Recently my site has been hit with huge numbers of injection attacks. Right now, I trap them and return a static page.
Here’s what my URL looks like:
/products/product.php?id=1
This is what an attack looks like:
/products/product.php?d=-3000%27%20IN%20BOOLEAN%20MODE%29%20
UNION%20ALL%20SELECT%2035%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C%27qopjq%27%7C%7C%27ijiJvkyBhO%27
%7C%7C%27qhwnq%27%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35
I know for sure that this isn’t just a bad link or fat-fingered typing so I don’t want to send them to an overview page. I also don’t want to use any resources on my site delivering a ‘missing’ page.
Based on a couple of comments on Stack Overflow, I looked up how to return ‘page not found’. This Stack Overflow answer by icktoofay suggests sending a 404 and then calling die(); the bot thinks that there isn’t a page and might even go away, and no resources are used to display a page-not-found message.
Here’s what mostly works.
header("HTTP/1.0 404 Not Found");
die();
I still get attempts, but they usually only try 20 or so times and then they go away for a few days.
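An added example, not part of the original post: one way to do the trapping itself, so that anything other than a plain numeric id gets the bare 404 before any database or template work runs. The helper name parse_product_id and the rule that ids are positive integers of up to nine digits are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the post): returns the product id, or null
// when the request should get the bare 404. Assumes ids are positive integers.
function parse_product_id(array $query): ?int
{
    $raw = $query['id'] ?? null;
    // Rejects a missing id, array input (?id[]=1), signs, spaces, quotes and
    // anything else that is not 1 to 9 plain decimal digits.
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

if (PHP_SAPI !== 'cli') {
    // Web request: decide before any database or template work is done.
    $id = parse_product_id($_GET);
    if ($id === null) {
        http_response_code(404);
        exit;
    }
    // ... load product $id here, using a prepared statement ...
} else {
    // Command-line check. The second query string is the first line of the
    // request quoted in the post; the others are constructed samples.
    $samples = [
        'id=1',
        'd=-3000%27%20IN%20BOOLEAN%20MODE%29%20',
        'id=1%27%20UNION%20ALL%20SELECT%2035',
        'id[]=1',
        'id=%2B1',
    ];
    foreach ($samples as $qs) {
        parse_str($qs, $query);
        $id = parse_product_id($query);
        printf("%-45s %s\n", $qs, $id === null ? '404' : "id=$id");
    }
}
```

Run from the command line, only the first sample yields an id; every other line prints 404, including the request from the post, which never supplies an id parameter at all.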