Hi all,

About once every 2 or 3 three days, my site is visited by some nitwit bot (I suppose) who is looking for links like:
admin/phpMyAdmin-2.6.4-pl1/main.php
admin/phpMyAdmin-2.6.4-rc1/main.php
admin/phpMyAdmin-2.10.0-beta1/main.php
admin/phpMyAdmin-2.8.2.1/main.php
admin/phpMyAdmin-2.8.2/main.php
etc. etc., about 150 combinations every time, looking for various versions of phpmyadmin. 150!! Jeez. Obviously, this leads to "Page not found" messages in my Watchdog.

This time he's coming from 88.87.*.*, which, according to www.robtex.com, has a Spanish ISP, but he switches IP numbers with every series of visits. On previous occasions he "came from" Iran, Serbia, VS, France, you name it. So, blocking him on the basis of an IP number doesn't work.

I don't suppose this nutcase can do much damage, but it irritates the hell out of me. And I really don't see how to block him. The IP varies, but the pages he is looking for, ar always the same. Maybe that is a clue to block him? Can I make it so that someone looking for "admin/phpMyAdmin-whatever" is blocked out, without even going to the "page not found" part? I would prefer not see this baboon show up in my logs at all. Is that possible??

Comments

modul’s picture

I notice I used the wrong title: it's not actually a "spammer", just an unwanted visitor.

sepeck’s picture

http://drupal.org/project/httpbl

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

modul’s picture

Thanks for the reply, Sepeck, but I don't think httpBL will cut it. From what I understand, httpBL is IP based, i.e. it only works when your visitor uses the same IP every time. My unwanted visitor, on the other hand, uses a different IP with every series of visits. Today he's from Spain, tomorrow he may be (or at least appear to be) from Mexico or whatever. The one thing which is the same with every visit, however, is the pages he is looking for - a few examples are in my first post. So, I am looking for a way to block visitors who are trying to get to non-existant pages, which have nothing to do with Drupal whatsoever. Any hints, anyone??

sepeck’s picture

It pulls from a block list. It has helped tremendously on drupal.org

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

techguy10’s picture

Just curious, why do you think he's looking for non-existent pages.. trying to hack your site? I'm sure there's a way to deny all requests for non-existent pages so it doesn't burden your servers (is this your concern?), anyways just trying to understand the problem better, I'll check back to see if I can be of more help. I think you already hinted at this; you couldn't block him in the traditional sense because the IP always changes so it'd be something along the lines of just not allowing requests for non-existent pages to go through.. However, I can almost guarantee he (the bot) would be using IP proxies to access your site (do a google search and you will see there are a lot of free sites that offer this), of course it could be his own custom proxy but there is a way at least to block public proxies that are available to the public, a lot of sites categorically block all these proxy sites (though they are constantly changing.. not sure if there's a drupal mod that can keep updating the list automatically) since if someone's using one of the sites they are probably up to no good.

epatr’s picture

not sure if this is what you mean, but phpmyadmin is a web based mysql interface and if there isn't a user/pass set in mysql he can delete all the data or replace all the data with ads or redirects to another site.

modul’s picture

Thanks for your replies.

Obviously, this guy/bot is looking for access to phpmyadmin. He's going through dozens of versions, to see if they are somewhere in my /admin folder - which Drupal doesn't have, of course. Part of the pages he tries to access begin with /typo3.

And why? Who knows. Most likely to have access to data. My stuff isn't exactly top secret - in fact about 99 % of my content is public, the rest is some info for various groups of collaborators.

@Treymondo: what do you mean with "if there isn't a user/pass set in mysql"? There is a user/pass in Drupal's settings.php, but as far as I understand PHP that should be safe. And PHPMyadmin is simply not present in the location where this nut is looking. So, I am not so much afraid that my data would be jeopardized, but it simply makes me itchy to have a couple of hundred unwanted hits every other day. That's why I want this idiot out.

grobemo’s picture

I'm not sure exactly how to do this, or if it would be more trouble than it's worth to you, but maybe you could "fake" a "server not found" error message, or some other error message that would discourage him. If you limit this to non-existent pages in admin/, it shouldn't affect site users.

Anyone know how to do this, or whether it might deter a bot?

techguy10’s picture

Yeah you can change the error pages.. it should already be showing an error page anyways if the page doesn't exist

modul’s picture

Obviously, this is not a "him" who could be discouraged by error messages, not even if it would explain to "him" that I wish something really painful to happen to "his" manhood. It's a bot, and error messages don't matter. "His" logs are probably filled with zillions of error messages.

What I'm after, is some way (maybe in .htaccess?) to kick out all visitors trying to access something with "phpmyadmin" in their request (or "typo3" or "admin" or "main.php" or whatever other pages this bugger tries to access). Is that possible?

techguy10’s picture

Yes I'm sure there is a way, I would extend your search outside of the drupal community since this is an issue that affects webmasters as a whole, so you might be able to find the code somewhere to add to your .htaccess file even if its not through this drupal forum (but hopefully someone else will have a better answer on here)