what were you expecting for HTTP_HOST?
(please use example.com for your domain)

Handling of requests like http://www.example.com/http://www.example.com/something can be problematical. It is best to block them.

RewriteCond %{QUERY_STRING} http [NC]
RewriteRule .? - [F]

will block any request with http in the query string part of the request.

RewriteRule http - [NC,F]

will block any request with http in the path part of the request.

The above two rulesets might simplify to one ruleset

RewriteCond %{THE_REQUEST} http [NC]
RewriteRule .? - [F]

Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.

RewriteCond %{REQUEST_URI} !piwik
RewriteCond %{QUERY_STRING} http [NC]

;)

Probably GA as well. Someone will know. Leave off the [NC] here, because you only want to filter out the correct forms of the name.

what were you expecting for HTTP_HOST?
(please use example.com for your domain)

Okay, thanks, I will use example.com for my domain this time,,

The request would have been www.not-my-domain.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

and the array $_SERVER was ..

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)

Notice that HTTP_HOST' => 'www.not-my-domain.com , it should be my domain ? I wouldn't have thought that anyone could modify HTTP_HOST value.

Do run Xenu LinkSleuth over your site to make sure the malformed request is not the result of a user clicking a malformed link somewhere within your own site.

I searched here and there; seems this is a Windows .EXE; I run a *nix desktop. I searched for 'Link checker' under Muon package manager; quite a few there.

Thanks to and for those rewrite rules. Here is my 'htaccess now ..

Options +FollowSymLinks
RewriteEngine on
# 124.***.***.*** force a 403 for any attempts to use WordPress files (other than my IP)
RewriteCond %{REMOTE_ADDR} !^124\.***\.***\.***$
RewriteRule ^(wp-login|wp-register|upgrade)\.php?$ - [F] 

Deny from 37.1.207.22

ErrorDocument 400 /400error.php
ErrorDocument 403 /403error.php
ErrorDocument 404 /404error.php
ErrorDocument 406 /406error.php
ErrorDocument 414 /414error.php
ErrorDocument 500 /500error.php
ErrorDocument 501 /501error.php

where should I put the new rules please ?

[edited by: phranque at 11:07 am (utc) on Mar 11, 2013]
[edit reason] use example.com please [/edit]

'HTTP_HOST' => 'www.example.com',

Notice that HTTP_HOST' => 'www.example.com , it should be my domain ?

are you saying the example.com you are seeing for HTTP_HOST isn't your domain?

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.

HTTP/1.1: Header Field Definitions:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

are you saying the example.com you are seeing for HTTP_HOST isn't your domain?

The correct value (i.e the value from the array) for HTTP_HOST is (for example) www.not-my-domain.com

I keep posting all the array values, in attempting to describe the problem, but someone keeps changing www.not-my-domain.com to example.com

So, the problem cannot be resolved, or even understood correctly when the array values are changed. Very frustrating.

As an overview, the only array entry that should contain my domain name (shown as example.com) is 'SERVER_ADMIN' => '**********@example.com',

All the other array entries that contain a domain name should be of the value not-my-domain.com

not-my-domain.com is not my domain

in any case, the value of HTTP_HOST is the hostname requested, so the visitor isn't changing anything and their requested hostname will only reach your server if you have configured your server to accept requests for that hostname.

But the hostname would have been example.com (my domain name), and the uri would have been www.example.comhttp://www.not-my-domain.com/55-93-home/strut-bladders.jpg

[edited by: phranque at 10:40 am (utc) on Mar 11, 2013]
[edit reason] exemplified "not-my-domain" domain [/edit]

<mod>
since i misunderstood the problem description when exemplifying jehoshua's previous posts, i am reposting a "properly exemplified" version of the $_SERVER array dump below:

array (
'DOCUMENT_ROOT' => '/home/********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_HOST' => 'www.not-my-domain.com',
'HTTP_USER_AGENT' => 'webcollage/1.135a',
'PATH' => '/bin:/usr/bin',
'QUERY_STRING' => '',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '400',
'REDIRECT_UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'REDIRECT_URL' => '/55-93-home/strut-bladders.jpg',
'REMOTE_ADDR' => '92.xx.yy.zz',
'REMOTE_PORT' => '50066',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => 'http://www.not-my-domain.com/55-93-home/strut-bladders.jpg',
'SCRIPT_FILENAME' => '/home/********/public_html/400error.php',
'SCRIPT_NAME' => '/400error.php',
'SERVER_ADDR' => '204.***.***.***',
'SERVER_ADMIN' => '***********@example.com',
'SERVER_NAME' => 'www.not-my-domain.com',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
'UNIQUE_ID' => 'UTr9qswPhjQAAEMtKNMAAAAC',
'PHP_SELF' => '/400error.php',
'REQUEST_TIME' => 1362820523,
'argv' => array (
),
'argc' => 0,
)

i have also made this edit to jehoshua's original and subsequent posts to clarify the problem statement but a couple of other posts may be a bit confusing post-edit.
sorry for the mess!
</mod>


jehoshua:
it looks like your attacker has specified your server's IP address in the DNS configuration for not-my-domain.com and your server is probably configured to accept any hostname requested.
you should add some directives to your server config or .htaccess file to specify the hostname for your virtual server or forbid access to any requests for any domain other than yours.

[edited by: phranque at 11:14 am (utc) on Mar 11, 2013]

You have to use example dot something in this forum. Any other hostname is converted to a link and the code is unreadable.

Use example.com for your domain and example.net for not your domain and all will be clear.

Thanks for your replies.