Recently I too was attacked by a hacker through my extCalendar component. In my Recent Visitor logs I was seeing variations of this:
So after a search I found this forum, read through it and added the:
// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
but I continued seeing this request on my Recent Visitors log with a Http Code: 200 - which I think is telling me that it was successful.
So I decided to simply remove the component. But I continued seeing this request with a 200 code. Now I would assume I would see a 404 code since the files were all removed. But I didn't, so I read more. Saw the additions to the .htaccess that were recommended and added those. And this did seem to have an effect. Now I was seeing a 302 redirect code followed by my index page and 200 code. But this still did not seem to completely solve the problem, because I was starting to see another variation of the above attack:
2 forward slashes before the link. This was followed by another 200 Http Code.
So here is what I did - and I am sure the experts will tell you that it may or may not be recommended (experts please advise):
What I noticed was that all of these attacks were coming from a libwww-perl/5.805 Agent. To my knowledge only hackers have used this agent to access my site. Regular visitors tend to use more common browsers like IE, Safari, Opera and Firefox. So I did a little research and found that I could add to my .htaccess another Rewrite that would forbid this agent altogether. I have added the following Condition to a list of known bad bot agents. Below is a simplified rule without the other offending agents.
After adding this each Recent Visitor attempt is followed by a Http Code 403 - forbidden. It is my hope that this has stopped any successful attacks.
To all experts out there, feel free to tear my post apart. I have no ego in writing this. My intention is only to share my miserable existence.
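
An added example, not part of the original post: a small log audit that checks whether every request from the libwww-perl agent is now answered with 403, including the double-slash variant. It assumes Apache "combined" log format; the sample lines, addresses and the `com_placeholder` path are constructed placeholders, not values from the post.

```python
import re
from collections import Counter

# Apache "combined" format (assumed):
# host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
BLOCKED_AGENT = re.compile(r'libwww-perl', re.IGNORECASE)

def normalize_path(target):
    """Drop the query string and collapse repeated slashes ('//a/b' -> '/a/b')."""
    path = target.split('?', 1)[0]
    return re.sub(r'/{2,}', '/', path)

def audit(lines):
    """Return (status counts for the blocked agent, requests not answered 403)."""
    statuses = Counter()
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not BLOCKED_AGENT.search(m['agent']):
            continue  # unparsable line or an agent we are not auditing
        status = int(m['status'])
        statuses[status] += 1
        if status != 403:
            leaks.append((m['host'], normalize_path(m['target']), status))
    return statuses, leaks

# Constructed sample: two requests before the block, one after, one normal visitor.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:00:00 +0000] "GET /components/com_placeholder/file.php?x=1 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [01/Jan/2000:10:05:00 +0000] "GET //components/com_placeholder/file.php?x=1 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [01/Jan/2000:11:00:00 +0000] "GET //components/com_placeholder/file.php?x=1 HTTP/1.1" 403 210 "-" "libwww-perl/5.805"',
    '198.51.100.4 - - [01/Jan/2000:11:01:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows) Firefox/2.0"',
]

if __name__ == '__main__':
    counts, leaks = audit(SAMPLE)
    print('status counts for blocked agent:', dict(counts))
    for host, path, status in leaks:
        print('not blocked:', host, path, status)
```

The User-Agent header is chosen by the client, so this audit only covers requests that announce themselves as libwww-perl. A 200 in the log records that the server returned a page, not that the request achieved anything.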