and or string that these miscreants are looking for.

Again there are two things to consider:1. Ensure that you have no files or folders using these character strings or you will ban innocent visitors and even yourself fromyour web site. If you do, just remove the banned IP and the offending lines from your .htaccess file and re-upload to your FTPaccount.

2. Compile a list of things that these scanners, sniffers, and bad bots are looking for by sifting through your log files.

Now, for the good stuff. With simple reading and understanding of how things in the .htaccess world work; I came up with some

new character strings to get hits.

Before we were using just this set of strings in the .htaccess file:Code:

RewriteEngine OnRewriteRule ^cgi-bin /mytrap.php [NC]RewriteRule ^cgi-bin/(.*)$ /mytrap.php [NC]

But now we can make it much simpler by checking for specific things in a requested string query. So we can use these sets of

strings in the .htaccess file instead:

Code:

RewriteEngine On# Checks for a specific file nameRewriteRule ^prx.php$ /mytrap.php [NC,L]# Checks for character string queries inside a file name and or folder nameRewriteRule ^(/*.*)?cgi(.*/*)?$ /mytrap.php [NC,L]
http://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/htaccess_everything_you_need_to_know-t43944.0.htmlhttp://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/htaccess_everything_you_need_to_know-t43944.0.htmlhttp://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/htaccess_everything_you_need_to_know-t43944.0.htmlhttp://www.lunarforums.com/lunarpages_web_hosting_email_pc_security/htaccess_everything_you_need_to_know-t43944.0.html


12/17

Inque187Anti-Cheat & BetaTeamSpacescooter Operator

Offline

Posts: 39

Sic Vis Pacem, ParaBellum!

Re: Auto IP Ban

Script (Stop

Rogue Scanning

and Trap Bad

Spiders/Bots)

Reply #4 on:October 24, 2007,05:15:24 PM

Inque187

Anti-Cheat & BetaTeamSpacescooterOperator

Offline

nvm

Last Edit: October 24, 2007, 05:47:40 PM by Inque187 Logged
http://www.lunarforums.com/profiles/inque187-u13724.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/profiles/inque187-u13724.htmlhttp://www.fbi-team.org/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.fbi-team.org/http://www.lunarforums.com/profiles/inque187-u13724.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314156#msg314156http://www.lunarforums.com/profiles/inque187-u13724.html


13/17

Posts: 39

Sic Vis Pacem, Para

Bellum!

Re: Auto IP

Ban Script

(Stop Rogue

Scanning and

Trap Bad

Spiders/Bots)

Reply #5 on:October 24,2007, 05:26:58PM
http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.fbi-team.org/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.fbi-team.org/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314159#msg314159


14/17

thomasjNewbie

Offline

Posts: 4

Re: Auto IP BanScript (Stop Rogue

Scanning and Trap

Bad Spiders/Bots)

Reply #6 on:October 25, 2007,01:17:27 AM

Thanks for your reply!

Unfortunately it does not work in my case. I might have a clue on why...

As you see in my previous post the log shows this entry " http://www.mysite.com/index.php?template=../../../../../etc/passwd%00" i would like to trigger on the ../../ or passwd. BUT those are not a part of the catalogstructure or filename in Apaches point of view but a parameter to php since its after the ? right?

The other question, about authorized IP:s is that doable? (perhaps some sort of IF in the mytrap.php? "IF ip equals123.12.12.12 then OK"

/Thomas

Logged

Inque187Anti-Cheat & BetaTeamSpacescooterOperator

Offline

Posts: 39

Sic Vis Pacem, ParaBellum!

I'll look into that suggestion but wouldn't that defeat the main purpose of keeping certain unauthorized sniffers/snoopersaway? If the IP address does not generate a block, they should be good to go without having to add an extra "IF" statement.

Logged
http://www.lunarforums.com/profiles/thomasj-u34841.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.mysite.com/index.php?template=../../../../../etc/passwd%00http://www.mysite.com/index.php?template=../../../../../etc/passwd%00http://www.lunarforums.com/profiles/inque187-u13724.htmlhttp://www.fbi-team.org/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.lunarforums.com/profiles/thomasj-u34841.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg314185#msg314185http://www.mysite.com/index.php?template=../../../../../etc/passwd%00http://www.mysite.com/index.php?template=../../../../../etc/passwd%00http://www.lunarforums.com/profiles/inque187-u13724.html


15/17

Re: Auto IP

Ban Script

(Stop Rogue

Scanning and

Trap Bad

Spiders/Bots)

Reply #7 on:November 20,2007, 01:38:07PM

thomasjNewbie

Offline

Posts: 4

Re: Auto IP Ban

Script (Stop Rogue

Scanning and Trap

Bad Spiders/Bots)

Reply #8 on:November 20, 2007,02:26:06 PM

Quote from: Inque187 on November 20, 2007, 01:38:07 PMI'll look into that suggestion but wouldn't that defeat the main purpose of keeping certain unauthorized sniffers/snoopersaway? If the IP address does not generate a block, they should be good to go without having to add an extra "IF"statement.

Well perhaps. Its another way of using this script. I know the specific IPs (home computer and my computer at work) thatwill visit the www.site.com/admin/ folder. I would add the /admin/ folder as "forbidden RewriteRule /admin/mytrap.php". Since i know which IPs will visit /admin, all others that try to run anything in there is banned. Forexample, if there is a newly discovered bug in the script, the first thing a hacker would do is to gain admin access andhead for the admin tools. With this he is busted before he can say php.

Could you confirm my other suspicion about "../../../../etc/passwd%00" not being a part of the url from a Apache point ofview an therefor not working?

Thanks anyway!

/Thomas

Logged
http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/profiles/thomasj-u34841.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.site.com/admin/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.fbi-team.org/http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.lunarforums.com/profiles/thomasj-u34841.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316417#msg316417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg316415#msg316415http://www.site.com/admin/


16/17

quattroneNewbie

Offline

Posts: 1

Re: Auto IPBan Script

(Stop Rogue

Scanning and

Trap Bad

Spiders/Bots)

Reply #9 on:April 02, 2011,07:06:03 PM

I too felt compelled to register just to say thanx to Inque187. I have been plagued by snifbots for quite awhile now, banningIPs by hand every once in awhile when the outrage welled inside me, but that was for sure a losing battle. It just nowoccurred to me that perhaps there was a way to automatically do that when certain non existent folders or pages were

pinged. And there arent a lot if any solutions out there -- just this one, and it works great. Thanx so much!!

Logged

rjsNewbie

Offline

Posts: 1

Re: Auto IP

Ban Script

(Stop Rogue

Scanning and

Trap Bad

Spiders/Bots)

Reply #10 on:November 13,2011, 01:53:25PM

Well, I too felt I should register to say its a great idea.!!

Many thanks to Inque187 for this concept.rj

Logged
http://www.lunarforums.com/profiles/quattrone-u84837.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/profiles/rjs-u129684.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/profiles/quattrone-u84837.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg366553#msg366553http://www.lunarforums.com/profiles/rjs-u129684.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371103#msg371103


17/17

dgswilsonNewbie

Offline

Posts: 1

Re: Auto IP BanScript (Stop Rogue

Scanning and Trap

Bad Spiders/Bots)

Reply #11 on:December 02, 2011,05:55:27 AM

very nice, thanks

I have a perl logger that records IP, UA etc. So how do I tell script to not write ban? I'm pretty sure I know where to dothis but I thought I'd just ask. Also I guess I'll ask if there is a way to output to a different location than .htaccess - Like

(log.txt)? Like $file = "log"; and then replace ban with (?) write somethingLogged

tazilonNewbie

Offline

Posts: 1

Re: Auto IP Ban

Script (Stop

Rogue Scanning

and Trap Bad

Spiders/Bots)

Reply #12 on:October 21, 2012,07:10:05 AM

I realize that this thread is 5 years old, but I just found it, implemented the script, and it works VERY WELL!

Thank you VERY MUCH!

I've been lokking for something like this for a long time... thanks again!
http://www.lunarforums.com/profiles/dgswilson-u130344.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/profiles/tazilon-u139019.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/profiles/dgswilson-u130344.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg371659#msg371659http://www.lunarforums.com/profiles/tazilon-u139019.htmlhttp://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417http://www.lunarforums.com/lunarpages_security_center/auto_ip_ban_script_stop_rogue_scanning_and_trap_bad_spidersbots-t43858.0.html;msg381417#msg381417

Documents

Auto IP Ban Script -Stop Roque Scanning and Trap Bad Spiders & Bots