Strange log entries

I have a couple of questions which are probably very stupid, but I’ll go ahead and ask them anyway. :slight_smile:

My server logs (on shared hosting) show a large number of requests, from various IPs, which take the form /home/my_username/public_html/directory/subdirectory/file.php . Am I right in thinking that there is no legitimate reason for anyone to be trying to access my site using that path? The directory is blocked in the robots.txt file, and files within it are not linked from the main site. The username is the standard cPanel first-eight-letters-of-the-domain version (which I can’t change) and the site was hacked some months back, so I’m not too surprised to find it being used.

As far as I can tell, all these requests have been blocked with a 403 or 404 error. Is there anything else I can do about them? The vast majority of these requests seem to have come via Google translate, if I’m reading the logs correctly.
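An added example, not part of the original thread: a small Python triage script for the log entries described in the post above. It finds requests whose URL is a filesystem path under /home/<user>/public_html, tallies their status codes and referer hosts, and lists any that were answered with something other than an error. The log lines are constructed samples in Apache combined format; the IPs, timestamps, file names and user agents are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (Apache "combined" format, documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:10:01:02 +0000] "GET /home/my_username/public_html/directory/subdirectory/file.php HTTP/1.1" 403 312 "http://translate.google.com/translate?u=example" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2012:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2012:10:02:41 +0000] "GET /home/my_username/public_html/directory/subdirectory/file.php?id=1 HTTP/1.1" 404 290 "http://translate.google.com/translate?u=example" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2012:10:05:13 +0000] "GET /home/my_username/public_html/directory/other.php HTTP/1.1" 200 1024 "-" "curl/7.21"
"""

# The fields of the combined log format that matter here.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# A request target that looks like a cPanel filesystem path rather than a site URL.
FS_PATH = re.compile(r"^/home/[^/]+/public_html/")


def triage(log_text):
    """Return (status counts, referer-host counts, requests answered below 400)."""
    by_status, by_referer, served = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not FS_PATH.match(m["target"]):
            continue  # unparseable line or an ordinary URL
        status = int(m["status"])
        by_status[status] += 1
        # "-" means the client sent no Referer header.
        by_referer[urlsplit(m["referer"]).hostname or "-"] += 1
        if status < 400:
            # Not blocked: the server answered a filesystem-path request.
            served.append((m["ip"], m["target"], status))
    return by_status, by_referer, served


if __name__ == "__main__":
    statuses, referers, served = triage(SAMPLE_LOG)
    print("status codes:", dict(statuses))
    print("referer hosts:", dict(referers))
    for ip, target, status in served:
        print(f"NOT BLOCKED: {ip} got {status} for {target}")
```

Anything it reports as not blocked is worth checking by hand, since the claim that every such request ended in a 403 or 404 is exactly what the script tests.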

Sounds like an incorrect redirect using mod_rewrite or something like that. That can sometimes spit out complete paths like the one you have there. But indeed, you shouldn’t be seeing requests like that in your log; people should not even know what your user name is, let alone try and access it.

Thank you. I have various rewrite rules (produced by a script) and now I’ve looked at them, I find they do use that path. e.g.

RewriteRule (.*) /home/my_domain/public_html/directory/subdirectory/file.php

I confess I have no idea if that is correctly written. :blush: Can I change the first part to http: //www .my_domain/directory etc., or is that incorrect syntax? (Without the spaces, of course - I couldn’t work out how else to stop it automatically being tagged as a URL.) I don’t think that can be the whole answer, though, because I have the exact same rule on twelve separate domains, and only three of them have this pathway in the log entries. (The other two only have a handful of occurrences, which I hadn’t noticed before.)

I now promise to go and study the tutorials in the Apache forum. :slight_smile:

Just use this instead:

RewriteRule (.*) directory/subdirectory/file.php

What you have should in theory also work, but it’s not very nice code, and as you’ve just found out, not all servers like it :slight_smile:
What is it supposed to do btw? That line looks a bit odd…

Thank you - I’ll change that. It’s from a set of rules supposed to block code injection or SQL injection attempts.

@ScallioXTX: To reply to your next post, which seems to have got lost in transit somewhere, it’s the last line of a block of rules:

RewriteCond %{REQUEST_METHOD} (GET) [NC]
# Do not block yourself (admin access): exempt your own IP address
RewriteCond %{REMOTE_ADDR} !^***.***.**.***
# The following rules can block some of your URLs; if that causes problems, remove them one at a time until it is solved
# Every condition in this chain carries [OR] except the last one, so the rule fires when any one pattern matches
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(f|%66|%46)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)%20(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)%20(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%20(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)%20(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC]
# End of potential issue rules
RewriteRule (.*) directory/subdirectory/file.php [L]

You’re quite right to assume I’m clueless when it comes to this stuff. I naively thought I only needed to worry about security on my local machine, not the server, until three of my sites were hacked. :eek: Since then, I’ve been trying to learn as much as I can, and I’m grateful for any assistance. My hosting company didn’t want to know, so I’m pretty much floundering about on my own.