Trapping Bad Behavior with rewrite -phpmyadmin anywhere in URL

Question

I'm hoping someone can help as I'm a bit of a noob when it comes to apache mod rewrite, and getting this one wrong can screw things up pretty bad.

While going though my security logs I noticed that almost 50% of the attacker bots had the string phpmyadmin (different case, sometimes with version numbers in it). i.e.

hhhh://www.example.com/phpmyadmin/

hhhh://www.example.com/something/phpMyAdmin/

hhhh://www.example.com/something/morestuff/phpMyAdmin/

hhhh://www.example.com/phpMyAdmin-2.11.3/scripts/setup.php

etc. etc. etc.

I'm wondering is there a way I can use mod rewrite to trap all of these and send them to

hhhh://www.example.com/bottrap/index.php

or something similar. (hhhh -> http - spam protection wouldn't allow http)

I figured just for good measure I'd add a deny to all in the robots.txt file and say thanks for the visit by contributing the ip address to the honeypot project.

I can handle the php stuff, but even after reading mod rewrite documentation, I'm still pretty lost. Any help would be much appreciated.

Answer 1

As long as you don't have any legitimate requests for anything containing "phpmyadmin", then you can simply do add this rule near the top of the htaccess file in your document root:

RewriteRule phpbbadmin /bottrap/index.php [L]

Include the R flag if you actually want to redirect the request: [L,R].

I figured just for good measure I'd add a deny to all in the robots.txt file and say thanks for the visit by contributing the ip address to the honeypot project.

I doubt these bots honor the robots.txt file. If anything these are compromised websites or otherwise users unwittingly hosting malicious code either on their websites or home PCs. You can include a DENY From <ipaddress> in the htaccess file if the requests get annoying, but adding them in the robots.txt probably isn't going to do much.

---

Adding NC makes it pick up case variations.

RewriteRule phpmyadmin /phpmyadmin/index.php [L,NC]