Rewrite rule to "kick in" before default Cotonti response?

foxhound	#33537 2012-03-13 22:33
Donator Bedankt: 5 tijden	Some kid was sending us request after request continously trying an injection script. At first I ignored it cause it was catched by the logs but when he/she managed to crash apache with the constant flow after like 4 days it was time for some contra actions. This is what I did: RewriteCond %{QUERY_STRING} ^id=&para=xxxxxxxxxxxxx$ [NC] RewriteRule page.php http://127.0.0.1/index.php? [NS,S,L] RewriteCond %{QUERY_STRING} ^e=&para=xxxxxxxxxxxxx$ [NC] RewriteRule plug.php http://127.0.0.1/index.php? [NS,S,L] Redirecting to a local IP hoping it would flow back on his own server. This solved the issue and he is hardly coming through at the site anymore but still trying so I think he has not yet figured out the traffic he is sending in is redirected. I am typing all those "xxxxxx" cause I dont want google to catch this topic with the injection he is using. If you want I can sent you both injections he is trying so you can have a look. <img src="http://www.armaholic.com/datas/thumbs/green-sea-battalion-uniforms-version-03-preview_4.jpg" alt="green-sea-battalion-uniforms-version-03-" />

foxhound

#33537 2012-03-13 22:33

Some kid was sending us request after request continously trying an injection script. At first I ignored it cause it was catched by the logs but when he/she managed to crash apache with the constant flow after like 4 days it was time for some contra actions.

This is what I did:

RewriteCond %{QUERY_STRING} ^id=&para=xxxxxxxxxxxxx$ [NC]
RewriteRule page.php http://127.0.0.1/index.php? [NS,S,L]
RewriteCond %{QUERY_STRING} ^e=&para=xxxxxxxxxxxxx$ [NC]
RewriteRule plug.php http://127.0.0.1/index.php? [NS,S,L]

Redirecting to a local IP hoping it would flow back on his own server. This solved the issue and he is hardly coming through at the site anymore but still trying so I think he has not yet figured out the traffic he is sending in is redirected.
I am typing all those "xxxxxx" cause I dont want google to catch this topic with the injection he is using. If you want I can sent you both injections he is trying so you can have a look.